Managing Risk in Compliance Staffing Decisions

by Kathryn Reimann

Prior to the Covid-19 pandemic, anecdotal and industry survey evidence suggested that compliance staff downsizing and compliance budget capping were taking place across the corporate world in response to perceived changes in the regulatory and enforcement environment.[1] More recent reports have indicated that downsizing may continue in tandem with broader budget cuts as companies take stock of their prospects in a post-pandemic world.[2] At the same time, the changing risk landscape and implementation of new programs related to addressing the pandemic or its economic impact translate into additional demands on compliance functions.

Appropriate compliance risk management, by definition, requires the periodic redeployment or readjustment of resources to address the most critical risks of the company in a changing environment. When the fortunes of a company change dramatically for the worse, downsizing across units may be an unavoidable consequence. However, corporate compliance is subject to unique case law and enforcement standards that set a high bar for getting compliance staffing decisions right.

The long-standing Caremark[3] doctrine, and the post-Caremark pronouncements of enforcement authorities and commissions,[4] make clear that boards of directors are accountable for assuring the establishment of an effective and adequately resourced compliance function. Last week, the most recent version of the Department of Justice guidance on the “Evaluation of Corporate Compliance Programs” elevated the adequacy of resourcing to an even more prominent place in its assessment of compliance program effectiveness by expressly referencing it in one of its three “fundamental questions.” It is not only the board that has potential liability for under-resourcing the compliance function. A recent enforcement action against a chief compliance officer illustrates that, below the board level, individuals operating compliance departments bear risk where their functions are not staffed sufficiently to enable the company to operate within applicable regulatory standards and its stated risk appetite.[5] Under some circumstances, chief compliance officers asked to reduce staff may worry that they are balancing their standing within the company against their personal liability, especially if staying within a tight, pre-determined budget is a component of their performance assessment. One way to avoid this trap and protect the company at all levels is to reach agreement among the compliance head, business management, and the board on a clear set of criteria for conducting a compliance resource needs analysis. This analysis should be based on relevant data points, conducted periodically, and updated in connection with any proposed head count reduction or redeployment of compliance resources. An agreed-upon and established process can make compliance budget management a less fraught exercise and curtail risk for individuals, firms and their boards. As with many risk management exercises, documenting and following a reasonably designed process in good faith is the starting point for avoiding second-guessing and liability.

As is the case with compliance risk management programs generally, “one size” doesn’t fit all when it comes to determining appropriate resource levels. However, the following are some common issues that chief compliance officers, executive management and board compliance or audit committees might wish to consider when assessing proposed changes to staffing levels, technology resources and budgets in compliance risk management functions[6], the timing of such changes, and whether new risk mitigations are necessary:

  1. How is it made clear that compliance remains a priority for the firm? Throughout any crisis, downsizing or period of uncertainty, executive management should continue to communicate the importance of compliance risk management to achieving strategic goals, highlighting continuing work and forcefully endorsing the compliance function. Timely communications should be constructed to underscore management’s continued support, allay concerns around the meaning and impact of changes, and dispel any unintended assumptions that a higher level of risk has become newly acceptable. In addition, communications should make clear how the health of the compliance program going forward will be defined and measured, in management and board reporting and in performance assessments. The ability to demonstrate an ongoing assessment of whether changes to resourcing have negatively impacted compliance program outputs can significantly enhance the credibility of management and board compliance commitment.
  2. What is the firm’s documented past record for timely completion of core compliance functions (e.g., policy updating, monitoring, testing, training delivery, regulatory filings and the resolution of exceptions over the past year)? Rather than assuming that any lapses were justifiable at the time, before adjusting resources it is prudent to revisit how the records would be perceived by an independent observer assessing staffing adequacy. The number of instances in which the data contradicts the best recollections of those involved at the time, or is perceived differently with the benefit of hindsight, is often surprising. Further, if these activities were not sufficiently documented, that gap is itself relevant to resource decisions. Finally, it is wise to check human resource records that may bear on staffing adequacy, such as whether staff are routinely failing to use their vacation time.
  3. Can the firm document compliance workflow changes made necessary by the staff changes? Put simply, where has the work gone? It is critical to map work formerly done by redeployed or released control personnel to show that: (a) the risk or obligation has diminished or disappeared (for example, a business unit has been eliminated, or a regulation repealed); (b) the tasks are now being done by others; or (c) the work is being handled differently (but still effectively); and that, in any case, the firm can still operate safely within its stated risk appetite and applicable standards. This mapping may reveal a need to line up resources that are both available and appropriately skilled to provide “emergency” reinforcement, if necessary. It may also suggest other talent management gaps, such as a need to update succession plans. Finally, documenting the business rationale for each personnel change demonstrates appropriate attention to risk management needs, as well as the functional independence of risk management functions.
  4. Do proposed resource changes match updated compliance risk assessments? Where diminished risks or needs are driven by an announced change in business strategy or downsizing of a business area, has a current risk assessment been performed to determine whether the change in business volume alone reduced the level of expertise required for adequate risk oversight? There are some areas in which basic levels of compliance expertise are “table stakes” regardless of transaction volume. If the decision is to take on additional risk, is this reflected in risk appetite statements? Even if a firm’s risk assessment is ordinarily updated on an annual basis, changes of the magnitude now being experienced in many industries may require some near-term adjustment—especially if compliance resources are being reduced, stretched thin or redeployed. While the health and economic viability of the company must be a shared and paramount priority, meeting a compliance budget reduction number that cannot be clearly tied to the company’s stated risk appetite and risk mitigation strategy may not be persuasive in the event of a future compliance lapse or regulatory examination.
  5. Looking ahead to post-Covid-19, will compliance capacity be sufficient to handle the ramifications of changed customer, vendor and transaction behavior? Changing environmental factors and updated risk assessments often drive increased compliance workload. Currently, with daily consumer and commercial payment routines as well as supply chains disrupted, and fraudsters devising ways to exploit new vulnerabilities, the levels and types of expected transactions and counterparties may have changed, and may continue to change dramatically. These and other reasonably foreseeable changes may warrant re-examination of many routines that bear on the allocation of compliance resources. For example, given potential mismatches between previously documented patterns and profiles and the new reality, institutions required to monitor transactions for anti-money laundering or anti-corruption purposes may experience increased alert volumes or changes in expected patterns, requiring compliance intervention and analysis. Customer and vendor profiles may need to be updated. The ease with which this can be done, or not, may highlight weaknesses or opportunities for improvement in the firm’s current monitoring platforms, as well as its profile and case management systems. Further, as firms adopt work-from-home strategies, consistent, integrated and readily accessible data management and information sharing systems on which staff can rely will be critical. Staffing and resource analyses should reflect these risk issues.
  6. Has the effectiveness of new technology solutions meant to reduce staffing needs been validated? If increased reliance on robotic process automation, artificial intelligence or new systems is supporting a current staffing needs analysis, has the new technology been independently tested and confirmed to be running effectively before staff are released? Is there data that correlates and maps the savings in human hours to the proposed staff reductions? Compliance staffing should make sense in terms of both current risk and operations and longer term strategic and technology plans.
  7. Have you looked beyond formal job descriptions to assess the “influence” impact of proposed changes? Taken together, will proposed changes result in excessive “juniorization?” Is there confidence that there are still enough compliance risk managers and advisors of sufficient experience and stature, with the right depth of decision-making and influencing skills, to engage effectively at appropriate levels of the firm? If middle managers were made redundant along with the staff they were managing, did those managers play additional roles or have unique expertise that the enterprise regularly drew upon? Organization charts and frequently outdated job descriptions alone often fail to tell this story.
  8. Have you examined the compliance program coverage model for effectiveness in a holistic way? Are coverage models being adjusted so that there remains a visible (physically or virtually), accessible and active presence of compliance risk management and control culture carriers assigned to higher risk activities? Where employees are now working remotely, have controls, systems access, key risk indicators and data reports, as well as monitoring and testing, been adjusted accordingly? Finally, given the importance of role models, mentors and collaboration generally in carrying forward culture, how will the changed environment support these cultural attributes?
  9. Do proposed resource changes continue to support program maintenance and change management? If compliance programs have “matured” past the building stage and now require only maintenance work, has the task of keeping them current—i.e., reflecting changes in law or business processes in a timely manner—been assigned formally to personnel with the skill, bandwidth and other resources to implement such changes effectively, and monitor for emerging risks?
  10. Have you considered and, if necessary, prepared for, any loss of “institutional memory?” Is the enterprise sufficiently prepared for other collateral impacts of a downsizing, such as loss of historical memory, and are the organization’s compliance processes sufficiently documented to provide blueprints needed to make future changes and adaptations? If the answer to either of these questions is no, it may be wise to make adjustments to the timing of changes, or the disclosure and acceptance of the risks the organization is prepared to assume. Anecdotal evidence suggests that an absence of documented, up-to-date process maps poses a difficult challenge for control functions attempting to manage risk and change remotely.

It is unquestionably an added burden to perform the assessments described above. This is particularly so when the crisis at hand brings with it new programs to implement and control, as was the case in the banking industry during the financial crisis in 2009, and as is also true today. However, a documented, deliberate, risk-based approach to right-sizing compliance staff and supporting resources, particularly in times of stress, demonstrates the kind of oversight, care and transparency necessary to prevent backsliding in the strength of an entity’s risk management program and culture. It further provides assurance that both existing and new obligations can be met, and ultimately supports greater efficiency over the longer term. Equally important, clearly documenting staffing and coverage decisions inspires stakeholder confidence in the firm’s decision-making process, and can help preempt future second-guessing and regulatory liability.

Footnotes

[1] For example, a Hogan Lovells report identifies a downswing in the allocation of compliance resources to Anti-Bribery and Corruption compliance in the face of increasing risk and responsibilities. High Seas: Steering the Course II, Hogan Lovells ABC Portal. Similar concerns about understaffing have been reported in surveys of other compliance sectors. See, e.g., Indicator Survey Shows That Substantial Risk, Compliance Concerns Remain for U.S. Lenders, Wolters Kluwer (Dec. 4, 2019).

[2] Kristen Broughton, Compliance Layoffs, Budget Cuts Raise Prospect of Looser Internal Oversight, Wall Street J., Risk & Compliance J. (May 25, 2020).

[3] In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).

[4] See, e.g., U.S. Sentencing Guidelines Manual ch. 8, § 8B2.1 (U.S. Sentencing Comm’n 2018); U.S. Dep’t of Justice, Evaluation of Corporate Compliance Programs (June 2020); Ethics & Compliance Initiative, Principles and Practices of High Quality Ethics & Compliance Programs 19 (2016).

[5] The recent FinCEN enforcement action and fine against Michael LaFontaine, the former Chief Operational Risk Officer of U.S. Bank National Association (the “Bank”), illustrates a choice between two perceived alternatives: (1) requesting an increased compliance budget to cover more staff and/or the installation of more effective AML case management and reporting tools to handle the appropriate alert output, or (2) suppressing alert output to a level that existing compliance resources are able to manage in a timely manner. FinCEN assessed an individual fine of $450,000 against Mr. LaFontaine based on two findings: (1) failure to prevent violations of the Bank Secrecy Act (BSA) during his tenure and (2) deficiencies in staffing. As reported by FinCEN, the Bank used an automated transaction monitoring system to identify potentially suspicious activity. However, rather than calibrating the monitoring system to the Bank’s risk profile, the Bank capped the number of alerts that the system generated so as to limit the volume of alerts that the monitoring staff needed to review and process; in other words, the detection threshold was set by analyst capacity rather than by risk. According to FinCEN, Mr. LaFontaine’s staff alerted him that the cap was inappropriate and that “the AML staff is stretched dangerously thin,” but he failed to address or escalate either the monitoring program deficiencies or the deficiency in staffing to fulfill AML compliance duties.

[6] Compliance risk management programs are tailored to the needs and risk profile of a firm. As such, while the “compliance risk management function” always includes those staff specifically assigned to and reporting within a compliance function in the “second line of defense,” reviews of the sufficiency of staffing may include in-business (“first line of defense”) personnel performing control functions and/or audit personnel performing compliance testing.

Kathryn Reimann is an Adjunct Professor of Law and PCCE Senior Fellow at New York University School of Law; a regulatory adviser at Hummingbird RegTech, Inc.; and a former Chief Compliance Officer of leading financial services firms. 

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.