Measure twice, cut once
Behind closed doors, compliance has been described as a necessary evil or, at worst, as an intentional and unfair obligation imposed on Bermuda for the benefit of the onshore world.
On the other side of the argument, compliance is idealistically venerated as some form of corporate culture perfection.
In the former, compliance is bad (“well, I didn't mean that bad” says the sceptic qualifying their remarks). In the latter, compliance is wonderful (“well, so long as it's appropriate” says the promoter qualifying their remarks).
Quite ironically, both of these temperaments will drive a compliance programme into the ground.
The former position will create a minimalist approach to compliance. The compliance programme will be a web of vague statements that are so flexible, they actually don't require anyone to do anything.
It's not hard to know if you're looking at one of these programmes. They always start with a near copy-paste of the legal requirement, go on to discuss the obligation as a student essay would, and the whole thing is infested with qualifiers such as ‘may’, ‘could’ and ‘as appropriate’.
This approach is amazingly nonsensical and contains zero accountability. This programme is so intangible that it provides no instruction when circumstances arise, such as statutory filings, surges in the volume of work or a risk materialising.
But where compliance is held so sacrosanct that it is above reproach, it creates a darkly humorous consequence. This is a programme where aspiration meets rigidity and creates unachievable expectations.
This is best evidenced by Byzantine documentary requirements for customer due diligence or know your client (CDD/KYC).
Simply put, the stunningly long list of requirements is often seen when neither the legal requirement nor the risk was assessed. In other words, no one knows why any one document is being collected, so it's agreed to collect all possible documents that could be collected — you know, just in case. It would be funny if it wasn't so infuriating to the clients.
This approach has two great flaws, beyond driving customers up the wall.
First, the inflexibility creates an unachievable expectation. Whether it's a millennial without a hard copy utility bill (it is after all 2016) or that elderly person who has been using a passbook since 1942, no single document set can accommodate the various customer types.
Second, the system incentivises workarounds. The inflexibility makes the system difficult to work with. So to accomplish the day-to-day tasks, staff and clients will make every effort to find a way not to do what is required.
In Bermuda, there are many reasons to avoid ill-conceived CDD/KYC document sets. After all, our children go to the same schools, the client lives four houses down (you know, by the pink house with the dog and the blue car), I know the client from our school days, she was on the football/softball team with me, we're cousins; and the list goes on and on.
Either way, when a file review is conducted, there will be a lot missing.
The Byzantine method has a worse consequence than failing a file review, though. When the failure is detected, the same mindset which created the first problem creates a tighter, firmer framework. And like a perpetual motion machine, the more rigid the approach, the more chaos it induces. More money gets spent on staffing the tighter requirements and/or more stress is put onto the existing staff.
Soon the consequence of the initial mistake disturbs other functions. Staff turnover increases, computer systems can never get fit-for-purpose (too costly to accommodate all the variations in the compliance requirements), internal audits show a worsening situation and on-site examinations get more severe in their criticism.
Getting compliance right, at the start or even when in the circumstances described above, requires the patience to measure twice and then cut once.
The attitudes that compliance is bad or good nearly always end in the panic-induced frenzy which creates more work for everyone.
Meticulous attention to detail, thoughtfulness and a willingness to undertake research work every time.
Look at the alternative. We can implement compliance on the basis of our own personal attitudes, and then wait for the disaster.
Jarion Richardson, FICA, Certified Professional, CAMS, is the managing principal of Certainty, a compliance and regulatory consulting firm. He is a fellow of the International Compliance Association, Certified Anti-Money Laundering Specialist and formerly a Bermuda Monetary Authority examiner and Detective Constable in the Bermuda Police Service. He can be reached at www.certainty.bm.