While there are conflicting views on whether the FinCEN files should have been leaked, it has been a critical reminder about how much work still needs to be done by the financial services sector to combat financial crime. Within the 2,657 leaked files, 2,121 were suspicious activity reports (SARs) representing over $2 trillion worth of transactions, which in itself is only a small fraction of total SARs submitted during the same time period.

There are many lessons to take away from the leaked files, and yet the most visible is the lack of will or disconnect between the identification of suspicious activity and the ultimate action taken to address it. Banks are doing their duty in reporting suspicious activity, but many haven’t shown much interest or ability in going further than that, particularly with clients who bring in a steady stream of revenue. At the root of this problem is the prioritization of compliance or, in other words, an immediate pressure to do something about the suspicious activity in question, a resiliency in seeing the action through and a determination to achieve a confident conclusion.

To this point, one of the biggest obstacles cited for achieving compliance is its cost, when in fact the simplest and perhaps most essential solution is effectively free: that is, establishing a culture of compliance.

Having a culture of compliance states that everyone in the organization, not just those tasked with AML and financial crime prevention roles, should be vigilant and know the consequences of a lack of compliance. Unlike investments in AML technology or the headcount expense of hiring more compliance officers, this particular solution requires only an adjustment in mindset and a commitment by employees across the organization to exemplify that mindset in their daily work.

More articles about company culture from CCI’s archives

It sounds like a simple solution, and perhaps this seeming simplicity is why it is particularly difficult to achieve in reality. Many financial institutions have tried to instill a culture of compliance and have failed because there are so many other competing priorities, including balancing business growth objectives and meeting regulatory requirements. However, building the foundations for a strong culture of compliance has become ever more critical to the success of financial institutions in fighting financial crime, and there are a few cornerstones that can help to establish and maintain it. These are what I refer to as the 3 R’s.

Review

We’ve heard the term “tone from the top,” and whether it’s a culture of compliance or some other corporate cultural identity, the pillars of that culture must first be created at the top, often by the board or C-Suite executives. For most organizations, an established attitude toward compliance likely already exists, which is why it may be more important to review existing attitudes and policies and adjust them accordingly.

We live in a very different world today from when some of those policies were first created; financial crime has expanded, compliance regulation has changed, perpetrators have become more varied and they often have more resources at their disposal. It is therefore imperative that organizational leaders revisit and review the framework within which they approach compliance. That includes everything from official policy to internal and external messaging, informal behaviors and, most critically, assessing AML risks in today’s environment of accelerated adoption of technology. Only a consistent conversation at the top can help set the tone for the rest of the organization in terms of expectations and urgency on compliance.

Reinforce

Reinforcement is core to ensuring that the tone from the top actually becomes everyday behavior. It is one thing to see, read or hear something; it is another thing to do it. Reinforcement is usually what’s missing when it comes to that bridge between knowing and doing. No one wants to feel as if they’re the only individual doing something, and motivation comes much more easily from being part of a bigger movement than being alone. This part of culture-building rests heavily on the shoulders of managers and decision-makers at all levels of the organization, and it includes governance structures, employee engagement, open communications and consistent monitoring.

The best way to demonstrate how this works is through the eyes of a new employee: Not only should they see prioritization of compliance from the top, they should also immediately feel this prioritization through proper training and interactions with their colleagues. Their takeaway should be that when it comes to compliance, there is an implicit understanding of its importance and an explicit acceptance of the clear series of steps to take if there is an issue – and no question at all that those steps should be taken.

Reward

Finally, a culture of compliance should be rewarding for those who belong to it. There is an ongoing debate around whether reward or punishment is the right “incentive” when it comes to promoting compliance, but it should be understood and promulgated that whether or not punishment comes into play, rewards should always be a part of the equation.

Rewarding an employee is often much less complicated than punishing an employee, and it only increases the positive reputation of an organization. If we can ensure that rewards are visible, valuable and relevant for the employee, we increase the chances that a culture of compliance is welcomed and supported by everyone in the organization. Part of this is also ensuring that being rewarded for compliance is not in conflict with other incentives, such as sales targets or other metrics. By ensuring that employees across the organization are rewarded for their positive work toward a culture of compliance, cultivating and maintaining this culture will only become easier over time and ingrained in the very fabric of the organization.

In wrapping up, I am reminded of an analogy the chairman of the board of a pan-Asian financial institution shared with me back in 2010: He described a culture of compliance as equivalent to “preventive medicine.” Once you get sick, it takes a long time to recover; similarly, without the right culture of compliance, the financial institution will take a long time to recover from the resulting reputational, legal and financial risks.