Overexposed and Overworked: How Financial Crime Compliance Professionals Can Lead Change Toward a More Sustainable Approach to Compliance
From FinCEN and FINRA in the U.S., to the Financial Conduct Authority and its predecessor in the UK, the push to hold individuals—not just companies—accountable for corporate wrongdoing is gaining traction. Financial crime compliance (FCC) professionals (including know-your-customer (KYC) and anti-money laundering (AML) compliance professionals) are now finding themselves in regulatory crosshairs. Never before has it been more imperative that compliance officers find a way to navigate their organizations and drive change for a more sustainable compliance function. They bear the heavy responsibility of protecting the organization from facilitating financial crime and other corporate wrongdoing—while meeting the financial demands of their Boards and shareholders—and now they have the added burden of protecting themselves from liability. Technological advances are here and on the cusp of transforming financial crime compliance: addressing inefficiencies, providing consistent and reliable flags for risk, and creating a decision-making audit trail. They just need to be adopted and implemented. So how can compliance professionals better defend themselves from liability while helping their organization leap forward with the RegTech advances now at their disposal?
The Recent Case Against MoneyGram’s Chief Compliance Officer
On May 4, 2017, Thomas E. Haider, the former Chief Compliance Officer (CCO) of MoneyGram International, Inc. (one of the largest money-transfer companies in the world) reached a settlement with FinCEN and the DOJ after he was held personally responsible for MoneyGram’s AML failures. Under the settlement, Haider paid a $250,000 penalty (reduced from an original $1-million assessment) and received a three-year ban from working as a compliance officer for a money transmitter.
The case began in December 2014 when FinCEN issued the assessment against Haider on the grounds that MoneyGram, under his watch, failed to implement an effective AML program. Haider had been presented with information that “strongly indicated” certain MoneyGram agents and outlets were complicit in consumer fraud schemes (a fact to which he admitted in his settlement). Despite his power to overrule objections by the company’s sales personnel and impose a stricter disciplinary policy, which would have severed the company’s affiliation with those problematic (albeit profitable) agents and outlets, the CCO rejected or ignored multiple proposals to that effect. Roughly one year later, in federal court, a district judge denied Haider’s motion to dismiss the civil complaint arising from FinCEN’s enforcement action. The judge’s decision affirmed that, in the U.S., a compliance officer responsible for the development and oversight of an AML program can be personally liable for his or her employer’s Bank Secrecy Act violations.
Sign of the Times—Individual Liability for Compliance Officers
The MoneyGram case is, in some ways, a sign of the times. Over the past decade, outrage over Wall Street’s perceived excesses, coupled with the role that financial institutions played in the Great Recession, have led to a robust response from prosecutors and regulators. Corporate entities have largely borne the brunt of this increased scrutiny, with no shortage of enforcement actions and settlements routinely eclipsing the billion-dollar mark. But a drumbeat has long sounded for extending liability to bankers and corporate officers within those institutions. In the AML context, this sentiment is increasingly manifesting in actions taken against individual compliance professionals—with Haider’s fate representing the highest-profile example so far.
This movement toward individual liability is attributable, at least in part, to an evolving view of compliance’s proper role in banks and other financial institutions. To that point, a modern risk-management system typically consists of three lines of defense: operational or business management in the first line; compliance and certain other corporate center control functions in the second; and internal audit in the third. As a key component of the second line of defense, compliance has to identify, assess, escalate, and mitigate legal and regulatory risks, among other types of risk. Since the financial crisis, regulators have called for enlarging the scope of compliance’s function—that is, for compliance to assume a more integrated, holistic, and even business management-type role. Regulatory leaders thus speak of the need for compliance to be “embedded” in the business process, “at the table” when strategic decisions are made and new products developed, and viewed as a “partner” in the business—not simply as a support function or cost center.
Many in the financial industry have found this trend troubling—namely, compliance professionals exposed to penalties, fines, and other sanctions for AML-related violations—with no shortage of articles and practitioner-oriented alerts on the subject. Some in the field even describe it as feeling like they have a “target on their back.” Few would argue that compliance officers should be immune from the consequences of deliberate or egregious wrongdoing, such as intentionally misleading regulators or wholly neglecting their duties. But liberally subjecting compliance professionals to individual liability can have serious, unintended negative consequences for the financial services industry: seasoned compliance officers fearing strict personal and legal liability may seek employment in less exposed financial services positions, or leave the industry altogether, reducing the experience and skill level of the financial services compliance community.
1. Actual vs. Presumed Authority
Punishing a CCO or AML Officer for the failings of their program can be unfair. In spite of regulators’ push for compliance professionals to assume greater responsibility in financial institutions, the reality is that businesses often still perceive and treat compliance as a support function or cost center. As a result, calls for vague new boundaries for compliance’s role—to ask the tough questions, to prevent misconduct—are frequently not commensurate with compliance’s actual authority.
Even under ideal conditions, limits necessarily exist as to what compliance can accomplish. Compliance officers can design supervisory systems, conduct trainings, and run tests, but ultimately the business owns the risks associated with its activities. Only a firm’s business managers—as in, those who actually undertake and own the company’s risks—can ensure particular results or outcomes, and thus prevent misconduct. The point is that while compliance officers should do their best to leave no stone unturned, so to speak, personal liability should normally be reserved for those who actually place the stones.
2. Organizational Culture Is Already Strained
Overexposing compliance officers to liability can also be at odds with regulators’ oft-proclaimed goal of integrating the compliance function into a firm’s culture. Such integration, after all, requires a relationship of trust and communication between business and compliance—a relationship that is already quite tenuous within many large banks and financial institutions. In that regard, massive bank settlements have hardly gone unnoticed in corporate boardrooms. Aiming to get ahead of the risk, many institutions now conduct internal investigations at the first hint of trouble, often hiring outside counsel to interview current and former compliance officers to assess, in a nutshell, who knew what and when. More than ever before, compliance professionals are thus finding themselves in a defensive posture, alienated from management within their own companies. The specter of corporate finger pointing—if not regulators and lawmakers eventually poring through a compliance department’s internal emails—is all too real.
3. Don’t Send FCC Professionals Running
In this already strained environment, liberally sanctioning compliance officers can only make matters worse. Placed in the untenable position of worrying about costly and potentially career-jeopardizing sanctions, compliance officers may do one of two things—neither of which is positive. First, in an effort to minimize their exposure to liability, they may go out of their way not to get involved—that is to say, turn away from the most serious issues and challenges facing their companies. As former SEC Commissioner Daniel M. Gallagher put it, regulators should be “encouraging” compliance professionals “to run towards problems, not away from them, and should not threaten them with liability for trying to be part of the solution.”
Second, compliance officers may also become increasingly reactionary, turning down even reasonable requests or proposals from the business. Faced with a defensive and overly conservative compliance department, trust and communication between business and compliance will inevitably erode. The upshot will be a chilling effect in which the business increasingly excludes compliance from its decision-making and, even more troublingly, begins to hide the firm’s risks. The financial regulatory regime depends on the healthy integration of compliance into an institution’s everyday decision-making; this is a recipe for just the opposite.
These factors, considered in the aggregate, pose yet another real danger: scaring qualified compliance professionals out of the field. If compliance officers fear that regulators—years after the fact and with the benefit of 20/20 hindsight—are eager to second-guess their decisions and judgments made in real time, even the most dedicated professionals may soon begin asking themselves: is this job worth the risk?
The Way Forward: Leading Change Toward a Sustainable Compliance Program that Protects Both the Organization and the Individual
1. Delineate Compliance’s Role from that of a Company’s Business
The business owns the risks associated with its activities, and is therefore responsible for developing an organization’s compliance risk appetite: a clear articulation of the customers, activities, and geographies for which the organization is prepared to accept the risks, and those for which it is not. The compliance function is responsible for maintaining the organization’s business within the parameters of its risk appetite. A CCO can minimize liability by ensuring that the firm’s governance structure, particularly policies and procedures, clearly designates responsibility for the supervision of business functions and staff to business-line personnel.
Policies and procedures should limit compliance’s mandate to the core functions of a sustainable compliance program:
governance development (policies and procedures);
awareness and training;
quality assurance and independent testing;
monitoring, surveillance, and screening; and
reporting, recordkeeping, and other such roles.
Furthermore, the onus must be on the business—the first line of risk management that takes and owns a firm’s risks—to disclose its risk-taking, and not to place obstacles in compliance’s path.
With that in mind, steps can be taken to help delineate compliance’s role from that of a company’s business, better positioning compliance to reject improperly designated authority and thus lessen its exposure to potential liability. One such measure is to adopt a mission statement that enumerates the goals of the company’s compliance function and the means by which those goals will be achieved. Also, if a compliance officer sits on a corporate committee or board, he or she should consider doing so ex officio—without voting rights—to reduce the officer’s exercise of managerial or supervisory authority. And if authority is going to be delegated to compliance, it must be delegated clearly, explicitly, and conditioned on a commensurate delegation of business input and resources.
2. Oversee and Test AML Policies and Procedures
Particular areas exist in which compliance professionals should always exercise heightened awareness. Compliance should not only closely oversee the implementation of AML policies and procedures, but also routinely test them to verify their continuing efficacy. Compliance should also ensure that AML policies and procedures are tailored to the specific nature of the business in question, especially those involving high-risk activities. Compliance officers are sanctioned for adopting generic or boilerplate written guidance that does not correspond to the actual risks facing the aspect of the business at issue. One size certainly does not fit all.
3. Document Decisions Early and Often
Stepping back, compliance professionals should not check their common sense at the door. Any decision that reasonably gives one pause should be documented early and often. This includes not only compliance-related decisions, but also the procedures that have been implemented to make those decisions. Likewise, compliance practitioners would do well to ensure that detailed minutes are taken at all corporate meetings. And if any portion of the compliance function has been outsourced, the third party must be audited; the financial institution and its CCO are still responsible for the underlying risk. Problems or issues should always be escalated internally through the established protocols.
4. Use Better Tools to Improve Accuracy, Efficiency, and Auditability
Refashioning a compliance program with business-efficiency tools and methodologies that promote sustainability, including technology-driven processes that are repeatable, auditable, and not highly manual, should also be a priority. Using advanced technology for managing complex compliance business processes—such as risk assessments, alert handling and investigations, and customer due diligence research—can increase a compliance program’s operational effectiveness while decreasing the likelihood that its compliance officers will face reputational and even legal peril.
Risk assessments are a case in point: they allow an organization to better understand its financial crime risk exposure and the strength of its control framework, and thus to stay ahead of its most serious AML vulnerabilities. Using web-based applications for conducting and administering risk assessments, instead of relying on antiquated manual spreadsheets, allows companies to manage risk exposure and controls effectively, efficiently, and with a higher degree of accuracy and auditability.
Automated risk analytics technologies offer more efficient processes as well. They quickly learn about search subjects and, unlike human researchers, can review thousands of sources to identify, evaluate, and rate risk within a fraction of the time necessary for a manual search.
Such products leverage machine learning and natural language processing to employ the same cognitive processes a due diligence researcher would use to discount content that is a duplicate or false positive. The result is technology that enables more thorough research in a fraction of the time while maintaining an auditable track record of search results.
5. Reduce Human Error in Decision-Making with Technology
Advances in AI-based solutions can help reduce human error in decision-making across the compliance function. Automated risk analytics leverage machine learning and artificial intelligence to gather insights that a human, with inherent biases, may miss. Insights gleaned from these quantitative methods protect against human error and can be integrated seamlessly into an efficient, consistent, and repeatable process.
The advantages of taking a quantitative, analytics-based approach go beyond finding hidden insights. Machine-learning technology eliminates human error. With respect to employee turnover, it drastically reduces the risks and virtually erases the associated time and resources. It is for all these reasons that regulators increasingly expect financial institutions and large corporations to leverage risk analytics for addressing key compliance challenges.
6. A Harmonized Approach to Developing, Enforcing, and Policing Metrics that Fosters a Culture of Compliance
Advances in cognitive computing may be the key to moving discrete culture indicators out of gray areas and into black-and-white clarity. In conducting surveillance, for example, cognitive computing can identify early indicators and patterns of misconduct across various internal data streams, including email, chat, calls, and HR systems, providing a set of metrics around controls violations or misconduct found, escalated, and resolved. Regulators examine these early indicators and smaller behaviors as the best markers for culture—because culture is characterized by a pattern of behaviors.
7. A Voice with the COO of the Organization
Bridging the concerns of the COO to reduce compliance costs overall, with the concerns of the compliance professionals in the regulatory hot seat, can be tricky. The COO wants to get a handle on the spiraling compliance costs of the organization. The compliance officer, meanwhile, just wants to do his or her job in a way that protects both the officer and the organization from liability, while working more efficiently and effectively (and within reasonable work hours). RegTech solutions may not initially reduce costs—or jobs. In this era of personal liability for CCOs, COOs must remember that the first consideration is to help compliance professionals work more efficiently, effectively, accurately, and safely—creating better workflow and easier audit trails for regulators. The cost savings will come. The technologies are here now and compliance officers need to educate themselves. Implementing change isn’t easy, of course, so it’s crucial that RegTech solution providers understand the systems of the organization as well. In the end, compliance officers deserve to have what they need to do their jobs effectively and safely. They need to ask loudly and bring the COO to the table for these new technology discussions.
* * *
These are risky times for financial crime compliance professionals in all industries, but particularly the heavily regulated financial industry. Despite sound reasons for regulators to show restraint and narrowly limit any further extension of individual liability to compliance officers, the trend will likely only intensify. With that said, firms and their compliance officers have ways to limit exposure, from common sense measures like testing the efficacy of policies and procedures to harnessing technological advances that are transforming compliance into a more sustainable function—removing inefficient processes, providing consistent and reliable flags for risk, and creating a decision-making audit trail.
Don’t be afraid to ask for more resources—but don’t throw more bodies at the problem. The people you have are probably the right ones, but they are most likely handling too much and are tired. The pace at which they’ve been asked to work over the past year (or two) is unsustainable and starting to show. Provide them with better tools so that they can perform their jobs more efficiently. Gaining efficiencies is music to everyone’s ears, but especially to your COO. Faced with trouble gaining support for technology solutions to streamline your work, your first call should be to the COO. Your next call may be to your family . . . to let them know that you can finally take a vacation and hopefully, without having to spend your days worrying about personal liability!