We know that the financial services industry has been grappling with the cost of compliance for the last 10 to 15 years, but a new era might be dawning now that the elusive term “culture” is being officially used in the phrase “culture of compliance.”
In August this year, FinCEN issued an advisory to U.S. financial institutions, directed at senior management, leadership and owners, on “promoting a culture of compliance,” seeking to highlight the importance of strong Bank Secrecy Act (BSA) and anti-money laundering (AML) compliance.
It speaks of the culture of the organization being critical to compliance, which is not quite the same as having a culture of compliance. I could write a thousand words or so on what is meant by culture, but the variety of perceptions would most likely all serve the purpose of this article.
Whatever the culture, there will be various objectives and some of those will naturally conflict with each other. The advisory does not speak to how to deal with conflicts or how and when to prioritize, it simply highlights the general principles for improving and strengthening compliance with BSA obligations. This is quite specific and thus less helpful at a time when sanctions and anti-corruption loom larger than anti-money laundering and anti-terrorist financing.
FinCEN advisory highlights
The advisory lists the ways to strengthen compliance culture, to ensure that:
- Leadership actively supports and understands compliance; the commitment of leaders should be visible to thereby influence others. Informed leaders can then better determine the allocation of resources for compliance.
- Efforts to manage and mitigate deficiencies and risks are not compromised by revenue interests; effective governance sees compliance functions working independently to take appropriate actions to address and mitigate any risks arising.
- Relevant information is shared with compliance; U.S. enforcement actions reveal that compliance was not provided with key information held elsewhere in the organization.
- Adequate resources, both human and technological, are devoted to the compliance function.
- The compliance program is effective and includes ongoing risk assessment, sound risk-based customer due diligence and appropriate detection and reporting of suspicious activity. Above all, testing by an independent and competent party is important, as is taking appropriate corrective action where necessary.
- Leadership and staff understand BSA/AML efforts and the reporting used. Moving away from filing just to comply, the people in the organization should be aware of how this information is used to prevent crime and also to prevent internal risks such as fraud, cyber-attacks, etc. Understanding and communicating the context and purpose of the compliance regime is as important to the culture of the organization as understanding the requirements themselves, and this should be included in training.
There is nothing controversial in the advisory itself; the advice is agreeable. The problem is that it does not mandate how far and when to prioritize compliance above revenue. There will continue to be cases where information, recommendations or decisions at the operational level of compliance are not communicated up, either because the compliance function has no opportunity to do so or because it is even blocked.
The advisory would have done better to address governance and setting the “tone at the top,” and its helpful advice will remain largely ineffective unless enforcement actions are truly effective: proportionate to the deficiency and the revenue involved. Only then will all the leaders responsible and liable consistently ensure that they receive all the reports from compliance and make business decisions based on risk, including the compliance and legal risk assessments. Hey presto, the tone at the top sets a culture of compliance which the top continues to monitor and promote. I would suggest that regulators will continue to be unable to determine or prescribe the tone or culture of each organization; they can only enforce the requirement to manage risk and, in particular, the monitoring and adjustments made according to that.
In the mega-institutions, however, this is not so straightforward. The problem is really one of governance and, in large organizations rife with internal politics, operating in numerous regulatory regimes and possibly being too big to fail, compliance efforts can easily get lost or overridden.
Regulatory enforcement update
As discussed here before (Monica Bonds, The convergence of anti-financial crime compliance, CFR 4Q/2013), the aspects of financial crime compliance are merging and the recent enforcement actions in the U.S. and Europe include all – anti-money laundering, anti-terrorist financing, anti-corruption and sanctions – along with fraud and misconduct. The level of fines is also increasing.
JPMorgan’s January settlement of $1.7 billion kicked off the year, with a deferred prosecution agreement following charges of failure to maintain an effective AML program, which facilitated the Madoff Ponzi scheme. As part of the agreement JPMorgan has to improve its AML program and co-operate with the authorities in the ongoing investigation. This was followed in May by the announcement that it would close 3,500 accounts of politically exposed persons to avoid the compliance costs associated with them.
The headline in the summer was BNP Paribas’ settlement of $8.9 billion for breach of Sudan sanctions.
Going back a number of years, when Bank of Tokyo Mitsubishi was facing regulatory attention regarding clients that may have been blacklisted, PwC was engaged to review transactions. In August this year, the firm was fined $25 million and given a two-year suspension as part of a settlement concerning findings that the reports had been sanitized before being sent to the regulators (see the article by Monique Melis, Preventing conflicts of interest, in this issue of the CFR).
Next, Standard Chartered, after already paying $667 million in fines, was recently fined a further $300 million and banned from processing dollar payments for approximately 300 “high-risk retail business clients” in Hong Kong, for failing to keep commitments made in 2012.
Lastly, Bank of America is to pay $16.65 billion over the next four years to settle fraud claims by federal and state enforcement agencies and regulators that relate back to the financial crisis of 2008, the largest civil settlement with a single entity in American history.
The age of the compliance officer?
In this new era, April 2014 saw a Financial Times report entitled “The Age of the Compliance Officer arrives.” It reported that HSBC and JPMorgan were each hiring an additional 3,000 compliance officers and that the push in enforcement actions was resulting in a shortage of compliance officers, hence the headline. But does that really make it the “Age of the Compliance Officer?” The article also reported that the average time spent in one firm by compliance officers was two years, creating a revolving-door problem.
Since the board is responsible for ensuring that a culture of compliance exists in the organization, its task means a lot more than hiring compliance staff and devising compliance procedures.
A recent survey of compliance officers from all financial services sectors in Cayman generated just sixteen responses, but almost all were senior (ten having more than 11 years’ experience), and on a number of points there was overwhelming consensus. Notably, half thought that COs should be approved by CIMA and also that COs should be given whistle-blower protection; interestingly, only three thought the role of the CO needed to be defined, and another three thought that the authority of the CO should be prescribed.
“Proper regulation and compliance significantly contribute to strong ethical business practices and give you a more reputable financial industry.” (Survey respondent)
Many regulators have defined the role of the compliance officer, but to date it is not clear how that will be tested. In many cases of enforcement, the board is seen as responsible for failings in compliance controls, and it may be a while before regulators start to direct the main penalties at compliance officers.
It is a hard enough job as it is.
In Bergen v Galvin [1] the role of the chief compliance officer was discussed, and it was stated that “a compliance director may be held responsible for failing to adequately supervise account executives if the compliance director has been given the responsibility to ensure that the firm adopts and enforces adequate supervisory and compliance procedures and fails to do so.” There was, however, no finding of failure established in that case, and the order was overturned by the court, largely because, according to the evidence, the CCO had been hired after the misconduct had ceased and he did not have the authority to fire brokers or branch managers or to direct their conduct. In an age of short-term hiring, often driven by identified problems that may not be made fully known to the new hire, the ability to sanction newly hired compliance officers may be limited.
In 2014, the U.S. Securities and Exchange Commission (SEC) gave a clear indication of when compliance officers might be in the firing line. It began in May 2014 with a speech by the SEC director of enforcement, who outlined the circumstances in which the SEC will seek sanctions against compliance personnel. Together with two recent SEC proceedings [2] demonstrating this approach in action, it appears that the SEC is bringing actions against compliance personnel when they were clearly responsible for the failure to adopt or implement adequate compliance programs, namely if:
- they actively participated in misconduct,
- they helped mislead regulators, or
- they have clear responsibility to implement compliance programs or policies and wholly failed to carry out that responsibility.
Of course, a distinction is needed between the expectations of compliance personnel, compliance officers and chief compliance officers. Both SEC cases related to CCOs who were part of the C-Suite [3], which addressed the SEC’s criterion that the person have responsibility, but more attention should be paid to whether they have the authority to act. A common theme is that the SEC expects CCOs and COs alike to be proactive in carrying out their duties and responsibilities under applicable regulatory laws and requirements, proactive in carrying out the functions assigned to them in their firm’s compliance policies and procedures, and, where they have knowledge of possible regulatory violations at their firms, proactive in investigating and reporting the potential or actual violations to members of their firms’ senior management.
The details of the BNP Paribas settlement have highlighted the conflicts and challenges COs face when their employer’s clients are highly profitable. The violations resulted in a split compliance team: some continued to warn of the risks the bank was taking, while others sided with the revenue interests of senior management. For a number of years prior to the sanctions, compliance staff had warned that the Sudan business raised red flags. Less than two months after the settlement, the bank announced that its top compliance officer, who had been with the bank for a whopping six years, was to retire; it was he, according to the Department of Justice, who had repeatedly dismissed compliance officers’ concerns.
It is perhaps not immaterial that the CO was also the chief operating officer, two roles that could easily conflict. Further, whilst all regulatory laws meeting international standards will have provision for the personal liability, including imprisonment, of board members and management for compliance failures, to date this has been little used, and until it is, even a chief compliance officer may find himself excluded from the C-Suite.
[1] 12 Mass L Rep 54 2000 (judicial review of the Securities regulator’s decision to fine a Chief Compliance Officer).
[2] Two SEC Orders against Chief Compliance Officers: Delaney of Penson Financial Services, Inc., May 19, 2014; and Meade of Private Capital Management Inc. (PCM), June 11, 2014.
[3] C-Suite refers to the group of decision makers in a company, e.g. the CEO, COO, CFO, CCO, CRO, CTO and Chief Internal Auditor.