Building a good compliance culture

A good culture is the foundation upon which a compliance control framework is built and operates.

We are used to hearing how a good organisational culture attracts the best talent, enhances employee engagement and retention, increases customer satisfaction and improves reputation. It can be measured using a number of metrics, such as employee retention rates, increased productivity and diversity of the workforce.

Regulators around the world have been focused on culture for a while, believing that a healthy culture helps ensure good conduct and deliver good customer outcomes. Did you know that some regulators look at company profiles on websites such as Glassdoor, which provides insight into organisational culture through the eyes of employees?

Getting culture wrong can have profound consequences for a business, with many high profile examples to attest to the calamitous results of cultural failures.

The end of 2023 saw Binance, the world's largest cryptocurrency exchange receive an eye watering $4.3bn fine in the US for money laundering offences. The CEO agreed to plead guilty to money laundering, pay a  $50m fine individually and resigned from the company.

The start of 2024 has seen public outrage directed at the Post Office following the hit TV dramatisation of the Horizon software scandal, resulting in the UK government announcing a new law, the ex-Post Office CEO handing back her CBE and widespread condemnation of the Post Office.

Following on from our previous article on mastering remediation, this briefing recaps on indicators of poor compliance culture and shares building blocks for a good compliance culture.

Compliance culture

If culture is the way things are done in organisations, then compliance culture is the way compliance is done – more specifically, how compliance risk is managed, mitigated and monitored.

The ultimate responsibility for compliance culture sits with the board. It involves a clear commitment to adhering with legal obligations and regulatory requirements and implementing controls to manage inherent compliance risk effectively, including:

• setting a strong compliance culture

• exercising proactive risk management and maintaining oversight of compliance risk

• ensuring appropriate compliance resource

However, as the AML / CFT / CPF Handbook recognises, the "prevailing culture of an organisation is intangible. As a result, its impact on a supervised person can sometimes be difficult to measure".

So how can the board assess that they have laid the foundations, set the right compliance culture and that it is embedded in their organisation?

Indicators of a poor compliance culture

A public statement issued by the JFSC in December 2022 concluded that the root causes of the issues identified were the ineffective operation of the board and an organisational culture without due regard for compliance.

It provides clear insight into indicators of poor compliance culture, highlighting the following in relation to the board:

• Lack of diversity of skillset in composition

• Insufficient understanding of obligations, responsibilities and best practice in areas of governance, risk and compliance

• Failure to adequately consider potential conflicts, independence or cultural barriers

• New members received no formal induction on appointment, lacked personal development plans and were not provided with training to meet development needs

• Risk and compliance were not prioritised, which considered compliance matters to ultimately be responsibility of the compliance function

• Failed to recognise compliance reporting as being inadequate to enable it to exercise appropriate oversight of compliance matters

Building a good compliance culture

Inverting the above red flag indicators can highlight some of the blocks that can be used to build a good compliance culture, but what else?

Commitment

• Invest in your human firewall, the front line is the first defence against compliance risks. Recruit the right people give them the right tools and provide them with the right training
• Ensure the compliance function is adequately resourced and supported. In a tight employment environment, consider alternative arrangements, such as third party support or outsourcing resource intensive activities, for example compliance monitoring
• Provide compliance training, tailored to the business and its organisational values:
  • Repeat key messages in different formats
  • Focus on a few critical messages
  • Deliver in bitesize chunks
  • Explain the "why"

Communication

• Openly discuss, define and document the compliance culture, along with the criteria and objectives set to measure it. The organisational attitude to compliance culture should be intentional, documented, easily articulated and understood.

• Model and communicate culture via "tone from top, tone from above and tone from within"[i]

  • Tone from the top: the role of leadership in setting, communicating and embedding the organisation's culture by setting the parameters and expectations

  • Tone from above: senior management to lead and communicate the importance of culture, reinforcing the tone from the top

  • Tone from within: communicate the expected culture throughout the organisation, embedding through middle and lower management for them to drive forward with staff, to develop individual accountability and engagement

• Raise awareness of the importance of culture through all the layers of the organisation, using real life examples of cultural failures, for example staff briefings following public cases.

• Ensure policies and procedures are aligned to and reflective of the culture of the organisation.

Challenge

• Appoint a compliance SME to the board and/or a NED, where appropriate. A NED will provide more independent scrutiny and challenge and can play a role in reminding execs of their regulatory responsibilities. Where this is not possible designate a 'devil's advocate' to challenge decisions and encourage healthy debate

• Provide sufficiently in depth compliance training to board members to enable adequate understanding and oversight of compliance risk: consider the training provided to non finance directors, as a comparable – consider whether as much time invested into compliance training

• Interrogate MI, data and reporting to identify any themes emerging, particularly from breaches, complaints or backlogs. Take appropriate action in response

• Ensure momentum around actions: consider whether board actions are being monitored and resolved appropriately. If not, understand the blockers and move to action

• Encourage employees to speak up if they spot something which is not quite right, and react positively if they do

Embed

• Instil personal responsibility around compliance behaviours: integrate compliance outcomes into employee performance management

• Integrate a compliance ethos throughout the organisation: incorporating compliance into product and process design and workflows at the start and throughout development, instead of relying on checklists that bolt on at the end

• Empower employees by delivering appropriate training - tailor, where possible, to roles and experience. The greatest mitigation for compliance risk is embedding front line employees with an enquiring compliance mindset

• Support employees (not just those in the compliance function) to take compliance courses, appoint compliance champions within the first line and reward this commitment

How Ogier can help

Ogier Regulatory Consulting can provide regulatory support including:

• Compliance managed services: cost effective and independent solutions to help manage and execute your compliance monitoring programme

• Compliance control framework support: assistance with the design and implementation of risk-based controls, tailored to your business

• Regulatory reviews: full or themed health checks to test compliance with the regulatory framework, assessment of the board or compliance functions

• Training: designing and delivering training packages to support boards in understanding their responsibilities under the regulatory framework

To learn more, visit our website or contact Sarah Valerkou.

[i] Speech by Mark Steward, Executive Director of Enforcement and Market Oversight 26 April 2021 (Compliance, Culture and Evolving Regulatory Expectations | FCA)

About Ogier

Ogier is a professional services firm with the knowledge and expertise to handle the most demanding and complex transactions and provide expert, efficient and cost-effective services to all our clients. We regularly win awards for the quality of our client service, our work and our people.

Disclaimer

This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.

Regulatory information can be found under Legal Notice