Here is an analysis of the just-released US Department of Justice corporate compliance metrics by experts David Caruso, Ryan Rohlfsen and me, with some additional details on the ambit of the compliance counsel.
The Justice Department broke the metrics up into two categories: one covering financial crime compliance, such as anti-money laundering (AML) and sanctions, and the other covering general compliance ideals. To read part one of this package, please click here.
The Justice Department stated that in the AML context in particular, effective compliance requires more, and prosecutors would inquire about:
- KYC accuracy: What does the institution’s “know your customer,” or KYC, policy look like?
- Practical application: “This seems basic, but an institution must ensure that its anti-money laundering, sanctions and other compliance policies and practices are tailored to identify and mitigate the risks posed by its unique portfolio of customers, and that those customers are providing complete and accurate information.” KYC has become the new foundation of the financial crime compliance program because that data feeds directly into the risk assessment, which in turn tunes the sensitivity of the transaction monitoring system. Giving a pass to obviously risky, wealthy customers has resulted in big bank fines.
- Foreign fracas: If a financial institution operates in the U.S. – whether it is a U.S.-based bank or a U.S. branch or component of a foreign bank – is it complying with U.S. laws?
- Practical application: “This may sound straightforward in principle, but we have seen that it is all too often not implemented in practice.” This is a clear nod to the stripping cases occurring in recent years – in which certain foreign banks removed wire information for sanctioned entities and regimes – that have equated to historic compliance penalties in the billions of dollars. The message: Don’t allow foreign operations compliance autonomy without oversight in the quest for profits.
- Compliance candor: Is the company or financial institution candid with regulators?
- Practical application: “When we investigate companies, we look closely at the information the companies provided to regulators about the violation. We look at whether the companies were forthcoming, or not.” In certain AML compliance penalties, the banks, alone or in concert with external auditors, tried to mislead federal regulators and investigators, which resulted in larger penalties and longer remediation engagements. If in doubt, report the activity, but also explain the fixes and the related timetables.
Non-AML specific compliance tenets:
- Senior support: Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies?
- Practical application: This is achievable in all sorts of ways, including training videos, memos and penalizing or firing a manager who does something wrong. That sends a powerful message to the rest of the employees.
- Statutory stature: Do the people who are responsible for compliance have stature within the company?
- Practical application: Give senior compliance staff titles on par with, and in association with, the bank’s executive management team. Also, ensure clear reporting structures that do not force compliance to go through business line executives in order to report unusual activity.
- Funding fight: Do compliance teams get adequate funding and access to necessary resources? Of course, we won’t expect that a smaller company has the same compliance resources as a Fortune-50 company.
- Practical application: Ensure the compliance team has the same opportunity as other divisions to articulate a business case for more resources and is not pushed aside by operations that are more profit-oriented.
- Compliance clarity: Are the institution’s compliance policies clear and in writing? Are they easily understood by employees? Are the policies translated into languages spoken by the company’s employees?
- Practical application: Ensure the policies are part of early and ongoing training, are available in the languages in which the bank operates, and are regularly reinforced and updated through emails, the company’s internal website or even its home page.
- Conflict resolution: Do employees have repeated training, which should include direction regarding what to do or with whom to consult when issues arise?
- Practical application: Beyond their immediate supervisors, ensure employees have a direct line to compliance personnel, or even to the chief executive or the board of directors, or an anonymous tip line, so that compliance and other issues are not allowed to fester because of business line interference.
- Evolving risks: Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances? This is especially important if a U.S.-based entity acquires or merges with another business, especially a foreign one.
- Practical application: This is the bread-and-butter of banking financial crime compliance teams, but could be challenging for corporates new to these concepts. Critical is ensuring the bank knows the country and customer risks in the acquired entity and analyzes the compatibility of all compliance systems involved to ensure no potentially risky customers fall through risk assessment or transaction monitoring cracks.
- Equal enforcement: Are there mechanisms to enforce compliance policies? Those include both incentivizing good compliance and disciplining violations. Is discipline even-handed?
- Practical application: From the document itself: “The department does not look favorably on situations in which low-level employees who may have engaged in misconduct are terminated, but the more senior people who either directed or deliberately turned a blind eye to the conduct suffer no consequences. Such action sends the wrong message – to other employees, to the market and to the government – about the institution’s commitment to compliance.” The message is clear: whether it is a junior analyst or a business line executive who generates $20 million in annual revenue, both are terminated if they fall afoul of the rules, and the heavy hitters don’t get special treatment.
- Vendor vulnerabilities: Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance?
- Practical application: Again, from the document: “This means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location.” There has been more focus on third parties across the financial crime compliance chain. Consultants have been penalized for not being independent enough in AML reviews, and payment processors have been chastised for giving criminals a pathway into the banking system and giving fraudsters and hackers a portal to bank customer data.
From the Justice Department on the new role of the compliance counsel:
First, the compliance counsel will help us assess a company’s program, as well as test the validity of its claims about its program, such as whether the compliance program truly is thoughtfully designed and sufficiently resourced to address the company’s compliance risks, or essentially window dressing.
Second, she will help guide Fraud Section prosecutors when they are seeking remedial compliance measures as part of a resolution with a company, whether by prosecution or otherwise.
We don’t want to impose unrealistic, unnecessary or unduly burdensome requirements on companies. At the same time, we want to make sure that appropriate compliance enhancements are included when they are needed.
For this reason, we have chosen a compliance counsel who has the experience and expertise to examine a compliance program on a more global and a more granular level.
The Criminal Division will continue to review companies’ compliance programs as one of the many factors to be considered when deciding whether to criminally charge a company or how to resolve criminal charges.
Our hiring of a compliance counsel should be an indication to companies about just how seriously we take compliance.