Wednesday, August 13, 2014

Culture of Compliance: FinCEN’s View

I have been promoting the concept of a Culture of Compliance (“Compliance Culture”) for some time. Indeed, I have written rather extensively about it and lectured on the subject. As recently as February 2014, I published a full-length article entitled “Creating a Culture of Compliance.” That article covers most of the need-to-know information for establishing a Compliance Culture.

Every company has its own culture, of course; but firms should also recognize the need for maintaining a certain attitude and commitment to compliance. In my own firm's client relationships, we continually reinforce the importance of the Compliance Culture, both through our policy and procedures documents, compliance management system reviews, quality assurance monitoring, examination readiness, due diligence and audit engagements, and also through our overall regulatory compliance support. The need to monitor a client’s dedication to a Culture of Compliance is central to our mission.

Do federal and state regulatory agencies want their supervised entities to adopt a Culture of Compliance? Most certainly! Within minutes of a regulator entering a financial institution’s premises, the Compliance Culture there presents itself. Even emails sent to regulators may disclose a company’s Compliance Culture: signatures that lack the required protective disclosures may be indicative of compliance defects. Regulators are used to looking at actions and attitude, bypassing the words and smiling affirmations.

The most recent example of the regulator’s view comes to us from the Financial Crimes Enforcement Network (FinCEN). On August 11, 2014, FinCEN published its “Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance” (“Advisory”).[i] The Advisory is remarkable for its insights and recommendations. Although predicated on actualizing BSA/AML requirements, the Advisory may be applied to any regulatory compliance implementation.

FinCEN boldly declares at the very top of the Advisory:

“BSA/AML shortcomings have triggered recent civil and criminal enforcement actions - FinCEN seeks to highlight the importance of a strong culture of BSA/AML compliance for senior management, leadership and owners of all financial institutions subject to FinCEN’s regulations regardless of size or industry sector.”[ii]

The word “shortcomings” is the operative word in this preamble. It is precisely in the area of shortcomings that a Culture of Compliance may act as a safety net, preemptively catching potential regulatory violations. As FinCEN states, “regardless of its size and business model, a financial institution with a poor culture of compliance is likely to have shortcomings in its BSA/AML program.”[iii]

For the words “BSA/AML” in the remainder of this article, substitute any regulatory framework.

The message is the same!

Components of a Culture of Compliance

FinCEN suggests that a financial institution can strengthen its BSA/AML Compliance Culture by ensuring that:

(1) Its leadership actively supports and understands compliance efforts;
(2) Efforts to manage and mitigate BSA/AML deficiencies and risks are not compromised by revenue interests;
(3) Relevant information from the various departments within the organization is shared with compliance staff to further BSA/AML efforts;
(4) The institution devotes adequate resources to its compliance function;
(5) The compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party; and
(6) Its leadership and staff understand the purpose of its BSA/AML efforts and how its reporting is used.[iv] (My emphases.)

Let’s take each of the components enumerated above, as a preeminent regulatory agency such as FinCEN understands them.

Leadership Should Be Engaged[v]

FinCEN places the performance of regulatory compliance requirements at the core of management’s responsibilities. The best way to understand this core feature is by the term ‘leadership’ – which is like the “Tone at the Top” concept used by accounting firms for many years.[vi] Leadership includes the board of directors, senior and executive management, owners and operators.

The leaders are “responsible for understanding an institution’s responsibilities regarding compliance with the BSA and creating a culture of compliance at that institution.”[vii] The key to the attitude and commitment of an organization’s leaders is to be visible, because “such commitment influences the attitudes of others within the organization.”[viii]

If there is no “demonstrable support” from the leadership for the compliance program, it will not be effective. An example of demonstrable support would be where an institution’s leaders receive periodic BSA/AML training that is “tailored to their roles,”[ix] which should include an appropriate understanding of BSA/AML obligations and compliance needs. In this way, the leadership may make informed decisions with regard to the allocation of resources to the BSA/AML function. So, regarding BSA/AML, the leaders of an organization should be informed of the state of BSA/AML compliance within the institution; to broaden the point, they should also be given regular updates on all pertinent matters handled by the compliance department.

Compliance Should Not Be Compromised By Revenue Interests

It is FinCEN’s view that compliance staff should be “empowered with sufficient authority and autonomy to implement an institution’s AML program.”[x]

When it comes to compliance, don’t cut corners! Specifically, “an institution’s interest in revenue should not compromise efforts to effectively manage and mitigate BSA/AML deficiencies and risks.” In actuality, the BSA/AML compliance function should work independently, in order to take “any appropriate actions to address and mitigate any risks that may arise from an institution’s business line and to file any necessary reports.”[xi] If compliance staff are compromised by a loss of autonomy, the data provided to management may be inaccurate or unreliable. Furthermore, removing autonomy from the compliance department may lead to significant failures in compliance implementation throughout a company.

Information Should Be Shared Throughout the Organization

It is necessary to share compliance-specific information with the compliance staff. FinCEN mentions several recent enforcement actions where the subject institution had “relevant information in its possession that was not made available to BSA/AML compliance staff.”[xii] In FinCEN’s view, these incidents may have resulted from at least three failures: (1) a “lack of an appropriate mechanism for sharing information;” (2) a “lack of appreciation of the significance or relevance of the information to BSA/AML compliance;” or (3) an “intentional decision to prevent compliance officers or staff from having access to the information.”[xiii]

There is information in various departments within a financial institution that may be useful and should be shared with the compliance staff. As an example, FinCEN notes that:

“Information developed by those in the organization combating and preventing fraud could also assist a financial institution in complying with its BSA/AML obligations. Similarly, legal departments should alert compliance departments to subpoenas issued by government agencies to trigger reviews of related customers’ risk ratings and account activity for suspicious transactions. Additionally, in a larger organization there may be multiple affiliated institutions that could benefit from sharing of relevant information across the organization.”[xiv]

FinCEN offers a note of caution that applies to BSA/AML, but really applies also to implementing virtually all regulatory compliance requirements in a financial institution:

However the “information is derived, it should be provided to the compliance staff to assist in conducting customer due diligence and monitoring customers for suspicious activity.”[xv] (My emphases.)

Broadly, then, whatever the relevant information concerns (a customer, affiliate, lender, broker, or correspondent relationship; the monitoring of any of those parties, of third-party service providers, or of employees; or any other activity governed by regulations and rules), the due diligence and monitoring must be conducted under the auspices of the compliance staff.

Leadership Should Provide Adequate Human and Technological Resources

A required element of any BSA/AML compliance program is the designation of an individual responsible for coordinating and monitoring day-to-day compliance with the BSA. Many companies call this individual the BSA Officer or the AML Officer. Just as the AML Officer should be knowledgeable of the BSA requirements and have sufficient authority to administer the program, each regulatory compliance requirement demands appropriate implementation by a particular person who accepts that responsibility, whether called a Compliance Manager, a Compliance Officer, a VP/Compliance, and so forth. The key, according to FinCEN, is that a compliance program can only be fully effective if the “institution should devote appropriate support staff” to it based on its risk profile.[xvi]

The failure of an institution’s leaders to devote sufficient staff to the compliance function causes what I have called the “cascade effect”: a chain of incidents, beginning with the first failure, that cascades into another failure, and thence into others.

Here is FinCEN’s worthwhile observation:

“Devoting insufficient staff or other resources to this [compliance] function may result in alerts not being reasonably designed to capture appropriate risks or being dismissed improperly, or create a backlog of alerts that may result in the untimely reporting of suspicious activity.”[xvii]

Appropriate technological resources should also be allocated to the compliance function. For FinCEN, this means that institutions with higher risk profiles, including those with substantially higher volumes of activity, “may need to utilize automated systems for identifying and monitoring suspicious activity.”[xviii]

The Program Should Be Effective and Tested By an Independent and Competent Party

Obviously, from FinCEN’s point of view, the financial institution should expect the kind of involvement of the leadership that is “commensurate” with BSA/AML risk exposure. As intimated above, in the first component, appropriate leadership leads to an effective compliance management system.

Indeed, although FinCEN’s mandate concerns an effective BSA/AML compliance program, its advice regarding testing centers on the very same features that any regulatory compliance management system requires, such as “a proper ongoing risk assessment, sound risk-based customer due diligence,”[xix] appropriate detection and reporting, as well as independent testing.

While recognizing that all the components of an effective compliance program are important, FinCEN stresses the independence that any compliance testing program must establish. From the test should flow corrective actions, if needed. A financial institution’s leadership should ensure that the party testing the program (whether internal or external) is independent, qualified, unbiased, and does not have conflicting business interests that may influence the outcome of the compliance program test.

Our firm provides a written statement that there are no conflicts of interest preventing us from conducting the engagement for which we have been retained and, indeed, we include our actual method to resolve any perceived conflicts of interest during the course of an engagement. Financial institutions should seek similar provisions in their relationships with independent, compliance support firms.

Leadership and Staff Should Understand How Their BSA Reports are Used

Ultimately, there needs to be a viable metric, a set of measurements, guiding compliance decisions and corrective actions. This is the critical role of reports. Reports are among the very first documents regulators request prior to an examination. During an examination, the absence of key reports reflects poorly on management and demonstrates a failure of leadership, and in some cases it constitutes a violation of reporting requirements imposed by statutory mandate.

FinCEN has the emphasis on reports exactly right, where it states:

“Leadership and staff at all levels in a financial institution should understand that they are not simply generating reports for the sake of compliance, but rather recognize the purpose that BSA reports serve and how the information is used.”[xx]

Reporting, of course, is not unique to BSA/AML. FinCEN believes that “reporting and the transparency that financial institutions provide under FinCEN’s regulations result in some of the most important information available to law enforcement and others safeguarding the nation.”[xxi]

Whether reports are used in the fight against serious threats from terrorist organizations, rogue nations, foreign corruption and, increasingly, some cyber-related threats, or against transnational criminal organizations, such as drug trafficking and massive fraud schemes, or reports are used to inform management regarding the quality of loan performance and servicing, or provide insights into fair lending initiatives, or determine the effectiveness of systemic compliance requirements – whatever the case, reports are central to a viable compliance management system.


Having reviewed the components of a Culture of Compliance from FinCEN’s vantage point, it is certainly the case that we can expect a similar understanding from the Consumer Financial Protection Bureau, the federal agencies and prudential regulators, and state banking departments. Establishing a Compliance Culture is really not negotiable: regulators will be looking to see just how seriously management sets the tone at the top and how management effectuates the appropriate attitude and commitment toward compliance throughout an organization.

President & Managing Director
Lenders Compliance Group

[i] Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance, FIN-2014-A007, August 11, 2014
[ii] Idem.
[iii] Idem.
[iv] Idem. Exact text.
[v] Section headings of the components in a Culture of Compliance will be those given in the Advisory.
[vi] The concept is also rooted in the Sarbanes–Oxley Act of 2002, where it refers to internal financial controls.
[vii] Op. cit. 1, p 2
[viii] Ibid.
[ix] Ibid.
[x] Ibid.
[xi] Ibid.
[xii] Op. cit. 1, p 3
[xiii] Ibid.
[xiv] Ibid.
[xv] Ibid.
[xvi] Ibid.
[xvii] Op. cit. 1, p 4
[xviii] Ibid.
[xix] Ibid.
[xx] Op. cit. 1, p 5
[xxi] Ibid.