It’s Groundhog Day for 2020. Why? Well, U.S. financial regulatory agencies have once again declared Anti-Money Laundering/Bank Secrecy Act (AML/BSA) compliance as a top examination priority this year. By default, this includes compliance with economic sanctions from the Office of Foreign Assets Control (OFAC), though not explicitly stated, since both generally go hand-in-hand when it comes to financial crime risk management. Even the Securities and Exchange Commission (SEC) has upped its game. Its Division of Corporate Finance has issued a series of requests to U.S. public companies for information about how their corporate activities might impact compliance with U.S. economic sanctions. (See “The SEC Expands its Regulatory Activity into Economic Sanctions.”) So, what is going on?
One thing is for sure: Financial crime compliance expectations will not be easing in our lifetime. Don’t look for elected officials to have sympathy and pass sweeping legislation to reduce compliance program burdens. There are simply too many bad actors and it is getting worse. Criminals and terrorists are becoming more creative every day in laundering money and evading sanctions. So, rest assured that regulators and law enforcement will remain vigilant in ensuring that individuals and companies who are subject to anti-money laundering and economic sanctions laws and regulations have robust programs to avoid being used to facilitate money laundering and terrorist financing.
The challenges with AML/BSA compliance are nowhere new. But now, with the proliferation of criminal investigations in Europe, the U.S. is no longer the most active enforcement and prosecution jurisdiction. Meanwhile, U.S. economic sanctions compliance risk has been ramped up and further complicated with the focus on Iran, North Korea, Russia, and Venezuela.
No Silver Bullet …
All the technology in the world will not be enough to get the compliance job done. A combination of procedures, processes, and technology, along with experienced personnel, is the recipe for a successful and sustainable compliance program.
Yes, new technologies are promising that artificial intelligence will reduce the persistent challenge of false positives in due diligence and monitoring, but companies need to be wary of medicine men who sell huge promises that they cannot keep. Boards and senior management, exercising oversight responsibilities under revenue pressure, need to understand that any technological weapon for reducing financial crimes compliance staff needs to be closely reviewed before being locked and loaded.
Companies need to remember three things: that the requirements really haven’t changed; that the staffing and technology challenges, while maybe a bit different than in the past, are still significant; and that government agencies are simply not lowering their expectations for robust risk management programs.
… But Deliberate Steps Forward
So, what is a company to do in this continuing environment of tough regulatory oversight and law enforcement activity? Here’s the drill:
- Know Your Board. Make sure your board and senior management understand the landscape. Compliance officers owe it to them. And since directors and managers live through numbers, leverage metrics whenever possible to get your points across and support your program.
- Know Your Regulators. While some people don’t buy into it, I have never found it to be a bad idea to be transparent with and keep your regulators informed. Periodic meetings and updates go a long way.
- Get Back to Basics. Make sure the elements of your compliance program cover every aspect of what is expected under applicable law and regulatory guidance. Everything from a robust risk assessment to a knowledgeable and value-added internal audit department is extremely important to the effectiveness of every compliance program.
- Self-Assess. Don’t wait for an audit or an examination. Conduct periodic self-assessments by either an independent internal function or external advisor to get a perspective of your compliance program.
- Use Technology that Works. No technology seems to work perfectly, and some don’t work well at all. Too many companies have purchased the wrong tools for their risk profile, products, and services. Make sure you deeply research any technology before you commit to it. Seek outside help on identifying the right technology, vetting vendors, and implementing. It is simply too huge of a commitment and expense not to get it right.
- Make Sure It is Sustainable. Everything is a waste of time, effort, and money if a program is not sustainable. Commitment from the top (a culture of compliance), along with an ongoing process to ensure that the program is working as required, must be part of every program framework. Metrics are extremely important in both managing to sustainability and evidencing that a program is being sustained.
Companies continue to fall short—whether simply lacking robust procedures or grappling ineffectively with new technology. Yet there is now so much experience—so many lessons learned—for companies to apply to their own advantage. This is no time for short-term memories, heads in the sand, and inappropriately funded (aka unsustainable) programs. Ultimately, it is much less expensive to get it right than to get it wrong.