Compliance Role—The DOJ will review whether Compliance
was involved in training and decisions relevant to the misconduct.
Did Compliance or other control functions ever raise a concern in
the area where the misconduct occurred? In a misconduct investigation, all roads will eventually lead back to essential control
functions to gain a full appreciation of the bank’s control DNA.
Of course, not every organization's compliance department is
responsible for overseeing staff conduct, but given the clear
similarity to the comprehensive compliance management system
you’ve worked hard to implement, your compliance department
can be a great asset to whomever in your organization does have
Stature—Key questions posed here by the DOJ include:
■ Does the Compliance function really matter in the overall
context of the bank?
■ How does the Compliance function compare with other strategic functions in the bank in terms of stature, compensation
levels, rank/title, reporting line, resources, and access to key
■ Is Compliance an area of stability, or is it experiencing turnover
at a higher than normal rate for the bank and peer institutions?
■ Most importantly, what role has Compliance played in the
bank’s strategic and operational decisions?
■ If Compliance doesn’t hold a seat at the table, there may be
Experience and Qualifications—Does the Compliance function
attract and retain appropriately qualified personnel? Appropriately
qualified compliance professionals must possess a wide range of
technical knowledge; be able to manage complexity and change;
problem solve; and effectively interact with people at all levels
of the enterprise.
Autonomy—Does Compliance report in some manner to the
Board of Directors, and how often? Are members of executive management present for these meetings? Also, who reviews the performance of the Compliance function, determines compensation,
bonuses, and raises, or has the power of termination?
Empowerment—If your bank is the subject of a misconduct
investigation, would Compliance and other control functions be
in a strong position to raise concerns or objections in the area in
which the wrongdoing occurred?
Funding and Resources—Is the allocation of personnel and resources for the Compliance function providing adequate coverage
for all legal and regulatory requirements across the enterprise in
relation to the bank’s risk profile?
Outsourced Compliance Functions—Does your bank outsource
all or part of its compliance function to an external firm or consultant? It is important to continually assess the effectiveness of
the outsourced process to ensure that it is effectively managing
risk for your bank.
Policies and Procedures
Design, Integration and Accessibility—Does your bank have a
formal process for developing and implementing new policies and
procedures? Is there a document governance process firmly established to ensure policies have an owner and that they are reviewed/
updated on a regular basis? Are all policies and procedures made
available to all staff or are they treated in any way as though there
is a “need to know” control around them?
Risk Management Process—The methodology and data input
banks use to identify, analyze, and address conduct risk will
Information Gathering and Analysis—Where a potential case
of misconduct may be detected, what information or metrics is the
bank collecting and using to help detect the type of misconduct in
Training and Communications
Risk-Based Training—The DOJ includes in its list of investigative considerations the training that employees receive and how
bank-sponsored training is tailored specifically for employees
responsible for controls in high risk areas of the bank.
Form/Content/Effectiveness of Training—Are you satisfied
with how your bank measures the effectiveness of compliance and
ethics training? Are you satisfied that the message is yielding the
desired result? These are age-old challenges, but in the face of ethics and conduct risk, perhaps more deliberative effort is required
on the part of managers in discussing ethical expectations with
Communications about Misconduct—In addition to the core
compliance and ethics training curriculum, how does senior
management convey the bank’s position on ethics and compliance?
Cultivating and nurturing a culture of compliance and ethical
behavior is an ongoing message that should be continually communicated by management in various forms. There have been a
large number of negative examples of misconduct in the press
in recent months. Does your organization seize the opportunity
to send the message that the negative conduct that makes the
news is not tolerated?
Availability of Guidance—Technology enables tracking and
can generate metrics for identifying employees who seek out
appropriate guidance in various circumstances. This data could
prove to be valuable in an investigation. The lack of this data
could also provide an indication (if not evidence) of a weakness.
Confidential Reporting and Investigation
Effectiveness of the Reporting Mechanism—Knowing what risk
information is collected, analyzed, and organized for purposes of
management reporting can demonstrate how the bank assesses
and communicates risks faced by the enterprise.
Properly Scoped Investigation by Qualified Personnel—Within
Risk Management or Compliance, has your bank established an
investigative unit with designated personnel? Think of it as an internal CSI unit that would ensure that investigations are properly
scoped, independent and objective, appropriately conducted, and
Response to Investigations—Of interest here is the effectiveness
of processes for remediation of findings. What is being communicated with respect to findings, and to what level of management
is it being escalated?