In trying to create, achieve and implement the elusive “culture of compliance” when it comes to financial crime controls – an initiative much ballyhooed by federal regulators, but with few details on what that exactly means – it’s no wonder officers can feel confused, and even powerless.
That’s because so much of what examiners apparently want to see when it comes to an enterprisewide, international, interwoven compliance culture in all parts of an institution is significantly dependent on other very high-ranking and powerful divisions of the bank far outside of compliance that likely don’t have the expertise to understand what they are being presented with in terms of program changes, challenges and budgets.
In some instances, these areas – like the board of directors or audit committee level – may have little time or reason to get to know the arcane intricacies of the anti-money laundering (AML) program, with its whizzing and whirring transaction monitoring systems, beeping alerts of aberrant actions and cloak-and-dagger reports to the government.
But in discussions with investigators, consultants and other financial crime compliance professionals, they have concluded that possibly the only way for a bank to truly have a compliance culture that passes muster with increasingly nitpicky regulators is to recruit and install people at key levels of the bank with extensive AML expertise, so they can act in a range of capacities, such as a mediator, champion and, most importantly, backstop.
Here are four critical areas in a bank that should be staffed with one, or several, individuals well-versed in financial crime compliance, potentially creating a node of AML excellence and oversight at what has been historically some of the areas with the least understanding of financial crime programs, vulnerabilities and solutions.
By doing that, institutions could better connect disparate and siloed operations across broader compliance categories, get perspectives from experts outside the bank without having to engage expensive third-party consultants and make more precise and informed decisions tied to complex compliance systems, resources and training.
- Board of directors level: Historically, the board of directors at many large companies and banks was a cushy position availed to titans of industry, political powerbrokers or well-known, blustering and bloviating billionaires. During key presentations, their minds were more on where they would be playing golf with their buddies after the meeting. But that dynamic, particularly tied to financial crime compliance, has changed markedly in the last decade.
There has been a rising chorus of enforcement actions in recent memory calling for boards to be more involved and, gasp, accountable for compliance failures for the institutions they oversee. For instance, many AML actions and penalties specifically require the board to know and sign off on compliance programs, changes and remediation efforts.
So it would behoove banks, particularly large, international operations, to install, say, a former top compliance officer, examiner or consultant, on their board.
That would be a boon so when an AML compliance officer goes before them to give a scorecard of the program, at least someone can understand what the individual is saying, challenge the person on key areas – such as the health of customer risk assessments, monitoring and training initiatives – and potentially avert a disaster if the board member doesn’t like what they are being told.
- Chief Compliance Officer level (CCO): Whether the CCO wants to admit it or not, maybe some are still in denial or say they simply don’t have time, but AML compliance – covering areas like global sanctions, anti-corruption and even terrorist financing – has risen to the level of importance of other top risk management areas, like credit and liquidity.
But let’s be real. At the lofty and often harried position of CCO, the individual has to worry about every area of compliance in a bank, and, wow, there are a lot of them. So, obviously, a bank has to be judicious and thoughtful about what areas of expertise the CCO will have.
So while this person doesn’t have to be a card-carrying AML compliance officer in a former life, the CCO should be well-versed and trained in both broad and deep AML trends, and hopefully the person has a technology or IT background to also make decisions on large scale systems upgrades and meshing together new and legacy programs.
- Audit Committee level: The audit committee is considered one of the key bulwarks to uncover and stop any problems before regulators, or worse, authorities and investigators, show up at the doorstep.
So, not surprisingly, the auditors that make up these committees are typically staffed with seasoned, well, auditors, trained to US and sometimes international standards. They can adroitly dive into a mishmash of numbers that would overwhelm most mere mortals and come out with organized charts, diagrams and didactic reams of data points.
But what can be a challenge for an audit committee is dealing with the decisions made in financial crime programs, which deal not just with numbers, but with hunches and amorphous thresholds of what is considered not just aberrant, but “suspicious.”
That result is a scenario where the audit committee has to audit the findings of the AML independent testing group, which may or may not be part of the bank or be done by external auditors.
The overarching audit committee must look at not just numeric thresholds, such as amount of cash deposited or number of wires through a given account, but to where these funds are going and what related entities are involved, all concepts and conundrums financial auditors may be hard-pressed to understand and make informed decisions about possible failings.
“AML expertise really needs to be infused at the audit committee level,” said a consultant at one of the big four auditing and consulting firms, who asked not to be named. “These individuals think in terms of a financial audit, but there is an awful lot more involved in reviewing financial crime programs, from AML to FCPA all the way down to FATCA issues.”
All of those distinct parts have to be assessed, and to do that the super audit committee “has to have a knowledge base,” said the person. “If not, then the AML audit people are presenting reports and annual reviews, and the audit committee is listening, but not necessarily able to understand what is being presented to them or how to find gaps.”
- Legal department: For many large banks, the legal department has had to intimately get to know AML programs and practices – but unfortunately it’s because government regulators and investigators are saying the program is systemically flawed and should be slammed with a prescriptive enforcement order or punitive penalty.
“The compliance department, in many cases, came out of the legal department,” said the consultant.
“But now, when you are in the legal department, attorneys can be kind of protective of what they do. Attorneys tend to feel they don’t need to ask for help on legal, compliance or regulation issues because they feel if they need to know it, they can look it up and figure it out. But even if they do that for AML, they won’t have the day-to-day judgement and experience of a financial crime compliance professional.”
So it’s vital that the legal department be stocked with one, or a few, attorneys with a deep knowledge of AML compliance programs, systems and vulnerabilities for several reasons. First, to keep abreast of major program penalties and prosecutorial focal points, but also be an advocate and defender of the program when authorities accuse the operation of missteps.