The Board's Role in Overseeing the Management of Financial Crime Risk and Compliance
A board must understand more than the regulatory obligations and the risk of non-compliance.
Setting the baseline for this article.
If we’re being honest, boards typically do not take an interest in anti-fraud and anti-money laundering programs unless there is a significant fraud loss or regulatory pressure through examination or enforcement. In short, most boards see fraud as a buried operational function, and AML as a compliance function. Moreover, rarely do organizations have an integrated approach to managing financial crime risk.
So, can boards provide adequate oversight if that is the reality of the current state? Perhaps the better question is whether boards should be providing more adequate oversight. The answer is absolutely, and much like the cross-industry push for cybersecurity to be a staple of board issues, financial crime broadly has a rightful place on the board agenda.
To further establish the baseline for this article, we need to define and better understand the scope and boundaries of financial crime risk and compliance.
What is financial crime risk and compliance?
Five (5) domains fall under the financial crime umbrella: (1) fraud, (2) cybercrime, (3) money laundering, (4) corruption, and (5) sanctions. Each domain presents a risk management and regulatory compliance burden to financial services firms and corporations in other commercial segments.
Who is responsible for financial crime risk and compliance?
Ultimately the board is responsible for ensuring that management has implemented programs designed to mitigate financial crime risks and comply with applicable laws and regulations.
What role should the board play in overseeing the financial crime risk and compliance function(s)?
The first role of the board is to set the imperatives for management. The imperatives should be simple and concise.
Mitigate financial crime risk.
Comply with applicable laws and regulations.
Ensure the efforts are carried out in the most cost-effective manner.
The second role of the board is to evaluate management’s strategy and plan for executing against the imperatives. Here is what the board should look for in management’s strategy and plan.
Leadership
The board should verify that a person has been designated as the Head of Financial Crime Risk Management (FCRM) and that person reports directly to the Chief Executive Officer (CEO). Moreover, the board should interact with the designee and begin to build a direct relationship to ensure a free flow of information.
The board should also see the Head of FCRM as an integral member of the management team, operating with autonomy and equitable authority amongst other peer direct reports to the CEO.
Culture
The board should verify that mitigating financial crime risk and complying with laws and regulations is a firm-wide responsibility and is advantageous to the growth and success of the firm. The best way to find evidence of a cultural commitment is to ask the right questions of business leaders and associates outside the FCRM function.
Design
The board should verify that management has designed a functional business unit that is well-positioned to meet the imperatives. Considerations by the board should run across finance, people, technology, operations, and the use of professional services (like consultants and advisors).
Conventional thinking amongst the board will seek peer comparison and validation. The real role of the board in verifying a good design is to think harder: measuring itself against best-in-class standards rather than against any industry peer(s).
The third role of the board is to track and monitor management’s performance through effective oversight (asking the right questions). A single slide covering SAR filings, fraud losses, audit and exam issues/results does not give the board the information it needs to understand if the FCRM function is hitting the imperatives.
A thinking board will ask these intelligent questions and then reference data provided in a slide or presentation.
How is the problem of financial crime evolving and how is it impacting our current strategy and plan to manage it?
How are transformative strategies, approaches, and technologies being evaluated and how can we benefit from them?
How is the business function performing across finance (budget to actual), people (attrition, retention, development), operations (efficiency ratios, delivery, optimization efforts), and technology (reliability, use, road map)?
Experience and expertise among board members are not required but should be sought.
Not every board member must be an expert in financial crime risk and compliance. However, for regulated financial institutions, having a former risk and compliance executive on the board can be advantageous. A practitioner and operator view can accelerate the interpretation of management strategies and plans, as well as build rapport with the Head of FCRM.
If this article sounds disruptive to the current state of industry norms, it is meant to be. Decades-old status quo approaches will never tackle the problem of financial crime (and its underlying illicit activities).