What Compliance Managers Should Report to the Board: Interview with a Board Member

Due to time constraints and other speaking engagements, we were unable to host an AML Compliance Grey Matters webinar in October or November. In lieu of a broadcast, we are providing a transcript of an interview with a Cayman Islands-based retired attorney-at-law and a current and former board member of several AML regulated companies. In order to speak openly, our interviewee asked to remain anonymous.

Compliance professionals are often required to provide periodic reports to their senior management. But what should be included in a report? What does a business’s management need to know about its AML compliance status?

Management is responsible for navigating the business through difficult economic, regulatory, and market conditions. Compliance is just one facet of the business, but like all the others it has to function smoothly.

As a former compliance officer, I remember writing lengthy update reports to my senior managers. I now realise that those reports were likely not even read.

This realisation is not a criticism of my manager. After almost a decade of running my own business and being responsible for strategy, cash flow, customer acquisition and retention, and many other obligations, a detailed report from any one of the departments not run by me would likely go unread. Too much detail is unnecessary for management. I know that now.

So, what do managers need to be able to demonstrate to regulators that they are fully informed? And how do they encourage a culture of compliance?

To get some answers, I reached out to a Cayman Islands-based current and former board member of several AML regulated companies. In order to speak openly, our interviewee asked to remain anonymous.

As a board member, what do you expect from compliance?

“I’m very aware of two things when it comes to compliance. First, compliance is also about reputational management. Both are critical to a business, so making sure that the Board are able to oversee compliance is pretty important. Second, sh*t only seems to flow uphill! If compliance is not doing its job, it will become apparent and soon be very much a Board problem.

That said, it’s not just compliance issues that can become explosive issues. Boards are also navigating the company through the strategic challenges that each business faces in its sector including increased regulatory scrutiny in all areas. Additionally, we could be looking at new acquisitions or being an acquired target by another. Anything related to AML compliance is likely going to be a seemingly minor point on a lengthy agenda. Unless it’s a huge problem that could cause the company reputational damage.”

Interesting. You want to ensure compliance is doing its job, so you don’t have to deal with the fallout. In your opinion, what do you look for in a compliance manager or MLRO so you can later avoid having to deal with messy compliance issues?

“Companies come in all sizes, and so do compliance teams. Compliance may be one person, or it could be a large team. Larger teams often have an MLRO report to a Chief Risk Officer. And the Chief Risk Officer could either be on the Board or report directly to the Board. Smaller firms often have the compliance officer and MLRO and CRO duties performed by the same person, who may report directly to the Board.

That said, when I’m joining a Board, I want to know that the person in the MLRO/CRO role is someone with good relevant experience and qualifications and has good instincts for assessing if something isn’t quite right.

We’re also looking for someone proactive. The regulatory landscape is moving quickly. It’s not uncommon that even the regulators are still finding their feet and are often reactive to external pressure. An MLRO/CRO must be able to anticipate the pressures and be proactive and quickly implement new changes.”

Good suggestions. And as to the regular reports to the Board? What do you want to see in those? What would you read?

“It’s important that the Board gets a regular update on the status of key compliance metrics, such as the number of new clients onboarded and the number of clients that may have been rejected during the onboarding process or as a result of a failure to provide relevant information. But for the most part, Board members are not reviewing to the same level of detail lengthy reports from compliance. Most Board members are not compliance trained and are likely to assume the MLRO/CRO has a better understanding of compliance issues and is dealing adequately with operational matters. It is the MLRO/CRO’s job to raise any operational issues that may need the Board’s attention.

What I would like to see, however, is a quarterly presentation from the MLRO/CRO on anything that is keeping them up at night. During this presentation, I want the compliance officer to speak their mind. This presentation is when I’ll get helpful information. And, as a Board member, I’m then better informed on what we need to do to act.”

And what if compliance is keeping you up at night? What do you do if you suspect someone on the compliance team, such as the MLRO, is not performing well?

“Should it ever arise that the MLRO/CRO is not up to the job, I’m going to want to see management deal with the problem sooner rather than later while being cognizant that any change could impact our ability to keep operational matters flowing.

If the problem is simply that the MLRO/CRO lacks some technical skills or needs additional support, then I want them to get those extra resources. I am aware of a situation of an entity needing to move an MLRO sideways – much to their relief – when the Board realized that the individual was out of their depth in the role. But they had excellent skills otherwise.

Don’t let someone flounder – either give them the tools and training they need or move them off that position. And it’s perfectly okay to ask for help or to be transferred out of the role. It’s not for everyone.”

What other input can compliance provide to the Board or senior management of their company? I once observed that marketing activities resulted in new clients that weren’t passing the compliance requirements in a company. It begged the question of why compliance was not consulted before the company spent marketing dollars in a particular high-risk jurisdiction.

“Absolutely, and the same can apply with respect to M&A activity. If, say, you are looking to acquire another company, part of our due diligence will be to send in our own compliance team to audit the target company’s compliance. Their assessment could help determine the valuation of the business because if we’re going to get rid of half of the client portfolio because it’s too risky or non-compliant, then that can devalue the company.

There’s also the question of ensuring a strategic review of compliance remains part of the mindset of strategic decisions. For example, suppose the company is considering entering new markets, jurisdictions, or offering a new service or product. In that case, I want to hear from compliance what kind of clients we can expect if we move forward. What will that mean for our risk? What’s the regulator like in that new jurisdiction?”

Thank you very much for spending an hour with me and providing me with your perspective. Any final words of guidance for a compliance professional that reports to the Board?

“As you suspected, some board members don’t want overly detailed reports, if the point can be made more succinctly. But remember, my perspective is mine alone – others may be different. If you have a board member who has in-depth experience of AML regulations or has been assigned the responsibility to oversee compliance, they may well want to see more detailed reports. But don’t assume that all Board members are reviewing them from the same level of experience or knowledge.

Effective communication is key when it comes to keeping your board informed. Keep your reports brief, clear and to the point. If you need to show backup materials or data, attach them as appendices. You don’t want to be wordy. Or overwhelm management with information they don’t need or can’t use to navigate the business.

If you do overwhelm them, the risk is that when you really need the Board to act on an issue, your need goes unheard because your report was unread or skimmed over with a cursory glance. And as I stated before, boards are sometimes dealing with potentially explosive issues that can result in reputational damage to the business.

It’s the compliance officer’s job to make sure any potential issues are reported to the board efficiently and timely, with the objective that the Board can then help you out before there is any reputational damage to the company.”

With many thanks to our guest for spending an hour with me discussing this topic.

If you have a topic that you would like our team to research and present or you can be a guest on a future broadcast of AML Grey Matters, please contact me at kimberly@silocompliance.com
