Creating a Culture of Compliance—Can it truly be done?

Over the past few years we have been reading more and more about “creating a culture of compliance” and “doing the right thing.” At the same time, anti-money laundering (AML) regulation is becoming tougher by the hour, and the day-to-day work of any professional in compliance is becoming an even bigger challenge.

So, how does one cope with all the changes? How can AML professionals prove to regulators that a “reasonable steps defense program” is in place and that all necessary steps were taken to protect the organization against money laundering (ML) and terrorist financing (TF) and to prevent a regulatory breach?

First, you need to appreciate that you can never be perfect. In fact, no one is. There is no “zero failure,” but there are a number of reasonable steps you can take to protect yourself and to ensure that your part of the business—and in effect your organization—is controlled effectively and complies with the relevant regulatory requirements. You are expected to assume responsibility and make common-sense, calculated decisions when performing your duties.

There is no set formula to follow, but it all depends on each organization and its senior management to take steps tailor-made to that particular industry, organization and specific responsibilities. Regulators will seek to determine whether senior managers, the board of directors, and in effect, the organization’s employees, behave with integrity, understand their business areas and relevant risks and comply with the law.

Revisiting Corporate Governance

The first step would be to revisit and enhance the organization’s corporate governance, meaning the mechanisms, relationships, rules and processes by which an organization is controlled. Proper and active corporate governance is what provides an organization with leadership, defines its direction and sets the procedures for decision-making and responsibility.

In that framework, the overall vision and strategy of an organization needs to be clearly defined. There should be a clear focus on why the organization exists, who its clients are, what business is conducted, and where—as well as how—it is conducted. Compliance should become core and should be at the back of the mind of everyone involved in the organization at all times. These desired standards of conduct and general behavior should be clearly determined and should be reflected in a Code of Conduct and a number of other relevant policies. A well-written and current Code of Conduct can lay down the expectations regarding appropriate behavior and can thus provide a road map for an organization’s employees and management.

Policies provide a framework for an institution’s operations and determine the boundaries for all major decisions and actions. Robust compliance policies, including a clearly defined Customer Acceptance Policy, are very important to document an institution’s commitment to “doing the right thing.” It is vital to include a whistleblowing policy that aims to encourage employees across the organization to speak up and identify unacceptable conduct. For whistleblowing to work, senior managers should encourage open-door reporting lines of communication and demonstrate willingness to listen to what their employees have to say.

If there is a clear definition of what is “the right thing to do” at the top of an institution and senior management demonstrates full support for compliance, then the rest of the staff in the institution will follow suit. After all, communication itself begins at the top.

The message needs to be specific, clear, consistent and frequently repeated. In turn this will help middle management adopt attitudes similar to those of the senior management and help encourage the right mood in the middle. Sometimes middle managers get carried away with traditional performance indicators and fail to translate the tone at the top into the procedures and practices that drive everyday behavior, which effectively undermines the importance of compliance and “doing the right thing.” Senior managers should make sure that compliance becomes a permanent priority for everyone in the organization, as a healthy mood in the middle is necessary to make sure there is the right “echo” at the bottom. This is achieved only when individuals in the organization know exactly what is expected of them. Employees look to their supervisors for guidance on how to behave or operate, and it is the responsibility of senior managers to demonstrate their commitment to the institution’s vision of a culture of compliance themselves, so that everyone else in the organization can feel comfortable to follow suit and keep compliance in the back of their mind when performing their daily duties.

Organizational Structure

A robust and transparent organizational structure will not only ensure accountability but also assist senior management in transferring the right messages to all employees in order to ensure engagement with core values and principles. The structure should be as simple as possible to provide for clear roles and responsibilities, accountability lines and alignment of interest across the institution. It should be transparent and should allow for easy monitoring. It should also specify the distribution of responsibilities amongst the different participants in the organization, define clear reporting lines and lay down the rules for decision making.

Accordingly, job descriptions become significant. Job descriptions are usually very high-level, general documents. It is important for job descriptions—not only at the senior management level, but across the organization—to be detailed enough, but not excessively detailed, so that they document exactly what a role covers and how performance against its obligations is measured. Job descriptions should include compliance with regulations, policies and procedures as a performance indicator, and they should be live. In other words, they should be continuously adaptable to changing circumstances, ensuring there is no duplication or mixed responsibility unless explicitly required, in order to ensure transparency in accountability. In this way, job descriptions are useful when someone is new to the job, and will also remain a useful reference to everyone in the organization throughout the period of their employment.

Identifying and Understanding Risk

In compliance and when following a risk-based approach, one should take steps to identify risks, assess the risk and concentrate on the higher risk areas when applying measures to mitigate those risks. Lower risk areas are also important, but they come second in priority.

If you do not identify and understand the risks, it is impossible to make sure the right steps are taken to efficiently and effectively tackle those risks. When the risks are identified, organizations must assess the likelihood and seriousness of violating laws and regulations, prioritize those risks and design the right tools and methodologies. In addition, organizations must identify the right people in an institution to tackle those risks.

In AML it has become apparent that the best way to deal with the risks is a clearly defined and well-documented AML program that represents an organization’s efforts to tackle the identified AML risks and demonstrates its commitment to “doing the right thing.” Put simply, an AML program is a set of policies, procedures and actions, but also, perhaps more importantly, the attitude required to guard against someone using a firm to facilitate ML or TF. As a result, it is the foundation or bedrock for creating a culture of compliance in an institution to support its AML efforts, and it should be tailor-made to the specific organization (e.g., its products, services, customers, geographic location and traditions).

It all comes down to choosing the right AML officer (or money laundering compliance officer) who will be responsible for designing and implementing the AML program itself, making necessary changes and providing information about the program’s progress to key staff members and the board of directors.

The AML officer must be a senior member of a firm’s staff, must be competent, inspirational, trustworthy and knowledgeable. In addition, the AML officer should always ensure he/she stays current on legal and regulatory developments in the field. However, knowledge should not merely be theoretical. The AML officer should have a good grasp of the business he/she looks after. This is essential because in order to be able to initiate measures to protect your business, you first need to understand the business as well as the risks it carries with it. It is important for the AML officer to be qualified, to network, exchange experiences and thoughts on day-to-day challenges, but also be open to receiving and providing advice on how to handle complex and sophisticated cases. The senior management and the board of directors of the organization should ensure that the AML officer remains independent and has sufficient resources available at all times.

The AML officer is responsible for drafting and implementing internal policies and procedures, which should be simple and easy to follow. They should be as specific as possible, providing employees with guidance on how to act under certain circumstances. At the same time, they should encourage and cater for the necessary use of commercial judgment.

Having the right internal controls, independent review processes and frequent testing of procedures and systems is also important. Again, it is vital that those reviewing and testing processes and procedures commit themselves to learning the business they are overseeing, and effectively protecting.

A solid training plan for an organization’s staff, its management and the AML officer is essential for a successful AML program and creating the right culture of compliance. A firm’s staff needs to understand their compliance obligations and why they are asked to do the right thing. Staff needs to understand what they need to do if they encounter potential ML or inappropriate conduct and should appreciate that they should not be rigid or mechanical in their day-to-day decision-making and judgment calls, but should exercise judgment and document their decisions. Training does not have to be limited to formal, classroom sessions and can include e-learning, webinars and any other form of communication that serves to educate and inform employees, such as emails, internal memos or newsletters and even frequent, regular staff meetings.

In a nutshell, creating a culture of compliance to support your AML efforts is not easy. It takes time, but it can truly make a difference in safeguarding your institution and demonstrating your efforts.

You should make the time to know the business well, seek out and make sure you receive appropriate training, and be aware of the compliance policies and procedures in your organization. Regardless of whether you are a senior manager, the chief compliance officer, the AML officer, or a member of the compliance committee of the board of directors in your organization, you should be able to demonstrate that you have the right programs, systems and processes in place to tackle the relevant regulatory risks and comply with local laws and regulations. You should further ensure that the organization’s relevant policies, risk methodologies and compliance programs, and the judgment calls made under them, are properly and appropriately documented. After all, if you do not document it, it never happened.

On the other hand, it is equally important for regulators to cooperate with financial institutions and support and encourage them to do the right thing. This does not happen with a set of rules and more boxes to tick, but rather with encouragement, training, guidance and cooperation. The regulator should come closer to the organizations under its supervision and get to know the challenges they face and the risks that come their way. When failures are detected at a regulated institution, the regulator or supervisor should apply actions that are appropriate and proportionate, as well as guidance on how to improve in order to protect the system from further misuse. Otherwise, it would seem that the only way to deal with the risks, the increasingly difficult-to-follow regulatory rules and the continuous fear of being sanctioned, is to shut down your organization and go home.

Gregory Dellas, CAMS, manager compliance risk management, International Banking and Wealth Management, Bank of Cyprus Ltd., Nicosia, Cyprus