It seems that every time I’m at a conference or event related to compliance, I hear people talking about going “above and beyond” the requirements. Something about this statement has always seemed wrong to me. It wasn’t until recently that I understood why: most of us aren’t getting the basics right.
Most Of Us Are Failing At The Basics
This is not an indictment of Compliance Officers and the tremendous effort that goes into compliance. It’s a simple statistical fact.
We crunched some numbers by industry for anti-money laundering (AML) compliance in Canada based on information obtained from the regulator through an access to information request in 2014. The rate of examinations for which there were no deficiencies (across all reporting entity types) was 17 percent. While we congratulate the savvy few that met this bar, that leaves 83 percent of reporting entities that failed to meet the basic requirements in some way.
While these results are specific to examinations conducted by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), it’s not unreasonable to assume that the results can be generalized to compliance more broadly.
Shift The Focus
Before anyone can go “above and beyond” the fundamentals should be solid. One of the most painful reviews (like an audit for compliance) that I’ve conducted was a classic case of going above and beyond while completely missing the mark on baseline compliance. The reporting entity had great technology and related risk ranking metrics. The methods that they used to understand customer behavior involved machine learning and geo-location data at each login, analyzed over time. It was a great risk management strategy, except that they hadn’t identified a single customer in accordance with the law. Not a single one…
Ironically, in working to design measures that went beyond the basic compliance requirements, they found themselves so far outside of what was allowable under the law that had an examination been conducted by a regulator at the time, they could have been facing a very hefty penalty (as was the case for Ripple Labs in the USA).
Consequently, they spent a good deal of time and money updating their systems and identifying customers. In some cases, customers were lost. The (re)identification process was frustrating for people that believed that they had already completed everything that was needful in order to transact freely. There were updates to process documents and IT systems that took place over the course of months, and a good deal of frustration at the rework involved.
A competent third party or in house expert can be useful in assisting with system and process design, provided that they are able to understand your business model, basic compliance requirements and how to achieve these in the most elegant way possible.
Keep It Simple (Seriously)
At a recent conference, I was listening to a speaker whom I consider a model for what not to do, both functionally and ethically. As he sweepingly gestured towards an overly complex chart, he stared into the blank faces of his audience and proclaimed “It’s ok if you don’t get it. That’s not the point. The point is that I should look impressive. Are you impressed?” I was not.
Which model fits your needs?
Remember that the people that are usually fulfilling your compliance requirements are your frontline staff. Would they be able to use the model to the left to risk rank your customers?
While it can be tempting to create complex rating systems, it’s important to understand that your compliance program should be functional. If the system that you’ve created is too complex for your staff to understand and adhere to, it will fail. Whether you’re hiring someone external or creating your program in-house, remember to keep it as simple and easy to follow as possible.
Ask, Check, Test
One of the many arguments that I’ve heard for going above and beyond is that this is helpful when dealing with regulators and banking service providers. While I agree that this can certainly be the case, it’s a moot point if the basic requirements are not met.
In my experience, both regulators and bankers are candid – when asked – about where their expectations are set. There is no real appetite on the part of either to create a set of secret standards related to going above and beyond. From a practical perspective, this means that reporting entities should be focused on understanding the basic requirements, and seeking clarification as needed.
Effectiveness reviews can also be a useful tool in this regard, provided that the reviewer or auditor is well versed in local compliance requirements. Similarly, internal testing should be geared towards baseline requirements to ensure that these are being met.
Opportunities & Innovation
Going above and beyond for its own sake (in terms of compliance) is neither required, nor particularly good business.
This is not to say that reporting entities should avoid innovation. Rather, these efforts should be focused and prioritized on finding the most cost-effective and efficient ways to meet baseline compliance requirements, and mitigating risk.
Changing compliance legislation can also provide opportunities for innovation, in particular where there are public consultations. This type of dialogue with lawmakers allows stakeholders to suggest alternatives that may mitigate risk in new and innovative ways. It provides an opportunity to showcase new technologies and processes that solve common compliance problems with greater efficiency (although they may not fit into the current regulatory paradigm).
Need A Hand?
We believe that good compliance is good business. If you have questions, please feel free to contact us.