Building a culture of compliance

Should a financial institution be held fully responsible for unknowingly supporting terrorist financing when their compliance program is up to date?

The answer to this question, which was posted on a LinkedIn anti-money laundering blog, would seem obvious: a robust, proactive compliance program should serve as a shield against civil or criminal enforcement actions. But it does not. BNP Paribas, which had a robust compliance program, last year paid nearly nine billion dollars in criminal and civil penalties. In a suit brought under the Anti-Terrorism Act, Arab Bank PLC’s compliance program was not even admissible as a defense to a civil action. So, the answer to this question is clear: an up-to-date compliance program does not shield a financial institution from liability.

For too long, the compliance industry has viewed the failure of compliance programs as an aberration from the norm. It may be that the compliance program culture itself is a key part of the failure. Money launderers, particularly those who are creative, understand the compliance industry well. Whenever a gap in a compliance program is exposed, the solution has been to come up with another rule or regulation to make sure that the same mistake does not occur in the future. Meanwhile, the sophisticated money launderer has moved on to the next area of vulnerability. The problem is not with compliance programs; the problem is the belief that a compliance program by itself can eliminate money laundering.

Five Components

The solution to the problem can be found in a recent advisory issued by the Financial Crimes Enforcement Network (FinCEN), which calls for a “culture of compliance” as opposed to a mere compliance program. The culture of compliance should be thought of as having five components: an educational program; a compliance program; a risk management-based approach to transactions; an independent investigative regime; and a program for resolving issues that arise.

Nearly all institutions provide some level of training to their key employees concerning money laundering. All too often, however, this “training” consists of telling employees how to fill out a form and little more, leaving it for the Compliance Department to review and analyze the form. This results in the belief that anti-money laundering is a “compliance” issue and not an issue for other employees at the institution. Most of the issues that arise, however, will involve other departments, and the employees with the most intimate knowledge of the clients or the transactions are those who currently receive the least training. All employees need to be trained to identify potential money laundering situations.

A compliance program is designed to comply with the myriad of federal, state and international statutes and regulations, as well as international conventions. The Money Laundering Control Act, the Bank Secrecy Act, the USA PATRIOT Act and multiple amendments to these acts set forth the statutory framework for anti-money laundering compliance. A variety of agencies have adopted regulations governing financial institutions under their jurisdictions, and most of these agencies have published manuals concerning anti-money laundering compliance. The goal of any compliance program is to assimilate all of the various regulations from all of the various regulatory agencies to create rules, regulations and procedures for the institution.

Unfortunately, there is an interesting phenomenon that develops when a company has a strict compliance program. Frequently, the stricter a compliance program, the more likely it is that other departments within the organization will avoid the compliance department. When the company attempts to remedy this problem by making the compliance program even stricter, the result is frequently to further isolate the compliance department. Eventually, the company may end up with a near perfect compliance program, but it is of little use to the company because all other departments avoid it.

A risk management-based analysis involves an examination of the client and/or the transaction to determine the ultimate source of the funds at issue. It may involve an examination of an individual’s background, connections, criminal history or other relevant factors to determine the likely source of the funds. In many cases it will involve tracing the funds through multiple transactions in an effort to determine their ultimate source. The analysis is risk-based, because, in many circumstances, it will not be possible to determine with 100% certainty the source of the funds. In many cases, the actual risk involved will be insignificant. Ultimately, it will be for management to determine what level of risk is acceptable.

The FinCEN Advisory recommends that “the institution devotes adequate resources to its compliance function” and that “the compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party.” One way to demonstrate that adequate resources are being devoted to BSA/AML compliance programs is to use outside experts to review potentially problematic customers or transactions and to test compliance programs to ensure that they are actually identifying and eliminating money laundering. An ongoing investigative regime offers a way to not only monitor but sharpen the compliance program an institution has in place.

Knowing the Customer

The concept of an “internal investigation” has gained wide acceptance with corporations in much of the world. All too often, the internal investigation arises after an allegation of wrongdoing has arisen. It is suggested that investigations be undertaken more frequently with a focus on uncovering potentially illegal or unethical activities. One of the major principles underlying banking is for the banker to know his or her customer – something that is easier said than done. A customer may appear to be an upstanding citizen with a completely legitimate business; however, most sophisticated money launderers appear to be upstanding citizens with legitimate businesses. On the other hand, certain individuals from certain Latin American or Middle Eastern countries may have completely legitimate businesses, but, because of geographic location, may be considered to be too suspect. An external investigation is the best way to determine if there is an issue or not.

There are a number of other benefits to an independent investigative regime. First, it identifies facts that decision makers can use for a variety of purposes unrelated to money laundering or criminal activity. It allows the decision makers to have access to a third-party review of customers and transactions to determine if a transaction is really as profitable as it may appear at first. In the event a problem is discovered, even if there has been no criminal activity, it allows the institution to solidify its “good faith” and gives it the potential to resolve civil liability more favorably than might otherwise be possible. It also gives the institution the opportunity to publicly disclose what it has discovered, together with the corrective action undertaken, in a controlled manner that is less likely to damage the institution.

Regardless of how tight an anti-money laundering regime is, there is always a possibility that a violation of the law may occur. Not every violation of government guidance or policy is going to give rise to a violation of the law and not every violation of the law is going to be actionable. Before deciding what to do, it is necessary to determine exactly what happened and how it happened. There may be a significant lapse in protocol but no violation of the law. It may be that certain regulations were violated but that the questionable transaction does not actually involve money laundering. Or it may be that a compliance program was in place and the institution was in compliance with all regulations but, nevertheless, the institution has actually assisted the laundering of money for drug dealers or assisted in the financing of terrorism.

There will be a number of important decisions institutions will have to make. They will have to decide whether to self-report or not, although for publicly traded entities, there is really no choice, since violations must be disclosed to the Securities and Exchange Commission. There are also questions of when, how and where to report a violation. Before making any of these decisions, it is important to know exactly what happened and to mitigate, if possible, any damage that was done.

Moving from a compliance program approach to anti-money laundering to a culture of compliance will not be easy. It involves changes not only to the institution’s internal compliance structure but also to the way compliance is viewed within the organization. However, change is necessary if an institution is to avoid complicity in money laundering.

Mr. Boyle is a partner with Philadelphia-based Fox Rothschild, practicing in the firm’s Washington, D.C. office, and a member of the White Collar Compliance & Defense Practice Group.