Will your company’s compliance programe withstand the nCOVID-19 tsunami?
Dr. Emmanuel Moore ABOLO is the President, Institute for Governance, Risk Management & Compliance Professionals/GMD, The Risk Management Academy Limited.
April 13, 2020999 views0 comments
The coronavirus (nCOVID-19) outbreak is causing widespread concern and economic privation for the government, consumers, businesses and communities across the globe. The situation is changing nippily with widespread effects.
At this point in time, the nCOVID-19 has infected 1,605,790 individuals globally, and killed 95,766 with 357,003 recoveries since being identified in China at the end of last year, spurring governments in nearly all continents to ask many people to work from home and refrain from intermingling with one another, among other dire measures to curb the outbreak.
No doubt, the number of regulations companies would face would increase and the cost of compliance may skyrocket. Companies would continue to deal with sensitive information daily to deliver services without compromising that data. To manage these challenges, there may be the need for robust solutions that can make jobs easier and also take compliance more seriously.
Too often, the cost of implementing an automated process has been high. Because of this, many companies rely on manual processes, using legacy or ad-hoc cloud systems, which means they’re duplicating data and replicating precious resources without an adequate audit trail.
Data protection systems need to be an integral part of the security and governance posture of any organization. It is, therefore, necessary to build capacity to be able to assess the application security, compliance and privacy needed to adhere to strict guidelines before deployment without impacting the production system or increased cost.
For the sake of driving home the point, we shall focus on the banking industry even though the lessons would not be lost on other industries/sectors.
It will be recalled that when regulators were drawing up plans to preclude a repeat of the global financial crisis of 2008, they correctly hit upon the inkling that banks should hold substantial buffers in terms of capital and liquidity that would ensure their survival through another histrionic downturn.
As banks built up these buffers, regulators averred that each bank would be subject to an annual stress test to see if they would be able to subsist a worst-case economic scenario. That worst-case scenario was one most bankers thought was not just unduly harsh, but inconceivable.
Today, as the coronavirus – and governments’ responses to its chilling consequences – infects the global economy to the point of virtual shutdown, daily predictions of GDP decline in the second quarter of 2020 are getting worse by the day. Predictions that the world’s GDP could decline by at least 25% might be exaggeratedly optimistic.
To be sure, buffers were aimed at helping banks withstand an unprecedented downturn. As it turns out, the scale of what was coming was far beyond the imagination of even the most pugnacious regulator.
Many companies have, no doubt, put in place a robust and effective compliance program that comprise the following key elements:
• Written policies and procedures;
• Designated compliance officer and compliance committee;
• Effective training and education;
• Effective lines of communication;
• Internal monitoring and auditing;
• Enforcement of standards through well-publicized disciplinary guidelines;
• Prompt response to detected problems through corrective actions;
• Compliance metrics reviewed by Compliance Committee to assess program effectiveness;
• Compliance leadership as part of executive performance reviews; and
• Prompt, balanced and effective decisions regarding compliance activities that require Compliance Committee involvement.
It is also true that many Chief Compliance Officers [CCOs] are fantastic motivators because they believe in what they do. They work hard to implement their compliance programs and they know deep down they are living in a land of risks that could create gaps in their compliance programs.
But they are continuously, with optimism, seeking to advance their program, embrace new ideas and build more effective strategies. For this, the compliance profession stands out for its leadership and perseverance. I say all these not necessarily because I was once in this territory in one of the leading DFIs in Nigeria.
But that is not the important point that concerns us here. To be clear, no matter how good a program is, it cannot remain static because the environment is very stochastic and dynamic. The nCovid-19 is one discontinuity that has shaken the world so hard since creation. You are free to disagree.
Remote work and other impacts to company workforces from the novel coronavirus pandemic are likely to result in practical limitations on usual environmental, health and safety and regulatory compliance programs and activities across a wide multiplicity of industries.
We are already seeing some regulatory agencies across the globe issuing new guidance and orders with implications for compliance and enforcement, and it is worth noting that regulatory agencies will also likely be impacted by their own workforce capacity issues in this environment.
As the world faces the threat of the coronavirus (COVID-19), many leaders around the world are beginning to recognize it as a genuine security threat that will impose fresh regulations with implications on compliance programs.
A recent research states quite succinctly that in human behavior terms, the threat is not from an external enemy but from individuals and organisations who refuse to comply with guidelines and instructions and fail to change their behaviour to adapt to the developing situation. With nCovid-19, the individual or companies refusing to comply is an active and ongoing threat to others as well as or sometimes more than to themselves.
The obvious threats are the outright refusers. From a purely psychological perspective, these are people who are either oppositional in their attitude or in denial regarding the effects of their refusal. While the former understand that by intentionally violating guidelines they are creating risk for others, the latter deny it, at times adopting an “it won’t happen to me” attitude.
While understandably not popular with those that value the protection of civil liberties, the suspension of these protections in times of national emergency may prove to be central in reducing mortality, as well as in limiting the economic consequences of a protracted battle with an unseen enemy hiding in a friendly population.
Let’s go back to the issue at hand. How should CCOs respond in order to protect organizational compliance programs and the future of their organisations? Good question.
Compliance officers, especially in Banks, must reassess their approach to monitoring transactions to account for dramatic shifts in customer behavior amid the global pandemic.
As citizens practice “social distancing,” and elderly people in particular are confined to their homes, banks may see a spike in large cash withdrawals and growing use of digital financial services by customers who typically would not engage in such activity. Although, the CBN cashless policy would help here.
Three senior compliance officers in the US stated that they have had to adjust, or plan to adjust, various thresholds that trigger alerts for suspicious transactions as their clients modify their financial behavior to respond to the pandemic. The same could happen in Nigeria.
Banks are likely to receive multiple suspicious activity reports, or SARs, flagging attempts by fraudsters to exploit fears of the pandemic to sell sham cures, raise funds for fraudulent charities and dupe victims into handing over money by impersonating government officials, among other scams.
Such schemes reflect typologies typically seen after natural disasters. CCOs need to be aware of this and reflect same in their compliance programs.
I am also aware that many banks are taking steps to protect their employees, including by having their AML staff largely or entirely work from home. Staff assigned to tasks like model risk validation are already teleworking or Zooming, while other critical employees are still going into the office, but in shifts that enable them to keep their distance from one another and still actively monitor for potential sanctions violations and other suspect transactional activity.
I think banks need to focus resources first on sanctions, second on fraud and third on AML. The order or sequence may change depending on the peculiarities of each bank.
With reduced resourcing available and growing reporting and filing demands on Banks, it is conceivable that the regulator will be amenable to granting general and/or bank-specific dispensations for reporting data which is not deemed as significant or systemically important.
This is particularly true for new or emerging requirements which are not yet in force, so called ‘in-flight’. There is a broader point around implementation of new regulatory measures which may either be delayed or where it may be sensible to advocate for suspension/ regulatory forbearance.
Many regulatory rules will have to be reconsidered in the context of sustained remote working .Particular attention must be drawn to market disclosure obligations for listed entities.
CCOs can easily be bullied by forces that oppose their need for resources, their mission and increased influence. CCOs have to rise above this; they should not alter their opinions just to keep everyone happy and avoid ruffling feathers.
A compliance program built on a CCO’s misstatements, weaknesses and omissions will only fail in the long run. Such a strategy not only threatens the company’s culture but could easily be discreditable to a CCO’s standing and career.
So, the question then is: will your company’s compliance programme be able to withstand the nCovid-19 epidemic? A lot would depend on the action that you decide to take. Ensure that you do not work in silo; leverage on governance and risk management [GR] platforms for stellar results. Goodluck!