Avoiding Enforcement: Lessons from the Regulatory Front Line

The Two Routes to Enforcement

Enforcement typically arises through one of two avenues.

• The first is recklessness or dishonest behaviour such as fraud or providing false and misleading information to clients or the regulator. These cases make headlines but represent only a minority of enforcement action.
• The majority of enforcement cases arise through a second route:  a business in distress that gradually drifts deeper into difficulty. In many such cases they ignore the early warning signs, tensions rise, controls slip, decision making becomes increasingly strained and failures compound. Regulators often encounter a suite of governance failures that culminate in a painful ending, aptly described by one panellist as “death by a thousand cuts.”

The Most Common Governance Failures

During the discussion, several recurrent governance failings were highlighted.

• Dominant personalities within boards. When a single individual is driving decision-making in a way that is unchecked and overpowering, other directors may become reluctant to challenge the thinking or decisions. It is classic ‘boardroom dictatorship,’ where governance structures exist in theory but are weakened in practice.
• Lack of assessing the effectiveness of boards. This should happen with a degree of regularity, yet many boards delay or deprioritise this activity. Seeing ways of being more effective in the area of corporate governance can be challenging for busy Directors. Where board self-assessments aren’t being prioritised, independent external assessment can provide the credibility and objectivity that is needed to enact change.
• Documenting the problem and even more importantly what action will be taken to address the problem including by and whom the target date for the matter to be resolved is a key part of minute taking. A well-operating business maintains accurate records of discussions and decisions. As one panellist noted, ‘if it isn’t written down, it didn’t happen.’
• Overly complex and underused policies and procedures. Some organisations attempt to respond to control weaknesses by adding more policies. The panel shared the view that quantity does not equal effectiveness.

A business with a healthy culture will be active in taking a critical look at itself and asking its staff to contribute suggestions on how the AML defences and corporate governance can be improved. The cost of doing so is a tiny fraction of the costs that can be incurred through neglect or regulatory sanction. Assessing AML culture across an organisation can be easily achieved and sends a powerful message to regulators that a business is proactive rather than reactive in dealing with issues.

Heightened Supervision: Is it really Last Chance Saloon?

For regulated firms, entering a supervisory period might feel like another step towards enforcement. Increased regulatory engagement often brings greater scrutiny and more frequent information requests. However, for those organisations that are able to respond constructively and with effective and sustainable remediation, enforcement is usually avoided.

Building Strong Relationships with your Supervisor

Panellists emphasised the need to be on the same wavelength as regulatory supervisors.  Key principles referenced included:

• Understanding where you sit on your supervisors RAG (Red, Amber, Green) scale rating.
• Ask for clarification on what your supervisor wants prioritised and align your goals accordingly.
• Provide all necessary facts and context to your supervisor. Transparency builds trust and helps regulators understand the full position and context.

Risks Associated with Acquisitions

Acquisitions can introduce significant risks, particularly where regulatory due diligence is excluded from the earlier discovery stage or not conducted effectively at the time of purchasing.

No-one wants unforeseen compliance issues down the line. Where there are possible legacy issues needing attention, there are ways of ringfencing potential problem files, and holding funds in Escrow post purchase to fund remediation.

• Operational Disparities
  • Following an acquisition, your workforce will be spread across different policies, procedures, systems, and control frameworks that require immediate attention and integration. Blending two workforces with different cultures can be particularly challenging but there are some useful strategies that should be considered early in the process to ensure stability.
• Increased Regulatory Scrutiny
  • The Jersey Financial Services Commission (JFSC) naturally becomes more interested in your operations pre and post-acquisition. This heightened scrutiny necessitates a thorough understanding of compliance and regulatory obligations to mitigate risks effectively. Any acquirer will need to demonstrate that they have the capacity to deal with any regulatory shortcomings of the target company and have undertaken detailed due diligence as part of the acquisition to understand the scale of the remediation.

Ways to Improve

The discussion closed with practical steps firms can take to strengthen governance and culture, ensuring they stay on the right side of enforcement.

• Encourage and embrace challenges at Board level and ensure blind spots aren’t being missed because of overly dominant voices
• Ensure policies and procedures are digestible and accessible. Rationalise where possible to make policies straightforward and easily understandable. No one wants to wade through several hundred pages of dense policies and procedures. Avoid the tick box approach. Staff need to think of the risks.
• Give careful consideration to compliance board reports and demonstrate as a Board that you are actively overseeing the correction of any deficiencies identified and documenting the progress made.
• Submit suspicious activity reports (SARs) promptly. Don’t let perfectionism hinder the submission of SARs. It’s crucial to get reports done promptly to comply with regulatory requirements and mitigate risks effectively. A healthy AML culture is frequently demonstrated by a healthy number of SARs and a high percentage of internal SARs being submitted to the FIU.
• Ongoing Monitoring and Accurate Risk Ranking: Ensure that monitoring processes are continuous and that risks are accurately assessed and ranked. This proactive approach allows for early and decisive intervention.
• Be sure that your training actually engages: Treat training as a means to make people feel. Where possible deliver quality face-to-face training. Avoid online training that fails to inspire staff to buy into the need to combat financial crime.

Conclusion

The panel referenced the detrimental nature of public statements and enforcement action, and their lasting impact – legally, commercially, and culturally.  Enforcement and regulatory warnings carry huge weight and once reputation is damaged, it is difficult to recover. You only lose your integrity once.