Flaws in corporate culture in recent corporate and institutional scandals have been drawing the public’s attention to corporations and other large entities. The concept of “corporate compliance culture” has come under increasing scrutiny by the public and other parties due to these incidents. Regulators are treating it as a high priority, and boards of directors are increasingly pushing for a sound corporate culture in their organizations. The increased attention on “compliance culture” is impacting our companies every day.
Everyone working in the financial services industry is well aware of the term “compliance”, whether it be applied to deposit and lending products, operations or even financial reporting. Even with our familiarity with the term, compliance is frequently misunderstood. But what is “compliance”? An all-encompassing definition of “compliance” could be summarized as “following the rules”. While these rules usually originate from external sources, “compliance” also involves following the organization’s internal rules, policies, and procedures, and acting in accordance with ethical practices.
Legal Requirements to Maintain Compliance Programs
There were some legal requirements for corporations to maintain compliance programs on multiple federal and state laws prior to 1980. However, the term “corporate compliance culture” became popular during the late 1980s due to widespread misconduct occurring at some of the nation’s largest corporations that was perpetrated by high-level individuals and that occurred despite the existence of corporate compliance programs. Congress’ frustration with such corporate scandals led to the passing of the Sentencing Reform Act of 1984. With this law, Congress curtailed the federal judges’ discretion in sentencing convicted organizations and individuals by creating the United States Sentencing Commission as an independent agent within the federal judiciary system. In 1987, the Commission promulgated guidelines for sentencing individuals. In 1991, the Commission promulgated guidelines for sentencing organizations. Both sets of the Guidelines are contained in the same manual which is updated by the Commission annually and are accessible in the Commission’s website (www.ussc.gov).
Chapter 8 Federal Sentencing
Chapter 8 of the Federal Sentencing Guidelines provide a detailed blueprint regarding the requirements a corporate compliance program must meet before qualifying the organization for a potential fine reduction in the event of being accused of organizational misconduct. This Chapter has been used by the federal banking regulatory agencies in their examination manuals and these basic principles are also used as reference to evaluate the compliance functions at the institutions they supervise.
The Uniform Financial Institutions Rating System (UFIRS)
Federal banking regulatory agencies also adopted The Uniform Financial Institutions Rating System (UFIRS) since 1979 as an internal supervisory tool for evaluating the soundness of financial institutions on a uniform basis and for identifying those institutions requiring special attention or concern. Composite and component ratings are assigned to financial institutions based on a 1 to 5 numerical scale. A 1 indicates the highest rating, strongest performance and risk management practices, and least degree of supervisory concern, while a 5 indicates the lowest rating, weakest performance, inadequate risk management practices and, therefore, the highest degree of supervisory concern.
Responsibility of Management
One of the components evaluated at every financial institution is “Management” and is defined as “the capability of the board of directors and management, in their respective roles, to identify, measure, monitor, and control the risks of an institution’s activities and to ensure a financial institution’s safe, sound, and efficient operation in compliance with applicable laws and regulations”. Generally, directors need not be actively involved in day-to-day operations; however, they must provide clear guidance regarding acceptable risk exposure levels and ensure that appropriate policies, procedures, and practices have been established. Senior management is responsible for developing and implementing policies, procedures, and practices that translate the board’s goals, objectives, and risk limits into prudent operating standards.
The “compliance culture” of the institutions is measured and rated under the “Management” component. According to the federal banking agencies, a strong “compliance culture” will be rated “One” defined as follows: An institution in this category is in a strong compliance position. Management is capable of and staff is sufficient for effectuating compliance. An effective compliance program, including an efficient system of internal procedures and controls, has been established. Changes in consumer statutes and regulations are promptly reflected in the institution’s policies, procedures and compliance training. The institution provides adequate training for its employees. If any violations are noted they relate to relatively minor deficiencies in forms or practices that are easily corrected. There is no evidence of discriminatory acts or practices, reimbursable violations, or practices resulting in repeat violations. Violations and deficiencies are promptly corrected by management. As a result, the institution gives no cause for supervisory concern.”
Compliance Management System
Federally regulated institutions then need to consider their “Compliance Management” practices as a top priority. “Compliance Management” is the means by which organizations can assure compliance in accordance with the rules, regulations, laws, and other requirements to which the organization is subject. A Compliance Management system is how an institution:
- (a) learns about its compliance responsibilities;
- (b) ensures that employees understand these responsibilities;
- (c) ensures that requirements are incorporated into business processes;
- (d) reviews operations to ensure responsibilities are carried out and requirements are met; and
- (e) takes corrective action and updates materials, as necessary.
The complexity of the Compliance Management system will depend on the size and complexity of each institution. The type of oversight needed for a Compliance Management program can also vary considerably depending upon the scope and complexity of the organization’s activities, the geographic reach of the organization, and other inherent risk factors.
So, how is a strong “compliance culture” created?
Common elements of a strong “compliance culture” include top level involvement and example, effective communication and continuous education, assessment and correction. These common factors should be incorporated in the institution’s strategic vision and aligned to their strategic goals.
- Board and Management Alignment and Supervision
Regulators expect that the compliance culture must be managed as an integral part of any financial institution’s business strategy. To be able to do so, Boards of Directors and Senior Management need to take a hard look at their organization’s corporate culture and how determine business activities flow in their organizations.
Questions like “What messages are being sent, not just through words but through actions?” “What is acceptable behavior in the institution?” “How do managers and team leaders respond to employees or customers’ concerns?” Without a fundamental change in the way people in the institutions, and in particular, its leaders, behave, companies cannot build a legal, ethical culture, regardless of the sorts of issues that they face. Effective leadership is the single most important element in building a culture of honesty and integrity.
Leaders set the example for everyone else in the organization to follow. When management cuts corners or do not follow the established rules, employees see it as acceptable business practice. On the other hand, leaders who demonstrate that the values of integrity and honesty are important to them set a powerful example. The institution’s leaders need to live by those values themselves and take prompt, appropriate action when others’ behavior contradicts those values.
In addition to ensuring that their own behavior embodies the institution’s values, leaders also need to verbalize the message effectively to their employees. Managers and employees are often the front line to clients, vendors, and regulators. If they do not fulfill their responsibilities through ethical, legal behavior, the institution will suffer through the loss of customers, regulatory actions, increased scrutiny, negative public image and/or lost sales or revenue. As a result, Boards of Directors and Senior Management need to understand not only what their responsibilities are but how their actions are tied to the bottom line.
To ensure an effective approach to compliance, the Board and Management should make compliance a high priority. The participation of Senior Management in the development and maintenance of a compliance program is essential.
- Effective Compliance Communication and Education
Once the institution’s leadership is aligned, education and training are required to effectively communicate to employees and other participants the requirements of the corporate compliance program. The message from the top should be in terms that compliance is expected and enforced throughout the organization. Mission statements, policies, corporate values, codes of conduct and ethics, and other guidelines should incorporate the expected compliance standards.
Effective training should be designed around the following questions:
- What are the reasons for delivering this training?
- What are the goals/objectives of the training?
- Is the content and delivery method aligned with the goals/objectives of the training?
- Have indicators been developed for the training to measure knowledge retention and effectiveness?
- Are the skills or information included in the training incorporated into the performance evaluation system of the institution?
- Is there an alternate communication system implemented or available to reinforce the training topics?
Education of the institution’s personnel is essential to maintaining a strong compliance culture. All personnel should be generally familiar with the applicable general laws and standards and should also receive comprehensive education in other laws and regulations directly affecting their jobs. They must also be trained in policies and procedures adopted by the institution to ensure compliance with those requirements. The communication method may vary greatly depending on the size of the institution or unit, time requirements, and the importance and complexity of the subject matter.
Effective compliance training and other communications reduce costs, protect your organization’s brand and reputation and helps avoid potentially crippling legal liability.
- Assessment of the Effectiveness of the Compliance Program
The Federal Sentencing Guidelines require that effective compliance programs be periodically reviewed and evaluated for effectiveness. There are multiple elements that institutions can use to determine whether its compliance program is meeting its objectives. But before attempting to measure effectiveness, the institution must identify its objectives for the compliance program. Once those objectives have been identified, the institution can begin to measure effectiveness against the objectives.
Here are some sample steps to consider:
- Identify the objectives (expected goals)for implementing the compliance program: for example, comply with federal regulation; reduce litigation; increase management effectiveness; reduce complaints from clients; increase deposit retention, etc.
- Examine what common practices are currently in usewithin the institution to support the compliance program: for example, is compliance training completion included in performance evaluations? Does the compliance training program contain a testing element? Are other communication opportunities available to disseminate compliance information? How is feedback from employees and other stakeholders obtained and assessed? How are improvements or changes to the compliance program tracked?
- Determine what potential challenges existto an effective implementation of the program: The institution needs to anticipate possible problems or limitations that could obstruct progress in the compliance culture environment. For example, some roadblocks to consider include support from all stakeholders involved, commitment to success from appropriate parties, time or budget constraints, interference from other business areas, or gaps in communication and feedback.
- Develop an action plan for improving the compliance programbased on the program objectives: Begin with small areas and increase the complexity as changes are implemented and tested. Focus on a few specific desired outcomes to identify clear and measurable results. Identify gaps in knowledge, behavior, skills, objectives and/or expectations. The action plan should include a process for escalating to appropriate senior management any significant event or exception to expected outcomes. Include mechanisms for reporting the results of corrective actions or resolutions taken and documentation of remediation efforts.
- Evaluate and implement any additional preventive, detective and/or correctivecontrols necessary to adjust actual results to expected outcomes. Identify the root cause of each problem and ensure that the corrections taken address them. Assessment also involves determining what changes in business objectives, the market, the business environment, technology, and the regulatory and compliance environments signal a need for corrective action at the strategic, tactical and operational levels. All updated measures should be properly documented and communicated to affected units.
- Ensure that the compliance program is independently reviewedon a recurring basis. Audit assessments should be used as another measuring tool and to ensure consistent implementation and coverage of areas of greatest risk. Areas of lesser risk could be examined less frequently as long as results align with expected outcomes.
An institution that makes it a routine practice to manage, measure, and report compliance activities will enjoy the confidence of employees, customers, business partners, and other stakeholders as they recognize the characteristics of integrity, consistency, and competence in all their dealings with the organization.