A Culture of Compliance…sure we have that.  That’s what everyone says.  But do you really? It’s not just about talking the talk, but walking the walk too.  Maybe you have strong policies and procedures documenting all the necessary parts of your compliance program, but how are those carried out and embodied by your employees and management?  Reviewing the culture of compliance, determining how involved senior management is in the program and the message they send to the rest of the company about compliance has always been a priority for regulators and auditors.  In 2016, those priorities have been no different. For example, US financial regulator the Financial Industry Regulatory Authority (FINRA) and UK regulator the Financial Conduct Authority (FCA) have listed them as part of their 2016 top priorities for examination and enforcement.

Failures here can have real consequences. In 2012 authorities found that systematical funds were being sent to sanctioned parties and countries through a major global bank. Authorities also uncovered that enormous amounts of criminal proceeds were being laundered through that same institution. The result was $1.9 billion in forfeiture and fines as well as a court-appointed monitor that remains today.  More recently, over five thousand employees of another major global bank opened two million fraudulent accounts. This resulted in hundreds of millions of dollars in fines, governmental scrutiny, and criminal and civil investigations. Beyond the legal and regulatory ramifications, both of these were public relations nightmares.

WHAT DOES A CULTURE OF COMPLIANCE MEAN?

In an Anti-Money Laundering (AML) or Sanctions compliance program, employee training and senior management involvement are required parts of the program and represent a good starting point in developing a culture of compliance. To be done right, they need to be more than check the box exercises and instead have a meaningful and effective impact.

Employee Training:

Some things to consider in creating an effective employee training.

1. Refresh the training yearly. Regulations change, risks change and banks change. If you rely on the same training year after year, it goes stale, becomes repetitive, is ultimately less relevant and useful to preparing an employee for the ways in which AML or sanctions compliance may be a part of their day to day.
2. Test Knowledge. Most people don’t like tests, but the point of the test is to make sure that someone was paying attention and absorbing at least some of the knowledge.  If your training does not have a knowledge check at the end, then people will blindly click through the training as fast as possible. 
3. Provide Customized supplemental training by role. Yes, this creates more work for those developing the training, but the same AML and sanctions training should not be given to a customer service rep as is given to a back office operations analyst.  The ways in which AML or sanctions will manifest in an employee’s day to day are completely different based on role and supplemental training should reflect this.  

Senior Management Involvement:

Some things to consider in ensuring that senior management is properly involved:

1. Effective Board Reporting. Yes, you want to give the Board of Directors detailed information about the status of the program, etc. but it should not just be an information dump.  Highlight particular program risks in the data (e.g., increase in SAR filings, influx of new customers, resourcing issues, etc.), inform them of upcoming regulation changes, and involve them in decision making.
2. Clear Escalation Channels to Senior Management. Employees need to know how to escalate potential issues with a program and how those issues are handled by middle and senior management. Additionally, once an issue is raised, management should follow up with an employee to ensure them that the issue was considered and resolved. If employees know that their voices will be heard, it demonstrates to them that the senior management values them and the compliance program they are a part of.

While those are two major areas in which a Culture of Compliance can be nurtured, there are other ways to show the importance of compliance at your institution:

Accountability

Hold responsible those employees, even senior management, who don’t keep the compliance standards of the company. By giving passes on compliance violations, it erodes the importance of compliance.

Promotion of good values

Promote and reward employees in part based on adhering the compliance policies of the institution. If they know career advancement depends on it, they know it is important.

Clear messaging

Messaging from the senior management is consistent with messaging from the middle management. If senior management is touting the importance of compliance while the managers on the ground are ignoring it or downplaying it, the culture is suffering. The reverse is also true.  If the on the ground employees voice compliance concerns that fall on the deaf ears of senior management, then people stop reporting compliance problems.

Relationship between the business, compliance, and internal audit

Another central piece of developing a strong culture of compliance is establishing a strong relationship between the business, compliance, and internal audit. Does the business view compliance and internal audit as partners or roadblocks?  This is central to supporting the three lines of defense model.  The first line is the business, compliance is the second line, and audit is the third line.  They all work together to the same goal – a successful business that is compliant with the law. If compliance or audit do not have a strong voice at your institution or don’t have a seat at the decision making table, it shows to them and all other employees that compliance is not valued. 

Proper Resources and Technology

A compliance program is only as good as the people and technology that supports it. If employees feel that the program is adequately staffed and they have the right technology to do their jobs, then this demonstrates to them that their work is important. If instead, they are constantly over-worked and using legacy systems that make their work manual and repetitive, they will feel that their work is not valued.

WHY IS THIS IMPORTANT?

What happens if you don’t have a culture of compliance?  On a granular level, employees won’t participate in supporting the compliance program.  For example, customer facing employees are the first line of defense against financial crime and one of the best sources of AML investigations through reports of unusual activity that they may see. If employees don’t take the compliance program seriously or aren’t trained in its importance, they will be less likely to enforce requirements when customers ask for exceptions and will be less likely to report unusual activity when they see it. This has a direct influence on the compliance success of your business.

SO WHAT SHOULD YOU DO?

Start taking proactive steps to implement some of the above suggestions and permeate a culture of compliance throughout your organization - don’t wait for internal audit or regulators to identify the problems. Take a hard look at your training, senior management’s involvement and messaging with your compliance programs, and ensure your policies promote a culture of compliance. Make sure your compliance professionals have the right technologies at their disposal to do their job. Start to make changes where you need to. Regulators are looking at this and you don’t want to be the next news headline.