Founder and CEO of Risk Smart Inc.
Compliance is now everyone's business because, for many firms, it covers financial crime, money laundering and cyber risk. That means compliance has to be offensive as well as defensive. Given this wider scope and responsibility, here are seven ways to run an effective compliance program:
Measuring the cost of compliance and the return on compliance investment builds the business case for a stronger, more robust compliance and ethics program. Benchmarking against your peers adds context to the metrics. Useful measures include:
Compliance fines/compliance costs (%)
Reputational risk incidence (high, medium, low)
Number of investigations and costs per remediation ($)
Risk compliance assessment completed (%)
Policies and procedures: revised/refreshed/rewritten (%)
Training programs completed (%) and post-training effectiveness surveys
Regulatory visits and associated costs ($)
Compliance Stakeholder Relationship Management (CSRM)
An effective compliance and ethics program depends heavily on relationships with both internal and external stakeholders, including regulators of all sorts. Third-party management will inevitably involve a range of stakeholders, including compliance, procurement, contracts and internal audit as a minimum, so coordination and consistent messaging are of paramount importance.
Larger companies face a growing compliance and ethics challenge: reaching, and influencing, every employee. As older generations retire and younger generations enter the workforce, the way you manage your compliance and ethics program, within your team and across the organization, must adapt. The workforce's changing needs, coupled with the industry's changing needs, add new layers of compliance and ethics work.
Reduce Compliance Fatigue
Compliance fatigue diminishes the impact of the program. Consider "branding" the compliance program as part of an exercise to raise its profile and re-engage employees.
Companies also face a dizzying array of overlapping voluntary and mandatory standards, such as ISO 19600, the international compliance management system standard. Decide which standards and qualifications the program needs to meet now and which it will need to meet in the future.
When regulators find gaps in an AML program, they do not want their findings given short shrift. They do not want to come back the next year and see that little, or nothing, was done to fix what examiners had already identified. The term "repeated" is a key one in enforcement actions throughout the year.
On the issue of compliance responses, several actions in 2016 made it clear that when compliance is not supported, all are affected. Some notable enforcement actions that embodied this trend included:
Raymond James: FINRA fined the institution $17 million and imposed a $25,000 individual penalty on its chief AML officer.
Agricultural Bank of China: NY DFS penalized the New York branch of this Chinese institution $215 million for willful violations of AML and sanctions regulations.
In October 2016, FinCEN's "Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime" represented the strongest push to date for collaboration between AML, fraud and cyber functions. The advisory called for greater teamwork between BSA/AML units and in-house cybersecurity units to identify suspicious activity. It also pushed for more sharing of information, including cyber-related information, among financial institutions to guard against and report money laundering, terrorist financing and cyber-enabled crime.
I cannot guarantee that these suggestions, taken together or individually, will improve effectiveness, but implementing them will go a long way toward sending the message that compliance is a strong and necessary partner for the organization in the best and worst of times.
John Thackeray is the founder and CEO of Risk Smart Inc., a consulting firm that specializes in writing risk documentation. Over his long career he has held many risk positions, including CRO posts at Societe Generale and Penson Worldwide Holdings, where he engaged directly with U.S. and European regulators.