In Compliance, Getting an A for effort means real money
The U.S. Treasury Department recently confirmed that it had levied only a small fraction of the potential maximum penalty on a U.S. unit of Deutsche Bank AG, citing the bank’s compliance efforts before and after the violations occurred as well as its cooperation during the subsequent investigation. The bank’s savings were surely in the hundreds of millions of dollars (for details on this particular case see Deutsche’s Compliance Procedures Limit Damage of Sanctions Settlement – note, subscription may be required).
This raises an obvious question – how does one get an “A for (compliance) effort?” It turns out that regulators will almost always offer fairly exhaustive guidance on these matters. However, as I’ve pointed out before (see Three words that will make or break your compliance programs), this type of guidance is intentionally riddled with meaningfully ambiguous terms in order to ensure the flexibility needed to keep up with changing threat, technology, and social landscapes/norms.
For example, the Office of Foreign Assets Control (“OFAC”) of the U.S. Department of the Treasury enforced the sanctions in the Deutsche case above, and OFAC lays out its guidance in the Economic Sanctions Enforcement Guidelines (31 CFR Part 501). The weighting of compliance programs is most definitely emphasized throughout.
In the roughly 15-page section, Appropriate is used 52 times, Reasonable is used 12 times, and Effective 5 times. Other equally ambiguous terms like consistent (7 times) and adequate (5 times) are also worth noting.
Software and Compliance
The WSJ article concludes with an intriguing hypothesis.
“The penalty indicates OFAC might be more lenient with companies whose compliance software fails them, as long as they have a robust compliance program in place.”
First, note the presumption that every company will be using some form of compliance software – I don’t think this is wrong at all. However, the fact that a company uses compliance software will not translate into the company having a “robust compliance program.” In fact, since every company is assumed to have some sort of compliance software in place, merely having it is likely to make no difference whatsoever.
The question at hand is HOW that software is being used within the organization. Is there (appropriate, effective, consistent, adequate, …) training, staffing, assessment, remediation, reporting, etc.? Understanding how these terms will be interpreted is the key to getting that A FOR COMPLIANCE EFFORT.
What’s the takeaway here?
Effective compliance programs will not only help your organization sustain principled growth and success, they will materially reduce the damage (and therefore the risk) stemming from breaches/violations/… when they do occur.
Your compliance software (and organizations will most likely have LOTS of components that fall into this bucket) must be easy to use and update and must simplify/streamline controls, monitoring, remediation, and reporting. If your compliance software is cumbersome, complex or brittle, you will – ironically – end up investing more resources, time, and expense while potentially failing to get that high-value “A for compliance effort.”
Is your monitoring, reporting, and remediation solution simplifying or impeding your organization's agility?