The MLRO Compliance Questions from Hell

29 August 2018

Bachir El Nakib, Senior Consultant, Compliance Alert (LLC)

For those working in the AML/CFT, Compliance and Risk arenas, reading long consultation and policy statements has become a way of life, although perhaps not the highlight. Both regulators and central government seem to have generated huge volumes of reading matter in recent weeks. This is not necessarily a bad thing, but more cooperation and dialogue between those who generate all this new documentation might not go amiss. 

What is a Culture of Compliance?

Merriam-Webster defines "culture" as "a particular society that has its own beliefs and ways of life." Culture is like the air we breathe: it's all around and within us, and is largely invisible. It is a way of thinking, behaving, or working that exists in every organization, and can influence our judgement and affect how we attach meaning. 

Regardless of its size or business model, a financial institution with a poor culture of compliance is likely to have shortcomings in its compliance program. For financial institutions, it is therefore important to have a "culture of compliance" that informs the perspective of everyone in the institution. Given today's volume and complexity of regulation, it takes the entire organization to meet its regulatory obligations.

When regulatory compliance was a strictly technical field with regulator tolerance for low error rates, this system worked well enough. But as principle-based laws and regulations become increasingly common and regulators' tolerance for error hovers close to zero, there is no way for the current system to adequately protect the bank. Compliance efforts will not succeed until business leaders spearhead the pursuit of regulatory excellence.

Another major problem is that bank culture has traditionally devalued compliance efforts. While banks do take regulations seriously and try to comply with them, this work is often regarded as secondary to the real business of banking. Rewards and incentives for business leaders are not linked to their product lines' regulatory performance; compliance officers have historically clocked in at the low end of the pay scale. Compensation for business line executives should be linked to quality and consumer outcomes, not just sales revenues. Compliance executives should be compensated like the professionals they are by measuring the results of the operations under their control.

Before directors can establish a positive culture to effectively oversee consumer compliance risks, they must first identify and clearly understand those risks. Examiners consider this process when they evaluate an organization's board of directors. The current volatile environment, from both a regulatory and an economic perspective, makes it challenging for directors to accomplish this mission. The regulatory environment is experiencing an unprecedented period of change, while the current economic climate is also pressuring banks to become more creative in product offerings as a means to generate additional earnings. Adopting and offering more complex products and services, of course, increases the organization's compliance risk. Additionally, the supervisory or audit process may uncover areas of potential weakness within functions that were believed sound from a compliance standpoint.

Regulators are often asked how directors should approach overseeing consumer compliance in their organization. There is clearly no single correct answer to this question. However, when faced with a new regulatory concern, directors should work with their compliance management and consider asking the following questions:

  • What? — What is this regulation/guidance? What is the change? Why was it adopted?
  • Impact? — What is the impact for our institution? What products does it affect? Do we require system upgrades? What is the difficulty of this new/changed regulation? What is the risk of noncompliance?
  • Cost? — What is the estimated cost of compliance? Training? Systems? Forms?
  • Plan? — What is management's plan for implementing and monitoring compliance?

These suggested questions are only a starting point and do not guarantee insulation from adverse examination findings. They can, however, provide the foundation for the types of discussion that address the root of various compliance risks and stimulate the type of interaction seen in an engaged "top down" compliance management program.

Regardless of its size and business model, a financial institution with a poor culture of compliance is likely to have shortcomings in its BSA/AML program. A financial institution can strengthen its BSA/AML compliance culture by ensuring that:

(1) its leadership actively supports and understands compliance efforts;

(2) efforts to manage and mitigate AML/CFT deficiencies and risks are not compromised by revenue interests;

(3) relevant information from the various departments within the organization is shared with compliance staff to further AML/CFT efforts;

(4) the institution devotes adequate resources to its compliance function;

(5) the compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party; and

(6) its leadership and staff understand the purpose of its AML efforts and how its reporting is used.

The insider threat today is not just about the security of your enterprise’s data. It’s also about knowing that your organization has developed the right policies and procedures to prevent inadvertent disclosures or blatant misuse of corporate computer resources from becoming a hole filled with legal quicksand.

Today’s regulatory environment is such that the stars are perfectly aligned for an example to be made of somebody—a company or government agency. And whoever the unfortunate soul is who sits atop the corporate chain of command at that time, he or she will wish they had taken the time to answer the following ten questions and implement the appropriate changes in their organization.

Effective ethics and compliance within an organization require senior management involvement, organization-wide commitment, an effective communications strategy and an ongoing monitoring system. The following questions will assist board members in assessing whether elements of an ethical culture and an effective compliance program are in place at their company.

10 Questions and more to Consider...

- Does the tone at the top, as demonstrated by the behavior of senior management, convey to every employee that ethics and compliance are vital to sustained business success? Does the organization’s culture support making ethical decisions and complying with rules and regulations? Has the board considered how executive compensation aligns with the desired ethics and compliance culture?

- Does the organization support the ethical culture and compliance program through training and communication? Is the organization complying with the Federal Sentencing Guidelines with respect to conducting effective training programs with appropriate-level executives?

- What is the process for assessing ethics and compliance risks within the organization? Has the company performed an inventory of compliance-related risks and prioritized those risks appropriately? Have they updated their policies, procedures and internal controls to address emerging risks (e.g., cyber risk, anti-corruption)?

- How are the current ethics and compliance programs structured? Do they cover the organization’s global operations, as well as subcontractors, business partners and vendors? Do they address the high-priority areas? Has the company ever had the compliance function benchmarked against its peers?

- Does the organization have an ethics and compliance officer? Is a senior executive with adequate time, financial resources and board access in charge of the program? Are there dedicated, full-time resources?

- Does the code of ethics/conduct include statements regarding responsibilities to employees, shareholders, suppliers, customers and the community at large? Is the code distributed to all relevant parties, including the board of directors, employees, management and vendors?

- Is there an effective process in place that allows employees, as well as any business partners, to raise ethics and compliance issues, in good faith, without fear of retaliation? Is there an anonymous reporting channel?
  - Who fields the issues raised, and who follows up?
  - Are all of the organization’s employees aware of this process?
  - What communication channels are used to inform all employees of the process?
  - Are audit committee members or the audit chair named as an additional channel for employees to raise issues?

- Does a reporting and monitoring process keep the board of directors informed of key ethics and compliance issues, as well as the actions taken to address them?
  - Are ethics and compliance issues a regular item on the board agenda?

- What type of ongoing monitoring and auditing processes are in place to assess the effectiveness of the program?
  - Are the code of ethics and the compliance program reviewed at least annually by senior management to determine whether they need updating due to business, legal or regulatory changes?
  - Does internal audit conduct reviews?
  - Has the organization ever performed a cultural assessment? Has the program been reviewed by outside consultants/experts for possible improvement?

- Does the organization regularly and systematically scrutinize the sources of compliance failures and react appropriately?
  - Does management take action on reports?
  - Does the board react appropriately to ethics or compliance failures that involve members of management?
  - Are employees appropriately and consistently disciplined?

Source: Deloitte, "Ethics and Compliance Programs: Questions Boards May Want to Ask"