Every company has its own culture, of course; but firms
should also recognize the need for maintaining a certain attitude and
commitment to compliance. In my own firm's client relationships, we continually
reinforce the importance of the Compliance Culture, both through our policy and
procedures documents, compliance management system reviews, quality assurance monitoring,
examination readiness, due diligence and audit engagements, and also through
our overall regulatory compliance support. The need to monitor a client’s
dedication to a Culture of Compliance is central to our mission.
Do federal and state regulatory agencies want their
supervised entities to adopt a Culture of Compliance? Most certainly! Within
minutes of a regulator entering a financial institution’s premises, the
Compliance Culture there presents itself. Even emails sent to regulators
may disclose a company’s Compliance Culture, as signatures that lack protective disclosure may be indicative of compliance defects. Regulators are used to looking at
actions and attitude, by-passing the words and smiling affirmations.
The most recent example of the regulator’s view comes to us
from the Financial Crimes Enforcement Network (FinCEN). On August 11,
2014, FinCEN published its “Advisory to U.S. Financial Institutions on
Promoting a Culture of Compliance” (“Advisory”).[i]
The Advisory is remarkable for its insights and recommendations. Although
predicated on actualizing BSA/AML requirements, the Advisory may be applied to
any regulatory compliance implementation.
FinCEN boldly declares at the very top of the Advisory:
“BSA/AML shortcomings have
triggered recent civil and criminal enforcement actions - FinCEN seeks to
highlight the importance of a strong culture of BSA/AML compliance for senior
management, leadership and owners of all financial institutions subject to
FinCEN’s regulations regardless of size or industry sector.”[ii]
The word “shortcomings” is the operative word in this
preamble. It is precisely in the area of shortcomings
that a Culture of Compliance may act as a safety net, preemptively catching
potential regulatory violations. As FinCEN states, “regardless of its size and
business model, a financial institution with a poor culture of compliance is
likely to have shortcomings in its BSA/AML program.”[iii]
For the words “BSA/AML” in the remainder of this article,
substitute any regulatory framework.
The message is the same!
Components of a Culture of Compliance
FinCEN suggests that a financial institution can strengthen
its BSA/AML Compliance Culture by ensuring that:
(1) Its leadership actively supports and understands compliance efforts;
(2) Efforts to manage and mitigate BSA/AML deficiencies and risks are not compromised by revenue interests;
(3) Relevant information from the various departments within the organization is shared with compliance staff to further BSA/AML efforts;
(4) The institution devotes adequate resources to its compliance function;
(5) The compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party; and
(6) Its leadership and staff understand the purpose of its BSA/AML efforts and how its reporting is used.[iv]
(My emphases.)
Let’s take in turn each of the components of a Culture of Compliance,
enumerated above, as a preeminent regulatory agency such as FinCEN
understands them.
Leadership Should Be Engaged[v]
FinCEN places the performance of regulatory compliance
requirements at the core of management’s responsibilities. The best way to
understand this core feature is by the term ‘leadership’ – which is like the
“Tone at the Top” concept used by accounting firms for many years.[vi]
Leadership includes the board of directors, senior and executive management,
owners and operators.
The leaders are “responsible for understanding an
institution’s responsibilities regarding compliance with the BSA and creating a
culture of compliance at that institution.”[vii]
The key is for the attitude and commitment of an organization’s leaders to be visible, because “such commitment
influences the attitudes of others within the organization.”[viii]
If there is no “demonstrable support” from the leadership
for the compliance program, it will not be effective. An example of demonstrable support would be where an institution’s
leaders receive periodic BSA/AML training that is “tailored to their roles,”[ix]
which should include an appropriate understanding of BSA/AML obligations and
compliance needs. In this way, the leadership may make informed decisions with
regard to the allocation of resources to the BSA/AML function. So, regarding
BSA/AML, the leaders of an organization should be informed of the state of BSA/AML
compliance within the institution, and, to broaden this point, they should also
be given regular updates of all pertinent matters handled by the compliance
department.
Compliance Should Not Be Compromised By Revenue Interests
It is FinCEN’s view that compliance staff should be “empowered
with sufficient authority and autonomy to implement an institution’s AML
program.”[x]
When it comes to compliance, don’t cut corners!
Specifically, “an institution’s interest in revenue should not compromise efforts
to effectively manage and mitigate BSA/AML deficiencies and risks.” In
actuality, the BSA/AML compliance function should work independently, in order
to “take any appropriate actions to address and mitigate any risks that
may arise from an institution’s business line and to file any necessary reports.”[xi]
If compliance staff is compromised by the loss of autonomy, the data provided
to management may be inaccurate or unreliable. Furthermore, removing autonomy
from the compliance department may lead to significant failures in compliance
implementation throughout a company.