If corporate compliance officers need another example to show senior executives why a strong compliance function is so important, the U.K. Financial Conduct Authority has provided one — a monetary fine recently imposed upon a bank CEO personally, for his failure to nurture a strong anti-money laundering compliance program.
The bank in question is Sonali Bank UK, which had been under FCA scrutiny at least since 2010 when regulators first raised questions about Sonali’s AML compliance efforts. The bank promised it would address those concerns.
In 2012 the bank hired Mohammed A.R. Prodhan as CEO, and he remained chief executive until May 2015. All the while, Prodhan knew about the bank’s prior conversations with regulators about its AML compliance shortcomings and its promises to remedy the situation.
Suffice it to say, Sonali’s compliance troubles continued anyway. In December 2016 the FCA imposed two fines for the bank’s persistent shortcomings: £3.25 million against Sonali itself, and £17,500 against the bank’s former AML compliance officer.
Now the FCA has imposed a £76,400 penalty against Prodhan as well, for his failure to elevate the importance of an effective compliance program, both practically and culturally.
As the FCA put it, because of Prodhan’s lax oversight, Sonali’s staff “failed to appreciate the need to comply with AML requirements, and the [AML compliance] function was ineffective in monitoring their compliance. This led to systemic failures in SBUK’s AML systems and controls throughout the business.”
What CEO Oversight Truly Entails
The FCA’s sanction is a reminder that CEOs are responsible for risk oversight, and effective compliance programs are part of that oversight. If the CEO ignores the compliance program, that poor tone from the top can echo throughout the rest of the organization and cause specific, real failures.
Preventing such outcomes is the goal of the Senior Managers Regime, the set of rules Britain enacted in 2016 to hold executives at financial firms more accountable for misconduct and risk at their businesses. Principle 6 of the FCA’s Statements of Principle and Code of Practice says executives performing higher management functions “must exercise due skill, care and diligence” in their duties. Part of that care and diligence: “take reasonable steps to adequately inform themselves about the affairs of the business.”
So, for example, if a firm’s compliance or audit team brings concerns about a weak compliance program to the CEO, and the CEO then takes no action to address those weaknesses — that is a failure to uphold Principle 6’s standards. (It’s also what happened at Sonali; the internal audit team raised specific concerns about the AML program in 2012 shortly after Prodhan arrived.)
None of this means the CEO must take personal charge of a firm’s compliance program. It simply means that the CEO supports a strong compliance function, and that others in the enterprise can see that support and take their cues from it.
Likewise, the CEO (and the board of directors) should pay attention to compliance concerns and consider them as he or she develops broader strategic plans. That might take the form of a regular discussion about compliance at board meetings, or questions about compliance asked during strategy sessions.
What can’t be allowed is a CEO ignoring warnings from compliance, audit, or other risk management functions. A firm can’t allow its compliance program to wither into obsolescence, as modern risk and regulation march forward. The program has to keep up.
The compliance officer’s job is to maintain that capable program, but the CEO’s job is to give the compliance officer the resources, attention, and support to do it. CEOs ignore that responsibility at their own personal peril.