| | | Effective PR

The Marginalisation of the Compliance Officer

BIScom Subsection: 
Nigel Morris-Cotterill

There are two principles in the soft conversion of societies to various forms of centralised control, be that control from the left or right of politics, from vested interests or religion.

The first is the manipulation of language: using terms in ways that are inaccurate and, even, the direct opposite of what they truly mean.

The second is to give individual members of society the illusion that they have status, even a degree of control when in fact what they have is responsibility without authority.

Welcome to the worrying world of today's Financial Crime Risk and Compliance Officers.

As regulators and prosecutors begin to realise that laws and regulation drafted in the early-1990s and since create personal responsibility for compliance officers and financial crime risk officers (in all the various names they are given around the world), and to act on that realisation, the response to that recognition is that companies are giving ever-grander titles, even elevating it to "C-Level." Moreover, regulators, encouraged by the World Bank's International Finance Corporation, have begun to demand that banks, and some other companies, appoint a "Chief Compliance Officer" and define the functions.

But it's window dressing. And the trouble with window dressing is that it gets damaged when the windows break.

Worse, while the title may sound grand, and its holder might give it access to a higher management level, the essential element for the holder's protection is missing. What is that? Even under the World Bank's scheme, he does not have autonomy and is subject to supervision and being over-ridden by the CEO and the Board. In this aspect, at least, the title makes the CCO into a lightning rod for investigations and offers him no more protection than e.g. head of compliance, or any other title.

To give an indication of just how complex the function is widely perceived to be, it might interest readers to know that a boilerplate "job description" for a CCO in a large financial institution who is "responsible for developing, implementing and administering all aspects of the Bank's Compliance Management Program by planning, organising, and controlling the Bank's day to day administrative, lending, and operational compliance activities" is available on an internet site for just USD30.

The salary scale, according to payscale.com, in New York, averages USD112,000 per year. The website says that the skills that most increase the pay for the job are Operations Management, Counter-Money Laundering, and Legal Compliance. The same website puts the average salary for "Chief Human Resources Officers" across the USA, not only in New York, at about USD158,000 per annum. Top salaries far exceed those relating to Chief Compliance Officers.

So, a flashy title that does not provide equivalent authority, increased risk and poor pay. Can it get worse?

It does.

For twenty years, the essential functions of an effective compliance officer have been gradually usurped by other departments while the responsibility for failure has been left with the compliance officer.

Twenty years ago, the watchwords for staff education were "training and awareness." Today, that's almost entirely lost and simple, one might argue simplistic, training is focussed on, almost exclusively, law and regulation with narrowly defined examples of suspicious conduct, often taken directly from the regulator's own "guidance notes." This meets the minimum "training" requirement at the lowest cost. Awareness has, in many, many organisations, gone away entirely.

The reason for this is simple: as soon as the word "training" appears, the authority over it shifts to where the budget is and that's "Human Resources."

"No, you can't go to that seminar. You've already spent your personal training allowance on your CPE for membership of this institute or that association and there's nothing left for you to learn the advanced stuff."

How often have compliance officers heard something like that from an HR officer after learning of a seminar that would improve job performance? Or even help reduce the CO/FCRO's personal risk and liability?

And how much more difficult is it for you to arrange high-level in-house seminars that aim at changing culture across departments and, even, across borders.

And yet, seminars that aim to achieve similar aims for, for example, sales are generally signed off, more or less, without question.

The marginalisation of Compliance Officers in relation to education of themselves and the institution's staff is at the heart of one of the biggest problems across the industry: lack of buy-in and a failure to build an effective corporate compliance and risk management culture.

And yet it is not the only reason for marginalisation. The acquisition, management and use of financial crime risk management data has also been subsumed into another department, in this case I.T. Once again, a magic word, "computer," is enough for the job to be taken over by the department that manages the budget.

The human intelligence aspect of risk awareness and risk assessment, having already been undermined by simplified training, is effectively wiped out as staff are increasingly reduced to data-input clerks and the in-house systems (as distinct from I.T. systems) put exception reports into a box somewhere else in the organisation and deny the person with direct access to the original data the option to immediately react to a warning.

Critically, a failure to identify falls back on the Financial Crime Risk and Compliance Officer. It is he that faces prosecution and jail or regulatory investigation and expulsion, plus whatever financial penalties may be applied.

There is absolutely nothing new in this. It was the case in laws drafted in the early 1990s and in pretty much every law since; it was obvious then that departments would seek to cherry pick parts of the authority of the compliance role while not taking the responsibility. Compliance posts have always been underfunded and Compliance Departments have rarely had budgetary control over those matters for which they carry responsibility.

Moreover, COs and FCROs have never had the power to say "absolutely not" to business which compliance officers think is too risky: commercial intrusion into the compliance officer's function has always been a fact of life. Now, they must realise, it can be a fact of career death.

It is essential that authority goes with responsibility. Yet companies deny this and leave their compliance and financial crime risk officers exposed both professionally and personally.

It's a disgrace.