This is a transcript of the podcast Tyrone Griffiths and Julie DiMauro on employee training and treating managers as allies between GRIP US content manager Julie DiMauro and Tyrone Griffiths, Managing Director of FinCrime Protection, curated by Carmen Cracknell.
[INTRO]
Carmen Cracknell: Welcome back to the GRIP Podcast. Today I’m joined by our very own Julie DeMauro, GRIP’s US content manager, and Tyrone Griffiths, Managing Director of FinCrime Protection. Tyrone, firstly, I wanted to ask you to introduce yourself and your background a bit for us.
Tyrone Griffiths: Thank you Carmen and thank you Julie for having me and Mark as well in the background. So a little bit about me and please stop me because I do get carried away sometimes. So my name is Tyrone Griffiths. I’ve been in the industry probably over 30 years, a large percentage of that time working in the AML Financial Crime Compliance space, working my way up through the senior ranks. So I’ve done the job, you know, done the day to day requirements, taken various professional qualifications and recently just completed a Masters in Financial Crime and Compliance in Digital Societies with the University of Manchester.
I guess my claim to fame from a compliance point of view is- I was the person that identified the seven wash trades that brought down the demise of Tom Hayes for the LIBOR investigation. So I managed to travel to the EU in Belgium, CFTC, the Department of Justice in the States and spoke quite at length with the regulators and also our FIU, the National Library, I think it’s a SOCA at the time, Serious Organised, I can’t remember the acronym now, so many acronyms, but yeah, basically the new National Crimes Agency. So that’s a little bit about me. So yeah, thank you for having me.
Carmen Cracknell: Great to have you here. And Julie, do you want to say a bit about yourself? A little bit more of an intro.
Julie DiMauro: Thanks, Carmen, real quick. So I yeah, work on the US side of Global Relay, working for GRIP. And I’ve been writing and doing podcasts for them now. I’m a Content Manager there in the New York City office. And before that, I was the Director of Compliance Training at Compliance Week and before that at Thomson Reuters for a good 10 years. So erm, writing in their Regulatory Intelligence Department. So very, very, very happy to be here. Thanks, Carmen.
Carmen Cracknell: Awesome. We’re really looking forward to the chat. So we’re here to talk about sort of firms and compliance and human behaviour and training and all this kind of stuff. So I wanted to start by asking you, Tyrone, if regulated firms are taking anti-money laundering and financial crime as seriously as they say or think they are, why are they consistently failing and falling down in this area?
Tyrone Griffiths: Oh, very good, Carmen. Straight for the jugular. It’s a very interesting question. I’ve often wrestled with that question myself over the years, and I’ve come to the opinion that it is extremely difficult to implement a robust AML, financial crime compliance, regime culture within a regulated firm. And what I mean by that is so many interpretations of legislation and regulation. There’s interpretation of how your peers are conducting work and also there’s that cost element. And I recently wrote an article about if you treat compliance a bit like a family unit, I think you’d get better results. But I think going back to your direct question, I think it’s very challenging.
It’s not a question of not having the resources or not having the skill sets out there because people are out there and we’ve spent billions over the years. It’s about the application and doing the right thing and drilling down to get the right information from your customer and have the right resources and systems. So very challenging for regulated firms. But as you said, they’re constantly making mistakes and still getting fined.
Carmen Cracknell: Yeah, how does that family unit analogy help, do you think?
Tyrone Griffiths: Yeah, well, I often tell a story that if you’re a teenager and dying to go to a party, you’re bombarded by a series of questions from your parents, i.e. where is the party, who’s there, what time you’re going to be home, will it be alcohol, is there going to be adult supervision, etc, etc. And I think most, I won’t say rebellious teenagers, but most teenagers, if there is going to be alcohol, and say they’re around about a 16, 17 year old mark, they’re probably going to say no. And if there’s no parent supervision, they’re going to say no. So the parent asks these questions, kind of performs a risk assessment, determines whether their teenage daughter or son will be safe and then comes the conclusion, yep, they can go.
And then, you know, the teenager may have broken the timeline when they should have got in, i.e. they could have been told to come home at 12 o’clock, they’ve rolled in at 2 o’clock in the morning. There’s going to be consequences. And it’s very much similar to a regulated firm in terms of doing a risk assessment, understanding the risks, i.e. the parent has been there, knows the risks, understanding who’s going to be a party, i.e. understand who your customer is going to be. And is that customer acting in the way that you would determine that customer to have that relevant profile, same as whether your teenager has come in on time, not smelling of alcohol, cigarette smoke, etc, etc. So I think understanding your customer, i.e. parents understanding their children and knowing their children is really what the regulators are trying to get to, making sure that you know your customer and exactly what they’re trying to achieve in terms of transactions, etc, etc. So there’s a lot of similarities you can apply.
Carmen Cracknell: And Julie, how do you think that fits in with the concept of training that targets managers and seeing them more as allies and taking a more behavioural approach?
Julie DiMauro: Yeah, so, well, training, it can work in so many wonderful ways. And regulators in their enforcement actions keep talking about- you have to have training. When they talk about an effective compliance program, they always mention you have to have training. They have certifications, their qualification exams for investment advisors to take and broker dealers to take that, you know, obviously give them a lot of leverage and ability to be representatives, you know, for regulated businesses. So they believe in training and it’s so important. The fact is, though, that you can’t just rely on traditional training methods alone. And the reason being, and I use sexual harassment as an example, it’s just an example. But in that context, we’ve been trying to train people in sexual harassment for years. And there are seven states in the District of Columbia, speaking in terms of the United States, that actually mandated for private sector employees. More states do so for government, you know, state enterprises, but private sector employers need to have sexual harassment training in these jurisdictions. And I’m not saying that they’re that’s not a great idea. It’s a great idea.
The fact, though, is that they’ve done some studies that those persons that are more prone to engaging in sexual harassment or bullying, they’re not as receptive to the training. They are the ones to take it not as seriously. And it’s just a personality trait. It’s just, you know, it is what it is. And you can’t change people’s personality through training. You can change awareness and, you know, maybe some behaviours, but not exactly who they are as people. So training alternatives has come kind of into the forefront. Like what can we do in certain areas like sexual harassment where we could be a little more effective.
So they’ve done studies, and I’m quoting from Sharon Potter. She’s at University of New Hampshire’s Prevention Innovation Research Center. She’s done experiments in the harassment assault area in the workplace. And she started a bystander intervention training so that you’re empowering people to be the person that comes in and says, this is not happening. This conversation is ending. I’m taking this person out of the room. You need to stop, you know, reminding people of rules, et cetera, that you are the bystander that actually takes charge of the situation. And it empowers people to do that. It tells them, you know, you’re an ally. It’s treating people as allies. You’re allied with the person who is, you know, being subjected to something. And it’s just designed to nip misbehaviour in the bud as it’s happening. So that’s not dealt later when it’s more he said, she said, et cetera.
Then the other thing that they do is empower managers to stop harassment. You can do that by making them feel like a hero, building incentives into their performance reviews, et cetera. So just making sure that they feel accountable for this, you know, that it’s a conversation that they have with their higher ups. What are you doing in the workplace training area that goes beyond just the formal training in terms of your own role? And then, again, making behaviour a part of your business performance review process that, you know, it’s built in there. And so that it’s something that you say, like, listen, what have you done for your teams in terms of code of conduct training and in terms of going beyond training modules and changing behaviours. So I just wanted to emphasize those things. I think that gets back to some of the behavioural aspects that you’re in.
Carmen Cracknell: Yeah. And Tyrone, do a lot of firms fall down in this area in terms of regulation? Is misconduct one of the biggest issues for companies?
Tyrone Griffiths: You see a lot of parallels between misconduct, whether that’s internal, probably internal misconduct and maybe wittingly or unwittingly, especially when there’s pressure put upon those individuals to make a profit or to try and cut costs. And also there’s a link between just, you know, the macro economy or local economy when it comes to people feeling pressure. So, yes, there is a serious link. And it’s how proactive a firm’s controls are. Are they regularly assessing potential risk within a regulated firm? Are they speaking to individuals or speaking to relevant staff within a team and understanding what are the potential risks in terms of maybe internal fraud? How can the internal fraud occur?
I mean, there was a classic back in 2008 where you had brokers and traders pretending that they were taking out clients and clients in some cases weren’t even appearing. And those individuals were obtaining sign off for fraudulent meals, meals that didn’t occur. And it’s how robust those internal controls are. How are the senior management getting comfortable? Are they regularly doing checks, etc, etc. So there is and I’m sure misconduct still goes on. You’ll never you will never eliminate misconduct, but it’s been able to demonstrate from a regulatory perspective and also from a company perspective, you’re making efforts. You’re putting those controls in place and regularly testing those controls and reporting accordingly. And my final point is not just having it as a sort of a tick box exercise to say you’ve got something in place.
Carmen Cracknell: What do you think the regulators could be doing more of to foster that kind of environment?
Tyrone Griffiths: Yeah, excuse me. I actually think regulators nowadays are putting more onus on the actual regulated firm. You’re the firm, you are the regulated firm. You’ve obtained your license telling us that you’ve got robust controls in place. You’ve got robust policies, procedures that your staff are well trained. They’re holding a relevant SMF function, senior management function. I would encourage regulators possibly to do more checks. I think regulators in some ways because of the risk based approach, they will target what firm, they will target the firms that are perceived to be the high risk such as the retail banks. But I would encourage them to go to the low risk firms because by definition, if all money is coming into a retail bank or an investment bank or retail bank typically then into an investment bank or private bank, that money then goes, feeds down as part of the layering process into the medium and low risk firms. So by definition, money is always going to be of a high risk nature. And I think it’s these lower risk and perceived lower risk firms that do not have robust controls in place. So I think it’s effectively a chain reaction.
And I think regulators, whether that’s through not having the resources and obviously they’re subject to cuts, etc. But I would, if I was in a position to say, right, I would expect all firms to have ABC in place, you have attested to it. As of a particular date. And we expect them to be robust because we will check them in the next one or two years or ask them to send in their material as of today’s date to make sure they’ve got them. And I think you would see a significant change in the culture because then it puts it firmly on the map that all firms are going to be subject to a review at some stage.
Carmen Cracknell: Yeah, Julie, you spoke earlier about some stories you’d heard about why people commit bad acts at work. Can you talk a bit more about this?
Julie DiMauro: There are. So there’s always, you know, opportunity, right, that invites the people to start engaging in fraudulent behaviour. Let’s say reimbursement fraud for your computer purchases or something. If you know almost noone’s looking at these things or that they’re not looking at things below a dollar amount.
Tyrone Griffiths: Yeah.
Julie DiMauro: That gives you an opportunity. Also, and they have done so many studies on this. If you see other people engaging in it or you even think that they’re engaging in it, you feel left out that they’re getting a benefit you’re not getting. So you start doing it. That happens a lot.
Carmen Cracknell: Yeah. FOMO. Yeah, it’s classic FOMO.
Julie DiMauro: You know, another thing that companies could do better too is, you know, they’re always advertising. See something, say something like other people doing something you should report it. What you’re doing something like, and you regret it and you’re starting to have these guilty pangs and you’re like, I don’t know why I went down this road now it’s getting a little too bad like, why not incentivize self reporting, like true self reporting, so that again, especially in the cybersecurity area where you’ve done something wrong and time is of the essence to correct it. If you give people, I mean, you can’t promise them that you’re not going to, you know, sanction them in some way, penalize them in some way, you probably have to. But then it’ll be better if they come forward that you’re going to give them like the regulators do with the companies, cooperation credit that you’re going to actually take that into account that they came forward and told you in a more timely way, without letting the damage, you know, go on for a long time, etc.
You know, I just think those kind of incentives would be very, very helpful. Also, people, you know, in their stories about why they committed bad acts sometimes mentioned that their department lacked resources and they were using it as a workaround. We didn’t have the right technology and the number of people that I needed to do to do my job. So those are some of the reasons but I just, you know, think that a little more guidance from firms about how people can actually, you know, report their misdeeds might actually be something that they come up with.
Carmen Cracknell: And what about performing drills as a training exercise? That’s really useful, right?
Julie DiMauro: Very useful. Cybersecurity expert Ian Amit and Darren Hayes actually both have a really great discussion that we had. It was a written article, not a podcast, but those two experts really honed in on the fact that drills, real life drills need to happen to simulate what would occur in a situation that’s as important and dire to the company as a cybersecurity attack. And when Ian mentioned what he does with his team, it’s, you know, it’s tough on them. You know, generally speaking, companies are their most vulnerable on a summer Friday or any Friday before a holiday weekend, but often summertime Fridays, but holiday weekend regardless when you’re really just trying to cut out of there a little early and your mind’s on other things. That’s when businesses are most vulnerable to a cybersecurity attack. So he does the drills on those days, you know, so he’s really putting it to his team to like, you know, not when they’re more relaxed, actually, and maybe not thinking that this is going to happen. That’s when it happens so that, you know, when the day comes, they’re like, right, yeah, this is what we did.
Carmen Cracknell: Makes sense. Yeah. And Tyrone, you mentioned earlier the importance for businesses of understanding the customer. What could be improved in terms of customer communication, do you think?
Tyrone Griffiths: It’s funny you should ask. I was actually thinking about this this morning. I think all customers want to know or want to be comfortable or confident that their money’s safe. And, you know, we may have at some stage in our own lifetimes or sort of adulthood may have been on holiday and your bank may have contacted you to say, oh, we can see that your debit card’s being used abroad. And, you know, those calls are quite nice. You actually do like receiving those calls because, you know, your bank is actually looking after your interests. But in order for a bank to look after your interest, and this goes back to the customer education, the industry needs to collect the right amount of due diligence. And what I mean by that, it’s great obtaining passports, utility bills as proof of identity and proof of residence. But do you actually know where the individual’s money is coming from? Now, I have never known a criminal as part of an application for a bank, application for an account to tell you that they are a criminal. They’re going to tell you that they’re working in some profession. And there are a lot of firms that do not check to see if that individual does actually work within that profession. So the moment that person, that alleged criminal has got an account, you are effectively legitimizing that money coming in.
Carmen Cracknell: How easy or hard is it to do those checks?
Tyrone Griffiths: It’s not difficult at all. You know, if, you know, if I work in a particular field, if I’m employed, you show a copy of your contract.
Carmen Cracknell: So they can’t use the excuse of, oh, we had too many people to process, so we just didn’t have the time.
Tyrone Griffiths: No, you know, because you know…
Carmen Cracknell: That kind of sloppy admin.
Tyrone Griffiths: Well, the problem with compliance and a lot of firms have now made it automated. So you’re checked to see if an individual, individual, so Tyrone Griffiths living at such and such an address is Tyrone Griffiths and provided you pass a credit check, the credits, you know, from a credit scoring agency, Tyrone Griffiths is going to be Tyrone Griffiths living at a particular address. Now you may provide a passport copy and you may provide a utility bill, but I could put down anything as my occupation. Okay, so you understand who the individual is, you know, what they, you know, they’ve got their proof of address, proof of identity. The would-be criminal could put down any occupation effectively. Okay, so, okay, what is that individual, how much are they earning?
I don’t think it’s wrong to ask a client how much you’re earning because if it’s their primary bank account, they’re going to know because the money’s coming into your bank account. Okay, you’ve then got to understand, okay, if that individual’s only got one job and they’re on say 100,000 a year, you’ve got a rough idea of how much they’re going to be paying into their monthly, into their accounts on a monthly basis. Then that individual is going to have certain bills, rent or mortgage, electricity, gas, and you create a really good picture. But it’s making sure, and this is where it goes back to educating the customer, you’re requesting this information, not trying to upset your privacy, but we’re collecting this information and it may be more in detail so we can actually protect you. And that’s, I think we, well, I’ve seen in my career, a number of firms will, as an example, will ask, okay, we’ll check. We’ll check to see if the UK bank is a UK bank. Okay, but what about checking to see if that UK bank account belongs to that individual? I’ve seen firms that don’t do that. Doesn’t make sense because typically that means an individual can pay money in via a third party. So you haven’t performed the due diligence on that third party. You know, so there’s a number of examples out there where I think firms, for whatever reason, could go a lot further, could be a lot better in their processes. Rather than saying, well, we’re getting away with it today. We put some money aside, just in case we have a regulatory visit and a regulatory fine, why not do it correctly the first time round?
Carmen Cracknell: Yeah, Julie, what do you think about that?
Julie DiMauro: I’m thinking I was just going to ask Tyrone, and maybe we can talk about this. There are lots of firms that depend on regulatory technology to perform these tasks, right? To go through suspicious activity reports and do their customer identification program items. But they’re still having problems. So sometimes it’s a matter of, they don’t use the technology as fully as they could. The technology doesn’t sync up with some of their legacy technology that they have at the firm, right? Or that, you know, they’re just not keeping up with volume. So there’s a lot of different reasons. What are your thoughts on that?
Tyrone Griffiths: Well, it goes, and thank you for the question, Julie, and it circles back to what Carmen was asking at the top of the podcast. Why are firms getting it so wrong and why are so many firms receiving fines? And I’ve always been, I’m probably a bit more old school, I like to receive physical material in. So you’ve actually got something tangible so you can actually demonstrate to a regulator: I have asked that individual who they are, where they are, et cetera, et cetera. And most firms, and it’s understandable, especially if it’s a larger firm, will have to use technology because obviously it’s more cost effective. But are you using that technology in the right way? Are you making sure, and I think this goes back to what you were saying, Julie, are you, you know, are you just getting the technology just to reduce cost because you’ve got millions of customers, or are you using that technology to make sure, yeah, reduce cost, because that’s obviously more practical, but to get the right answers. And I, me being cynical, and I think this could be borne out in the amount of regulatory fines that have been issued over the years, globally, that firms are doing it from a cost perspective as opposed to doing the right thing. And then you’ve got the other issue. Okay, well, if I’m Bank A, Bank B, Bank C, we’re all doing the same thing, so why would we want to be an outlier as opposed to doing the right thing? And I think that’s where firms go wrong.
Julie DiMauro: And with technology, too, there’s always that risk that not only you’re not using it effectively, but that you’re not adding the human context element that you need to add to the findings, right?
Tyrone Griffiths: Yeah, exactly. You’re just. You’re just.
Julie DiMauro: False positives out there.
Tyrone Griffiths: Exactly. And that’s why I was just about to say that, you know, there’s solely relying on just the alerts that have been alerted by that piece of technology, as opposed to, okay, if it was the human eye, would you have those concerns or would you have further concerns? And the regulators and law enforcement and the courts will say, well, if an ordinary person from the street that wasn’t in the financial sector was to view that issue, would they see that as being a bit suspicious? Most people would say, well, how on Earth do they get away with that and not see it?
We always say that, you know, we always say that. But for some reason, when you’re working within the sector, it’s almost, I won’t say it’s see no evil, hear no evil and speak no evil, but it’s almost, we haven’t been, I won’t say we haven’t been caught yet, but it’s kind of turned a blind eye. I don’t even know if blind eye is the right phrase, but something happens when you’re working within the regulators sector, that seems, all common sense, sort of flies out the window.
Julie DiMauro: It’s true. Yeah. These are, you know, individuals, this is like a sophisticated sector that we’re dealing with in our wealth management groups. Therefore, it’s probably okay.
Tyrone Griffiths:: Yeah. And it can’t be that sophisticated. And you know, we’re not all highly intelligent because otherwise we’d be getting it right.
Julie DiMauro: All the time. Exactly.
Tyrone Griffiths: All the time. Yeah.
Carmen Cracknell: It sounds like they’re starting to (regulators) rely on AI systems to do jobs and the systems aren’t advanced enough yet to take these jobs on, right? So that, I’m actually really interested to lead onto an AI question because it’s such a big topic right now. If you guys want to talk about that briefly, to what extent can AI do you think take over in this industry or dominate in this industry? And to what extent will we continue to need the human eye and human judgment?
Tyrone Griffiths: I’m not a technical person. Obviously, I’m aware of AI, but the regulator would still want you to be able to explain that black box of tricks on how that AI solution got to that result and why you’re placing sole reliance maybe on that AI. And if you cannot answer those questions, then it doesn’t matter how well the system is. I mean, the system could be performing, you know, 10 out of 10. But if you cannot explain how it works and in the gubbings of it all, you’re going to still fall foul of the regulator. So I’m not averse to AI. It would just need to be considered in a way that you’re speaking to the right people with the right experts to get to the right result of that piece of AI technology. So that’s my concern. So yes, you would still need human intervention. I’m old school. So I’m probably at the latter end of my career. But, you know, I think you cannot beat that human touch to look at, you know, to identify something is suspicious and have that ability to speak up when something is suspicious and not be penalized, which probably goes back to what Julie was saying earlier about relevant training, making sure we have the right training. But people aren’t just doing the training to tick a box, but they’re using it in the right way to protect the firm and their staff and colleagues, etc.
Carmen Cracknell: Julie, any views on it?
Julie DiMauro: Yeah, much like Tyrone, I really think that it’s a great starting place. It helps you go through reams of data, right, and synthesize it. And it takes out a critical component, like a real time consuming aspect of your work, which is your preliminary data gathering. So it helps you do that in a quicker, more efficient way, which is great. But humans then need to parse through the data. And with their human judgment, and with context, and knowing that having relationships, I think relationships are important, you add so much value to the human, to the interpretation of the data. So that element of the interpretation of the data absolutely requires the human touch. But the initial steps of gathering the data, I do think, is extremely useful to have these tools. I think it’s great. I think we’re going to refine them over time, such that we’re getting more targeted results to our searches, which will be great.
And I think, importantly, adding the human context and judgment, like I said, but third, I want to just add, just for safety, again, let people know that you are using, and that hence, the disclosure proposal that is, proposals that are running around, like the SEC has one now, proposed disclosures for using data analytics. Let people, the idea behind it being, let people know that you’re using these tools, so that, you know, there is some risk involved, disclose the risk.
Tyrone Griffiths:: Yeah. And I think you made a good point about the data, Julie, because the system is only as good as the data that you’re collecting. And I think we’re a long way away, I think, from a, especially from a due diligence perspective, in collecting the right data.
Carmen Cracknell: Yeah, data bias is always going to be an issue as well.
Tyrone Griffiths: How often have we heard firms say, well, we don’t want to ask them too many questions, because we don’t want to upset them. Well, it’s not a question of upsetting them, it’s more of a question, we’re protecting our customers. And I think that’s, if you start protecting your customers, you will require more data. And the right data, locating the right spot and protecting, you know, in the secure location, then customers will be happy to provide it. And I think that’s the challenge we need to get around in making sure we get the right data that is fed into the right systems and is used correctly.
Julie DiMauro: Well, we haven’t said anything nasty about the regulators. But we have gone through pretty much all the questions. Is there anything I’ve missed? Are there any kind of big issues that either of you would like to discuss further?
Tyrone Griffiths: I think from my side, I’ll dive in quickly, I think I think compliance professionals, AML, or I’ll just talk from an AML financial crime professional perspective. I think we still have a long way to go. I think our industry isn’t quite seen, it’s getting there, but it isn’t quite seen as a legal, it isn’t seen in the same light as the legal profession.
Carmen Cracknell: Why is that?
Tyrone Griffiths: It’s a weird one, actually. It’s a very weird one, because the qualifications I’ve undertaken has taken me longer than if I was a lawyer. So I could have been a lawyer far quicker than when it’s taken me to do all of these exams. It’s almost we’re only required to jump into the breach when there’s a regulatory issue. And even then, they will most, especially large firms, will go out to one of the top law firms to get external counsel, which is kind of strange. But from a compliance point of view, it can be so subjective. What is a risk-based approach? So as an example, an ultimate beneficiary owner in the UK is classified as someone holding 25%. And I’ve had many a good discussion, actually, but the typical standard is drilling down to 10%.
So if I was a would-be criminal, I’m gonna go at 9% or 8%. So compliance is very subjective. And I think the more subjective you are, it could be seen as you’re being more onerous, difficult towards the business, as opposed to law is very, it’s interpretation, but it’s relatively black and white when it comes to you can either do this, or you can’t do that, or this will happen if you do that, etc. Where it’s not as always as tangible, compliance. And that is the problem. So the more things you put in place could be seen as a barrier. So I think compliance, we’re getting there. You know, it’s held in high regard. But we’re not in the same space, I don’t think, as the legal professional, the legal department, or maybe even HR in some cases.
Carmen Cracknell: Do you think that’s because people view compliance as more of a cure than a prevention? So they’ll take legal measures as a precautionary measure, but compliance is always in response to something that’s happened rather than preempting it?
Tyrone Griffiths: Yeah, so if you think about the legal professional accountancy profession, it’s almost you have to do that you have to issue all these accounts on an annual basis, you have to get the lawyers in when you’re looking at contract law, etc, etc. Whereas compliance, and this goes to your direct question, compliance is seen as, oh, what do we have to do? Can we cut the corners? Can we trim that fat off a little bit? And I was working with one firm, obviously, I won’t say who, but I was working with one firm. And I recommended, you know, something not nothing too onerous. And one of the managers said, well, as long as it doesn’t put more time on that processing, which is kind of, you know, so when I hear that, my heart sinks, because you’re, it’s all about the operational time, how quickly can we bring that customer on, as opposed to, well wouldn’t want to protect yourself, your customers and your stakeholders. And I think, you know, so I still see that and it tends to be in the, it tends to be, oh, actually, yeah, it tends to be, you know, firms that you would think would have robust controls in place, but I won’t say nine times out of 10, but there are a lot of cases where firms where you would expect them to have good robust compliance culture and procedures, do not tend to have those in place, unfortunately.
Carmen Cracknell: Too much of focus on efficiency and…
Tyrone Griffiths: Well, yeah, I would say, yeah, I would say efficiency and making sure that the bottom line isn’t impacted. I think that’s the challenge. And that’s where I would expect regulators to jump in, because it’s not always about the high risk sectors, like retail banking. It’s about all of the regulated sector pulling together to combat financial crime and obviously, if you’re combating it together, it creates a better society to all of us because that way taxes are collected and we can build more hospitals, more schools, et cetera, et cetera. So compliance does have a benefit.
Carmen Cracknell: Definitely. Julie, any more, any views on that?
Julie DiMauro: I was going to go back to your regular question, but I just to touch a little bit on what Tyrone said about compliance and legal. In the United States, still the majority of compliance officers are lawyers. And it’s an interesting kind of phenomenon that they are still, but that it’s changing, which I think is really interesting as well, that more people with high tech skills and even engineering backgrounds, health care professionals transitioning into compliance, I think it’s great. I think it’s going to be amazing for the industry actually to have all of these different skills that’s working together. I think it’s great.
But in terms of compliance and legal, I think because legal signs the contracts that get the deals moving and help the, you know, are associated with the business making revenue, I think that that’s kind of the distinction between, you know, compliance as a cost center, legal as a driver of the transactions, you know? So, and that’s unfortunate because you can’t do it all without compliance, right? I mean, you still have to be in compliance with laws and with regulations and best practices. So it’s, you know, unfortunate, but I do think there’s a little bit of a distinction.
In terms of the regulator and what I think that they could be doing a little bit better, I do think that in the training area, just to get back to that, I do think that they emphasize it, they talk about it. I’m not saying that they don’t, but maybe a little bit more pointedly in guidance, documents, and in speeches that are just about training and about, you know, what could be effective training, what we’re looking for in training, the importance of senior managers getting trained and board level executives. The real top of the top of the organization being trained in these things and held to account for knowing, you know, what the companies risks are and how to ameliorate them.
So, and keeping on top of these, I mean, risks change all the time, best practices in every single area from cybersecurity to AML keep changing. So, are your top executives keeping pace with these things and making sure that their managers underneath them are? So, I just wish that, you know, it was part of the corporate enforcement policy,that it was something, you know, that would get extra cooperation credit, that it was something that was, you know, had kind of its own, I guess, attention paid to it, that training had a little bit more attention.
Tyrone Griffiths: I think you made a good point there, Julie, actually, because you mentioned that regulators could probably have a bit more, provide a bit more training and guidance. The UK regulator, they’re very good for providing, especially guidance and guidance related material. And this goes back to the original question you asked me, Carmen, you know, why are firms getting it wrong? Or why are there so many firms that are receiving regulatory fines? And I do truly believe that every firm, or the majority of firms, I should say, that receive a fine, do not believe that they should have received a fine. They think they’ve probably done everything correctly in their eyes, or definitely a huge percentage. And I think if there’s, and some people would probably argue with this, I think if there’s better clarification on what the regulator actually expects, so we expect, I don’t know, as an example, you to collect all of this information for a new customer, we expect you to perform sanction screening every day, or every week for all of our customers, we expect, we expect.
So there’s no ambiguity on some of the basic things, because I think firms fail on some of the basics. And I think sometimes, and this is where compliance professionals come into their own, we can provide guidance, but a lot of those decisions, and ultimate signing off for to get the right information, right documentation, right systems in place, and the right amount of staffing still comes from senior management. And it’s the senior management that aren’t fully aware of what compliance requirements are needed, that will challenge compliance and ultimately, it’s the senior management team that will sign off. So in some ways, compliance are only as good as the senior management team. So I would say the regulators need to provide better guidance for the senior management in terms of what we expect, not we expect you to be educated, we expect you to make sure you ask for this certain requirement, you ask for this information, etc, etc. So more clarity, I think.
Carmen Cracknell: Yeah, do you think there’s an issue in the UK with the FCA in particular, with a lack of clarity? I know a lot of people have complained about the consumer duty, which just came in today and how unclear it is, because companies are supposed to self regulate.
Tyrone Griffiths: Yeah.
Carmen Cracknell: Is that an issue across the board, do you think?
Tyrone Griffiths: I’ve been very fortunate with my interaction with the FCA and I hold them in great esteem. Primarily because I’ve worked with them, well worked providing them information for the LIBOR investigation. So I’ve got a lot of respect for the FCA. It’s a tough one, because obviously, I think there’s about 66,000 regulated firms, and if you can’t provide too much information, so I’m kind of contradicting what I just said earlier. It’s almost, I think, when it comes to the guidance, there is guidance that’s issued, and I think the guidance needs to maybe go down into a bit more granular detail. As opposed to leaving it maybe, I won’t say it’s 3000 feet, but maybe come down to 1000 feet.
We expect these certain criteria as a bare minimum. It doesn’t mean you stick to the bare minimum, but when we come and visit you, we would expect these things to happen as an example. Because unfortunately, if firms are left to their own devices, remember compliance is always a cost, and in this day and age, firms are looking to cut costs, or not invest as much. So compliance, HR, training budgets, which goes to Julie’s point, they’re going to be snatched, staffing, whereas you can get better benefits if you’ve got the right amount of training, compliance, get the fundamentals right first, and whatever you earn today, you will keep tomorrow as opposed to lose via a fine.
Carmen Cracknell: Absolutely.
Tyrone Griffiths: That’s me.
Carmen Cracknell: That’s a great concluding point. I think we’ve touched on everything that you guys wanted to.
Julie DiMauro: We’ve solved all the world’s problems.
Tyrone Griffiths: Yeah.
Carmen Cracknell: We have. And we haven’t harmed anyone in the process.
Tyrone Griffiths: Regulators can speak to us. We can help. That’s the message, isn’t it, I think.
Carmen Cracknell: Awesome. Well, thank you both so much for coming on the podcast. Thanks very much for chatting and have a good day.