Training and the culture of compliance in financial services

Posted: 24th April 2019

Attitudes toward training and culture are fundamental to the way a company and its employees conduct themselves.

The Huntswood Payments team was recently commissioned by the Emerging Payments Association (EPA) to write a white paper on the subject of financial crime. The resulting work provided a number of recommendations for firms, targeted at specific sectors and disciplines such as Open Banking, digital identity and data modelling.

This article explores the very first, and perhaps most vital, recommendation in the report:

“Promote training and awareness for financial crime staff [across EPA membership], to strengthen understanding of the importance of their role in tackling serious detriments to society."

How culture affects people

When people think of culture, they think of beliefs, traditions, mindsets and history. It refers to their outlook on life and the way they approach certain situations. Sometimes people's actions can be inconsequential but, more often than not, they affect others in ways that they may not have predicted.

This is how culture affects people – they pick things up unconsciously by immersing themselves in their surroundings and absorbing everything around them. Eventually, people end up acting like natives in their spheres, without explicitly being taught the rules. In business, and especially in financial services, it is important to ensure that staff not only understand the rules, but also why the rules are there in the first place.

The consequences of financial crime are far-reaching and personal where human trafficking, terrorist financing or drugs are involved, although many of the motivations behind compliance initiatives remain purely commercial. There is more talk of protecting brand integrity, credit risk and financial stability than societal risk.

Even when the human element is introduced, it is in depersonalised terms, referring to a reduction in harm for consumers. Yet the real harm could be being felt elsewhere, not just by a customer or a user of a firm's services, but by a fellow citizen.

Training: what is new?

Training is already a requirement, however, so what is new?

Regulated firms are already obliged to ensure their staff undergo anti-money laundering (AML) training, and responsibility for this rests with the money laundering reporting officer (MLRO).

How many of these training courses are effectively delivered and understood, however? How many, for example, are completed as box-ticking exercises to fulfil obligations? How many staff have simply clicked or swiped through a series of screens? How many managers, in contrast, have meaningful coaching conversations about each person's role in conduct, compliance and financial crime?

The cliché is true; people do what is counted, not necessarily what counts.

Promoting training and awareness must go beyond the compliance-for-compliance's-sake project that is completed once a year and should instead be designed to foster an ongoing culture of "doing the right thing". Otherwise, people could be conditioned to doing the wrong thing without even realising.

Indeed, whistleblowers at one of the country's largest telecommunications firms last year reported that customer service agents were being rewarded for customer satisfaction outcomes based on a single call, even if that single call may have been instrumental in handing over control of the account to a criminal pretending to be the legitimate account owner.

If firms are to be serious about fighting financial crime, they need to de-commercialise their motivations and think about the consequences of their actions. This usually begins from the top, from the directors that are so-called because of their ability to provide direction to a firm and lead by example.

An unlocked screen, a tailgated entrance, a shared password may be everyday occurrences that seep into people's subconscious and provide the foundations for wrongdoing.

The service staff at the previously mentioned telecommunications business, for example, had been conditioned into allowing callers to access accounts even if they failed to answer security questions correctly. As staff immerse themselves gradually in a firm's toxic culture, suspicious activity can start to become normalised and, therefore, not reported. This lack of reporting is not some sort of conspiracy or "cover-up", it is simply that the activity becomes expected behaviour.

Artificial intelligence and machine learning

Artificial intelligence and machine learning are hot topics at the moment, but computers themselves are not the panacea.

Specialist staff are still required to clean data, train the models and respond to alerts and red flags. These red flags are more easily spotted when staff are empowered to make decisions with a clear and unbiased conscience. Staff who have been conditioned to turn a blind eye for the good of the company's bottom line may well have completed their AML training – but have they actually learned anything?

Ultimate beneficial ownership

A consistent message within the industry is that the issue of concealment of ultimate beneficial owners (UBOs) has to be overcome.

At the launch event for the previously mentioned white paper, John Davies, deputy EPA chair and founder of Kompli-Global, provided an example that highlighted the scope of the issue: a single, unassuming terrace house was being used as the registered address of more than 4,000 businesses and was calculated at the time of discovery to have the largest turnover per square foot of any UK location.

This sort of thing should be easy to spot in a customer onboarding context, but if staff are surrounded by triggers and messages that influence them into discounting questionable filing activity at Companies House (maybe because a manager has assured them that it is technically compliant), what message does this send about a firm's real motivations for tackling financial crime?

Outsourcing

The increasingly fragmented financial services ecosystem means that while specialist companies are providing opportunities for regulated firms to outsource certain activities, this reliance comes with a large element of trust.

Principle card scheme members, for example, can streamline their operations in this way, but agent relationships mean that the principle is further removed from the end activity (i.e. the cardholder or the merchant).

How much does a firm really know, for example, about the company to which it has outsourced its "know-your-customer" (KYC) checks, or the agency providing its sales leads? How much does it really know about their culture? An outsourced agent needs to be regularly, and objectively, audited on-site, not only to ensure that they are fulfilling their contractual obligations, but also to ensure that a firm can consider them as a trusted extension to its business.

Considerations for staff training

• Look for ways of incorporating some sort of interactivity
• Tailor it to the firm's specific line of business
• Ask for regular, relevant feedback to test that staff are engaged
• Ensure managers guide their teams to understand the risks for their areas, how they can offset them, and how they can demonstrate great conduct every day

Staff simply remembering the date that various acts and laws were introduced is not going to be as effective or valuable to them as being able to spot examples of criminal activity in their specific line of business.

As the FCA has recognised, however, focusing solely on suspicious activities is not enough. Firms with a more general awareness will be able to contextualise events and appreciate the wider picture.

Firms must be serious about staff completing their training, so must go beyond telling them that it is sufficient just to comply with legislation. Instead they should tell staff that, by understanding the consequences and knowing where to get support, they can take a genuine pride in their work.

This article was first published on Thomson Reuter's Financial Risk Solutions portal in February 2019.