Latest Products

Remediation and having the Right People

Thursday 4 May 2017

When it comes to the banks, culture is a major topic. In the Australian context, however, it has been ASIC, the conduct regulator, that has been talking loudest about culture and conduct risk in financial services, and how that needs to change to facilitate better outcomes for consumers and the Australian financial markets as a whole.
Despite this, discussion at the GRC Institute’s 3rd Annual AML & Financial Crimes Congress is evidence that, regardless of the technological disruption arising out of Fintech and RegTech, the well-known mantra of ‘people, processes and things’ in the risk and compliance space remains relevant, even with the current emphasis on those same people to specialise and to be more tech-savvy than they once were.

Having the right people & training

When it comes down to it, the initial inputting of the right data is still the responsibility of people.
Carolyn Hanson, Head of Financial Crime Compliance & Specialist Advisory Services, Wealth Management, CBA, said that compliance, “…is about that behaviour. And, to use another analogy somebody told me the other day—it’s the difference between having really straight roads, or really good drivers. You can have really straight roads, but still watch everybody veer off them. If you have really good drivers, however, then you have a better chance of success.”
Paul Derham Partner at Holley Nethercote, said that having the right culture in your organisation is not just an Australian issue, but a global one.
“Medcraft is lobbying, or has been lobbying, to have increased powers around taking action against senior managers, for example, because of the organisation or their part of the organisation,” Derham said. “We’ve already seen the SMR regime in the UK, where senior managers are essentially held responsible for their behaviour, as well prudentially-regulated organisations.”
According to Derham, this illustrates the shift towards accountability for culture—that culture is not just a ‘fizzy word’, but it is also defined in the Commonwealth Criminal Code.
“So any of you who have studied law, or who have been to proceedings, will know that to establish a crime, you first must establish two elements,” Derham said. “First, you must establish the guilty act, the Actus Reus; then, you must establish the guilty intention, the Mens Rea. But how do you show the company has a guilty mind?”
Derham added the criminal code indicates that, in order to establish a company’s guilty mind, the regulator can look at the board or at the culture of the organisation.
ASIC’s examination into regulating the code of conduct being rolled out by the Australian Bankers Association (ABA) is a big step towards tackling this very issue and embedding culture into a different ‘rule framework’.

AUSTRAC’s view on culture
Derham mentioned some comments that have come out of the Australian Transaction Reports and Analysis Centre (AUSTRAC).
Paul [Jevtovic] says here that Greg Medcraft is suggesting we ignore culture in organisations,” he said. “And, as regulators, it can go to the very heart of systemic issues. I am not qualified to tell private enterprise what kind of culture best suits them. What I can tell them about, however, is the kind of culture that is going to draw AUSTRAC’s attention. Surely the board of that organisation is going to want that information, because why would you want a regulator all over you?”
In the context of TABCORP, Derham quoted Jevtovic, who said that the breach in the gaming company’s case was, indeed, a breach of corporate culture and an indication of TABCORP’s indifference to AML/CTF risks, until the regulator’s intervention.
This is in-line with what Armina Antoniou, Financial Crime Risk, said about culture, and that is that trying to change culture in a large organisation is a challenge that involves changing the legacy of that culture.
What this illustrates is that it is not only important to meet regulatory obligations according to the letter of the law, but also, it is about meeting these obligations in the spirit of law. This comes back to having the right people—or the drivers—in the right places.
“Lead from top,” Derham said. “You can have all these other elements in place, but if you don’t appoint people who want to do the right thing, or if you don’t appoint people who understand good culture, then the organisation is going to suffer anyway.”

The Importance of training
Derham also suggested that, in addition to having good people who want to do the right thing, there also needs to be good training.
Having good training should be an integral part of an organisation’s compliance framework. Good people with good culture still must be trained, or the organisation’s procedures will not be worth very much.

Monitoring supervision and remediation
In addition to training, there must also be sufficient staff to supervise the business and to ensure everything is happening as it should. However, it should also go beyond merely having enough supervision—it needs to be about ensuring the organisation has the right processes.
Focus should be on monitoring, supervision and remediation.
“You get the procedures,” Derham said. “You make sure they are 10/10. You communicate them to your organisation with the best kind of training you can…but the fact is that, even if you train well, people are going to be distracted.”
Derham said the hallmark of a good culture is one that also looks at remediation strategy—that is, how a flagged issue has been dealt with. “It is real cultural problem if the issue has been flagged, but has not then been escalated to the next level.”
The key is to have the right culture. To do that, you need to have the right people who need to have the right training. Then, you need to monitor and supervise, and to keep monitoring and supervising to ensure the organisation is not resting on its laurels or falling into the ‘set and forget’ trap that has claimed so many.