Every company has its own culture, of course; but firms
should also recognize the need to maintain a certain attitude and
commitment to compliance. In my own firm's client relationships, we continually
reinforce the importance of the Compliance Culture, both through our policy and
procedures documents, compliance management system reviews, quality assurance monitoring,
examination readiness, due diligence and audit engagements, and also through
our overall regulatory compliance support. Monitoring a client's
dedication to a Culture of Compliance is central to our mission.
Do federal and state regulatory agencies want their
supervised entities to adopt a Culture of Compliance? Most certainly! Within
minutes of a regulator entering a financial institution’s premises, the
Compliance Culture there presents itself. Even emails sent to regulators
may disclose a company's Compliance Culture, since signatures that lack the required protective disclosures may indicate compliance defects. Regulators are used to looking at
actions and attitude, bypassing the words and smiling affirmations.
The most recent example of the regulator's view comes to us
from the Financial Crimes Enforcement Network (FinCEN). On August 11,
2014, FinCEN issued its "Advisory
to U.S. Financial Institutions on Promoting a Culture of Compliance"
("Advisory").[i]
The Advisory is remarkable for its insights and recommendations. Although
predicated on actualizing BSA/AML requirements, the Advisory may be applied to
any regulatory compliance implementation.
FinCEN boldly declares at the very top of the Advisory:
“BSA/AML shortcomings have
triggered recent civil and criminal enforcement actions - FinCEN seeks to
highlight the importance of a strong culture of BSA/AML compliance for senior
management, leadership and owners of all financial institutions subject to
FinCEN’s regulations regardless of size or industry sector.”[ii]
The word "shortcomings" is the operative word in this
preamble. It is precisely in the area of shortcomings
that a Culture of Compliance may act as a safety net, catching
potential regulatory violations before they occur. As FinCEN states, "regardless of its size and
business model, a financial institution with a poor culture of compliance is
likely to have shortcomings in its BSA/AML program.”[iii]
For the words “BSA/AML” in the remainder of this article,
substitute any regulatory framework.
The message is the same!
Components of a Culture of Compliance
FinCEN suggests that a financial institution can strengthen
its BSA/AML Compliance Culture by ensuring that:
(1) Its leadership actively supports and understands compliance efforts;
(2) Efforts to manage and mitigate
BSA/AML deficiencies and risks are not
compromised by revenue interests;
(3) Relevant information from the various departments within the organization is
shared with compliance staff to further BSA/AML efforts;
(4) The institution devotes adequate resources to its compliance
function;
(5) The compliance program is effective by, among other things, ensuring
that it is tested by an independent and competent party; and
(6) Its leadership and staff
understand the purpose of its BSA/AML
efforts and how its reporting is used.[iv]
(My emphases.)
Let's take each of the components enumerated above, which show how a preeminent
regulatory agency such as FinCEN understands a Culture of
Compliance.
Leadership Should Be Engaged[v]
FinCEN places the performance of regulatory compliance
requirements at the core of management's responsibilities. The best way to
understand this core feature is through the term 'leadership' – which resembles the
"Tone at the Top" concept that accounting firms have used for many years.[vi]
Leadership includes the board of directors, senior and executive management,
owners and operators.
The leaders are “responsible for understanding an
institution’s responsibilities regarding compliance with the BSA and creating a
culture of compliance at that institution.”[vii]
The attitude and commitment of an organization's leaders must be visible, because "such commitment
influences the attitudes of others within the organization."[viii]
Without "demonstrable support" from the leadership,
the compliance program will not be effective. One example of demonstrable support is an institution's
leaders receiving periodic BSA/AML training that is "tailored to their roles,"[ix]
which should include an appropriate understanding of BSA/AML obligations and
compliance needs. In this way, the leadership can make informed decisions
regarding the allocation of resources to the BSA/AML function. So, regarding
BSA/AML, the leaders of an organization should be informed of the state of BSA/AML
compliance within the institution, and, to broaden this point, they should also
receive regular updates on all pertinent matters handled by the compliance
department.
Compliance Should Not Be Compromised By Revenue Interests
It is FinCEN’s view that compliance staff should be “empowered
with sufficient authority and autonomy to implement an institution’s AML
program.”[x]
When it comes to compliance, don’t cut corners!
Specifically, "an institution's interest in revenue should not compromise efforts
to effectively manage and mitigate BSA/AML deficiencies and risks." In
practice, the BSA/AML compliance function should work independently, in order
to "take any appropriate actions to address and mitigate any risks that
may arise from an institution's business line and to file any necessary reports."[xi]
If compliance staff lose their autonomy, the data provided
to management may be inaccurate or unreliable. Furthermore, removing autonomy
from the compliance department may lead to significant failures in compliance
implementation throughout a company.
Information Should Be Shared Throughout the Organization
Compliance-specific information must be shared
with the compliance staff. FinCEN mentions several recent enforcement actions where
the subject institution had "relevant information in its possession that was
not made available to BSA/AML compliance staff."[xii]
In FinCEN's view, these incidents may have resulted from at least three
failures: (1) a "lack of an appropriate mechanism for sharing information;" (2)
a "lack of appreciation of the significance or relevance of the information to
BSA/AML compliance;" or (3) an "intentional decision to prevent compliance
officers or staff from having access to the information."[xiii]
Various departments within a financial
institution hold information that may be useful to, and should be shared with, the compliance staff. As
an example, FinCEN notes that:
"Information developed by those in
the organization combating and preventing fraud could also assist a financial
institution in complying with its BSA/AML obligations. Similarly, legal departments
should alert compliance departments to subpoenas received from government
agencies to trigger reviews of related customers' risk ratings and account
activity for suspicious transactions. Additionally, in a larger organization
there may be multiple affiliated institutions that could benefit from sharing
of relevant information across the organization."[xiv]
FinCEN offers a note of caution that applies to BSA/AML, but
really applies also to implementing virtually all regulatory compliance
requirements in a financial institution:
However the "information is
derived, it should be provided to the compliance staff to assist in conducting
customer due diligence and monitoring customers for suspicious
activity."[xv]
(My emphases.)
Broadly, that is, whether the due
diligence involves a customer, affiliate, lender, broker, or a correspondent
relationship, or the monitoring covers the foregoing as well as third-party service providers,
employees, or any activity controlled by regulations and rules, the relevant information must flow to the compliance staff, and due diligence and monitoring must be conducted under their auspices.
Leadership Should Provide Adequate Human and Technological Resources
A required element of any BSA/AML compliance program is the
designation of an individual responsible for coordinating and monitoring
day-to-day compliance with the BSA. Many companies call this individual the BSA
Officer or the AML Officer. Just as the AML Officer should be
knowledgeable of the BSA guidelines and have sufficient authority to administer
the program, each regulatory compliance requirement demands
appropriate implementation by a particular person who accepts this
responsibility, whether called a Compliance Manager, a Compliance Officer,
a VP/Compliance, and so forth. The key, according to FinCEN, is that a
compliance program can only be fully effective if, in its words, an "institution should devote
appropriate support staff" based on its risk profile.[xvi]
The failure of an institution's leaders to devote sufficient
staff to the compliance function causes what I have called the "cascade effect"
– a chain of incidents, beginning with the first failure, that cascades into
another failure, and thence to still others.
Here is FinCEN's worthwhile observation:
“Devoting insufficient staff or
other resources to this [compliance] function may result in alerts not being
reasonably designed to capture appropriate risks or being dismissed improperly,
or create a backlog of alerts that may result in the untimely reporting of suspicious
activity.”[xvii]
Appropriate technological resources should also be allocated
to the compliance function. For FinCEN, this means that institutions with
higher risk profiles, including those with substantially higher volumes of
activity, “may need to utilize automated systems for identifying and monitoring
suspicious activity.”[xviii]
The Program Should Be Effective and Tested By an Independent and Competent Party
Obviously, from FinCEN's point of view, the financial
institution should expect leadership involvement that is "commensurate"
with its BSA/AML risk exposure. As intimated above, in the first component,
appropriate leadership leads to an effective compliance management system.
Indeed, although FinCEN's mandate concerns
an effective BSA/AML compliance program, its advice regarding testing centers
on the very same features found in any regulatory compliance
management system, such as "a proper ongoing risk assessment, sound
risk-based customer due diligence,"[xix]
appropriate detection and reporting, as well as independent testing.
While recognizing that all the components of an effective
compliance program are important,
FinCEN stresses the independence that any compliance testing program
must establish. Corrective actions, where needed, should flow from the test.
A financial institution's leadership should ensure that the party
testing the program (whether internal or external) is independent, qualified,
unbiased, and does not have conflicting business interests that may influence
the outcome of the compliance program test.
Our firm provides a written statement that there are no
conflicts of interest preventing us from conducting the engagement for which we
have been retained and, indeed, we include our actual method for resolving any
perceived conflicts of interest during the course of an engagement. Financial
institutions should seek similar provisions in their relationships with
independent compliance support firms.
Leadership and Staff Should Understand How Their BSA Reports are Used
Ultimately, there needs to be a viable metric, a set of
measurements, guiding compliance decisions and corrective actions. This is the
critical role of reports. Various reports are among the very
first documents requested by regulators prior to an examination. During
an examination, the absence of key reports reflects poorly on management and
demonstrates a failure of leadership, and in some cases may itself violate
reporting requirements imposed by statutory mandates.
FinCEN has the emphasis on reports exactly right, where it
states:
“Leadership and staff at all levels
in a financial institution should understand that they are not simply
generating reports for the sake of compliance, but rather recognize the purpose
that BSA reports serve and how the information is used.”[xx]
Reporting, of course, is not unique to BSA/AML. FinCEN
believes that “reporting and the transparency that financial institutions
provide under FinCEN’s regulations result in some of the most important
information available to law enforcement and others safeguarding the nation.”[xxi]
Whether reports are used in the fight against serious
threats from terrorist organizations, rogue nations, foreign corruption and,
increasingly, some cyber-related threats, or against transnational criminal
organizations engaged in drug trafficking and massive fraud schemes, or whether reports
are used to inform management regarding the quality of loan performance and
servicing, to provide insights into fair lending initiatives, or to determine the
effectiveness of systemic compliance requirements – whatever the case, reports
are central to a viable compliance management system.
Conclusion
Having reviewed the components of a Culture of Compliance
from FinCEN's vantage point, we can certainly expect a
similar understanding from the Consumer Financial Protection Bureau, the
federal agencies and prudential regulators, and state banking departments. Establishing
a Compliance Culture is really not negotiable: regulators will be looking to
see just how seriously management sets the tone at the top and how management
effectuates the appropriate attitude and commitment toward compliance
throughout an organization.
President & Managing Director
Lenders Compliance Group
[i] Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance, FIN-2014-A007, August 11, 2014
[ii] Idem.
[iii] Idem.
[iv] Idem. Exact text.
[v] Section headings of the components in a Culture of Compliance will be those given in the Advisory.
[vi] The concept is also rooted in the Sarbanes–Oxley Act of 2002, where it refers to internal financial controls.
[vii] Op. cit. note i, p. 2
[viii] Ibid.
[ix] Ibid.
[x] Ibid.
[xi] Ibid.
[xii] Op. cit. note i, p. 3
[xiii] Ibid.
[xiv] Ibid.
[xv] Ibid.
[xvi] Ibid.
[xvii] Op. cit. note i, p. 4
[xviii] Ibid.
[xix] Ibid.
[xx] Op. cit. note i, p. 5
[xxi] Ibid.