What is compliance resiliency, and why is it crucial for your organization to have it? Examples from recent enforcement show how developing a concise business continuity plan might prevent a dangerous management shuffle.
Compliance resiliency is the process of proactively ensuring a firm’s compliance function is neither undermined or weakened by the absence of a key employee. It is possible that this employee is the only full-time compliance officer in the organization, or it is possible that their compliance responsibilities are compartmentalized so that no one else is aware of what they are doing or how they are doing it.
Recently, enforcement actions were taken against a small Puerto Rican bank and an investment adviser with offices in New York, in part because of their inability to comprehend and prepare for the sudden departure of a crucial compliance officer.
Nodus International Bank, which has its headquarters in Puerto Rico, was cited by the Treasury Department's Office of Foreign Assets Control in October for breaking American U.S. sanctions against Venezuela by processing a number of transactions on a blocked account without first obtaining permission from OFAC.
Nodus informed OFAC that its compliance officer had left the bank throughout the course of the investigation, depriving it of any documents and conversations pertaining to its management of the banned property.
Nodus disclosed the infractions on its own, and OFAC issued a finding without levying any penalties.
The Securities and Exchange Commission (SEC) fined E. Magnus Oppenheim & Co. (EMO), a New York-based investment adviser, $50,000 in March for failing to carry out best execution assessments after the passing of the company's founder and chief compliance officer.
The SEC said it informed the firm in 2019 its examiners identified substantial problems in the firm’s compliance with federal securities laws and SEC guidelines. E. Magnus Oppenheim died in June 2019. He was the company's president, chief investment officer, and chief cash officer.
After Oppenheim passed away, EMO appointed a portfolio manager, an administrative worker, and a compliance officer from a third-party agency to oversee the company's daily operations. Many of the same compliance issues were discovered again in a 2021 SEC examination, and the company failed to adequately address them, the agency claims. For "failing to establish procedures in the event of the loss or incapacitation of key individuals, including Mr. Oppenheim," the SEC cited the firm.
According to experts, there are actions a business should take to make sure no employee changes endanger compliance efforts.
Standard operating procedures (SOPs) for each compliance function should be documented, according to Ellen Hunt, principal consultant and advisor with Spark Compliance Consulting. Hunt previously served as senior vice president, audit, ethics, and compliance officer at nonprofit AARP.
Even if there is only one member of the compliance team, SOPs should outline their specific duties. Particularly if they are handled by just one person, certain compliance roles, including the handling of conflict of interest or sanctions compliance, should be explained in major firms' SOPs.
A document like this "doesn’t replace judgment and experience, but it’s important to know how that person did things and why they did what they did," according to Hunt.
An organization might also benefit from conducting stress tests on a company's compliance department and recording the findings to better understand who does what and why.
Compliance officers should also draft a memo outlining their primary duties, any pressing issues, and their long-term goals. Basic information like how to access systems like the whistleblower complaint line or the contact details for significant vendors and consultants should be included in that paper.
“Think of it as your ‘hit by a bus or won the lottery memo,’” Hunt added. She suggested that it should specify "what needs to be done in the event I’m not here."
Tim Rohrbaugh, a former chief information security officer at JetBlue Airways, suggested that integrating compliance into business decision-making in order to ensure that regulatory, IT, and cybersecurity risks are recognized and adequately budgeted for at every stage of the process. According to him, this kind of thinking may be used for anything from brand-new sales initiatives to employing important vendors.
"Compliance needs to be brought into the contracting process because most of the time it’s an afterthought," Rohrbaugh added. " What I mean by this specifically is every business relationship has transitive exchange of threats and many times a transitive exchange of regulatory compliance requirements."
"This is not just a sunk cost, many times because the deal comes with new or greater threats and new or greater regulatory requirements. This way, the organization won’t be caught off guard and will be able to properly price the engagement and budget for it."
According to him, another advantage of the strategy is that a wider spectrum of internal stakeholders are aware of and understand compliance concerns.
Additional ways to ensure compliance resiliency include:
- Rotating compliance officers across various departments within the business, either to cover for employees who will be out sick or as part of a plan to teach other staff members about important compliance roles. This can create empathy and understanding for the job responsibilities of other employees, Hunt said.
- Mentoring. Consider having that compliance officer mentor his or her replacement for a brief period of time if planning for a significant change is feasible, such as when a compliance officer retires or moves internally to a new position.
- Checking in with the company’s compliance or audit committees and reading meeting minutes for the past several months. It might be made clear what has and has not been working properly in the firm's compliance operation, according to Hunt.
Always be prepared with a plan of action for these kinds of circumstances. Companies should hope for the best but plan for the worst.
By fLEXI tEAM