by Robert W. Werner
The compliance infrastructure for managing financial crime risk at financial institutions is intended to rest on a risk-based, rather than rule-based, approach. A risk-based approach seeks to allocate resources commensurate with varying risk levels, reflecting the fact that a financial institution cannot eliminate all risk of illicit activity occurring within it without completely shutting down its business. To optimize compliance, financial institutions must balance the need to provide legitimate and critical financial services and products with appropriate controls designed to mitigate the financial crime risk associated with those services and products to acceptable levels.
Where activity would violate law or regulation, the calculus is easy because the activity is simply prohibited. However, most legitimate activity will necessarily carry some level of risk that criminals may abuse it to facilitate illicit conduct or exploit products and services for illicit purposes. Arriving at the right balance within this context requires understanding the risks and the level of controls that can reasonably be put in place to mitigate them, and then making judgments, based on an institution’s tolerance for reputational, regulatory and operational risk, about whether to engage in the activity. This last element, the exercise of judgment, must be arrived at within the framework of an institution’s risk appetite statement.
Generally, most financial institutions operate their financial crime risk management program through a three-lines-of-defense model. The first line of defense comprises the risk management and control responsibilities of the front, middle and back offices of an institution’s businesses, and includes risk assessments, monitoring, quality assurance and business line controls. The second line of defense comprises the independent control functions, which should not be responsible for operational control decisions. They establish, with the approval of the Executive Committee and Board of Directors of an institution, the policy and implementing standards of the compliance program; they advise the business on adherence to those policies and standards; and they monitor the first line’s compliance with them. The third line of defense refers to an institution’s internal audit function.
The successful day-to-day operation of this program depends on the development and implementation of a risk appetite statement and framework, supported by appropriate metrics and monitoring. To arrive at a comprehensive and sustainable risk appetite framework, it is imperative that the first line of defense understands its role in setting and managing the institution’s risk appetite, which comprises the institution’s tolerance for, and acceptance of, reputational, regulatory and operational risk.
Unfortunately, at many financial institutions, the three lines of defense model continues to be implemented in a manner that places most of the management of the program on the second line of defense.
The second line should be responsible for compliance-related requirements, but policy implementation through procedures, as well as management of client selection and exit decisions, transactional authorizations, and product risk assessment and decisioning, must rest with the first line of defense for a program to be effective. It is important to understand that this is a different concept and skill set from the provision of legal and compliance advice and analysis relating to legal and regulatory restrictions and requirements. It is inherently a commercial decision. However, recent enforcement actions and fines centered on compliance personnel continue to demonstrate the flawed implementation of the current structure across the financial services industry.
Making the balancing determinations between what risk will be accepted by an institution, i.e., inherent risk mitigated by controls leading to an acceptable level of residual risk, is fundamentally a business decision once the activity in question is determined not to be a violation of the law or applicable regulation.
This balance can only be accomplished by considering the client, product or activity through a financial crime risk filter, similar to what financial institutions currently do for credit risk and other commercial considerations.
To do this successfully, the first line of defense, i.e., the business, must be intimately involved in developing an institution’s risk appetite statement and standards, including the metrics used to monitor the institution’s adherence to that risk appetite. The business must be trained extensively and continuously, including providing feedback, and performance and compensation must be tied to appropriate application of the risk principles in order to create the right level of accountability. Data relating to adherence to or deviations from the risk appetite principles must be escalated to, reviewed by, and assessed by an institution’s Executive Committee and Board of Directors. Risk committees, chaired and staffed by senior business executives, must have a process for reviewing and approving commercial decisions proposed by front line staff that includes the elements of the financial crime risk appetite statement.
In short, the responsibility for developing, understanding, monitoring and adhering to a financial institution’s risk appetite framework must rest squarely and unequivocally with those making the commercial decisions to onboard and retain clients, engage in transactions, do business in jurisdictions, and provide certain products and services, and that is the business. Compliance personnel should provide assistance in assessing risk and suggesting controls, but they are neither qualified nor appropriately positioned, as the independent second line of defense, to make those decisions for the financial institution.
In conclusion, as tempting as it may be to place the burden of developing and implementing an institution’s risk appetite on compliance staff, this is neither a good long-term strategy for an institution’s ultimate success as a business enterprise, nor something that is within the expertise of most compliance personnel. Institutions can and must incorporate the development and implementation of their risk appetite statements into the first line of defense’s business decision-making process, leaving the second line to fulfill its independent advisory, monitoring and testing roles.
Robert W. Werner is the CEO of Green River Hollow Consulting, the former Global Head of Financial Crime Compliance at HSBC, and the former Head of FinCEN and OFAC.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.