17 July 2018
Thomas Hook


Thomas Hook - Pegasystems Inc.


Culture of Compliance - Do You Walk the Walk?

25 October 2016

A Culture of Compliance…sure we have that.  That’s what everyone says.  But do you really? It’s not just about talking the talk, but walking the walk too.  Maybe you have strong policies and procedures documenting all the necessary parts of your compliance program, but how are those carried out and embodied by your employees and management?  Reviewing the culture of compliance, determining how involved senior management is in the program and the message they send to the rest of the company about compliance has always been a priority for regulators and auditors.  In 2016, those priorities have been no different. For example, US financial regulator the Financial Industry Regulatory Authority (FINRA) and UK regulator the Financial Conduct Authority (FCA) have listed them as part of their 2016 top priorities for examination and enforcement.

Failures here can have real consequences. In 2012 authorities found that funds were systematically being sent to sanctioned parties and countries through a major global bank. Authorities also uncovered that enormous amounts of criminal proceeds were being laundered through that same institution. The result was $1.9 billion in forfeiture and fines as well as a court-appointed monitor that remains today.  More recently, over five thousand employees of another major global bank opened two million fraudulent accounts. This resulted in hundreds of millions of dollars in fines, governmental scrutiny, and criminal and civil investigations. Beyond the legal and regulatory ramifications, both of these were public relations nightmares.


In an Anti-Money Laundering (AML) or Sanctions compliance program, employee training and senior management involvement are required parts of the program and represent a good starting point in developing a culture of compliance. To be done right, they need to be more than check-the-box exercises and instead have a meaningful and effective impact.

Employee Training:

Some things to consider in creating effective employee training:

  1. Refresh the training yearly. Regulations change, risks change and banks change. If you rely on the same training year after year, it goes stale, becomes repetitive, and is ultimately less relevant and less useful in preparing an employee for the ways in which AML or sanctions compliance may be a part of their day to day.
  2. Test Knowledge. Most people don’t like tests, but the point of the test is to make sure that someone was paying attention and absorbing at least some of the knowledge.  If your training does not have a knowledge check at the end, then people will blindly click through the training as fast as possible. 
  3. Provide Customized supplemental training by role. Yes, this creates more work for those developing the training, but the same AML and sanctions training should not be given to a customer service rep as is given to a back office operations analyst.  The ways in which AML or sanctions will manifest in an employee’s day to day are completely different based on role and supplemental training should reflect this.  

Senior Management Involvement:

Some things to consider in ensuring that senior management is properly involved:

  1. Effective Board Reporting. Yes, you want to give the Board of Directors detailed information about the status of the program, etc. but it should not just be an information dump.  Highlight particular program risks in the data (e.g., increase in SAR filings, influx of new customers, resourcing issues, etc.), inform them of upcoming regulation changes, and involve them in decision making.
  2. Clear Escalation Channels to Senior Management. Employees need to know how to escalate potential issues with a program and how those issues are handled by middle and senior management. Additionally, once an issue is raised, management should follow up with an employee to assure them that the issue was considered and resolved. If employees know that their voices will be heard, it demonstrates to them that senior management values them and the compliance program they are a part of.

While those are two major areas in which a Culture of Compliance can be nurtured, there are other ways to show the importance of compliance at your institution:


Hold responsible those employees, even senior management, who don’t keep the compliance standards of the company. Giving passes on compliance violations erodes the importance of compliance.

Promotion of good values

Promote and reward employees in part based on adhering to the compliance policies of the institution. If they know career advancement depends on it, they know it is important.

Clear messaging

Messaging from senior management should be consistent with messaging from middle management. If senior management is touting the importance of compliance while the managers on the ground are ignoring it or downplaying it, the culture is suffering. The reverse is also true.  If on-the-ground employees voice compliance concerns that fall on the deaf ears of senior management, then people stop reporting compliance problems.

Relationship between the business, compliance, and internal audit

Another central piece of developing a strong culture of compliance is establishing a strong relationship between the business, compliance, and internal audit. Does the business view compliance and internal audit as partners or roadblocks?  This is central to supporting the three lines of defense model.  The first line is the business, compliance is the second line, and audit is the third line.  They all work together toward the same goal – a successful business that is compliant with the law. If compliance or audit do not have a strong voice at your institution or don’t have a seat at the decision-making table, it shows them and all other employees that compliance is not valued.

Proper Resources and Technology

A compliance program is only as good as the people and technology that support it. If employees feel that the program is adequately staffed and they have the right technology to do their jobs, then this demonstrates to them that their work is important. If instead they are constantly overworked and using legacy systems that make their work manual and repetitive, they will feel that their work is not valued.


What happens if you don’t have a culture of compliance?  On a granular level, employees won’t participate in supporting the compliance program.  For example, customer facing employees are the first line of defense against financial crime and one of the best sources of AML investigations through reports of unusual activity that they may see. If employees don’t take the compliance program seriously or aren’t trained in its importance, they will be less likely to enforce requirements when customers ask for exceptions and will be less likely to report unusual activity when they see it. This has a direct influence on the compliance success of your business.


Start taking proactive steps to implement some of the above suggestions and permeate a culture of compliance throughout your organization - don’t wait for internal audit or regulators to identify the problems. Take a hard look at your training, senior management’s involvement and messaging with your compliance programs, and ensure your policies promote a culture of compliance. Make sure your compliance professionals have the right technologies at their disposal to do their job. Start to make changes where you need to. Regulators are looking at this and you don’t want to be the next news headline.

