Compliance by International Banking Organisations: The Need for Prioritisation, Balance and Cooperation

01 October 2006

H Rodgin Cohen, Sullivan & Cromwell LLP

For international banking organisations, the challenges of compliance increase exponentially. These institutions must deal with multiple regulatory regimes that have different and even conflicting standards, laws and expectations. They must deal with the tension between the demands for enterpriserisk management and local responsibility. 

Robust compliance is obviously crucial for the individual institution, as vividly demonstrated by the severe sanctions imposed on numerous banks. Although many of these penalties have been imposed by US regulatory and law enforcement authorities, the regulators in a number of other countries have also imposed sanctions. The principal focus of these has related to anti-money laundering (AML) and anti-terrorist financing (ATF), but a wide variety of other regulatory areas, including accurate books and records, consumer fraud and failure to prevent fraud by customers, have been the subject of sanctions. 

The importance of robust compliance extends, however, well beyond the individual institution. It touches the banking system as a whole, because individual violations lead to collective regulatory burden. It affects regulators, who are subject to their own form of sanction if violations go undetected or inadequate compliance programmes go unrecognised. It relates to strong national and global economies, because a strong banking system enables savings and capital to be used most effectively in financing growth, provides liquidity for individuals and businesses, and affords the efficient payments services necessary for today’s modern economy. Finally, it extends to the safety and soundness of individuals and institutions throughout the world, as compliance plays an ever-increasing role in combating terrorism and other criminal acts that are indiscriminate in their targets and ultimately anarchic in their purpose. 

To achieve a robust global compliance system, there are three essential elements. First, individual banks and the banking community must make a huge commitment in terms of policies, procedures and personnel. Second, the regulatory and law enforcement agencies must use balance and judgement in adopting standards and imposing sanctions. Third, there must be a cooperative effort between banks, banks and their regulators, and banks and regulators across national boundaries. 

Whatever the cost of regulatory compliance for a single bank, the cost of non-compliance is substantially greater. Substantial fines are just the beginning of the cost of a major violation. A bank that has been penalised for regulatory noncompliance can be precluded from engaging in any expansion transaction until the bank can demonstrate that it has remedied the failings that led to the violation. In a rapidly consolidating world, this ‘penalty box’ approach can prove extraordinarily punitive. 

Although, to this point in time, the impact of sanctions for compliance failures on the overall reputation, business and financial condition of the penalised bank appears to have been relatively limited, future reactions may be less benign. If the market were ever to question whether sanctions threatened the financial stability of a bank, the almost instinctive reaction would be to sever funding and other business relationships and ask questions later. Bank funders and financial counterparties are not paid to take credit risk. 

The stakes become substantially higher if law enforcement authorities seek to impose criminal sanctions. In the United States, a conviction for, or a guilty plea to, a felony can disqualify a bank and its affiliates from engaging in a wide variety of activities without formal exemptions from the Securities and Exchange Commission and the Department of Labor. In a number of states, a felony conviction precludes a bank from accepting new fiduciary accounts without a formal pardon by state parole authorities. At the extreme, certain money laundering-related offences invoke the so-called ‘death-penalty’ provisions. These permit, or in some cases require, the Federal Deposit Insurance Corporation to determine whether a bank should lose its federal deposit insurance – a decision that would almost certainly sound the death knell for the bank. Even if a felony conviction or plea did not legally require the cessation of business relations, major customers of the bank may be unwilling to accept perceived risk to reputation. 

Moreover, these severe consequences create the potential that even an indictment of a banking institution could have virtually the same impact as a conviction. How can a customer, particularly one acting in a fiduciary or fiduciary-like capacity, continue to deal with a bank that has been branded a criminal? The demise of accountancy firm Arthur Andersen may not be a precedent, but it will be at least a reminder for many years to come. 

These severe risks of a regulatory violation mandate that banks do whatever is necessary to assure a robust compliance programme. At the top of the compliance list is tone from the top. The most senior management must be seen throughout the bank as genuinely committed to compliance. This is not just a matter of speeches and written messages, but a system of rewards and punishments that matches the commitment. 

Next comes a strong compliance department. This is a question of quantity of personnel, but also of quality. Banks must be willing to devote some of their best and brightest to compliance. A successful career in compliance must be recognised as would a successful career in any of the business lines or other staff areas in the bank. Another crucial component of a strong programme is independence. If the compliance function is beholden to the business units, it cannot be truly effective. 

An effective compliance unit is highly dependent upon two other staff units – legal and auditing. Legal must be able to provide both knowledgeable – and the right – advice. Audit must be able to review not only the numbers and controls, but the effectiveness of compliance, which will require internal and external audit staff skilled in compliance. 

The complexity of the regulatory scheme and the sheer multiplicity of payments and transactions require the application of advanced technology. Individuals, no matter how skilled, cannot do it alone. They need the technology to enable them to focus on the transactions and areas of greatest risk. 

A final key element of an effective compliance programme is found in policies and procedures that are consistent with industry best practices. These will not provide assurance against a violation, but they minimise both the risk of occurrence and the level of sanction if a violation occurs. 

Essential to truly effective global compliance are regulators that have the ability to detect violations (and, of even more importance, compliance deficiencies that could result in violations), as well as the balance and judgement to avoid sanctions that are inappropriate or unfair. That, in turn, requires regulators to recognise that the welter and complexity of banking laws and regulations mean that 100 per cent compliance is a chimera and violations are inevitable. Regulators must distinguish between bad judgement, or even negligence, on the one hand, and intentional wrongdoing, on the other. In the absence of clearly stated, prior regulatory criticism, remedies should be prospective and structural not retroactive and punitive. Moreover, even if certain bank employees do act irresponsibly or even intentionally in bad faith, the related punishment should be against the individual and not the entire organisation, unless such action involves the highest levels of management or is chronic. 

In the specific area of AML/ATF compliance, regulators and law enforcement authorities need to recognise the magnitude of the effort and the novelty of the task. Traditional bank compliance has been directed at protecting bank customers. AML and ATF programmes are directed at protecting society against the bank’s customers and potential customers. This requires a fundamentally different outlook and approach to compliance. 

If every violation that is discovered is punished, much less punished harshly, the banking system will suffer. Individual banks will be unduly damaged and system-wide costs will soar. At the extreme, banks could fail, with systemic implications. 

The need for global cooperation to deal with the regulation of global institutions is paramount. The most obvious case is where there is a direct conflict between the laws of the home and host countries. For example, the laws of one country might require disclosure of customer-specific information that is forbidden by the laws of the other. Cooperation at the regulatory level can often produce a ‘work around’ that avoids placing the bank in a position that requires it to violate the laws of one country or another. 

The conflict of laws issue becomes particularly intractable when one country attempts to enforce its laws extraterritorially. Regulators must not only strive to limit such extraterritorial application, they must seek to persuade their related law enforcement authorities to follow the same path. 

One other key area where regulatory cooperation is needed is resolution of the conflict between enterprise-wide compliance management and strong local management. Should there be universal policies and procedures, or should they be adopted, or at least subject to modification, on a countryby- country basis? Should compliance personnel in a particular host country report to the head of the bank’s unit in that country or to a central compliance function? There are no universally applicable answers to these and related questions. This requires the regulators to respect different views and approaches. 

The one area of regulatory compliance in which these principles have the most immediacy, and often present the most difficult problems, is AML/ATF. Criminal elements gaining access to the financial system undermines the societal core; terrorists gaining access to the financial system strikes directly at that core. A robust global AML/ATF system should therefore be a paramount goal for society. 

Achievement of this goal has three essential ingredients: (i) improved screening of access to the financial system; (ii) enhanced information sharing; and (iii) greater transparency. 

The first, and by far the most important, line of defence against penetration of the bank payment system by criminals and terrorists is the point of entry. The financial institution at which an account is opened is the most capable of assessing the potential customer and monitoring the customer’s transactions on an ongoing basis. 

Indeed, the global payment system is the weakest link with respect to the effort to combat money laundering and terrorist financing. Once those who seek to subvert the payment system penetrate it, the likelihood of their ultimate success is substantial. Consequently, notwithstanding the challenging issues involved, a more rigorous effort must be mounted to encourage countries and financial institutions to enhance their AML/ATF regimes. 

Banks are data rich and information poor. Although they have basic data about their customers and about payments made through them, they often lack crucial information about the parties to the payments and the transactions underlying the payments that would enable them to detect money laundering and terrorist financing.

Much of this information is maintained by government law enforcement and intelligence agencies. Accordingly, banks could enhance their detection and prevention if the level of information sharing by the government could be increased. Much of the current focus on AML/ATF in the global arena relates to the issue of payment transparency. This issue has its origin in the initial design of the international payment system, which was intended to promote efficiency by transmitting only the information essential for processing payments. As a result, intermediary banks (and sometimes the beneficiaries’ banks) are often unaware of the identity of all the parties to the payments they are asked to process. The unintended consequence of this system is that those who wish to hide details of a particular transaction from intermediary banks have an opportunity to do so. 

Within limits, increased transparency could provide meaningful assistance in detecting and preventing money laundering and terrorist financing. Intermediary banks may have access to more or different information than the originating and/or beneficiary bank or, in some cases, be more proficient in their detection programmes. 

It is essential, however, that the limits of greater transparency be recognised so that banking institutions are not subject to undue regulatory expectations. Transparency will improve the potential for detection; it will not ensure it. The banks will still be scrutinising the new payment data from the same information base. Moreover, the instantaneous nature of payments means that identification must be computer-based; there is simply insufficient time for human screening. It will also take some time to develop effective computer programs to deal with the new data. Finally, although the question of transparency is often directed to so-called cover payments – which involve the use of two payment messages: one from the originator’s bank directly to the beneficiary’s bank, notifying it of the payment; and a second from the originator’s bank to its correspondent, instructing it to ‘cover’ the originator’s bank’s obligation to pay – it must be recognised that the issue is much broader. Any form of payment coverage can be more or less transparent. 

* * * 

A variety of exogenous factors have propelled compliance to the forefront of major issues for the banking industry. Banks must recognise and responsibly address the prioritisation of this issue. They cannot, however, simply be left to their own devices to develop effective compliance programmes. Regulators and law enforcers must exercise balance and judgement in reviewing banks’ compliance efforts. Finally, there must be collaborative effort by banks and regulators in detection, implementation, prevention and enforcement. That collaboration must assume international dimensions in dealing with international banks.

It is not possible to buy entry into Who's Who Legal

terms and conditionscontact us