Talking to Senior Leadership About AML Compliance
November 23, 2020
The all too common view that “compliance is a cost center” can make it difficult for compliance staff to get executive and board-level “buy-in” for compliance program efforts and initiatives. With this bias in mind, how should compliance have the conversation with senior management that it is more effective and less expensive to correct problems sooner rather than later?
In this webinar, John Wiethorn, AML/BSA Officer, TransferWise, and Perpetua Gitungo, DMLRO & FinCrime Compliance Lead, TransferWise, discuss their experience in working with senior management on enhancing compliance programs.
Topics covered include:
- What does senior leadership investment in compliance look like?
- Case studies on failures to invest and their consequences
- Tips on steps that compliance can take to mitigate lapses and get buy-in
Here are the questions and answers from the event.
Q: My bank is currently under a cease and desist order. The bank brought in a new team for compliance but they’re facing a lot of challenges, including a lack of senior management support in getting the frontline team to update client account records and answering RFIs. It’s clear that there isn’t a culture of compliance here, and it feels like we are the enemy. So, what can we do to help create a strong compliance culture?
A (John): Wow. So, that’s a really good question.
If you’re at a point where you’re like, “It’s us versus them,” and compliance is coming in and saying you can’t do this and that might be a senior leadership that needs to be refreshed. I would suggest you start by saying, “Listen, senior leadership board, this is my expectation, we have these five problems we have to fix, there’s regulators saying we have to fix it, we have court orders, this is the approach we’re gonna do to do it, and anyone that’s not on board to support it can’t be part of this anymore,” because you’re at a point where you can’t succeed and survive as a business unless you address these very real issues. And if your senior leadership isn’t willing to give you what you need to get it done, then you have an impossible task.
I’m also a big fan of proactively reaching out to people. We do this at TransferWise, you know, it’s never great to be telling product no, right? You always wanna introduce yourselves. You always wanna say, “Hey, this is compliance. This is what we’re doing.” Or, “Hey, we’re cleaning house right now, we’re, you know, fixing things right now.”
For the case mentioned, “Hey, what is this cease and desist order? Let’s have a big company meeting. Let’s have some training that says this is the court order, this is what we’re doing, this is how you can be involved, and here’s things we’re not gonna do in the future to avoid this from ever happening again.” I’m a huge fan of training, I do a ton of it at TransferWise. And if you ever come work at TransferWise, you’ll hear me on all the recordings reminding people the importance of compliance.
It’s really, really crucial that people understand what you’re doing so you’re not an outsider, right? If you’re gonna be there a long time, you need to partner with the business, you need to partner with senior leadership. So, I say training, I say town halls, I say make it clear, have a really clear slide deck you send out and be like, “This is what happened, this is why we’re here,” and explain why the changes are happening so you’re no longer the enemy, you’re enabling them to survive and thrive.
Once they see that you’re there to help them, you’re gonna have a much easier time. That being said, that’s a hard situation to be in. So, hopefully, we’ll engage in senior leadership and get that investment so that you’re not dealing with that on the back end. But it’s a very challenging role. So, to the person who asked the question, my hat’s off to you because I’m not wearing a hat. So, just hang in there. You can get it. It’s a lot of work, but you can get there, I believe in you.
A (Pesh): I think John has really hit all the points that I would have said. It’s all about accountability, you know, they can…and also that, sort of, governance. So, you know, you’re saying frontline teams don’t want to update client records? What’s the governance looking like that? Who gives what orders…I don’t wanna call them orders, but who gives what direction to the frontline team about what they should be doing?
If you have that sort of structure, if you’re in that position where you’re actually able to almost put your foot down and say, “Actually, this has got to be done because these are the risks,” again, articulating what risks you’re facing if this is not fixed. And saying, “We can’t grow, or we can’t do this anymore unless X, Y, and Z is fixed.” I think, you know, just making sure that there’s accountability and governance and somebody who is actually really able to go in and say, “This is what needs to be done.”
Q: How do you position yourself as a trusted adviser to your senior management as opposed to the enemy?
A (Pesh): Big personalities, that’s how we get away with it at TransferWise. But it’s really being very concise and very, very clear. When we go into senior management, we are not being wishy-washy about anything that we are saying. We’re not overexaggerating, we go in with very clear examples and very key expectations of what we want them to do, which means that a lot of the time they are sitting and listening.
Because often when we go in and say, you know…this is how we, kind of, have our plan. We go in with, “This is what we’ve done well, so far.” And then we go, “These are the things that should keep you awake at night.” It’s almost a sandwich method (compliment-criticism-compliment), and then you earn their trust. Because we’re very, very, very clear about what the issues are, what risks we’re trying to mitigate, and most importantly, what do we want them to do about it.
A (John): I think one part of not being the enemy, and this is the whole compliance as a roadblock issue, I say this all the time – compliance is here to enable the business. We are. We are absolutely here to enable the business. So, whatever we can do to get you there is great. So, that’s how I take it as an advisor. And I think it’s also about being proactive.
I think we talked briefly about this earlier. You know, you shouldn’t only know your board members from your board meetings. You shouldn’t only know senior leadership from, like, the reports or when there’s a problem. You really should be having a conversation with them.
I speak with our general counsel on a fairly regular basis, not because we have legal problems, but our general counsel wants to know what’s going on and I wanna keep them in the loop so that we’re hedging things off.
Same thing with our head of risk. Same thing with our chief operating officer and our chief compliance officer. We have these conversations at the level where, in senior leaders for compliance, we’re engaging. So, they don’t see us as the enemy, they don’t see us as an outsider, we’re just part of the team as well. And we’re just enabling things from the compliance side. It’s all about de-escalation for me.
And then the two big things and Pesh talked about one of them about the clarity, but always be honest. Never tell them what they wanna hear, tell them what they need to hear. That’s critical, tell ’em the truth. Even if they’re like, “Well, we really wanna do this thing.” I’m like, “I understand you really want to do this thing. And I understand the investors really want to do this thing. But we can’t do it yet and here’s why. And you know why because we trained you well.”
I think it’s really just enabling you to do that successfully is really getting that engagement and really just taking it out of the formal and also developing those relationships, which can be hard. I admit, that can be hard, whether due to personality types or due to the size of your organization. Listen, if you have over 20 offices on the planet, that’s hard. That’s really hard for you to engage a team that’s across the world. We do it though and you just got to make that extra effort sometimes to reach out beyond your comfort zone to really start having those conversations earlier rather than later.
Q: Do you think all these apply to casinos as well?
A (John): Yes, absolutely. People expect compliance from larger financial institutions, retail banking, online – you expect to have to provide a photo ID or KYC information. Most consumers are not aware the suspicious activity reports are being written based on how they’re betting at the table, and monitoring customer behavior, etc. It’s about compliance enables the casino to stay in business.
If you have good compliance people, you should be able to present it to senior leadership in a way, “Hey, you know, we need to do this. We need to train people really well. We know that our casino has great standards and we want compliance to have those same standards so that when you deal with the regulatory board, there’s no issues with compliance.”
And senior leadership is very keen on keeping the gaming board happy in your respective state.
Q: How does one counteract or even change the culture when the attitude is it’s easier to ask for forgiveness than permission when it comes to compliance and regulations?
A (Pesh): Ooh, that is a very, very good question. And I think we’ve all been there, especially when you’re in a high-growth institution that will grow faster or whether it’s having new controls in place. If you want to ask for forgiveness later, it might mean that we hold offering our services or our product to a certain jurisdiction or to a certain market because the pressure on the operational teams is too much.
It might also mean, and this is something that I’ve tried to explain to production teams at TransferWise which has worked quite well, this isn’t about you. And I keep telling them, “This is not about you. This is how it affects other people. This is how it affects our banking team and when they go to new partners. This new risk that you’re introducing, whether it’s a new product that is super high risk, when you introduce this, our banking partners then raise our risk level.
It means that it’s harder for us to get those partnerships and to get into the strategic relationships.” So, trying to make them understand that their actions are not just about compliance, and they’re not just about them, and growth, and whatever else. It impacts every other aspect of the business. And them understanding that has really shifted the mindset of how we do things. I’ve seen it work.
A (John): One thing I would add on, if you have proper governance in your organization, no one should be able to launch things without compliance approving it, the risk owners and the board knowing about it, understanding the risks, and making an informed decision.
And to Pesh’s point, you’re just being selfish if you don’t have that. You have poor governance and you’re thinking about yourself and you’re not thinking about the company. You’re not thinking about the customer, you’re not thinking about the customer of both compliance and your general customers. So yeah, it’s really about that clarity of ownership. Because when you have clarity of ownership, they’re not gonna launch things and be like, “Oh, I hope we’ll get forgiveness.” There’s strict liability and having poor compliance is pretty unforgivable.
Q: I work at a cryptocurrency startup and a merger resulted in a new executive team who has no previous experience working in the regulated industry and is constantly questioning the compliance team and work we do. How do you explain to this individual the need for compliance in a company and to be involved more in the business decisions?
A (John): I mean, board training. I mean, that’s what that is. That seems like an easy one. Really good board training. And you’ve made the case for it right now in your question, right? You said, “We have new executives, we have new senior leadership, they don’t understand the importance of compliance, they’ve never been in a regulated industry.”
You know they need some very targeted specific training that gives them an overview of the laws, the regulations in which their industry operates, the particular risks of cryptocurrency, what you do to mitigate the risks, who the risk owners are, you just need to have training.
And if that one person has more questions, give them more training. I am always available to train our board members and our senior leadership. So, if they have lots of questions, I will make time for them all day, all week. But yeah, get them really good board training. That’s the first step.
Q: I don’t know how to make a compelling presentation to the board to convince them of the importance of some of the risks that we’re seeing, some of the stats and all that. Do you have a presentation structure that you use that would be helpful for everyone to know about?
A (Pesh): Yeah, I think when it’s smaller, it’s even much better because that means you have got that personal engagement. You know, walking in and sort of saying, “This is what I need,” or, “This is what…” And I always say, in a smaller institution, it’s much easier to go in with a story because it works better with senior leadership in smaller organizations.
Going in with that sandwich method of, “Hey, we’ve done really well, you know, our SARs are down, our fraud rates are down, etc. But here’s the thing that you should go home today and just think about.” Or saying, like, what is that one or two things that you want them to, kind of, take away from that and just telling them, “Hey, this is what I need you guys to do.”
Because in smaller institutions, it’s much easier to have, sort of, personal relationships than it is at much larger institutions. So, I’d say use that to your advantage. And if you’re new to compliance, always feel free to reach out to other professionals who are there like myself and John on LinkedIn.
A (John): If you’re saying you need to present to the board and you’re new to compliance, that might be something to raise to the board and be like, “Hey, you know, I’m new to compliance, too. We might wanna hire someone with experience because you should have someone that knows what they’re doing so that we don’t run into problems. Maybe we should have a dedicated BSA officer or an MLRO that’s done this before. Or maybe we should, you know, get a firm in here to just do an analysis to see, like, what training needs we have, a training need assessment.”
That might be helpful, particularly if you’re small, because you don’t wanna get in over your head, right? Particularly if you’re brand new to compliance. Just get the tools you need and keep in mind that if you’re in the role of a BSA officer, it’s a statutory requirement that you have the resources you need to do your job. That includes training and personnel. So, never be afraid to ask for help whether it’s internal or external.
Q: In big banks, fixing the current gaps in compliance technology needs huge budget for multi-year projects. How do you get budget?
A (John): That is the big challenge, right? It’s about how you present it. That’s a leadership skill of really how you’re presenting project plans.
You may want to start with “Listen, we’re this huge bank, we’ve been doing this for a number of years, but everything’s antiquated, we wanna move to this thing, we’re gonna need 20 devs, we’re gonna need a consulting firm,” you need to come up with a really good presentation for that. Because if the whole board subscribes to, “If it ain’t broke, don’t fix it,” they’re not gonna invest in it. Start bringing things up.
You can be like, “Hey, you know, we’ve noticed that our system’s really antiquated, and this is the impact.” Next meeting, “You know, our systems are still antiquated, we really wanna get a solution, and we’re starting to look at these solutions. Hey, we have this initial plan, I wanna bring it to you.” Squeaky wheel gets the grease, right?
You wanna have this relationship where they see the need because you’ve demonstrated over time. Or if you’re able to link, “Listen, you know, the last four board meetings, we realized we have these five issues. They’re all linked by this common cause, antiquated systems, or lack of investment technology. Here’s our grand plan for how we’re gonna fix it.”
And things can be expensive. TransferWise is very thrifty. We try and have the lowest costs for our customers, which means we have to often build things in-house and really shoestring budget it. If you’re looking at any big project, and I always say this, my old consultant friends might not like me for saying this, but get competitive bids.
We had a small engagement with compliance recently at TransferWise, we had a number of bids for the project, the price range varied wildly for the same amount of work, beyond wildly.
Just because you’ve used one vendor for 20 years doesn’t mean they should be your vendor for the next 20 years. Always be open to checking new things. Always be open to seeing what other solutions are out there. Technology changes overnight. What was good for you yesterday might not be good for you three years from now.
So, look at your costs, get competitive bids, communicate your needs ahead of time, that leads to a better marriage and a better relationship with senior leadership.