Do the right thing and be able to demonstrate that you did the right thing. Although closely related, these are different issues, and they are both vital to preventing adverse consequences premised on an alleged failure to comply with a regulatory obligation.
All complex compliance functions are necessarily risk based when done correctly. This ensures that the right resources are applied to the right risk, thereby maximising mitigation and addressing the problem, not perfectly, but all things considered, in the best way that can be realistically accomplished. To seek to address complex compliance issues without a risk based approach in 2019 is like pouring money into the purchase of lottery tickets, hoping there will be a (highly unlikely) good outcome. That is not compliance, and it is not good corporate governance.
The resources need to be targeted to be effective. Currently, it is still people (aided by teams, processes and technology) who make those decisions, using the best information they have at their disposal.
Part of the perennial problem from the perspective of a financial institution or other reporting entity is the fear that a regulator, a court or even a party to litigation, will disagree with your risk assessment. If they are right… and you are wrong… then your resources have been misapplied, resulting in a less than optimal approach. Sanctions, damage awards and other detrimental outcomes will often be the result. Not to mention the fact that criminals are more likely to reap the financial benefits of their crime due to a deficient risk based approach. This includes drug dealers, human traffickers and fraudsters. Not a desirable outcome, and hence the importance of an effective risk based approach.
Arguably, there is no perfect risk assessment. One can argue about whether a risk assessment is perfect as long as it is procedurally and conceptually correct, regardless of its effect. But for the purpose of this brief blog post, let’s approach risk assessment from the perspective that if it is reasonable it is sufficient. I am not oversimplifying, just analytically setting the groundwork for highlighting the defensibility risk and distinguishing it from the risk based approach.
Let's use anti-money laundering (AML) compliance for example. For AML work, there is a lot built up in the concept of reasonableness including but not limited to:
- the designation of a CAMLO;
- tone from the top (corporate buy-in);
- appropriate use of technology;
- training and education;
- lines of reporting;
- credible internal enforcement and sanctions for deficiencies or misconduct;
- relationship between the business line, compliance and audit.
So let’s assume all these things (and more) are in place and the risk assessment that has been put in place is reasonable.
The question that is not asked often enough, and when asked, is not addressed frankly and starkly is:
Is our AML program defensible?
This question is not as important to a regulator because regulators are concerned with whether you complied, not how well you defend your view that you are complying. If they form the opinion that a program is insufficient they seek to enforce. It is grist for the mill.
If the entity cannot defend its program (usually a specific allegation but the allegation may be broad and extend as far "breach of industry standards" or a "failure to comply with an institutional Global Code of Conduct"), various findings may occur. It may be found to be eligible for an administrative monetary penalty due to a deficiency or perhaps to have violated a law such as securities law, or to have behaved contrary to the public interest.
It may seem strange, but although a finding of deficiency, once appeal routes are exhausted, is legally determinative, the finding doesn’t necessarily mean your program was or is substantively deficient. If your program was substantively sufficient, the negative outcome means you didn't have (and perhaps still don't collect) the evidence to defend it.
For the purpose of this blog post, let’s leave aside criminal or quasi-criminal offences which are determined on the standard of beyond a reasonable doubt and also the issue of settlement (based on its own sort of risk assessment). In standard regulatory litigation, a finding of deficiency occurs when a tribunal or court finds that the allegations are probably true. This may sound foreign to some readers who are not experienced in litigation, but essentially if a tribunal or court finds, after considering all the evidence, that an entity is 49% likely to be compliant then they must find the entity to be non-compliant.
Certainly, some deficiencies are clear, such as failing to file a report. In that case, the deficiency that is found overlaps with and maps perfectly onto the actual deficiency.
But what about situations where a program is in theory sufficient, but is not demonstrably so? This problem arises out of a lack of evidence - a failure of defensibility. It can apply to any poorly documented aspect of a compliance program. How would your senior compliance management team answer the question: How was your electronic monitoring tool calibrated, what types of inputs and transactional information was it capable of ingesting, and what factors were in place to generate a compliance “hit” in February 2016? (I know, it is more than one question but I hope you get the point). How about the follow up questions? (and keep in mind that all these questions may relate to a specific point in time):
- Who reviewed hits? Did they review all the hits and if not how were they selected?
- Was this system “out of the box” from the vendor or was it specifically tuned?
- Did you ever modify the tool to reduce positive hits? When, how and why?
- What qualifications and training did the reviewers have?
- How were concerns escalated from the initial reviewers?
- Did the compliance personnel in the second line of defence understand the subject matter of the “hit” or did they need to resort to asking the business line questions about the “hit”?
These are just a few questions on a specific topic related to electronic monitoring. There may be hundreds of questions that could be asked about this very specific issue for a very specific time. And there are obviously many other issues that may generate questions. Again, using AML as an example, topics may include the substantive issue of whether your human beings and/or electronic tools understood (for example) money-laundering typologies.
I have written about this elsewhere but since June 2019, the ability of staff and electronic tools to recognize indicia of money-laundering is very much in question. The substantive offence changed significantly to include the mental element of “recklessness”.
All that being said, the defensibility problem seems to me to be most likely to occur in a serious way when the human experience and judgment involved in risk assessment is not adequately documented. The activity of risk assessment, whether it is performed by an individual decision-maker in a small entity or a team project with numerous departments and data sources providing input to a risk committee, is the foundation of the risk based approach.
As long as best practices are in place and experienced, credible decision-makers are in the appropriate roles armed with the right information, their risk assessment should be defensible. Day to day, entities are focused not on defensibility but on effectiveness of their compliance program. Defensibility is a disturbing notion to some because it may seem like CYA (“cover your ass”) for a deficient program.
It is not that at all. Appropriate corporate governance not only entitles but arguably requires senior management to protect the organization by ensuring that the entity is in a position to rebut false claims by third parties that they are failing, whether it is in the regulatory or any other area of operation.
Spend time thinking about evidence and put your organization in the best position to show that you are doing the right thing. When responding to an allegation that you have failed, being able to demonstrate compliance may be just as important as actually having been compliant.