More and more ML/TF failures are being revealed around the world. The environment is becoming increasingly fragile and competition is ever increasing, with countries, regulators and organisational leaders finding it difficult to keep up. Compliance departments become busier by the minute, facing emerging risks and new regulatory requirements, while organisational leaders as well as clients view them as ‘snoops’ and as an ever-increasing cost.
We are in the heart of a digital era where we are expected to keep up with constant developments such as blockchain technology, electronic identification of clients and stricter sanctions, with so many other tasks being added to the ‘To Do’ list of those responsible for implementing compliance requirements.
The big question, after all, is whether regulation and relevant requirements are there to punish us and make our lives difficult. Surely not! Regulations are there to protect us; to help us mitigate the risks of failure and manage upcoming challenges. As the American business magnate Warren Buffett noted, ‘it is only when the tide goes out do you discover who's been swimming naked’.
So, organisations across the world which are ‘obliged entities’, especially those in Europe following the EU AML regulations, must ensure that adequate policies, controls, and procedures are in place to mitigate and effectively manage the risks of ML/TF. What we should realise is that just having a compliance department does not mean we are in compliance! If we think that compliance is expensive, just imagine what the cost of non-compliance could be, thinking of penalties and the impact on reputation and even stakeholder morale.
Let’s consider what any obliged entity could do to enhance its compliance culture, allowing it to effectively manage the ML/TF risks and challenges.
- Tone at the top
People tend to do what they see, so management must lead by example. A vital part of the ML/TF prevention and detection program is the expressed commitment of the board and senior management.
Needless to say, a strong compliance culture is observed through its outcome rather than through any individual component, and this needs commitment from the people at the top.
Although it is not an easy task, it has been proven that the following have enhanced the tone at the top:
- The culture should be founded on integrity and honesty.
- The people at the top should be alert and should ensure that individuals in the organisation know exactly what is expected of them.
- Management should show through its actions that non-compliant behaviours are not and will not be tolerated, by setting a clear risk appetite and laying out its tolerance in the documented policies.
- Management should create an environment where people feel safe to challenge any decisions or speak up if they think something is not correct or appropriate. In other words, organisations must encourage their employees to share any concerns relating to ML/TF risks. Recent whistleblowing regulations enhance this point of view even further.
Let’s forget about implementing a checklist of initiatives and focus instead on fostering a compliance culture with people at the top acting as role models.
- Understand the policies in place
Do we really read and understand the written and documented policies of our organisation? Most organisations believe that by having their policies available on their site/platform, or even as hard copies in their offices, employees read and understand them.
We need to bear in mind that reading is not the task; understanding the purpose and content of the policy is key to successful implementation.
Organisations can apply controls that make employees responsible and accountable for what they read. Such controls can be:
- An annual written and signed acknowledgement by all employees that they have read and fully understood and committed to the policies.
- Face-to-face or group meetings to discuss the key areas of the policies, as well as any concerns that may arise.
- Set key expectations for employees regarding these policies and make clear what the focus areas of each policy are.
- Give case studies and practical examples for each key area of these policies.
Having the necessary resources in place to support the compliance and regulatory requirements is probably the most fundamental part of compliance and probably the strongest tool to meet any challenges. It is a vital safeguard any organisation should have in the fight against compliance risks and failures.
Such resources could include risk assessment and forensic tools, access to databases for performing background and sanctions searches, as well as any solution that facilitates the compliance requirements, such as electronic identification and the use of artificial intelligence.
Moreover, related to this, any organisation has to reward and commend its people for showing a compliance attitude and following the policies and procedures related to the proper use of the resources.
- Education and training
In addition to being a further tool for ensuring that policies have been fully understood, education and training are key for keeping people’s understanding and knowledge up to date and for keeping them engaged and committed.
Trainings can be external or internal, through webinars, organisation-wide emails or formal training programs.
Education programs and trainings vary across industries, organisations or even countries. However, our experience has taught us that there is common ground on which education and training should be based:
- The training efforts should be positive and non-accusatory; the main goal is to make people interested in compliance.
- It should be specific to the organisation’s ML/TF risks and, if possible, to each department’s/individual’s responsibilities and abilities within the organisation.
- Trainings should be frequent and provided where necessary. Organisations must bear in mind that employees should absorb and apply the information provided, and thus the trainings should be an ongoing process that begins at the time of hire. Finally, it is good to provide refresher trainings at least annually so as to keep the program active in their minds.
- Design the trainings based on the realities of the organisation and not on general information. Try to address the actual concerns and provide practical knowledge and ideas on how to apply it effectively.
- Effective Corporate Governance
If anyone ever asks me what contributes most to the prevention and management of ML/TF risks, I will say effective Corporate Governance; even more than having a perfect AML/CFT policy in place.
People come first, and they are the driving force of any organisation!
Tone at the top, as mentioned above, must be supported by strong, effective Corporate Governance.
Competence, experience and commitment should be at the core of any board member and of any person holding a key position within any organisation.
Effective Corporate Governance is governance which ensures that no significant decisions, especially those related to ML/TF prevention, are taken by only one person or a small group of persons, but rather that there is always influence, input and approval from other key parties and personnel within the organisation.
Accountability, transparency, fairness, and responsibility seem to be the key characteristics of effective Corporate Governance. To make sure that these characteristics are there, try to ask yourself how well your organisation is doing with the following:
- Who has the ownership of a task and who is doing what?
- Are there clear reporting lines?
- Do we have the necessary resources to respond to our regulatory requirements and are they being used properly?
- Is all information provided on a need-to-know basis?
- Is there free communication between the management and the employees?
- Are the fundamental corporate changes being communicated where they should be?
- Is the conflict-of-interest management procedure adequate and effective?
And although the list is non-exhaustive, a good thing to remember is that effective Corporate Governance is fluid and agile; it is the one that is aligned with the common best practices!
As a concluding remark, we need to bear in mind that the identification, assessment and management of ML/TF risks is a continuing effort with ups and downs; it is a marathon.
To face the challenges, it is not enough to write down what should be done; you need to understand the rules, their content and purpose. This must start from the people at the top, who will inspire the entire organisation and create the conditions for the ongoing flow of information and knowledge. Continue building on strong, agile Corporate Governance within your organisation; it is the one which will support all these efforts to eventually foster an appropriate compliance culture!
At Grant Thornton Cyprus we support a number of organisations in their efforts to build a strong tone at the top, enhance their compliance culture and avoid the impact of non-compliance. We do this through compliance trainings, design of appropriate policies and procedures, independent assessments and internal audits.