Andy Grove, the founder and former CEO of Intel, famously said, "Only the paranoid survive." He also wrote a business book with the same title. Is there evidence that paranoia has reached the compliance department and, if so, is that a good thing?
A (drill) bit too far?
There are a number of recent case studies that make the opposing case; perhaps compliance officers are not paranoid enough. Consider the case of Transocean, the Swiss company that provides drilling equipment for oil and natural gas exploration. The firm inked a deal with CNOOC, the state-owned Chinese energy company, to provide the drilling rig Actinia for exploration off the coast of Myanmar. However, CNOOC had partnered with China Focus Development. This firm, formerly known as Golden Aaron, is completely owned by Steven Law (aka Tun Myint Naing) and his wife Cynthia Ng (aka Ng Sor Hong). Law and Ng are listed on OFAC's Specially-Designated Nationals (SDN) list due to their involvement both with the military junta in Yangon and in the Southeast Asian drug trade.
While Transocean maintains U.S. offices in Houston, Texas, the company claims that they were not in violation because Law's name did not appear on the contract signed with CNOOC. They also argue that, since the Actinia is a Panamanian vessel and that Transocean is a Swiss company, the transaction is not subject to U.S. oversight. Or is it? Certainly, if the contract was solely negotiated and the transaction facilitated in the 12-person Swiss offices, OFAC could not fine the firm, as no "U.S. persons" would have been involved with the execution of the contract.
The company's first claim points to a lack of compliance rigor. Due diligence of business partners extends to the beneficial owners of those firms. To give Transocean some credit, China Focus Development is not listed on the SDN list. However, a cursory review of the CNOOC web site mentions the change of name and that Golden Aaron appears on the SDN list.
Transocean's second argument, while potentially valid, misses the point. Even if it could provide it should not be subject to a civil penalty, the company could, in theory, end up on the SDN list themselves. Perhaps, a cynical calculus factored into the company's thinking process: Would the U.S. government sanction a firm so integral to the U.S. energy industry? That is a big gamble, especially in light of the dollar figures involved; the firm charged U.S. $206,000 per day that the Actinia was leased.
Not Ship Shape
In 2010, Maersk, one of the world's largest shipping companies, was fined approximately U.S. $3.09 million for violations of the Iranian and Sudanese sanctions. Maersk is a Danish company, but some of its vessels fly the U.S. flag, making those vessels subject to U.S. regulations.
In general, the firm had dotted its i's and crossed its t's. The vessels that docked in Iran were not U.S. cargo vessels, and the company had received specific OFAC licenses for shipments of food aid to Sudan.
Where Maersk ran afoul of U.S. regulations was in not having sufficiently detailed systems and related controls. The Iranian shipments, despite not involving U.S. goods, became subject to OFAC oversight because they were transshipped on U.S. vessels. Better compliance systems would have caught the conflict before it had happened and made Maersk allocate other vessels to the transfer of the cargo.
Similarly, while the food shipments were authorized, additional cargo also was shipped to Sudan. Improved systems and controls could have shifted the unlicensed goods to non-U.S. vessels.
Is the shoe on the other foot?
So these are cases where firms large enough to know better did not and considered compliance in too narrow a context. Transocean's sin was in not going far enough in vetting its business partners, while Maersk's failure to plan and track its shipments in greater detail led to a significant civil penalty.
Does the opposite problem exist as well? In other words, is there evidence of excessive care—casting wider and wider nets in a futile effort to identify anything that remotely could raise a red flag, regardless of whether it represents an actual violation, much less one that would raise regulatory scrutiny?
In Name Only
Recently, a number of Tier 1 banks have requested a list of the 100 most common Burmese names so as to try to identify transfers to Myanmar. These firms have noted that, increasingly, references to Burmese individuals omit address details such as city and country. These efforts at evasion are consistent with other schemes, such as naming Burmese firms with common Western names (e.g., the Yangon-based firms New York and Hong Kong). The banks justify the request on a cost basis by noting that Burmese names are reasonably unique and are not likely to be confused with those of other peoples.
There are two problems with this silver bullet scheme. The first reason that such a wide-ranging effort to stop Burmese transactions is ill advised is that none of the major sanctions programs imposed on Myanmar, including those of both the European Union and the United States, calls for a total ban on business with the country and its citizens. The OFAC sanctions, for example, explicitly permit financial transfers from Myanmar to the U.S., and personal remittances for those not explicitly listed on the SDN list or described in the sanctions flyer. By setting a higher bar, these firms incur greater operational costs and possibly turn down legitimate business. Would not adherence to the listed entities, perhaps enhanced by commercial data vendors to include the categories of persons specified in the sanctions flyer, be a more targeted way to address the same issue?
The second issue is a moral one: is this a well-intentioned effort to defeat a more sophisticated scheme of avoiding detection, or does it border on racial profiling? Should a non-resident Burmese individual have recourse if their business transactions are delayed, solely on the basis that they have a common last name? Surely, were equivalent efforts in place to identify people with Muslim or Hispanic names, the uproar that would result would quickly quash those efforts.
A second trend that borders on overreaching is the scanning of news sources for stories with negative implications. Many firms, as part of their onboarding and regular Know Your Customer (KYC) processes, scan adverse media for identifying undesirable clients. The major data providers all participate in an arms race of sorts for this data; the number of data sources has become a point of competitive advantage.
How could this be a bad thing? At what point is denying services—or even pricing in a risk-based premium—justified?
Compliance officers will argue that someone under investigation at least warrants greater monitoring. Does that not, however, depend on the size and scope of the offense? Does it also not depend on the quality of the source? Do compliance professionals know enough to gauge the veracity of the tens of thousands of news outlets that provide such stories (according to one of the largest adverse media providers)? And what is the cost of weeding through the mounds of false positive matches?
The problem, by the way, is not performing adverse media scans for your customers, or trying to see which ones appear on Politically Exposed Persons (PEP) databases. The problem is performing such activities for all clients, regardless of other risks. If a client is otherwise a very low-risk client, will most adverse media stories materially affect the way their relationship is managed?
There are other examples of how, when compliance officers are given a shiny new hammer, there is an overwhelming desire to consider everything a nail.
Sometimes, innocently or maliciously, data shows up in the wrong place in a business transaction. While a company name may appear in a "name" field, "in care of" information may appear in the address field, due to lack of a separate field for such information. Other times, two parties will appear in a single field due to lack of sophistication at the other end. And, yes, there are times where sensitive information is buried in a field where the sender hopes the receiver is not checking. Checking for these rare events, however, is expensive; a review of cross-border ACH activity at a major U.S. bank showed that more than 40 percent of the records requiring review had matches to regulatory sanctions lists in those fields.
There is resistance to limiting the extent of such activities, even when presented with regulatory pronouncements on risk-based programs. Within the last month, the aforementioned U.S. bank screening ACH traffic and a major international bank have stated that any regulatory response is not acceptable to them. The firms wanted to avoid even receiving a warning, like a Cautionary Letter from OFAC, which does not accompany a public finding or a civil penalty. Being willing to incur significant ongoing operational costs in order to avoid an inconsequential "consequence" seems more consistent with paranoia than with appropriate risk management.
Moderation in All Things
So, are compliance professionals managing risk—or just trying to avoid it? In the current environment, is the focus on avoiding even petty crimes being committed on our watch?
Perhaps a lesson can be learned from the insurance industry. Insurance policy pricing is based on statistical and demographic factors; younger drivers pay more for car insurance because they are more likely to be in an accident, while older people pay more for life insurance premiums because their policies are more likely to have a claim on them during the policy period. One forward-thinking U.S. insurer offers a device to monitor driving habits so that lower-risk customers can prove their worthiness for lower rates.
How does this inform us? Perhaps the level of compliance checking applied to a relationship or a transaction should be commensurate with the potential risk that the client represents. A client requesting a $50,000 line of credit likely does not warrant an adverse media review. And, perhaps, a $250 cross-border ACH credit does not require searching for bad guys in street address fields, or for references to Iranian cargo vessels.
(A disclaimer: all of this is dependent on the mindset of your regulator and the transparency with which they operate. A conversation with someone with a sympathetic ear would be fruitful in cases where those answers are unclear.)
If there is a desire to prove an extra level of rigor for even those under-the-radar relationships and transactions, perhaps alternate approaches should be considered for those items. Statistical sampling and regular spot-checking of excluded items are both suitable ways to validate both a compliance department's risk-based decision process and its program controls. Why not pick a random day and look for those pesky Burmese names on a post-mortem basis, to satisfy management, auditors and regulators that the actual level of risk involved has not materially changed? On a monthly basis, a scan of a subset of excluded customer accounts against adverse media sources could produce a report that could be more efficiently reviewed than using an online case management system, especially when the assumption is innocence, and only the exceptions need affirmative action.
It is worth noting that, despite the best efforts, the likelihood of most apparent red flags being actionable is low. The trick is to know when a low-frequency event becomes noise that can be ignored and when it demands our attention.
Compliance without regard to the costs is unsustainable; it puts companies at a competitive disadvantage. However, non-compliance without regard to the costs is also unwise; regulatory responses can severely crimp a firm's ability to conduct its business.
What is needed is a clear-eyed assessment of the regulatory risks and, just as importantly, the likely regulatory responses. Assuming the most severe response, or donning rose-colored glasses, will both incorrectly price the risk, which will cause an improper investment in compliance efforts. That way, we can concentrate on adhering to regulations in ways that can have a material impact on our firms' P/L statements and focus less on those which are extremely unlikely to.