October 13, 2020
By: Deepa Keswani, Director of Compliance Advisory, The Mizen Group*
How does one foster a culture of compliance? It helps to start by looking back at the turn of the century, following 9/11, when compliance became a critical function due to the urgent emphasis placed on it by the regulators. Banks were pressured to improve compliance processes and up their game in terms of knowing their customers, transaction monitoring, and sanctions screening. Enforcement actions, which regulators had already used as a stick, became the primary means by which they drove their point home.
Although banks have taken action to improve their processes, concerns remain that mainly surface issues continue to be addressed and that, as soon as the regulator's pressure is off, compliance once again takes a backseat.
Supervisory authorities have concluded that the root of these compliance failures is reflected in the compliance culture of the organization. Without a proper compliance culture, companies and financial institutions are not really analyzing the root causes of their compliance failures.
What is a Culture of Compliance?
At its most fundamental level, a culture of compliance refers to an environment that fosters adherence to laws, rules and regulations. A truly compliant culture involves adherence not just to the letter but also the spirit of the law; an environment where people comply with internal policies and procedures not only because they have to but also because they want to and believe it is the right thing to do.
Deloitte’s paper entitled “Corporate Culture: The second ingredient in a world-class ethics and compliance program” goes further to state that ethics is at the core of any compliance culture; one that combines people, process and technology effectively to build a strong risk management program.
In other words, a culture of compliance can be described as: the acknowledgement and adoption of relevant laws, regulations and policies where individual and organizational decision-making and actions are tied to ethical behavior.
Why is a Culture of Compliance Important?
Fostering the culture of compliance is important because a firm with a thriving compliance culture is a successful, proactive, and effective organization. Simply put: good compliance is good business. To quote former Deputy Attorney General Rod Rosenstein, “When a company creates and fosters a culture of compliance, it creates value.” He goes further to emphasize that compliance should not be treated as separate and distinct from other business goals and that “a culture of compliance must be fully integrated into the firm’s corporate culture”.
Moreover, examining the culture of compliance is especially appropriate today given the current COVID-19 health crisis. Changing work behaviors with remote working can lead to weaker oversight, less robust controls, less effective communication, and reduced adherence to policies and procedures. Regulators are becoming increasingly wary of how work from home can undo the positive reinforcement of a healthy compliance culture, which depends on relationships between employees and employers. Speaking recently to Reuters, Megan Butler, executive director for wholesale supervision at the FCA, said of these relationships, “The longer working from home goes on, the more they are at risk of breaking down (…) it’s in those areas where I think there is still more to do”.
How Can a Compliance Culture Be Achieved?
Culture is too nebulous a concept to be monitored by regulations. Regulators have stayed away from a rules-based, or even principles-based, approach to culture, but have made their stance known with advisories, speeches, and enforcement actions. As such, banks have to step up and think of ways to address the “culture issue” in a way that not only satisfies regulatory expectations but also fulfills their own.
More often than not, institutions rely on HR departments’ annual reviews that generally only gauge management performance or individual satisfaction, with only a cursory view of regulatory concerns, if at all. These reviews do not, however, provide information on the performance of the organization with respect to culture.
In order to understand the culture in the workplace and gauge whether it is compliant, it is important to probe the environment beyond value or mission statements. According to William Dudley, former President and CEO of the New York Fed during the June 2018 Governance and Culture Reform Workshop: “independent surveys could help eliminate bias and identify patterns of behavior across the industry with higher quality information”. Independent, anonymized surveys assist in understanding employee perceptions and offer valuable insight into their thinking and a sense of the problem areas within the bank, if any. What do they think of compliance? How do they perceive their environment? Are they aligned with each other’s views? Are they in sync with the professed values of the institution?
Tips on Promoting the Culture of Compliance
FinCEN’s August 2014 Advisory on Promoting a Culture of Compliance remains one of the few written advisories in the U.S. that reflects supervisory thinking on the topic and offers some practical ways to achieve it. Among them are:
- The Role of Management: The Advisory emphasizes how leadership should engage in compliance, receive AML training, and understand compliance efforts. Their commitment should be visible to all as it influences the attitudes of others within the institution. Importantly, they should make it clear that revenue interests should not compromise compliance efforts.
- Compliance Resources: Compliance departments should have the independence and authority to perform their roles with adequate resources (financial, technological, human) to do so.
- Independent Testing: FinCEN also highlights independent testing by competent, skilled staff, and recognition at all levels that BSA/AML efforts matter and how reporting is used.
A 2019 speech by FinCEN deputy director, Jamal El-Hindi, at the US-MENA Private Sector Dialog reiterated the practical aspects of the 2014 guidance, adding a conceptual understanding of what underpins a culture of compliance: individuals knowing that they can make a difference; the notion of “if you see something, say something,” recognizing that the workplace offers accountability and protections; and the broader concepts of ensuring a system of checks and balances, showing respect for the rule of law but, at the same time, having the ability and confidence to question authority.
As a sanctions compliance officer, it might not be a bad idea to review whether your company promotes what OFAC refers to as a “culture of compliance”.
In May 2019, OFAC released its “Framework for Compliance Commitments,” which confirmed that senior management’s commitment to, and support of, an organization’s risk-based sanctions compliance program is one of the most important factors in determining its success.
This support is essential in ensuring the program receives adequate resources, and it helps legitimize the program, empower its personnel, and foster a “culture of compliance” throughout the organization.
According to OFAC, the effort of promoting a “culture of compliance” could generally be measured by the following criteria:
- The ability of personnel to report sanctions-related misconduct by the organization or its personnel to senior management without fear of reprisal;
- Senior management messages and actions that discourage misconduct and prohibited activities, and highlight the potential repercussions of non-compliance with OFAC sanctions; and
- The ability of the sanctions compliance program to have oversight over the actions of the entire organization, including but not limited to senior management, for the purposes of compliance with OFAC sanctions.
On September 24, 2020, 16 months after the Framework was issued, OFAC started to incorporate these criteria into determinations by mentioning the words “culture of compliance” for the first time in an enforcement action.
The case in question was a settlement agreement with Keysight Technologies, Inc., a California-based test measurement equipment company. The company agreed to pay $473,157 to settle its potential civil liability for reexports of U.S. export-controlled test measurement equipment to Iran through a former Finnish subsidiary “Anite”. Anite had business with Iran prior to its acquisition by Keysight in August 2015. After Keysight’s acquisition of Anite, and after Keysight implemented its policy to restrict sales to Iran, Anite employees nonetheless continued sales to Iran and obfuscated such sales from Keysight.
In the Enforcement Release, in a section called “Compliance Considerations,” OFAC states that, as part of a risk-based approach, U.S. persons are encouraged to assess the sanctions risk associated with newly acquired foreign subsidiaries and ensure that those subsidiaries adopt and maintain the compliance controls necessary to mitigate that risk. This may include appropriately integrating newly acquired foreign subsidiaries into an organization’s sanctions compliance program and “promoting a culture of compliance” across the organization.
The Culture of Compliance – Looking Ahead
The future of the banking industry lies in its response to the digital transformation that has overtaken the financial services world. Failure in this transformation for many institutions is simply not an option. Placing a healthy compliance culture at the center of the innovation path makes such institutions well positioned for a revolutionary, next-gen triumph.
*Deepa Keswani is a Director of Compliance Advisory at the Mizen Group. She provides quality advice on compliance management for AML, sanctions, and other related areas.