Wednesday, August 13, 2014

Culture of Compliance: FinCEN’s View

I have been promoting the concept of a Culture of Compliance (“Compliance Culture”) for some time. Indeed, I have written rather extensively about it and lectured on the subject. As recently as February 2014, I published a full-length article entitled “Creating a Culture of Compliance.” This article covers most of the need-to-know information to establish a Compliance Culture.

Every company has its own culture, of course; but firms should also recognize the need for maintaining a certain attitude and commitment to compliance. In my own firm's client relationships, we continually reinforce the importance of the Compliance Culture, both through our policy and procedures documents, compliance management system reviews, quality assurance monitoring, examination readiness, due diligence and audit engagements, and also through our overall regulatory compliance support. The need to monitor a client’s dedication to a Culture of Compliance is central to our mission.

Do federal and state regulatory agencies want their supervised entities to adopt a Culture of Compliance? Most certainly! Within minutes of a regulator entering a financial institution’s premises, the Compliance Culture there presents itself. Even emails sent to regulators may disclose a company’s Compliance Culture, as signatures that lack protective disclosure may be indicative of compliance defects. Regulators are used to looking at actions and attitude, bypassing the words and smiling affirmations.

The most recent example of the regulator’s view comes to us from the Financial Crimes Enforcement Network (FinCEN). On August 11, 2014, FinCEN published its “Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance” (“Advisory”).[i] The Advisory is remarkable for its insights and recommendations. Although predicated on actualizing BSA/AML requirements, the Advisory may be applied to any regulatory compliance implementation.

FinCEN boldly declares at the very top of the Advisory:

“BSA/AML shortcomings have triggered recent civil and criminal enforcement actions - FinCEN seeks to highlight the importance of a strong culture of BSA/AML compliance for senior management, leadership and owners of all financial institutions subject to FinCEN’s regulations regardless of size or industry sector.”[ii]

The word “shortcomings” is the operative word in this preamble. It is precisely in the area of shortcomings that a Culture of Compliance may act as a safety net, preemptively catching potential regulatory violations. As FinCEN states, “regardless of its size and business model, a financial institution with a poor culture of compliance is likely to have shortcomings in its BSA/AML program.”[iii]

For the words “BSA/AML” in the remainder of this article, substitute any regulatory framework.

The message is the same!

Components of a Culture of Compliance

FinCEN suggests that a financial institution can strengthen its BSA/AML Compliance Culture by ensuring that:

(1) Its leadership actively supports and understands compliance efforts;
(2) Efforts to manage and mitigate BSA/AML deficiencies and risks are not compromised by revenue interests;
(3) Relevant information from the various departments within the organization is shared with compliance staff to further BSA/AML efforts;
(4) The institution devotes adequate resources to its compliance function;
(5) The compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party; and
(6) Its leadership and staff understand the purpose of its BSA/AML efforts and how its reporting is used.[iv] (My emphases.)

Let’s take, one by one, each of the components of a Culture of Compliance enumerated above, as understood by a preeminent regulatory agency such as FinCEN.

Leadership Should Be Engaged[v]

FinCEN places the performance of regulatory compliance requirements at the core of management’s responsibilities. The best way to understand this core feature is by the term ‘leadership’ – which is like the “Tone at the Top” concept used by accounting firms for many years.[vi] Leadership includes the board of directors, senior and executive management, owners and operators.

The leaders are “responsible for understanding an institution’s responsibilities regarding compliance with the BSA and creating a culture of compliance at that institution.”[vii] The key to the attitude and commitment of an organization’s leaders is to be visible, because “such commitment influences the attitudes of others within the organization.”[viii]

If there is no “demonstrable support” from the leadership for the compliance program, it will not be effective. An example of demonstrable support would be where an institution’s leaders receive periodic BSA/AML training that is “tailored to their roles,”[ix] which should include an appropriate understanding of BSA/AML obligations and compliance needs. In this way, the leadership may make informed decisions with regard to the allocation of resources to the BSA/AML function. So, regarding BSA/AML, the leaders of an organization should be informed of the state of BSA/AML compliance within the institution, and, to broaden this point, they should also be given regular updates of all pertinent matters handled by the compliance department.

Compliance Should Not Be Compromised By Revenue Interests

It is FinCEN’s view that compliance staff should be “empowered with sufficient authority and autonomy to implement an institution’s AML program.”[x]

When it comes to compliance, don’t cut corners! Specifically, “an institution’s interest in revenue should not compromise efforts to effectively manage and mitigate BSA/AML deficiencies and risks.” In actuality, the BSA/AML compliance function should work independently, in order to “take any appropriate actions to address and mitigate any risks that may arise from an institution’s business line and to file any necessary reports.”[xi] If compliance staff is compromised by the loss of autonomy, the data provided to management may be inaccurate or unreliable. Furthermore, removing autonomy from the compliance department may lead to significant failures in compliance implementation throughout a company.