Regulatory actions continually show that a corporate ‘culture of compliance’ or mindset is expected to be evident across all lines of business, particularly the revenue-generating lines engaged with deal making, sales or clients. This has been a steady theme within banking institutions for years, but expectations are increasing for non-banking financial sectors and corporations in other sectors to adopt a similar approach – particularly to minimize financial crime risk.
Compliance and financial crime
The FCA’s recent enforcement action against a global bank illustrates the shift in regulatory focus. In this case, the FCA levied a fine of $109m against the institution, the largest FCA fine ever brought for financial crime regulatory shortcomings. Significantly, the underlying action did not involve allegations of illicit funds movement or actual financial crime, but instead accused the firm of willingly subverting normal due diligence processes in pursuit of profit.
What drove the record fine was an insufficiently embedded and prioritized culture of compliance and the risk this posed, as opposed to actual facilitation of, or willful blindness to, financial crime. The FCA also observed that customer-facing entities within the bank (the deal makers) were willing to place profit before compliance, and did not ensure that compliance personnel performed proper compliance risk reviews.
In December 2015, the New York State Department of Financial Services proposed a rule requiring Chief Compliance Officers (or equivalent) to personally certify annually that their institution is maintaining sufficient AML, sanctions transaction monitoring and client screening systems. This rule covers hundreds of institutions, including more than one hundred foreign institutions that operate a branch or representative office in New York State. The Department specifically cited a “lack of robust governance, oversight and accountability at senior levels” as having contributed to recent enforcement actions.
Expectations in other industries
This expectation is also increasingly demonstrated within non-banking financial institutions, particularly in the US. In August 2015, FinCEN proposed that obligations imposed by the Bank Secrecy Act for reporting of suspicious activity and recordkeeping should be extended to SEC-registered investment advisers.
Placing advisers under this regime, with a civil safe harbor for reporting suspicious activity by their clients, will require registered investment advisers to adopt new policies and implement new processes. Most importantly, it will also compel advisers to report activities or statements of their clients where reasonable suspicion of illicit activity exists. For some firms, this will constitute a significant change in their compliance mindset.
Finally, increasing regulatory expectations in corporate sectors beyond finance are tangible. In 2013, a European-based oil services company paid $253m in fines and penalties, with three subsidiaries pleading guilty to violations of the FCPA and US sanctions laws.
Compare this with cases in 2015 involving the conviction of a software company executive for FCPA violations, as well as guilty pleas of the CEO and two other senior executives of a BVI-based oil and gas company. Despite the senior executives being involved in the violations, the US Department of Justice declined to prosecute the companies, citing self-identification, strong cooperation and the existence or development of strong internal compliance governance structures as mitigating factors.
Firms across sectors would therefore be well advised to ensure that a compliance governance structure and mindset are implemented within their organizations.