In recent years, the number of news stories regarding ethical lapses at many leading organizations reminds us of the critical importance of a strong ethical culture. Regulators and enforcement authorities around the world increasingly take the view that building an ethical and compliant business culture is one of the most important tasks for corporate boards and C-suite executives.[1] In this environment, companies must ensure they have sustainable cultures of integrity that empower personnel at all levels to make decisions based on what is right, legal, and fair.
An ethical culture is the core element of an organization’s compliance program. If the culture of the organization does not support principled performance, then all of the written policies and procedures, people, processes, and technologies that are put in place to mitigate ethics and compliance risks will not be effective.[2]
You should resign. You should give back the money you took while this scam was going on, and you should be criminally investigated by both the Department of Justice and the Securities and Exchange Commission.
– Senator Elizabeth Warren[3], Senate Banking Committee hearing, September 2016, to Wells Fargo Bank CEO John Stumpf
As personal liability becomes a focus for regulators around the globe, executives and compliance officers must take a closer look at their individual accountability in ensuring proper compliance procedures are in place. Monitoring is a weak area in many compliance programs, and executives are concerned as companies struggle with monitoring and auditing their organizations’ programs.[4]
The specific areas that ethics and compliance departments focus on will vary depending on the size of the organization, ownership structure, the type of sector and industry, the nature, scope and complexity of operations, risk profile, and the level of regulation. However, for all organizations, what is clear is that yesterday’s compliance program will no longer work.
One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.
– U.S. Deputy Attorney General Sally Yates, Yates Memo, September 2015
For the 21st century, in order to implement a sustainable ethics and compliance program that is truly effective in shifting behaviour and mitigating risk, corporate leadership should look at moving from a strict “governance, risk and compliance” mindset to a “governance, culture and leadership” mindset. Targeting actions that will build and maintain a values-based compliance program – as opposed to a command and control compliance program – if implemented effectively with full support of the organization, should improve compliance as a result of real, tangible and sustainable behaviour change.
Summary
Regulators understand that organizations without a “culture” of integrity are likely to view their ethics and compliance programs as a set of “check-the-box activities”, or worse, as a roadblock to achieving their business objectives. Organizations responsible for some of the most egregious acts of malfeasance have had quite impressive, formalized ethics and compliance guidelines. The problem was that either leadership or a group of influential insiders operated outside of those guidelines.
Ethics have become an organizational priority. In the 21st century, ethics is neither a luxury nor an option. There is a growing impatience within society with selfish and irresponsible actions that impoverish some, while enriching the crafty.
– Stephen Brimmer, The Role of Ethics in 21st Century Organizations
An organizational culture that encourages ethical conduct as well as a commitment to compliance will not happen accidentally – and no number of rules, policies, monitors, or top-down controls will suffice to shape or substitute for it. The culture of an organization is the expression of its values in action; and to be successful it is up to those who shape it—in particular its leaders and personnel.
It is generally accepted that values drive behaviors, and behaviors drive outcomes.
The introduction of the concept of “ethics” (values-based principles, as opposed to rules-based compliance) and the increased focus on culture reflect a growing recognition that an unethical organizational culture was a significant factor in driving the misconduct and scandals that brought down Enron, WorldCom, Adelphia and other major corporations.[5]
Regulators understand the importance of culture. As a fundamental component of an effective ethics and compliance program, ‘culture’ is referenced by the U.S. Federal Sentencing Guidelines for Organizations, which includes an expectation for companies to promote an “organizational culture that encourages ethical conduct” and “compliance with the law.”[6]
- In the UK the introduction of the Bribery Act in 2010 expressly put the onus of developing and maintaining a culture of ethics and compliance on company boards.[7] The importance of corporate culture has become a major focus as the UK continues to wrestle with the issue of re-establishing trust in business lost during the financial crisis.[8]
- The Australian Compliance Standard contributed to the global conversation with the adoption and definition of a ‘compliance culture’.[9]
- The Organization for Economic Co-operation and Development (OECD) and World Bank reference corporate culture in their anti-corruption and pro-development frameworks.[10]
- Canada’s regulator for banks and related financial institutions, the Office of the Superintendent of Financial Institutions (“OSFI”), has identified the importance of “strong and appropriate risk cultures” to compliance, noting that the “echo from the bottom” must match the “tone from the top”.[11] OSFI’s Superintendent has stated:[12]
“[O]ur interest in culture … focuses specifically on the institution’s norms, attitudes and behaviours related to risk awareness, risk taking and risk management and how these reinforce, or undermine, responsible risk management.
What we are looking for is a culture that consistently supports risk awareness, and prudent behaviours and judgments about risk-taking. A culture that reinforces the risk governance framework. A culture that values the recognition of emerging risks and risk-taking activities that are beyond a financial institution’s risk appetite and sees that these are assessed, escalated and addressed in a timely manner.”
In a business environment where reputational threats lurk around every corner, a strong culture of ethics and compliance is the foundation of a robust risk management program. The lessons learned related to scandals and organizational crises that trace back to the early 2000s make one thing clear: without an ethical and compliant culture, organizations will always be at risk.[13]
If there is one unfortunate corporate theme for defining the first sixteen years of the 21st Century, it may well be corporate greed, negligence, and malfeasance[14]. Many of the biggest corporate scandals in history happened during this time period, including: Enron (2001), HIH Insurance (2001), WorldCom (2002), Freddie Mac mortgage scandal (2003), AIG accounting scandal (2005), Lehman Brothers investment bank and subprime mortgage crisis (2008), Libor (London Interbank Offered Rate) fixing scandal and Barclays Bank (2012), Volkswagen DieselGate (2015), Wells Fargo bank scandal (2016), as well as the 2008 credit markets’ disintegration that cascaded into the global financial meltdown that significantly threatened global capitalism.[15]
Total enterprise risk management is critical, but implementing it is both expensive and easier said than done. Even the most sophisticated financial institutions are still basically silo risk managers.
– Danny Klinefelter
The role of the Compliance Department, and the Chief Compliance Officer where there is one in place, has changed. This evolution can be traced back to the corporate scandals referenced above. Compliance has now emerged as a specialty, important as its own department in highly regulated industries, and a career path complete with its own professional literature, conferences and “bottomless pool of anxieties”.[16]
“How would a global company build a big enough bureaucracy to ensure that all 100,000 employees in its operating companies worldwide follow each and every law and regulation? Even further, how could the CEO of that company be assured that his or her people were acting according to the even higher standard of behavior demanded by its stakeholder community? The answer? They can’t. Even if this company were 99.9 percent successful in its compliance efforts, that’s still 100 instances of non-compliance every day…. This is the moment to rethink how we operate, how we govern, how we lead and how we relate to society.”
– Dov Seidman[17]
There is a need to identify the kinds of behaviours required to protect companies and society from lurching from crisis to crisis. To be truly effective in shifting behaviour, organizations – to the extent they have not done so – should review the benefits of embracing a “governance, culture and leadership” mindset.[18]
A strong ethics and compliance program is based on values, but requires a risk-based approach to understanding and prioritizing limited resources to prevent and/or reduce risk facing the organization. The key objective of an ethics and compliance program should be an emphasis on an ethical culture and business values (i.e. articulate, communicate, and measure the culture as defined by the board of directors and executives), and systems of internal control that adequately identify, measure and manage the risks that the organization faces. The most effective ethics and compliance programs pursue as a primary mandate “ensuring ethical behaviors and alignment of decision making and conduct with core values”.
In any organization, written rules and procedures exist alongside unwritten rules, norms and expectations. These unwritten rules, which we can call an organization’s “culture”, for want of a better word, can reinforce the written rules. Or they can undermine, or at times even supplant, the written rules.
– Superintendent Jeremy Rudin, Office of the Superintendent of Financial Institutions
A strong culture helps to build positive relationships with regulators and it helps attract long-term investors. Ultimately, a culture of integrity is reflected in superior, long-term performance.[19]
What does a culture of integrity look like? Deloitte, and organizations like the Global Risk Institute[20], indicate that such cultures are generally characterized by:[21]
- Organizational values: A set of clear values that, among other things, emphasizes the organization’s commitment to legal and regulatory compliance, integrity, and business ethics.
- Tone at the top: Executive leadership and senior managers across the organization encourage employees and business partners to behave legally and ethically, and in accordance with compliance and policy requirements.
- Consistency of messaging: Operational directives and business imperatives align with the messages from leadership related to ethics and compliance.
- Middle managers who carry the banner: Front-line and mid-level supervisors turn principles into practice. They often use the power of stories and symbols to promote ethical behaviors.
- Comfort speaking up: Employees across the organization are comfortable coming forward with legal, compliance, and ethics questions and concerns without fear of retaliation.[22]
- Accountability: Senior leaders hold themselves and those reporting to them accountable for complying with the law and organizational policy, as well as adhering to shared values or organizational values.
- The hire-to-retire life cycle: The organization recruits and screens employees based on character, as well as competence. The on-boarding process steeps new employees in organizational values, and mentoring also reflects those values. Employees are well-treated when they leave or retire, creating colleagues for life.
- Incentives and rewards: The organization rewards and promotes people based, in part, on their adherence to ethical values. It is not only clear that good behavior is rewarded, but that bad behavior (such as achieving results regardless of method) can have negative consequences.
- Procedural justice: Internal matters are adjudicated equitably at all levels of the organization. Employees may not always agree with decisions, but they will accept them if they believe a process has been fairly administered.
Based on the information known at this time, the Wells Fargo bank was missing many of these characteristics in its culture. As a direct result, in September 2016, U.S. Federal Reserve Chairwoman Janet Yellen promised the U.S. House Financial Services Committee that the central bank will scrutinize all big banks in the wake of the Wells Fargo bank scandal, and will launch “a broad review of big bank compliance regimes”.[23]
Commentators have indicated that because regulators did not hold senior executives personally accountable for their conduct and the events that led to the 2008 financial crisis, there is an increased scrutiny and emphasis on personal liability in the financial services industry today. In September 2015 Deputy Attorney General Yates issued new guidance to the U.S. Department of Justice (DOJ) outlining the importance of individual accountability in DOJ prosecutions, which appeared to herald individual liability as one of the most effective ways to combat corporate misconduct. In line with the increased scrutiny, the U.S. and UK have recently proposed controversial new laws that will impose criminal responsibility against company executives in certain circumstances.[24]
With respect to companies generally in the U.S. and UK, senior corporate officers are expected to be held more accountable from now on, and many compliance officers believe that regulators are or will be looking at them in particular.[25] Executives and compliance officers – rightly or wrongly – are feeling the heat of a climate perceived to be targeting senior individuals within companies.[26]
Regulators increasingly want to make sure compliance officers aren’t merely rubber-stamping bank decisions and that there are penalties in place when the executives willfully overlook bad behavior or fail to see it through monitoring systems they have signed off on.
– Emily Glazer, Wall Street Journal[27]
In Canada, OSFI has made some policy movement in publishing a revised guideline on regulatory compliance management, which includes revised provisions for responsibility and regulatory expectations.[28] The OSFI Superintendent has noted that “Boards of Canadian financial institutions have responded, becoming more engaged on risk issues and exerting more oversight over senior management”. However, Superintendent Jeremy Rudin stated that “many boards need to make further improvements in their performance”, and if boards “fail to become fully engaged on the important issues”, OSFI “will hold them accountable; you can be sure of that”.[29]
Wells Fargo Scandal – a ‘case study’
Wells Fargo – the second largest bank in the United States – is in the news, and for all the wrong reasons.[30] The bank’s behaviour has been referred to by U.S. Regulators as “outrageous” and a “major breach of trust”.[31] John Stumpf, CEO of Wells Fargo, apologized last month in respect to his bank having opened millions of fake credit card and bank accounts in order to meet daunting sales targets. The California and Federal regulators fined Wells Fargo a combined $185 million on the basis that the company’s employees illegally opened millions of these unauthorized accounts for their customers in order to meet the aggressive sales goals set by senior management.[32] The Federal Regulator stated:[33]
“Wells Fargo built an incentive-compensation program that made it possible for its employees to pursue underhanded sales practices, and it appears the bank did not monitor the program carefully”.
Approximately 5,300 Wells Fargo employees were terminated by senior management in connection with the behaviour, most of them low-ranking staff.[34] Called before the Senate Banking Committee, CEO Stumpf was told that the dismissals did not go far enough up the chain of authority.[35] In reference to “responsibility”, Senator Elizabeth Warren “tore into [CEO] Stumpf” and told him he should “resign” in light of the fact that not a “single senior executive” had been fired, while he had personally earned over $200 million while this inappropriate conduct took place under his program.[36] Senator Warren called the CEO a “gutless leader” who should be criminally investigated by the Department of Justice and the Securities and Exchange Commission.[37]
Leaders who don’t listen will eventually be surrounded by people who have nothing to say.
– Andy Stanley
Within days of the Senate Banking Committee hearing, Wells Fargo’s board of directors stated that it was launching its own independent investigation, that its CEO and retail banking executive would forfeit $41 million and $19 million respectively in stock awards, and that there may be further salary clawbacks.[38] A shareholder class action lawsuit was filed against the bank.[39] The Labor Department is investigating whether Wells Fargo abused its employees while driving them to meet the lofty sales targets.[40] In a statement, the Lead Independent Director of Wells Fargo said that the board of directors would “take all appropriate actions to reinforce the right culture and ensure that lessons are learned, misconduct is addressed, and systems and processes are improved.”[41]
Workers have described a pressure-cooker atmosphere where they risked losing their jobs if they did not hit unrealistic sales targets. They say this pressure defined working for Wells Fargo and directly led to widespread fraud in the opening of bogus accounts.
– Olivia Oran, Reuters[42]
It has been subsequently learned that between 2010 and 2014 at least five Wells Fargo employees had sued the bank or filed complaints with regulators alleging they were terminated after reporting the opening of customer accounts without their permission. Questions are now being raised as to how early Wells Fargo knew about such allegations and how the executives handled them. Three senators have called on the SEC to investigate Wells Fargo for potentially misleading investors and violating whistleblower protection rules.[43]
Service managers, branch managers and district managers were well versed in the art of creative selling. Customer sales staffers had direct orders to mislead customers. Little did I know that my complaints to the ethics hotline of Wells Fargo Bank on these practices would be openly and directly conveyed to the very managers.
– Birinder Kaur Shankar, former Wells Fargo customer sales representative[44]
In a second hearing in September 2016 on Capitol Hill, CEO John Stumpf then told the U.S. House Financial Services Committee that Wells Fargo bank is expanding its review and that bank executives’ roles would be reviewed “across the board” in an inquiry by Wells Fargo’s outside directors. The CEO admitted “under questioning that employees stole money”. Committee Chairman Jeb Hensarling told the CEO “Fraud is fraud. Theft is theft”.[45]
Wells Fargo employees who failed to meet management’s outrageous sales goals were fired. Employees who tried to sound the alarm about the creation of fake accounts were fired. Their lives turned upside down. Wells Fargo CEO Mr. Stumpf will do just fine: he keeps his job and most of the money he made while massive fraud went on under his nose.
– Senator Elizabeth Warren[46]
As a result of the two hearings on Capitol Hill, Federal Reserve Chairwoman Janet Yellen promised lawmakers the central bank will scrutinize all big banks in the wake of Wells Fargo’s phony account scandal, the latest sign that fallout from the firm’s missteps could affect the entire industry. Several Democrats said the Wells Fargo scandal was an indication that big banks are too big to manage and should be broken up. The comments were a “reminder of just how unpopular big banks are in Congress, and how much pressure Ms. Yellen and other regulators face to crack down on them”. The Federal Reserve was told to “hold bank executives accountable”.[47]
Leadership and Personal Accountability – Regulators raising the bar for Corporations and Compliance
Management is doing things right. Leadership is doing the right things.
– Peter Drucker
Leadership matters.[48] The articulated need for better leadership and leadership education is due, in significant part, to the apparent deficit of effective and ethical judgment and decision-making on Wall Street or Bay Street.[49] Many challenges leaders in business face involve questions of values. Unfortunately, our business leaders do not always ‘pass’ this test.
There are some things you don’t take liberty with no matter how innovative you are when you lead. For instance, to have integrity means to tell the truth. To be ethical is to do the right thing. These are not fuzzy concepts.
– Rosa Say
In a U.S. survey, industries that the largest numbers of people would like to see “more regulated” are oil, pharmaceutical, health insurance, banking, tobacco and electric and gas utilities. When asked which industries are “generally honest and trustworthy so that you normally believe a statement by a company in that industry” over one third of Americans reply “none”.[50]
The Edelman Trust Barometer, a global survey which polled 1,000 Canadians and 33,000 people globally, shows that Canadians are distrustful of business leaders “and believe government needs to step in to more heavily regulate industries so that consumers can be protected against them”. On an individual level, Canadians are incredibly cynical about business leaders, ranking the CEO of an organization as second-least trusted spokesperson. Unfortunately, corporate boards — whose role it is to oversee the workings of the CEO and C-suite — were trusted only marginally more than CEOs:[51]
“Perhaps the most striking number emerging from the study was that 42% of Canada’s “informed public” believes there is not enough regulation of business, with 53% calling for more regulation of the already heavily regulated financial services sector, 51% calling for more regulation in energy and 48% claiming there needs to be more oversight by government of the food and beverage industry. A staggering 69% of Canada’s informed public believes the government’s role in business is to protect consumers from irresponsible business practices and to regulate business activities to ensure companies are behaving properly.”
The financial crisis that erupted in 2008 exposed weaknesses in the risk management and oversight practices of some of the world’s financial institutions, pointing to failures in corporate governance in the global financial sector. Post-crisis, regulators around the world, Canada’s financial regulator the Office of the Superintendent of Financial Institutions (OSFI) included, responded by introducing new regulatory requirements and enhanced supervision of corporate governance, raising the bar for boards of directors.[52]
When asked last year: “should somebody have gone to jail” in respect to the 2008 financial disaster, former U.S. Federal Reserve Chair Ben Bernanke famously said “Yeah, I think so”, stating that there should have been “more accountability at the individual level”. The 2008 financial crisis required “massive government bailouts and emergency stimulus programs” to “stabilize the system” – but “only after many lost their jobs and wellbeing”.[53]
And now we have the Wells Fargo bank scandal. As a result, U.S. Federal Reserve Chairwoman Janet Yellen has promised the House Financial Services Committee that the central bank will scrutinize all big banks in the wake of the phony account scandal, launching “a broad review of big bank compliance regimes”.[54]
It is widely accepted that prudential regulators and supervisors must be concerned with the risk culture, behaviour and conduct of financial institutions. Over $235 billion in fines related to misconduct have been levied since the financial crisis, which points to the prudential risk that this area represents. The fact that over half of the world’s global systemically important banks have had such misconduct-related fines levied against them, demonstrates that misconduct is not limited to just a few bad apples.
– Assistant Superintendent Jamey Hubbs, Office of the Superintendent of Financial Institutions (Canada)
The fact that regulators did not hold senior executives accountable for their conduct and the events that led to the 2008 financial crisis has fueled the increased emphasis on personal liability in the financial services industry today.[55]
A 2016 DLA survey of in-house counsel and CCOs found that “most (91%) expect increased scrutiny from federal regulators, and 81% are concerned about their personal liability following last fall’s so-called ‘Yates Memo’ [penned by Deputy Attorney General Sally Yates] heralding individual liability as one of the most effective ways to combat corporate misconduct.”[56] While all senior corporate officers are expected to be held more accountable from now on, compliance officers believe that regulators are or will be targeting them in particular.[57]
As personal liability becomes a major focus for regulators around the globe, compliance officers must take a closer look at their individual accountability in ensuring proper compliance procedures are in place.[58]
Significant misconduct anywhere in a financial institution is almost certainly evidence of an important gap between the institution’s written rules or stated policies, and the way things really work. [I]t is evidence of a culture that undermines, or even supplants, the written rules.
– Superintendent Jeremy Rudin, Office of the Superintendent of Financial Institutions (Canada)
Culture and Leadership
Regulators require companies to have an effective internal compliance and ethics program.[59] Organizations must manage and monitor ethics and compliance risk as part of an overall ethics and compliance program.[60]
As you would expect, most organizations have written ethics and compliance practices to govern business practices, transactions, processes, employees and relationships. However, as the growing number of scandals and legal issues attest, this solution may often appear to be “smoke and mirrors”, and not an integrated part of the corporate culture and business operations.[61]
Integrity in compliance and ethics involves walking the walk — not just talking the talk. Integrity is measured by what a corporation does and does not do when it thinks it can get away with something.
– Michael Rasmussen, Compliance Risk Management in the 21st Century
‘Corporate culture’ plays a role in ‘charging decisions’ in the United States. In their ground-breaking joint guidance, the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) explored in depth the impact of the compliance program in charging decisions for FCPA (Foreign Corrupt Practices Act) purposes. Fundamental to that examination is consideration of “the commitment of corporate leaders to a ‘culture of compliance’ and [of whether] this high-level commitment is also reinforced and implemented by middle managers and employees at all levels of a business.”[62]
Regulators came to the realization that without a “culture” of integrity, organizations are likely to view their ethics and compliance programs as a set of “check-the-box activities”, or even worse, as a roadblock to achieving their business objectives. In fact, organizations responsible for some of the most egregious acts of malfeasance have had quite impressive, formalized ethics and compliance guidelines. The problem was that either leadership or a group of influential insiders operated outside of those guidelines.[63]
An organizational culture that encourages ethical conduct as well as a commitment to compliance will not happen accidentally – and no number of rules, policies, monitors or top-down controls will suffice to shape or substitute for it. The culture of an organization is the expression of its values in action; and to be successful it is up to those who shape it—leaders and everyone who follows.[64]
Culture is one of the biggest determinants of how employees behave. Strong “value based” cultures with strong leadership have two common elements: there is a high level of agreement about what is valued, and a high level of intensity with regard to those values.[65] It is generally accepted that values drive behaviors, and behaviors drive outcomes.[66]
While executive leadership may work hard to establish a culture of integrity at headquarters, something often gets lost in translation as one moves farther away from the central office. This is why attention to culture needs to be active and continuous, especially in large organizations with distant outposts.[67] U.S. bank executives – who spoke to Reuters on condition of anonymity – mostly acknowledged their institutions have more work to do:[68]
- Morgan Stanley CEO James Gorman has said that creating a culture of integrity is among his top priorities.
- JPMorgan CEO Jamie Dimon said in the bank’s 2014 annual report that his firm needed to “redouble” efforts to reform its culture after making “a number of mistakes – some of them quite painful and costly – over the last several years.” The mistakes included a $13 billion deal with the U.S. government to settle allegations of overstating the quality of bad mortgages to investors. Since then, JPMorgan launched an examination of its culture that included interviews between senior executives and over 16,000 employees.
- Citigroup Inc. also recently launched an internal video series in which senior executives discuss how they handled business decisions in gray areas of ethics. The bank also lets employees know when colleagues are dismissed for inappropriate conduct, such as in 2014 when it dismissed 12 employees after finding fraudulent loans in Mexico. This was communicated to the firm in a memo from CEO Michael Corbat.
- Morgan Stanley’s risk and compliance officers are evaluating “material risk-takers,” such as bankers and traders. This feedback will play a factor in promotion and compensation decisions.[69]
- European bank executives are also focused on promoting a culture of honesty.
- Deutsche Bank AG CEO John Cryan has spoken publicly about the German lender’s need to change.
- Former Barclays PLC CEO Antony Jenkins’ focus on improving the British bank’s culture led to the employee-inspired nickname ‘St. Antony’.
In Canada, OSFI has scrutinized the country’s financial institutions to determine whether their internal “culture” is sufficient to quell the type of risk-taking that led to the financial crisis. Canadian Professor of law in governance and ethics, Richard Leblanc, has stated that the issue is significant as “culture may rival financial performance in importance”.[70]
It can appear that an institution is very much on board with what we’re doing, but if it’s not really gaining traction in the institution, it’s not accomplishing any of the things that we need it to accomplish, … we’re looking for evidence that the bank’s – and insurer’s – stated policies don’t really have traction in the organization.
– Jeremy Rudin, Superintendent of OSFI
Superintendent Rudin noted that OSFI is committed to probing deeper even in cases where the senior executives and the board of directors are obviously setting the right “tone from the top,” and that means digging well below the surface of written policies, all the way to the front lines of business.[71]
Most leaders believe they understand and can define their organization’s culture. However, often there is a gap between management’s perception of the culture and how the rest of the organization views it. It is a mistake for leaders to assume they always have their finger on the pulse of the organization’s culture. To get a more accurate picture, organizations can set up listening posts, such as cultural assessments using employee surveys and outside observers. It is especially helpful to offer avenues, such as focus groups, run by third parties, for employees to provide open-ended responses that truly reflect their perceptions of the organization.[72]
Values—with ethics and integrity at their core—must be clearly and consistently communicated. Messaging needs to be explicit and repeated, so that it becomes embedded in how work gets done. Communicating culture can be especially challenging when crossing borders. It is important that everyone understands the expected behaviors of the organization and the principles against which decisions will be made.[73]
Organizations will have their values and ethics defined somewhere. Either management will lead, or others will define it for them. Where values and ethics are not centrally defined and communicated by leadership as a part of corporate culture, the organization risks going in a direction it never intended. Additionally, an ad hoc approach to defining corporate values leaves the door wide open for corruption.
This requires the organization to define its culture at the top, but also to communicate and model it down to the lowest level employee. No longer can an organization sit back and show unwillingness to influence employee behavior. The job of the Compliance Officer and Compliance Department is to articulate and communicate the culture as defined by the board of directors and executives, establish it in policies and procedures, and monitor compliance on a continuous basis. In the past this was done in reaction to Regulators and legislation in a post-Enron world. This has changed significantly. Expanded regulations, a flat world, increased criminal and personal liability on executives, extensive decentralization of the enterprise, social media, the era of WikiLeaks, an agitated public, and stressed economic markets all require that the organization do more than talk about integrity.[74]
Companies with culture and business values as key priorities (value-based or principle-based program or model) are more than twice as likely to sustain highly effective ethics and compliance programs than those which do not, and also have substantially improved compliance related outcomes. The most effective ethics and compliance programs pursue as a primary mandate “ensuring ethical behaviors and alignment of decision making and conduct with core values”, which is true of less than half of the least effective programs which give the highest priority to “ensuring compliance with rules and regulations” (command and control program or model).[75]
The lack of effectiveness of even some very comprehensive command and control compliance programs to prevent serious and hugely damaging misconduct has been exemplified on countless occasions in highly regulated industries, including pharmaceuticals, financial services and energy. By definition, large players in these fields have significant rules-based systems of controls and layers of oversight. The repeated failure of these systems is evidence enough of their limitations.[76]
As some research has shown, instead of a “command and control” culture – a poor management method that is limited in its ability to engage employees or elevate behavior – there should be a focus on a purpose driven and values/principle-based behaviours culture that includes a Code of Conduct, guidelines and procedures, training, and appropriate oversight.[77]
Leadership’s ability to inspire others to work towards positive and ethical change is critical to the success of an organization. People want to believe in the ability of their leaders to guide change and achieve success. For a corporation to have integrity, it must be an ethical environment with employees and business partners willing to follow and enforce corporate culture, policies, and procedures. Employees want to work for a corporation committed to doing the right thing, in sync with their personal values and beliefs, and which has the integrity to live by their communicated practices and commitments.[78]
The potential of your organization rests on the strength of its people. Build great leaders.
– Craig Groeschel
A strong culture helps to build positive relationships with regulators and it helps attract long-term investors. In due course, a culture of integrity is reflected in superior, long-term performance.[79]
Chief Compliance Officer (CCO)
Compliance is a difficult and prevalent business concern, in part because of the large number of regulations that require companies to be vigilant about maintaining a full understanding of their regulatory compliance requirements.[80] In the U.S. there are thousands of new regulations each year.[81] Multinational organizations must be particularly cognizant of the regulatory compliance requirements of each country they operate within. Similarly, the implications of many new rules and policies introduced in other countries will affect Canada, and those effects need to be monitored and carefully considered.[82]
Today, organizations in highly regulated industries generally have a Chief Compliance Officer (CCO) – a senior executive within the company – who has a duty to his or her employer to work with management and staff to identify and manage regulatory risk.[83]
The role of the Compliance Department, and the Chief Compliance Officer where there is one in place, has changed. This evolution can be traced back to the various corporate scandals. Compliance has now emerged as a specialty, important as its own department, and a career path complete with its own professional literature, conferences and “bottomless pool of anxieties”.[84]
The role is evolving from several compliance areas to become a strategic pillar of the organization. Regardless of the actual title utilized in a particular company, what was scattered across business functions — with a concentration in legal — is now coming of age as a senior executive role in many sophisticated organizations, and in particular in highly regulated sectors or industries.[85]
The role of compliance and a CCO depends on the size of the organization, ownership structure, the type of sector and industry, the nature, scope and complexity of operations, risk profile, and the level of regulation. As noted by Deloitte:[86]
“While for some organizations the CCO role remains frozen in time, for others, it has transitioned into one that is both strategic and value-adding. Companies with world-class ethics and compliance programs make sure they have a world-class CCO leading the charge. These individuals have helped to bring the profession to a new level.”
What’s happening is corporate America is seeing that the position they once thought might be more of a mid-level is more of a higher level.
– Roy Snell, CEO, Society of Corporate Compliance and Ethics[87]
The traditional role of compliance management is transitioning out of legal and other areas, and taking on broader responsibility for ethics, compliance, integrity, culture, and social responsibility across the organization. With the burden of increased scrutiny, oversight, and ethics, the position of CCO is climbing the corporate ladder to a higher status. In the U.S., the Federal Sentencing Guidelines—as well as a number of corporate integrity agreements from multiple federal agencies—appear to favour a strong, independent compliance function, led by a full-time CCO who is separate from the general counsel and ideally has a direct reporting relationship to the CEO and the board of directors.[88]
- This is most frequent in highly regulated industries.
- Some organizations are differentiating between operational compliance and legal compliance by having legal monitor and interpret laws that impact the organization.
Going forward, it is anticipated that pressure will increase from regulators and government agencies for one role to have oversight and be accountable for compliance risk management. For highly regulated industries and large sophisticated organizations that will likely be the Chief Compliance Officer.[89]
Regulators are also focusing on who the compliance executives report to. The Office of the Comptroller of the Currency recently told some big banks that it doesn’t want the compliance officers to report to executives who run businesses directly … The idea is to give compliance officers more independence from those executives who help set policies and manage people in the field.
– Emily Glazer, Wall Street Journal[90]
The 2016 DLA Piper survey noted that “most CCOs – 44% – report to the chief legal officer; followed by 25% who report to the CEO”.[91]
The CCO must embrace a strategic view that satisfies the demands of different stakeholders, while “meeting organizational objectives and delivering strategic value” within an integrated ethics and compliance approach. In other words, the organization must meet its objectives while being compliant with the boundaries set by laws, regulations, contractual and corporate commitments, and social responsibility obligations.[92]
The challenges companies face domestically and internationally demand a CCO with a steady hand, a cool head, the ability to think carefully, and the competence to act in a timely and appropriate manner when the circumstances require.
As a key player at the center of the strategic team of the enterprise, the Compliance department and role (i.e. the CCO, or General Counsel or other compliance lead if there is no CCO) must build collaborative relationships with other governance, risk management and compliance roles across the business (i.e. Privacy, Risk Management, Legal, etc.)[93], and address wide-ranging stakeholder demands and concerns, such as:[94]
- The desire to move compliance from corporate cop to champion of values, ethics, and culture within the organization.
- Key external stakeholder (investors, regulators, NGOs, local communities) demands for transparency and evidence of effective compliance and ethics.
- The board and C-suite need clear and reliable information about ethics, culture, and regulatory risks to drive strategic decisions and future outcomes.
- Compliance executives need to allocate limited resources to minimize exposure to significant compliance and ethical risks.
- Line executives need policy communications, training, surveys, and compliance risk assessments that do not disrupt operations, as well as coordinated compliance calendars, and content.
- An overarching need for improved efficiencies and reduced risk throughout the extended enterprise that align business relationships with the organization’s values and code of conduct, while meeting compliance obligations.
- Management of decentralized organizations where compliance owners and managers are located around the world.
- Identification, assessment, and management of operational risk.
- Establishment of clear lines of accountability to gain greater control and responsibility for compliance/operational risk. This calls for a “three lines of defence” structure that is appropriately robust depending upon an organization’s size, ownership structure, nature, scope and complexity of operations, corporate strategy and risk profile.
- Validation that the organization’s culture and practices align with other commitments to corporate social responsibility and sustainability.
There is a difficult path ahead for ethics and compliance management. Today’s CCO plays a strategic role within the organization, helping to shape organizational strategy, setting the “tone at the top” while gauging the “mood in the middle” and the “buzz at the base.” The CCO – if properly supported by the Board and CEO – can and should be instrumental to making compliance a dynamic, rather than a reactive, endeavor and establishing an ethics and compliance program that safeguards both the organization and its reputation.[95]
Ethics and Compliance program – emerging best practice models
Managing an organization’s ethics and values is challenging enough.
However, as noted, the Compliance Officer has more to do than find and fix problems and ensure compliance requirements are met. Today’s Compliance Officer has to ensure compliance risk is understood and managed, that organizational obligations are more than written policies but part of the fabric of business operations and interactions, and that there is a strong corporate culture that ensures social responsibility as part of the ethical environment. A strong ethics and compliance program is based on values, but requires a risk-based approach to understanding and prioritizing limited resources to prevent and/or reduce risk.[96]
Yesterday’s compliance program will no longer work. The 21st century demands a robust values-based compliance program to manage the breadth and depth of ethics and compliance risk that bears down on the organization today. Today’s Compliance departments must utilize real-time risk intelligence gathering, and leverage technology to enable smart decision making and risk management.
Strong organizations are choosing to create additional structure around their ethics and compliance program. This can include the appointment of a Chief Ethics Officer (or expanding the Chief Compliance Officer’s role to include specific responsibility for the ethics program), enhancing the code of conduct and related controls and procedures, and improving accountability for ethical behavior through training and performance assessments.[97]
In particular, an effective compliance program should be based on common core processes and best practices that Compliance can establish to manage the organization’s compliance risk (a business process framework). However, the activities that define the organization’s compliance program should be customized based on its unique situation. This would include taking into account the organization’s underlying risks; the nature, scope and complexity of the business; products; customers; type of sector and industry; risk profile; and level of regulation. Traditional compliance models were designed in a different era and with a different purpose in mind, largely as an enforcement arm for the legal function. Organizations, especially in highly regulated sectors, should review and consider appropriate emerging best-practice models to manage and monitor compliance risk.[98]
The 2016 DLA Piper survey found that monitoring is the weakest area in the majority of compliance programs.[99]
What does the future hold?
Broad Review of Compliance Regimes
U.S. Federal Reserve Chairwoman Janet Yellen has promised the U.S. House Financial Services Committee that the central bank will scrutinize all big banks in the wake of the Wells Fargo phony account scandal, and is launching “a broad review of big bank compliance regimes”.[100]
Increased Emphasis on Personal Liability and Accountability of Executives
The fact that regulators did not hold senior executives accountable for their conduct and the events that led to the 2008 financial crisis has fueled the increased emphasis on personal liability in the financial services industry today.[101] At the hearing on Capitol Hill, the regulator was told by at least one lawmaker (Representative Stephen Lynch) to “hold bank executives accountable”.[102]
Americans should never believe, even incorrectly, that one’s criminal activity will go unpunished simply because it was committed on behalf of a corporation.
– Deputy Attorney General Sally Yates
This pronouncement by U.S. Deputy Attorney General Sally Yates[103] was made a day after she issued new guidance to Department of Justice (DOJ) attorneys outlining the importance of individual accountability in DOJ prosecutions. The new guidelines, issued September 9, 2015[104] and referred to informally as the “Yates Memo,” articulated several changes to DOJ policy, applicable to criminal as well as civil enforcement matters. The shift in policy appeared to be a response to repeated criticism that too many executives evaded punishment for wrongdoing related to the 2008 financial crisis and a related push to improve integrity within the banking sector.[105]
The Yates Memo states that “one of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing”.
The words sent “waves of apprehension through the corporate compliance world last fall”, and “seemed to signal a new era of scrutiny and personal liability for senior executives and compliance officers”.[106]
Defence Attorney Dennis Boyle wrote a ‘guest comment’ in the Washington Business Journal in January 2016 stating that the goal of the Yates Memo “is more people in prison.”[107] In more diplomatic circles, the so-called “Yates Memo” has been referred to more tactfully as “heralding individual liability as one of the most effective ways to combat corporate misconduct”.[108] There appears to be a “new emphasis on individual accountability” as Department of Justice attorneys appear to be under clear instruction to prosecute corporate employees.[109]
Other jurisdictions that have made policy initiatives include the UK, Canada, and Australia:
- In the UK, a new law was implemented in March of this year that introduced more stringent requirements and expectations for senior managers in respect to accountability, and may be stricter than any other jurisdiction in the world (Senior Managers and Certification Regime).[110] The regime requires organizations to allocate prescribed responsibilities clearly to individuals and document the accountabilities in formal ‘responsibility maps’.
- In Canada, OSFI published a revised guideline on regulatory compliance management which includes provisions for responsibility, accountability, and regulatory expectations.[111]
- In Australia, the Chairman of the Australian Securities and Investments Commission has initiated a plan to incorporate culture into its role as a conduct regulator. Although the details are not clear, some commentators suggest this may have implications for personal liability or at least accountability.[112]
As one would expect, “the anxiety level is up”.[113]
With respect to companies generally, it is anticipated that all senior corporate officers will be held more accountable from now on, and many compliance officers believe that regulators are or will be targeting them in particular.[114] Compliance officers are feeling the heat of a climate targeting senior individuals, and believe that their role, rather than that of the chief executive, “carries the most personal liability”.[115]
Compliance should become its own profession with its own clearly delineated standards for admission into the profession, much like lawyers and accountants and auditors already have arranged. An inevitable result of this kind of clarification of the role of Compliance, with its emphasis on professionalism and business knowledge and training, will be an elevation of the reputation and prestige of the compliance function and the individuals who reside within it.
– Robert Cusumano
The Thomson Reuters report, ‘Rising personal liability–perception and reality: how best to manage personal regulatory risk’,[116] appears to confirm this trend. The report is based on a survey of more than 2,000 risk and compliance practitioners at Thomson Reuters client summits in New York, London, and Sydney, as well as other global regions, and included those representing banks, brokers, insurers and asset managers.[117] Among the key findings of the report are that:[118]
- Sixty-seven percent of those at the New York summit, and 59 percent at the London summit, say that compliance officers carry the most personal liability for failing to catch high-risk behavior. The chief executive is cited second, by 22 percent of summit participants in New York and 30 percent in London.
- Ninety-three percent of respondents in New York say they expect compliance officers’ personal liability to increase in the next year, with 64 percent anticipating a ‘significant increase.’
- Sixty-four percent of respondents report there is a worldwide trend in regulatory regimes focusing more on individual accountability.
Regulators have increasingly taken the position that they want to make sure compliance officers aren’t merely rubber-stamping bank decisions and that there are penalties in place when the executives willfully overlook bad behavior or fail to see it through monitoring systems they have signed off on.[119] Even prior to the Wells Fargo fiasco, several recent enforcement actions found compliance officers personally liable for mistakes within their firms, and compliance officers at several financial institutions have faced fines, banishment, suspension, or firing for their alleged roles in violating regulatory rules.[120]
Some U.S. commentators are of the opinion that compliance officers have in fact been singled out by U.S. regulators, including the Securities and Exchange Commission, the Financial Industry Regulatory Authority, and the Treasury Department’s Financial Crimes Enforcement Network.[121] In response, some executives are increasingly seeking their own lawyers, asking for more protection in employee contracts, and requesting banks pay for liability insurance coverage.[122] In this vein, insurance broker Marsh has recently announced it has launched a new product aimed at covering the costs of chief compliance officers who are targeted by regulators for being gatekeepers for non-intentional conduct (i.e. a regulator finding fault with the design of a compliance program and ascribing blame to the CCO). The insurance is “not intended to protect intentionally criminal behaviour”.[123]
Compliance officers say they feel unfairly singled out.
– Emily Glazer, Wall Street Journal[124]
Andrew Ceresney, director of the SEC’s Enforcement Division, said he was aware of the concern within the industry over the recent enforcement actions but has stressed that the agency brought cases “only when the conduct crossed a clear line”[125], and that compliance officers are not an enforcement target.[126] The SEC Enforcement Director has said that there is no trend and no second-guessing of a chief compliance officer’s professional judgment, and noted in a speech to the National Society of Compliance Professionals:[127]
- “Rather, we have brought actions when there was a wholesale failure to develop such policies or to implement them.” Of more than 8,000 enforcement actions since 2003, only five were against individuals with CCO-only titles at money manager firms, absent other issues.
- “We look hard at the facts and fairness concerns in each case. The overwhelming majority of the cases we bring involve CCOs who crossed a clear line by engaging in affirmative misconduct or obstructing regulators, or who wore multiple hats.”
- “There has been no change in our long-standing careful and measured approach to determining whether we should charge a CCO.”
- The SEC brings cases against CCOs “when they are directly involved in fraudulent activity or other conduct that harms investors.”
- Recent SEC enforcement actions should serve to bolster the CCO’s role, by demonstrating the need for adequate compliance resources, cooperation and transparency within a firm.
Other commentators suggest that although regulators may not be changing the role of the compliance officer (which is to identify risks and help direct the organization’s response), they appear to be increasingly willing to articulate their expectations about the role, and to enforce failures to meet their expectations.[128] It is perceived that the SEC’s oversight of compliance officers is changing in tone, and that “tone has turned a little more skeptical.”[129]
Officials of the National Society of Compliance Professionals (“NSCP”) have sought to raise their concerns about “liability by hindsight” in U.S. investment cases where the compliance officer might or should have known of ways to prevent a violation. The Executive Director has said that “increasingly, the liability standard being applied is one of simple negligence.” At the heart of compliance officers’ concern is the pursuit of enforcement actions under what is called the “Compliance Rule” (Rule 206(4)-7 of the Investment Advisers Act), which requires registered investment advisers to adopt and implement written policies and procedures designed to prevent violations.[130]
Civil Actions by Institutional Investors
The growing scrutiny of compliance programs has also drawn the attention of institutional investors, who “are becoming much more attuned to the quality of compliance programs”. Some experts in the area predict that a major investor may sue a chief compliance officer, in light of recent SEC actions and speeches to the effect that the CCO’s job is to protect investors. Critics believe the actual rule requires a CCO to implement reasonable policies and procedures so that a firm complies with securities laws, not that the SEC or Congress has specifically mandated that a CCO’s job is to protect investors. The suggestion is that this interpretation may take a CCO’s liability too far.[131]
Controversial New Laws imposing Criminal Responsibility Proposed
In line with increased regulatory scrutiny, the U.S. and UK are looking to introduce controversial new laws that will impose criminal responsibility against compliance officers and company executives:
- In the United States – New York’s principal financial regulator, backed by New York Governor Andrew Cuomo, wants the power to seek criminal charges against compliance officers in some cases.[132]
- In the United Kingdom – Prime Minister Theresa May’s proposed UK criminal finance bill seeks to make companies and directors criminally responsible for failing to prevent money laundering, false accounting, and fraud by employees. It is central to the Prime Minister’s high-profile plan to curb “boardroom excess” and improve corporate governance in UK companies. Attorney General Jeremy Wright notes that prosecution can be avoided by taking “the actions necessary to discourage such offending in the first place”.[133]
Unintended Consequences – Anxiety Level Up: Compliance Officers reconsidering their Profession
A recent survey indicates that increased scrutiny from both the U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC) — both of which have declared their intent to hold individuals personally liable for corporate misconduct — has many chief compliance officers (CCOs) reconsidering their chosen profession.[134] The anxiety level is up. The heightened accountability is driving experienced people to be more cautious about the profession.[135] The DLA Piper survey found that 65% might hesitate to remain in their current position or consider future compliance roles to avoid the risk of personal liability.[136]
Not surprisingly, approximately three dozen senior bank-compliance executives in the United States left their jobs in 2015, three times the number in 2014. Most of those were in positions overseeing anti-money laundering or financial crime. Such executives are also often responsible for getting banks to adapt to the inundation of new regulations in recent years.[137]
The concern in this environment is how to “attract the best and brightest to be compliance officers? You don’t want to chill good people from this very important job.”[138] The DLA Piper survey report notes that it may indeed be more “difficult to find qualified candidates for compliance roles, particularly for early-to-mid career professionals who may be unwilling to spend the next several decades bearing the risk that a corporate misdeed will ruin their career and/or personal life”.[139]
The fear is that if the pool of compliance professionals shrinks, internal corporate problems will grow unchecked to the public’s detriment.[140]
Conclusion
An ethical culture is the core element of an organization’s compliance program. If the culture of the organization does not support principled performance, then all of the written policies and procedures, people, processes, and technologies that are put in place to mitigate ethics and compliance risks will not be effective.
Government regulators from a host of disparate disciplines are intensely focused on ensuring organizations have the appropriate controls in place relevant to their sector, industry, and business. Navigating regulatory matters in most industries has never involved more challenges than it does today.
In a business environment where reputational threats lurk around every corner, a strong culture of ethics and compliance is the foundation of a robust risk management program. The lessons learned related to scandals and organizational crises that trace back to the early 2000s make one thing clear: without an ethical and compliant culture, organizations will always be at risk.
Good risk management fosters vigilance in times of calm and instills discipline in times of crisis.
– Dr. Michael Ong
Many challenges that leaders in business face involve questions of values.
For the 21st century, in order to implement a sustainable ethics and compliance program that is truly effective in shifting behaviour and mitigating risk, corporate leadership should look at embracing a “governance, culture and leadership” mindset.
Leadership matters.
Eric Sigurdson
Endnotes:
[1] DLA Piper’s 2016 Compliance & Risk Report: CCO’s Under Scrutiny [www.dlapiper.com/compliance_survey/?utm_campaign=e4&utm_medium=social&utm_source=FRblog&utm_content=personalliability]; Deloitte, Corporate Culture: The second ingredient in a world-class ethics and compliance program, 2015 [http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-corporate-culture-112514.pdf]; Wayne Brody and Mark Rowe, Corporate Culture and Compliance in the 21st Century, New York Law Journal: Compliance, October 27, 2014 [http://nylawyer.nylj.com/adgifs/specials/2014_1027_ssCompliance.pdf]; Dina Medland, Corporate ‘Culture’ Is Not About Art, Forbes, March 22, 2015 [http://www.forbes.com/sites/dinamedland/2015/03/22/corporate-culture-is-not-about-art-no/#6e2ca6d81205]; Jamey Hubbs, Risk Awareness: Finding the Risks Before They Find You – Remarks by Assistant Superintendent Jamey Hubbs to the Northwind’s 2016 Financial Services Invitational Forum, Cambridge, Ontario, May 5, 2016, OSFI; Jeremy Rudin, Remarks by Superintendent Jeremy Rudin to the C.D. Howe Institute, Toronto, Ontario, Canada, June 17, 2016, Office of the Superintendent of Financial Institutions, osfi-bsif.gc.ca. Also see, Jeremy Rudin, Enabling More Effective Governance of Canadian Financial Institutions – Remarks by Superintendent Jeremy Rudin to the Global Risk Institute, Toronto, Ontario, June 14, 2016, Office of the Superintendent of Financial Institutions, osfi-bsif.gc.ca. Also see: OSFI Mandate, osfi-bsif.gc.ca; Office of the Superintendent of Financial Institutions, Corporate Governance Guideline, January 2013 [http://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/CG_Guideline.aspx].
[2] Deloitte, Corporate Culture: The second ingredient in a world-class ethics and compliance program, 2015 [http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-corporate-culture-112514.pdf]
[3] Jesse Ferreras, Elizabeth Warren Rips Wells Fargo CEO a New A**hole after Bank made Fake Accounts, Huffington Post, September 20, 2016; Bob Bryan, Elizabeth Warren: Wells Fargo’s CEO losing $41 million in stock is a ‘small step’, but not enough, BusinessInsider.com, September 28, 2016.
[4] DLA Piper’s 2016 Compliance & Risk Report: CCO’s Under Scrutiny [www.dlapiper.com/compliance_survey/?utm_campaign=e4&utm_medium=social&utm_source=FRblog&utm_content=personalliability].
[5] Wayne Brody and Mark Rowe, Corporate Culture and Compliance in the 21st Century, New York Law Journal: Compliance, October 27, 2014 [http://nylawyer.nylj.com/adgifs/specials/2014_1027_ssCompliance.pdf].
[6] Deloitte, Corporate Culture: The second ingredient in a world-class ethics and compliance program, 2015 [http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-corporate-culture-112514.pdf]
[7] Wayne Brody and Mark Rowe, Corporate Culture and Compliance in the 21st Century, New York Law Journal: Compliance, October 27, 2014 [http://nylawyer.nylj.com/adgifs/specials/2014_1027_ssCompliance.pdf]
[8] Dina Medland, Corporate ‘Culture’ Is Not About Art, Forbes, March 22, 2015 [http://www.forbes.com/sites/dinamedland/2015/03/22/corporate-culture-is-not-about-art-no/#6e2ca6d81205]
[9] Wayne Brody and Mark Rowe, Corporate Culture and Compliance in the 21st Century, New York Law Journal: Compliance, October 27, 2014 [http://nylawyer.nylj.com/adgifs/specials/2014_1027_ssCompliance.pdf]
[10] Wayne Brody and Mark Rowe, Corporate Culture and Compliance in the 21st Century, New York Law Journal: Compliance, October 27, 2014 [http://nylawyer.nylj.com/adgifs/specials/2014_1027_ssCompliance.pdf]
[11] Jamey Stubbs, Risk Awareness: Finding the Risks Before They Find You – Remarks by Assistant Superintendent Jamey Hubbs to the Northwind’s 2016 Financial Services Invitational Forum, Cambridge, Ontario, May 5, 2016, OSFI; Also see, Office of the Superintendent of Financial Institutions, Regulation and Guidance:
- Corporate Governance Guideline, January 2013 [http://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/CG_Guideline.aspx] – “culture” referenced in part III. The Role of the Board of Directors – Board Oversight of Internal Controls; part IV. Risk Governance – Risk Appetite Framework (requires all financial institutions’ ‘risk appetite framework’ to be “embedded within the culture”, and that “all operational, financial and corporate policies, practices and procedures” within the company “support the risk appetite framework”).
- Operational Risk Management Guideline, June 29, 2016 – operational risk appetite statement, three lines of defence, identification and assessment of operational risk, etc. [http://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/e21.aspx]
[12] Jeremy Rudin, Remarks by Superintendent Jeremy Rudin to the C.D. Howe Institute, Toronto, Ontario, Canada, June 17, 2016, Office of the Superintendent of Financial Institutions, osfi-bsif.gc.ca. Also see, Jeremy Rudin, Enabling More Effective Governance of Canadian Financial Institutions – Remarks by Superintendent Jeremy Rudin to the Global Risk Institute, Toronto, Ontario, June 14, 2016, Office of the Superintendent of Financial Institutions, osfi-bsif.gc.ca. Also see: OSFI Mandate, osfi-bsif.gc.ca.
[13] Deloitte, Corporate Culture: The second ingredient in a world-class ethics and compliance program, 2015 [http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-corporate-culture-112514.pdf]; Wayne Brody and Mark Rowe, Corporate Culture and Compliance in the 21st Century, New York Law Journal: Compliance, October 27, 2014 [http://nylawyer.nylj.com/adgifs/specials/2014_1027_ssCompliance.pdf]
[14] Malfeasance: illegal or dishonest activity, especially by a public official or a corporation.
[15] Eric Sigurdson, Crisis Management and Corporate Wrongdoing: critical steps to crisis management in the 21st Century, SigurdsonPost.com, September 11, 2016. [http://www.sigurdsonpost.com/2016/09/11/crisis-management-corporate-wrongdoing-critical-steps-to-crisis-management-in-the-21st-century/]
[16] Robert Cusumano, Compliance: What is it and where does it belong?, Inside Counsel, March 17, 2016.
[17] Dov Seidman, Why Companies Shouldn’t ‘Do’ Compliance, Forbes, May 4, 2012.
[18] Dov Seidman, Why Companies Shouldn’t ‘Do’ Compliance, Forbes, May 4, 2012. – “How would a global company build a big enough bureaucracy to ensure that all 100,000 employees in its operating companies worldwide follow each and every law and regulation? Even further, how could the CEO of that company be assured that his or her people were acting according to the even higher standard of behavior demanded by its stakeholder community? The answer? They can’t. Even if this company were 99.9 percent successful in its compliance efforts, that’s still 100 instances of non-compliance every day. … That’s why I believe this is the moment to rethink how we operate, how we govern, how we lead and how we relate to society. As we do this, we should identify the kinds of behaviors we need to protect us lurching from crisis to crisis and propel us toward growth in our more interconnected and interdependent world. … To be truly effective in shifting behavior, and moving an organization forward, leadership must move from a “governance, risk and compliance” to a “governance, culture and leadership” mindset. Focusing on actions that will build and maintain a values-based system of “governance, culture and leadership” will mean less compliance activity, less cost, and more compliance as a result of real, tangible and sustainable behavior change.”
[19] Deloitte, Corporate Culture: The second ingredient in a world-class ethics and compliance program, 2015 [http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-corporate-culture-112514.pdf]
[20] The Global Risk Institute provides valuable support to boards of financial institutions in helping to address risk issues. The GRI was founded in 2011 as a result of an idea conceived by Mark Carney, Governor of the Bank of England and Jim Flaherty, former Canadian Minister of Finance. There was an initial group of sixteen financial institutions, with the Governments of Canada, Ontario, TD Group and Manulife being the core founders. [http://globalriskinstitute.org/about/gri-board-of-directors/]. Also see, Jeremy Rudin, Enabling More Effective Governance of Canadian Financial Institutions – Remarks by Superintendent Jeremy Rudin to the Global Risk Institute, Toronto, Ontario, June 14, 2016, Office of the Superintendent of Financial Institutions, osfi-bsif.gc.ca. Also see: OSFI Mandate, osfi-bsif.gc.ca.
[21] Deloitte, Corporate Culture: The second ingredient in a world-class ethics and compliance program, 2015 [http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-corporate-culture-112514.pdf]
[22] Dina Medland, Corporate ‘Culture’ Is Not About Art, Forbes, March 22, 2015 – UK Business Secretary Vince Cable said: “improving corporate culture – so employees feel valued, listened to, and confident about raising concerns – requires further action.” [http://www.forbes.com/sites/dinamedland/2015/03/22/corporate-culture-is-not-about-art-no/#6e2ca6d81205]
[23] Ryan Tracy, Yellen Pressed to Scrutinize Big Banks in Wake of Wells Fargo Scandal: Fed Chief tells House lawmakers the central bank has launched a review of big bank compliance regimes, Wall Street Journal, September 28, 2016.
[24] Emily Glazer, The Most Thankless Job on Wall Street Gets a New Worry: Recent enforcement actions find compliance officers personally liable, Wall Street Journal, February 11, 2016 [http://www.wsj.com/articles/now-in-regulators-cross-hairs-bank-compliance-officers-1454495400]; Onyeka Osuji, Company bosses could be criminally liable for employee misconduct under a proposed new UK law, BusinessInsider.com, September 21, 2016; Bosses could face jail for failure to prevent fraud, BBC.com, September 12, 2016; Debbie Miller, Regulators pushing more personal liability for senior officers, Thomson Reuters says: Firms need to invest in systems that will increase senior managers’ ability to see and better manage risks in various business activities, Corporate Secretary, November 20, 2015. [www.corporatesecretary.com/articles/regulation-and-legal/13034/regulators-pushing-more-personal-liability-senior-officers-thomson-reuters-says/].
[25] Debbie Miller, Regulators pushing more personal liability for senior officers, Thomson Reuters says: Firms need to invest in systems that will increase senior managers’ ability to see and better manage risks in various business activities, Corporate Secretary, November 20, 2015. [www.corporatesecretary.com/articles/regulation-and-legal/13034/regulators-pushing-more-personal-liability-senior-officers-thomson-reuters-says/]; Emily Glazer, The Most Thankless Job on Wall Street Gets a New Worry: Recent enforcement actions find compliance officers personally liable, Wall Street Journal, February 11, 2016 [http://www.wsj.com/articles/now-in-regulators-cross-hairs-bank-compliance-officers-1454495400]; Also see, Samuel Rubenfeld, Compliance Officers Think Regulators Are Targeting Them, Wall Street Journal, November 9, 2015 – “Compliance officers feel like the authorities are targeting them for wrongdoing at their companies, according to a new survey, despite comments from regulators saying it isn’t the case”.
[26] Samuel Rubenfeld, Compliance Officers Think Regulators Are Targeting Them, Wall Street Journal, November 9, 2015.
[27] Emily Glazer, The Most Thankless Job on Wall Street Gets a New Worry: Recent enforcement actions find compliance officers personally liable, Wall Street Journal, February 11, 2016 [http://www.wsj.com/articles/now-in-regulators-cross-hairs-bank-compliance-officers-1454495400]
[28] OSFI, Regulatory Compliance Management No. E-13, Guideline, November 2014, osfi-bsif.gc.ca – “Regulatory Compliance Management (RCM) framework … should include a mechanism that holds individuals or areas accountable for their assigned duties or function. …“OSFI expects the RCM framework to include … clear lines of responsibility and a mechanism for holding individuals accountable”. Also see, Stacy English and Susannah Hammond, Rising Personal Liability – Perception and Reality: how best to manage personal regulatory risk, Thomson Reuters, 2015 [https://risk.thomsonreuters.com/content/dam/openweb/documents/pdf/risk/report/rising-personal-liability-perception-and-reality-how-best-manage-personal-regulatory-report.pdf].
[29] Jeremy Rudin, Enabling More Effective Governance of Canadian Financial Institutions – Remarks by Superintendent Jeremy Rudin to the Global Risk Institute, Toronto, Ontario, June 14, 2016, Office of the Superintendent of Financial Institutions, osfi-bsif.gc.ca. Also see: OSFI Mandate, osfi-bsif.gc.ca.
[30] Ken Sweet, Wells Fargo CEO will forfeit $41 million in pay after banking scandal, Associated Press, Business Insider, September 28, 2016.
[31] Ken Sweet, Wells Fargo Fined for Opening Millions of Unauthorized Accounts, Associated Press, Huffington Post, September 8, 2016.
[32] Ken Sweet, Wells Fargo Fined for Opening Millions of Unauthorized Accounts, Associated Press, Huffington Post, September 8, 2016. Note: Wells Fargo bank will pay $100 million to the Consumer Financial Protection Bureau (a federal agency), $35 million to the Office of the Comptroller of the Currency, and $50 million to the City of Los Angeles; including restitution to affected customers.
[33] Ken Sweet, Wells Fargo Fined for Opening Millions of Unauthorized Accounts, Associated Press, Huffington Post, September 8, 2016.
[34] Ken Sweet, Wells Fargo Fined for Opening Millions of Unauthorized Accounts, Associated Press, Huffington Post, September 8, 2016; Reuters, Wells Fargo CEO forfeits $41 million as board orders review, Globe and Mail, September 28, 2016.
[35] Ken Sweet, Wells Fargo CEO will forfeit $41 million in pay after banking scandal, Associated Press, Business Insider, September 28, 2016. Also see, Olivia Oran, Wells Fargo scandal reignites debate about big bank culture, Reuters, Finance.yahoo.ca, September 28, 2016 – Senator David Vitter asked CEO Stumpf: “Is it normal for 1 percent of a business unit to be fired over fraud?”. Senator Jeff Merkley later asked a panel of government officials who regulate Wells Fargo “why Stumpf attributed the problem to rogue individuals rather than a pervasive culture or structural incentives installed by bank executives”.
[36] Jesse Ferreras, Elizabeth Warren Rips Wells Fargo CEO a New A**hole after Bank made Fake Accounts, Huffington Post, September 20, 2016; Bob Bryan, Elizabeth Warren: Wells Fargo’s CEO losing $41 million in stock is a ‘small step’, but not enough, BusinessInsider.com, September 28, 2016.
[37] Patrick Rucker and Dan Freed, House panel lambasts Well Fargo CEO Stumpf over phantom accounts, BNN.ca, September 29, 2016; Bob Bryan, Elizabeth Warren: Wells Fargo’s CEO losing $41 million in stock is a ‘small step’, but not enough, BusinessInsider.com, September 28, 2016.
[38] Reuters, Wells Fargo CEO forfeits $41 million as board orders review, Globe and Mail, September 28, 2016; Associated Press, Wells Fargo executives to forfeit millions in bonuses: the company is accused of opening thousands of fake bank accounts to reach aggressive sales targets, CBC.ca, September 27, 2016.
[39] Jesse Ferreras, Elizabeth Warren Rips Wells Fargo CEO a New A**hole after Bank made Fake Accounts, Huffington Post, September 20, 2016; Ken Sweet, Wells Fargo CEO will forfeit $41 million in pay after banking scandal, Associated Press, Business Insider, September 28, 2016.
[40] Ken Sweet, Wells Fargo CEO will forfeit $41 million in pay after banking scandal, Associated Press, Business Insider, September 28, 2016.
[41] Olivia Oran, Wells Fargo scandal reignites debate about big bank culture, Reuters, Finance.yahoo.ca, September 28, 2016.
[42] Olivia Oran, Wells Fargo scandal reignites debate about big bank culture, Reuters, Finance.yahoo.ca, September 28, 2016.
[43] Sarah N. Lynch, Wells Fargo workers say they were fired for reporting ‘gaming’ of sales quotas, Globe and Mail, September 29, 2016.
[44] Sarah N. Lynch, Wells Fargo workers say they were fired for reporting ‘gaming’ of sales quotas, Globe and Mail, September 29, 2016.
[45] Wells Fargo CEO John Stumpf tells U.S. lawmakers bank is eliminating sales goals on Oct. 1, CBC.ca, September 29, 2016; Patrick Rucker and Dan Freed, House panel lambasts Well Fargo CEO Stumpf over phantom accounts, BNN.ca, September 29, 2016.
[46] Bob Bryan, Elizabeth Warren: Wells Fargo’s CEO losing $41 million in stock is a ‘small step’, but not enough, BusinessInsider.com, September 28, 2016.
[47] Ryan Tracy, Yellen Pressed to Scrutinize Big Banks in Wake of Wells Fargo Scandal: Fed Chief tells House lawmakers the central bank has launched a review of big bank compliance regimes, Wall Street Journal, September 28, 2016.
[48] Eric Sigurdson, Lawyers and Leadership: effective and ethical judgement and decision-making required to address societal and professional challenges, Sigurdson Post (sigurdsonpost.com), September 5, 2016.
[49] Eric Sigurdson, Lawyers and Leadership: effective and ethical judgement and decision-making required to address societal and professional challenges, Sigurdson Post (sigurdsonpost.com), September 5, 2016; also see, Donald J. Polden (Dean and Prof of Law, Santa Clara University), Leadership Matters: Lawyers’ Leadership Skills and Competencies, Santa Clara Law Review, Vol. 52, No. 3, September 21, 2012.
[50] Harris Poll, Oil, Pharmaceutical, Health Insurance, Banking, Tobacco and Utilities Top the List of Industries That People Would Like to See More Regulated, prnewswire.com, Dec. 15, 2011; Harris Poll, Oil, Pharmaceutical, Health Insurance, Tobacco, Banking, and Utilities Top the List of Industries That People Would Like to See More Regulated, prnewswire.com, Dec. 15, 2012.
[51] Dan Ovsey, Canadians say more government regulation of industry is needed despite relatively high trust of business, study shows, Financial Post, January 30, 2014.
[52] Jeremy Rudin, Enabling More Effective Governance of Canadian Financial Institutions – Remarks by Superintendent Jeremy Rudin to the Global Risk Institute, Toronto, Ontario, June 14, 2016, Office of the Superintendent of Financial Institutions, osfi-bsif.gc.ca. Also see: OSFI Mandate, osfi-bsif.gc.ca (fostering sound risk management and governance practices; supervision and early intervention; environmental scanning linked to safety and soundness of financial institutions; taking a balanced approach; contributing to public confidence in the Canadian financial system); What is compliance?, International Compliance Association [www.int-comp.org/careers/a-career-in-compliance/what-is-compliance/] – Although there is no unified theory of financial services, the overall key objectives of regulation for western countries (i.e. U.S., UK, Germany, Australia, Canada, etc.) and their regulators are:
- The protection of investors/consumers.
- Ensuring that the markets are fair, efficient and transparent.
- The reduction of systemic risk.
- The reduction of financial crime.
- The maintenance of consumer confidence in the financial system.
[53] Sam Ro, Bernanke: The DOJ should’ve locked up more people for causing the financial crisis, Business Insider, Oct. 5, 2015; Don Pittis, From Bell to VW, shareholders pay for executive sins, CBC News, Oct. 19, 2015. Also see, Eric Sigurdson, Crisis Management and Corporate Wrongdoing: critical steps to crisis management in the 21st Century, SigurdsonPost.com, September 11, 2016. [http://www.sigurdsonpost.com/2016/09/11/crisis-management-corporate-wrongdoing-critical-steps-to-crisis-management-in-the-21st-century/]
[54] Ryan Tracy, Yellen Pressed to Scrutinize Big Banks in Wake of Wells Fargo Scandal: Fed Chief tells House lawmakers the central bank has launched a review of big bank compliance regimes, Wall Street Journal, September 28, 2016.
[55] Debbie Miller, Regulators pushing more personal liability for senior officers, Thomson Reuters says: Firms need to invest in systems that will increase senior managers’ ability to see and better manage risks in various business activities, Corporate Secretary, November 20, 2015. [www.corporatesecretary.com/articles/regulation-and-legal/13034/regulators-pushing-more-personal-liability-senior-officers-thomson-reuters-says/]
[56] Tiffany Robertson, Survey finds potential personal liability impacting compliance profession, Thomson Reuters.com, July 22, 2016; DLA Piper’s 2016 Compliance & Risk Report: CCO’s Under Scrutiny [www.dlapiper.com/compliance_survey/?utm_campaign=e4&utm_medium=social&utm_source=FRblog&utm_content=personalliability].
[57] Debbie Miller, Regulators pushing more personal liability for senior officers, Thomson Reuters says: Firms need to invest in systems that will increase senior managers’ ability to see and better manage risks in various business activities, Corporate Secretary, November 20, 2015. [www.corporatesecretary.com/articles/regulation-and-legal/13034/regulators-pushing-more-personal-liability-senior-officers-thomson-reuters-says/]
[58] Tiffany Robertson, Survey finds potential personal liability impacting compliance profession, Thomson Reuters.com, July 22, 2016; DLA Piper’s 2016 Compliance & Risk Report: CCO’s Under Scrutiny [www.dlapiper.com/compliance_survey/?utm_campaign=e4&utm_medium=social&utm_source=FRblog&utm_content=personalliability].
[59] Wayne Brody and Mark Rowe, Corporate Culture and Compliance in the 21st Century, New York Law Journal: Compliance, October 27, 2014 [http://nylawyer.nylj.com/adgifs/specials/2014_1027_ssCompliance.pdf]
[60] Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011.
[61] Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011.
[62] Wayne Brody and Mark Rowe, Corporate Culture and Compliance in the 21st Century, New York Law Journal: Compliance, October 27, 2014 [http://nylawyer.nylj.com/adgifs/specials/2014_1027_ssCompliance.pdf]
[63] Deloitte, Corporate Culture: The second ingredient in a world-class ethics and compliance program, 2015 [http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-corporate-culture-112514.pdf]. Also see, Jamey Stubbs, Risk Awareness: Finding the Risks Before They Find You – Remarks by Assistant Superintendent Jamey Hubbs to the Northwind’s 2016 Financial Services Invitational Forum, Cambridge, Ontario, May 5, 2016, Office of the Superintendent of Financial Institutions (OSFI), and Jeremy Rudin, Enabling More Effective Governance of Canadian Financial Institutions – Remarks by Superintendent Jeremy Rudin to the Global Risk Institute, Toronto, Ontario, June 14, 2016, Office of the Superintendent of Financial Institutions, osfi-bsif.gc.ca:
In summary: Canada’s financial regulator (OSFI) utilizes a “principles-based approach” and “principles-based supervision”. The previous rules-based approach to corporate governance was set aside to avoid the risk of offering a ‘safe harbour’ to boards, allowing them to comply with the regulations through activities designed mainly to qualify for check marks on a generic to-do list. Effective governance cannot be achieved by ticking boxes. While the principles-based regulation of corporate governance is more challenging for boards, it may be more challenging for OSFI as regulator and supervisor. However, it is currently seen in Canada as a more effective way to pursue the regulator’s mandate.
[64] Wayne Brody and Mark Rowe, Corporate Culture and Compliance in the 21st Century, New York Law Journal: Compliance, October 27, 2014 [http://nylawyer.nylj.com/adgifs/specials/2014_1027_ssCompliance.pdf]
[65] Deloitte, Corporate Culture: The second ingredient in a world-class ethics and compliance program, 2015 [http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-corporate-culture-112514.pdf]
[66] Wayne Brody and Mark Rowe, Corporate Culture and Compliance in the 21st Century, New York Law Journal: Compliance, October 27, 2014 [http://nylawyer.nylj.com/adgifs/specials/2014_1027_ssCompliance.pdf]; Also see, David Greenberg, Ethics and Compliance in the 21st Century, Abbc.org (LRN corp), September 2015; Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011.
[67] Deloitte, Corporate Culture: The second ingredient in a world-class ethics and compliance program, 2015 [http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-corporate-culture-112514.pdf]
[68] Olivia Oran, Wells Fargo scandal reignites debate about big bank culture, Reuters, Finance.yahoo.ca, September 28, 2016.
[69] This is in line with the Canadian regulator, the Office of the Superintendent of Financial Institutions, re “risk culture”: “OSFI is reviewing performance management … looking to see if financial institutions consider the behaviours of individuals or departments against risk appetite when setting compensation levels and promotional opportunities” – Jamey Stubbs, Risk Awareness: Finding the Risks Before They Find You – Remarks by Assistant Superintendent Jamey Hubbs to the Northwind’s 2016 Financial Services Invitational Forum, Cambridge, Ontario, May 5, 2016, Office of the Superintendent of Financial Institutions; James Langton, World’s top banks still guilty of misconduct, Investment Executive, May 6, 2016.
[70] Barbara Shecter, Canada’s bank regulator probing links between risk and ‘culture’ at financial institutions, Financial Post, December 7, 2015.
[71] Barbara Shecter, Canada’s bank regulator probing links between risk and ‘culture’ at financial institutions, Financial Post, December 7, 2015.
[72] Deloitte, Corporate Culture: The second ingredient in a world-class ethics and compliance program, 2015 [http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-corporate-culture-112514.pdf]
[73] Deloitte, Corporate Culture: The second ingredient in a world-class ethics and compliance program, 2015 [http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-corporate-culture-112514.pdf]
[74] Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011.
[75] Wayne Brody and Mark Rowe, Corporate Culture and Compliance in the 21st Century, New York Law Journal: Compliance, October 27, 2014 [http://nylawyer.nylj.com/adgifs/specials/2014_1027_ssCompliance.pdf]
[76] Wayne Brody and Mark Rowe, Corporate Culture and Compliance in the 21st Century, New York Law Journal: Compliance, October 27, 2014 [http://nylawyer.nylj.com/adgifs/specials/2014_1027_ssCompliance.pdf]
[77] Wayne Brody and Mark Rowe, Corporate Culture and Compliance in the 21st Century, New York Law Journal: Compliance, October 27, 2014 [http://nylawyer.nylj.com/adgifs/specials/2014_1027_ssCompliance.pdf]; Also see, David Greenberg, Ethics and Compliance in the 21st Century, Abbc.org (LRN corp), September 2015; Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011:
Europe has been known for a principles-based (or outcomes-based) approach to compliance — which originates from the United Kingdom’s Financial Services Authority. They have turned their focus away from specific requirements toward understanding and interpreting compliance in light of the risk the organization faces, requiring a risk-based approach to compliance.
Australia, through the ASNZ 3806 standard, takes a principles-based approach to compliance. The 12 principles provide guidance to organizations designing, developing, implementing and maintaining an effective compliance program, encompassing: 1. Commitment 2. Implementation 3. Monitoring and measuring 4. Continual improvement.
[78] Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011.
[79] Deloitte, Corporate Culture: The second ingredient in a world-class ethics and compliance program, 2015 [http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-corporate-culture-112514.pdf], Note: Revolving leadership can undermine culture. It is important that the company culture not be dependent on a single person or group. A robust ethics and compliance program—appropriately designed, positioned, and resourced—will survive executive changes at the top of the organization, and key leaders and managers. Also see, Leah Eichler, Two-thirds of your employees are ready to move on, Globe and Mail, October 1, 2016 – plans should be in place to mitigate the flight risk of long term senior personnel who may take with them key experience and ‘institutional memory’.
[80] For example: Six Compliance Issues Your Business Could Face, Forbes.com, July 28, 2016; Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011.
[81] Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011.
[82] 2012-2015 Strategic Plan – The OSC: A 21st Century Securities Regulator, February 27, 2014, p. 8, 14 [http://www.osc.gov.on.ca/documents/en/Publications/pub_20120228_osc-2012-2015-strategic-plan.pdf]
[83] What is compliance?, International Compliance Association [www.int-comp.org/careers/a-career-in-compliance/what-is-compliance/]
[84] Robert Cusumano, Compliance: What is it and where does it belong?, Inside Counsel, March 17, 2016.
[85] Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011; Robert Cusumano, Compliance: What is it and where does it belong?, Inside Counsel, March 17, 2016. Also see, Deloitte, The Chief Compliance Officer: The fourth ingredient in a world-class ethics and compliance program, 2015 – “In practice, the job responsibilities and the titles for these professionals vary, from chief compliance officer (with or without ethics responsibilities) to chief ethics officer (with or without compliance responsibilities) to many models in between. Despite these variables in organizational design, individuals leading efforts to protect the company from ethics and compliance risks have a unique role and special importance within an organization. The principles discussed here apply to those leaders regardless of their title”.
[86] Deloitte, The Chief Compliance Officer: The fourth ingredient in a world-class ethics and compliance program, 2015.
[87] DLA Piper’s 2016 Compliance & Risk Report: CCO’s Under Scrutiny.
[88] Deloitte, In Focus: Compliance Trends Survey 2013, Deloitte and Compliance Week; Deloitte, Ethics and Compliance Issues: Deciding Where to Focus, Wall Street Journal, Oct. 11, 2013 [http://deloitte.wsj.com/riskandcompliance/2013/10/11/ethics-and-compliance-issues-deciding-where-to-focus/]; Deloitte, In Focus: 2015 Compliance Trends Survey, Deloitte and Compliance Week; What is compliance?, International Compliance Association [www.int-comp.org/careers/a-career-in-compliance/what-is-compliance/]; Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011; Robert Cusumano, Compliance: What is it and where does it belong?, Inside Counsel, March 17, 2016; Deloitte, The Chief Compliance Officer: The fourth ingredient in a world-class ethics and compliance program, 2015.
[89] Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011 – Regulators and government agencies are in some cases requiring, or at least encouraging, the role of compliance to report outside of legal so it has greater ability to raise issues and see them resolved:
“What is becoming critical is the CCO’s ability to report to the board of directors. Since 1996 in the U.S., the board has had responsibility to see that a compliance and ethics program is in place. This was most recently made clear in the United States Sentencing Commission Organizational Guidelines that require that the board be knowledgeable about the content and operation of the compliance and ethics program, and exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program — with specific ability for the CCO role to have direct access to the board or an appropriate subgroup of the board.”
[90] Emily Glazer, The Most Thankless Job on Wall Street Gets a New Worry: Recent enforcement actions find compliance officers personally liable, Wall Street Journal, February 11, 2016 [http://www.wsj.com/articles/now-in-regulators-cross-hairs-bank-compliance-officers-1454495400].
[91] Tiffany Robertson, Survey finds potential personal liability impacting compliance profession, Thomson Reuters.com, July 22, 2016; DLA Piper’s 2016 Compliance & Risk Report: CCO’s Under Scrutiny [www.dlapiper.com/compliance_survey/?utm_campaign=e4&utm_medium=social&utm_source=FRblog&utm_content=personalliability].
[92] Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011.
[93] CCO should develop collaborative relationships with: Board of Directors; Chief Executive Officer (CEO); Chief Financial Officer (CFO); Chief Operational Officer (COO); Chief People Officer/Human Resources (CPO/HR); Chief Information Officer (CIO); Chief Risk Officer (CRO); Chief Audit Executive (CAE) / Chief Internal Auditor (CIA); Chief Actuary (CA); General Counsel / Chief Legal Officer (GC/CLO). See, Michael Volkov, Match Made in Heaven: Compliance and Human Resources, Volkovlaw.com, September 27, 2016.
[94] Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011; Office of the Superintendent of Financial Institutions, Regulation and Guidance:
- Corporate Governance Guideline, January 2013 [http://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/CG_Guideline.aspx] – “culture” referenced in part III. The Role of the Board of Directors – Board Oversight of Internal Controls; part IV. Risk Governance – Risk Appetite Framework (requires all financial institutions’ ‘risk appetite framework’ to be “embedded within the culture”, and that “all operational, financial and corporate policies, practices and procedures” within the company “support the risk appetite framework”).
- Operational Risk Management Guideline, June 29, 2016 – operational risk appetite statement, three lines of defence, identification and assessment of operational risk, etc. [http://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/e21.aspx]
[95] Deloitte, The Chief Compliance Officer: The fourth ingredient in a world-class ethics and compliance program, 2015.
[96] Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011.
[97] Deloitte, Corporate Culture: The second ingredient in a world-class ethics and compliance program, 2015 [http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-corporate-culture-112514.pdf]
[98] For example see: Piotr Kaminski and Kate Robu, A best practice model for bank compliance, McKinsey and Company, Mckinsey.com, January 2016. For an older example, see Michael Rasmussen, Compliance Risk Management in the 21st Century, Corporate Integrity, September 2011 – Compliance program management; Compliance risk identification and assessment; Regulatory and risk intelligence; Policy definition, communication, and maintenance; Compliance risk reporting and accountability; Due diligence efforts; Training and communication; Ongoing compliance assessment; Enforcement of the control environment; Record and report issues; Conduct investigations; Implement communication and reporting processes; Third-party relationships. Also see: Jason Heinrich, Sean O’Neill, Neal Goodman, Cutting through the Complexity of Compliance, Bain and Company, Bain.com, May 13, 2015 – authors note that “organizational complexity lies at the heart of several compliance and risk management breakdowns”, and “Big Data is adding to the challenge: putting more data into bad processes and poor decision architectures clogs the system until it breaks down”. System failures have led to major financial penalties for companies and their executives.
[99] Tiffany Robertson, Survey finds potential personal liability impacting compliance profession, Thomson Reuters.com, July 22, 2016; DLA Piper’s 2016 Compliance & Risk Report: CCO’s Under Scrutiny [www.dlapiper.com/compliance_survey/?utm_campaign=e4&utm_medium=social&utm_source=FRblog&utm_content=personalliability].
[100] Ryan Tracy, Yellen Pressed to Scrutinize Big Banks in Wake of Wells Fargo Scandal: Fed Chief tells House lawmakers the central bank has launched a review of big bank compliance regimes, Wall Street Journal, September 28, 2016.
[101] Debbie Miller, Regulators pushing more personal liability for senior officers, Thomson Reuters says: Firms need to invest in systems that will increase senior managers’ ability to see and better manage risks in various business activities, Corporate Secretary, November 20, 2015. [www.corporatesecretary.com/articles/regulation-and-legal/13034/regulators-pushing-more-personal-liability-senior-officers-thomson-reuters-says/]
[102] Ryan Tracy, Yellen Pressed to Scrutinize Big Banks in Wake of Wells Fargo Scandal: Fed Chief tells House lawmakers the central bank has launched a review of big bank compliance regimes, Wall Street Journal, September 28, 2016.
[103] Department of Justice Speech, Sally Quillian Yates, Deputy Attorney General, Remarks at the New York University Program on Corporate Compliance and Enforcement (September 10, 2015) [http://www.justice.gov/opa/speech/deputy-attorney-general-sally-quillian-yates-delivers-remarks-new-york-university-school]
[104] Department of Justice Memo, Individual Accountability for Corporate Wrongdoing, Sally Quillian Yates, Deputy Attorney General (Sept. 9, 2015) [http://www.justice.gov/dag/file/769036/download].
[105] Catherine Greaves, DOJ Stresses Individual Accountability in New “Yates Memo”, AmericanBar.org, ABA Health Law Section, Vol. 12, No. 2.
[106] DLA Piper’s 2016 Compliance & Risk Report: CCO’s Under Scrutiny, Executive Summary [www.dlapiper.com/compliance_survey/?utm_campaign=e4&utm_medium=social&utm_source=FRblog&utm_content=personalliability].
[107] Dennis E. Boyle (defence attorney), Guest Comment – Viewpoint: DOJ edict muddies roles, Washington Business Journal, January 8, 2016.
[108] Tiffany Robertson, Survey finds potential personal liability impacting compliance profession, Thomson Reuters.com, July 22, 2016; DLA Piper’s 2016 Compliance & Risk Report: CCO’s Under Scrutiny [www.dlapiper.com/compliance_survey/?utm_campaign=e4&utm_medium=social&utm_source=FRblog&utm_content=personalliability].
[109] Catherine Greaves, DOJ Stresses Individual Accountability in New “Yates Memo”, AmericanBar.org, ABA Health Law Section, Vol. 12, No. 2.
[110] Debbie Miller, Regulators pushing more personal liability for senior officers, Thomson Reuters says: Firms need to invest in systems that will increase senior managers’ ability to see and better manage risks in various business activities, Corporate Secretary, November 20, 2015. [www.corporatesecretary.com/articles/regulation-and-legal/13034/regulators-pushing-more-personal-liability-senior-officers-thomson-reuters-says/] — Beginning in March 2016, the new Senior Managers and Certified Persons Regime requires banks and the largest asset managers to allocate prescribed responsibilities to individuals and document their accountability in formal ‘responsibility maps’. The UK’s efforts to show the serious consequences that individuals will increasingly face, such as handing down a 14-year prison sentence to a trader convicted of fraud, come in the wake of the Libor rate-fixing scandal. Also see, Deloitte, Senior Managers Regime: Individual accountability and reasonable steps, 2016; James Green, The Senior Managers and Certification Regimes – A Framework for personal accountability – employment aspects, Lexology.com, April 26, 2016.
[111] OSFI, Regulatory Compliance Management No. E-13, Guideline, November 2014, osfi-bsif.gc.ca – “Regulatory Compliance Management (RCM) framework … should include a mechanism that holds individuals or areas accountable for their assigned duties or function.” … “OSFI expects the RCM framework to include … clear lines of responsibility and a mechanism for holding individuals accountable”. Also see, Stacey English and Susannah Hammond, Rising Personal Liability – Perception and Reality: how best to manage personal regulatory risk, Thomson Reuters, 2015 [https://risk.thomsonreuters.com/content/dam/openweb/documents/pdf/risk/report/rising-personal-liability-perception-and-reality-how-best-manage-personal-regulatory-report.pdf].
[112] Greg Medcraft, Meeting our long-term challenges: ASIC’s Corporate Plan, Speech by Chairman Greg Medcraft, Australian Securities and Investments Commission, September 15, 2016; Cathie Armour, Keynote address: Regulatory perspective on conduct risk, culture and governance, Speech by Commissioner Cathie Armour, Australian Securities and Investments Commission, August 18, 2016; Stacey English and Susannah Hammond, Rising Personal Liability – Perception and Reality: how best to manage personal regulatory risk, Thomson Reuters, 2015 [https://risk.thomsonreuters.com/content/dam/openweb/documents/pdf/risk/report/rising-personal-liability-perception-and-reality-how-best-manage-personal-regulatory-report.pdf].
[113] Hazel Bradford, Chief compliance officers prepare for closer SEC scrutiny, Pensions & Investments (pionline.com), January 11, 2016 [http://www.pionline.com/article/20160111/PRINT/301119976/chief-compliance-officers-prepare-for-closer-sec-scrutiny]
[114] Debbie Miller, Regulators pushing more personal liability for senior officers, Thomson Reuters says: Firms need to invest in systems that will increase senior managers’ ability to see and better manage risks in various business activities, Corporate Secretary, November 20, 2015. [www.corporatesecretary.com/articles/regulation-and-legal/13034/regulators-pushing-more-personal-liability-senior-officers-thomson-reuters-says/]; Emily Glazer, The Most Thankless Job on Wall Street Gets a New Worry: Recent enforcement actions find compliance officers personally liable, Wall Street Journal, February 11, 2016 [http://www.wsj.com/articles/now-in-regulators-cross-hairs-bank-compliance-officers-1454495400]; Also see, Samuel Rubenfeld, Compliance Officers Think Regulators Are Targeting Them, Wall Street Journal, November 9, 2015 – “Compliance officers feel like the authorities are targeting them for wrongdoing at their companies, according to a new survey, despite comments from regulators saying it isn’t the case”.
[115] Samuel Rubenfeld, Compliance Officers Think Regulators Are Targeting Them, Wall Street Journal, November 9, 2015.
[116] Stacey English and Susannah Hammond, Rising Personal Liability – Perception and Reality: how best to manage personal regulatory risk, Thomson Reuters, 2015 [https://risk.thomsonreuters.com/content/dam/openweb/documents/pdf/risk/report/rising-personal-liability-perception-and-reality-how-best-manage-personal-regulatory-report.pdf]
[117] Debbie Miller, Regulators pushing more personal liability for senior officers, Thomson Reuters says: Firms need to invest in systems that will increase senior managers’ ability to see and better manage risks in various business activities, Corporate Secretary, November 20, 2015. [www.corporatesecretary.com/articles/regulation-and-legal/13034/regulators-pushing-more-personal-liability-senior-officers-thomson-reuters-says/] — The report, co-authored by Stacey English (head of regulatory intelligence for Thomson Reuters) and Susannah Hammond (senior regulatory intelligence expert at Thomson Reuters), is based on a survey of more than 2,000 risk and compliance practitioners at Thomson Reuters client summits in New York, London, and Sydney, as well as other global regions and included those representing banks, brokers, insurers and asset managers.
[118] Debbie Miller, Regulators pushing more personal liability for senior officers, Thomson Reuters says: Firms need to invest in systems that will increase senior managers’ ability to see and better manage risks in various business activities, Corporate Secretary, November 20, 2015. [www.corporatesecretary.com/articles/regulation-and-legal/13034/regulators-pushing-more-personal-liability-senior-officers-thomson-reuters-says/]
[119] Emily Glazer, The Most Thankless Job on Wall Street Gets a New Worry: Recent enforcement actions find compliance officers personally liable, Wall Street Journal, February 11, 2016 [http://www.wsj.com/articles/now-in-regulators-cross-hairs-bank-compliance-officers-1454495400]
[120] Debbie Miller, Regulators pushing more personal liability for senior officers, Thomson Reuters says: Firms need to invest in systems that will increase senior managers’ ability to see and better manage risks in various business activities, Corporate Secretary, November 20, 2015. [www.corporatesecretary.com/articles/regulation-and-legal/13034/regulators-pushing-more-personal-liability-senior-officers-thomson-reuters-says/]; Emily Glazer, The Most Thankless Job on Wall Street Gets a New Worry: Recent enforcement actions find compliance officers personally liable, Wall Street Journal, February 11, 2016 [http://www.wsj.com/articles/now-in-regulators-cross-hairs-bank-compliance-officers-1454495400]
[121] Nicholas Elliott, Marsh Launches Insurance Aimed at Chief Compliance Officers, Wall Street Journal, September 21, 2016 [http://blogs.wsj.com/riskandcompliance/2016/09/21/marsh-launches-insurance-aimed-at-chief-compliance-officers/].
[122] Emily Glazer, The Most Thankless Job on Wall Street Gets a New Worry: Recent enforcement actions find compliance officers personally liable, Wall Street Journal, February 11, 2016 [http://www.wsj.com/articles/now-in-regulators-cross-hairs-bank-compliance-officers-1454495400]
[123] Nicholas Elliott, Marsh Launches Insurance Aimed at Chief Compliance Officers, Wall Street Journal, September 21, 2016 [http://blogs.wsj.com/riskandcompliance/2016/09/21/marsh-launches-insurance-aimed-at-chief-compliance-officers/].
[124] Emily Glazer, The Most Thankless Job on Wall Street Gets a New Worry: Recent enforcement actions find compliance officers personally liable, Wall Street Journal, February 11, 2016 [http://www.wsj.com/articles/now-in-regulators-cross-hairs-bank-compliance-officers-1454495400]
[125] Emily Glazer, The Most Thankless Job on Wall Street Gets a New Worry: Recent enforcement actions find compliance officers personally liable, Wall Street Journal, February 11, 2016. [http://www.wsj.com/articles/now-in-regulators-cross-hairs-bank-compliance-officers-1454495400]. But note:
In April 2015, the SEC fined Bartholomew A. Battista, chief compliance officer at BlackRock Advisors LLC, $60,000 for failing to report a conflict of interest involving one of the firm’s executives, according to the SEC. Mr. Battista was aware of the conflict and didn’t report it. The penalty was the agency’s first under a 2003 rule allowing it to hold compliance officers liable for such mistakes. Mr. Battista and BlackRock neither admitted nor denied wrongdoing.
Other regulators, including the Financial Industry Regulatory Authority and the Treasury Department’s Financial Crimes Enforcement Network, have taken actions against compliance officers in the last two years.
[126] Samuel Rubenfeld, Compliance Officers Think Regulators Are Targeting Them, Wall Street Journal, November 9, 2015.
[127] Hazel Bradford, Chief compliance officers prepare for closer SEC scrutiny, Pensions & Investments (pionline.com), January 11, 2016 [http://www.pionline.com/article/20160111/PRINT/301119976/chief-compliance-officers-prepare-for-closer-sec-scrutiny]
[128] Hazel Bradford, Chief compliance officers prepare for closer SEC scrutiny, Pensions & Investments (pionline.com), January 11, 2016 [http://www.pionline.com/article/20160111/PRINT/301119976/chief-compliance-officers-prepare-for-closer-sec-scrutiny]
[129] Hazel Bradford, Chief compliance officers prepare for closer SEC scrutiny, Pensions & Investments (pionline.com), January 11, 2016 [http://www.pionline.com/article/20160111/PRINT/301119976/chief-compliance-officers-prepare-for-closer-sec-scrutiny]
[130] Hazel Bradford, Chief compliance officers prepare for closer SEC scrutiny, Pensions & Investments (pionline.com), January 11, 2016 [http://www.pionline.com/article/20160111/PRINT/301119976/chief-compliance-officers-prepare-for-closer-sec-scrutiny]
[131] Hazel Bradford, Chief compliance officers prepare for closer SEC scrutiny, Pensions & Investments (pionline.com), January 11, 2016 [http://www.pionline.com/article/20160111/PRINT/301119976/chief-compliance-officers-prepare-for-closer-sec-scrutiny]
[132] Emily Glazer, The Most Thankless Job on Wall Street Gets a New Worry: Recent enforcement actions find compliance officers personally liable, Wall Street Journal, February 11, 2016 [http://www.wsj.com/articles/now-in-regulators-cross-hairs-bank-compliance-officers-1454495400] — The proposed rules by New York’s Department of Financial Services, which regulates some of the world’s largest banks, would require compliance officers to certify bank systems for monitoring suspicious transactions that violate U.S. economic sanctions and other rules. Senior officers who file incorrect or false annual certifications could be criminally prosecuted. The regulations go further than others, giving the agency more leeway to pursue money-laundering cases than federal banking regulators.
[133] Onyeka Osuji, Company bosses could be criminally liable for employee misconduct under a proposed new UK law, BusinessInsider.com, September 21, 2016; Bosses could face jail for failure to prevent fraud, BBC.com, September 12, 2016.
[134] Tiffany Robertson, Survey finds potential personal liability impacting compliance profession, Thomson Reuters.com, July 22, 2016; DLA Piper’s 2016 Compliance & Risk Report: CCO’s Under Scrutiny [www.dlapiper.com/compliance_survey/?utm_campaign=e4&utm_medium=social&utm_source=FRblog&utm_content=personalliability].
[135] Emily Glazer, The Most Thankless Job on Wall Street Gets a New Worry: Recent enforcement actions find compliance officers personally liable, Wall Street Journal, February 11, 2016 [http://www.wsj.com/articles/now-in-regulators-cross-hairs-bank-compliance-officers-1454495400]
[136] Tiffany Robertson, Survey finds potential personal liability impacting compliance profession, Thomson Reuters.com, July 22, 2016; DLA Piper’s 2016 Compliance & Risk Report: CCO’s Under Scrutiny [www.dlapiper.com/compliance_survey/?utm_campaign=e4&utm_medium=social&utm_source=FRblog&utm_content=personalliability].
[137] Emily Glazer, The Most Thankless Job on Wall Street Gets a New Worry: Recent enforcement actions find compliance officers personally liable, Wall Street Journal, February 11, 2016 [http://www.wsj.com/articles/now-in-regulators-cross-hairs-bank-compliance-officers-1454495400]
[138] Hazel Bradford, Chief compliance officers prepare for closer SEC scrutiny, Pensions & Investments (pionline.com), January 11, 2016 [http://www.pionline.com/article/20160111/PRINT/301119976/chief-compliance-officers-prepare-for-closer-sec-scrutiny]; Debbie Miller, Regulators pushing more personal liability for senior officers, Thomson Reuters says: Firms need to invest in systems that will increase senior managers’ ability to see and better manage risks in various business activities, Corporate Secretary, November 20, 2015. [www.corporatesecretary.com/articles/regulation-and-legal/13034/regulators-pushing-more-personal-liability-senior-officers-thomson-reuters-says/].
[139] Tiffany Robertson, Survey finds potential personal liability impacting compliance profession, Thomson Reuters.com, July 22, 2016; DLA Piper’s 2016 Compliance & Risk Report: CCO’s Under Scrutiny [www.dlapiper.com/compliance_survey/?utm_campaign=e4&utm_medium=social&utm_source=FRblog&utm_content=personalliability].
[140] Hazel Bradford, Chief compliance officers prepare for closer SEC scrutiny, Pensions & Investments (pionline.com), January 11, 2016 [http://www.pionline.com/article/20160111/PRINT/301119976/chief-compliance-officers-prepare-for-closer-sec-scrutiny]