ABA bank compliance magazine, March/April 2017 issue
Not long ago, I stopped by the grocery store to pick up some sugary, assorted sweets. The cashier took one look at my packages of cupcakes, frosting, multi-colored sprinkles, and various candies. “Looks like you’re having a party,” she drily surmised, only to learn they were for a college-level law school class I teach at Suffolk University called “Compliance Practice Skills.” The delectable party treats were targeted for a more restrained use, namely, a class exercise on drafting policies and procedures. More on this shortly...
When you think about compliance skills, what comes to mind? Are they rules-based skills? Well, yes, as regulatory knowledge is certainly critical for compliance officers to do their jobs. But a compliance officer must also understand the building blocks of their discipline—especially the seven factors that, according to the Department of Justice’s U.S. Sentencing Guidelines1, must exist for a compliance and ethics program to be considered effective—and which are foundational to any compliance program. But subject matter expertise and knowledge of the tenets of compliance are not the only necessary components. Skills that have historically been viewed as “soft skills,” such as collaboration and communication, are of vital importance to your program.
And increasingly, soft skills are being viewed as essential in building a sound compliance culture—and in incorporating a compliance culture throughout the entire organization.
Eat dessert first
What many in the business world have traditionally—and somewhat dismissively—labeled as soft skills are today taking on critical importance for those working in compliance roles. For example, the concept of “culture” has historically been viewed in the soft skill category, and the formation of “culture” would simply sort itself out as an organization developed its compliance program. Culture was firmly set in the “nice to have” or “it’ll work itself out” column.
Today, those charged with compliance responsibilities try best to keep pace with the frenetic volume of regulatory changes, constantly adjusting for those changes, training staff on requirements, testing programs, reporting on progress to leadership, rating and managing risk, preparing for regulator inquires and inspections…and that’s just Monday.
If you were to think of compliance as a formal meal, the main course would include many task-based elements (drafting policies and procedures, testing risks and controls, monitoring regulatory changes, etc.). These are fairly easy to identify, as there are clearly defined best practices for each compliance discipline. But how does one define, much less set in place, a clear notion of culture within a firm? Is culture something we can’t really define but, to paraphrase the famous Supreme Court ruling on a very different matter, something that we just “know it when we see it?”2
Compliance officers are so caught up in keeping pace with the day-to-day requirements and doctrinal laws, that what are considered soft skills have often been relegated somewhere towards the back.
But culture—and the soft skills that make it possible, has in fact, become a very real “thing” in today’s business world, and regulators have increasingly made it part of the regulatory lexicon. The Office of the Comptroller of the Currency’s July 2016 Exam Handbook mentions “culture” 45 times, with an entire chapter entitled “Establish an Appropriate Corporate Culture.” In 2016, the Federal Reserve Bank of New York hosted a conference on culture and behavior. This event built upon two conferences that the New York Fed held in October of 2014 and November of 2015 on culture and behavior in the financial services industry. The conference focused on expanding the definition of culture include the perspectives of institutional investors and financial institution supervisors, and included sessions on methods of culture assessment and the influence of technology on culture. As one prominent conferee stated—someone who had prosecuted dozens of cases involving lapses indicative of a poor compliance culture-- “everyone from the mail room to the board room needs to feel it in their bones—that the bosses care about integrity.”3
A fundamentally important aspect in assessing the health of your firm’s compliance culture lies in evaluating your compliance team’s soft skills. And if soft skills and culture are the desserts of your compliance program, perhaps we should be focused on eating dessert first. After all, what good is a compliance program that solely exists within the bounds of the compliance department? If a compliance officer cannot work with the lines of business, cannot communicate effectively or train a team without inducing a collective coma, then no matter how good the compliance initiatives look on paper, efforts toward building an enterprise-wide compliance program are doomed to fail.
Soft skills as elements of a compliance program: Frosting your policies and procedures
The DOJ’s U.S. Sentencing Guidelines require that a firm establish standards and procedures to prevent and detect criminal conduct. Now, let’s get back to why I brought cupcakes to a law school class. The supplies were for a lesson illustrating the importance of drafting policies and procedures that reflect the actual practices of the institution. The goal was not to teach the “how” of drafting policies, but rather to demonstrate the “why” behind the policies and, to the extent possible, clarify “who” the policies impacted.
The class was divided into two departments: Compliance and Operations. The Operations department was instructed to frost and decorate the cupcakes. The Compliance team was instructed to draft the policies and procedures related to frosting the cupcakes. This hands-on lesson is usually a lot of fun. It’s often sticky. And, there are always some truly interesting outcomes. However, the outcomes are not really surprising if you’ve worked as a compliance officer for any length of time.
At the end of the task, Compliance is asked to read its cupcake frosting procedure to Operations. The result we consistently find is that the policy does not match the actual practice! Now it’s important to note that both teams are in the same classroom, sitting next to each other. To date, never in this exercise has Compliance looked up from its drafting to ask Operations, “Hey, how do the cupcakes get frosted in this company anyway?” Instead, they always guess. Outside the classroom, if our policies and procedures do not represent the actual way that the “cupcakes” are frosted, we will have much to answer for with our regulators.
During the debriefing, the Compliance team explains its policy drafting process. There are two main reasons typically cited for not tapping others’ help. The top reason? “You didn’t tell us that we could talk to each other.” Yet the instructions make it clear that the groups are working for the same firm. The next most cited reason is something to the effect of “I’m the compliance officer (or attorney), and it’s my job to interpret the policy, and everyone needs to do what I say—this is how a cupcake is frosted.”
There is a lot to unpack in that statement. Yes, your job within Compliance may be to draft policies and procedures and the business must follow them, but if the rules don’t make sense to the business, or aren’t reflective of the business that you’re in, or if the business doesn’t understand them, or if they are too afraid to have this conversation with you because you’re the boss, that’s not a desired outcome.
Actively collaborating with stakeholders is not generally something taught in school. Neither is the art of communicating with co-workers, and working diplomatically to diffuse difficult situations. But maybe they should be, as soft skills are crucial to the success of the compliance program.
Compliance officers, especially those newer to the profession, can be downright dogmatic in their approach to the rules, policies and procedures. In the absence of significant experience or understanding of the rules, they often see things in black and white terms, i.e. “this is the right and only way to frost a cupcake.” New compliance officers will need to be able to collaborate with colleagues who may have significantly more experience than they do. Accordingly, if a compliance officer’s stance is that they are always right because they are from Compliance, they ultimately may not be “heard” by the business, no matter whether they are in the right. Generally, more seasoned compliance professionals know, through painful experience, that there is more than one way to frost a cupcake.
The DOJ’s U.S. Sentencing Guidelines require that banks and
other organizations take “reasonable steps to communicate periodically and in a
practical manner its standards and procedures, and other aspects of the
compliance and ethics program.” This is accomplished by conducting effective
training programs, and otherwise disseminating information appropriate to such
individuals’ respective roles and responsibilities.4
Training is important, but it isn’t as easy as it sounds. Does your compliance department draft the training, do you have a training department, an outsourced learning management system, or some combination of all three? Training is a combination of skill sets. Subject matter experts are often brought in to help, but there is an art to training that transcends just the transfer of information. Just because you’re a compliance expert doesn’t mean you can teach it to others.
When it comes to training your staff, it shouldn’t be enough to return to your office with the training materials and check the “done” box. Effective compliance training is a cornerstone of your program. How can anyone follow a policy or procedure if they don’t know it exists? And how will training be absorbed if participants don’t understand the materials being presented?
For compliance officers who deliver training programs, examine your training deck. Is it a 70-page deck, with each slide packed with tiny, unreadable text? Does the only discernible white space appear on the final “Questions” slide in large type, followed by a string of question marks? If this sounds like your deck, you may need to reconsider your presentation.
Years ago, I was charged with giving a compliance training to the sales and marketing department at my firm. To my mind, all of the words in every rule that I planned to cover were important. An hour and a half and 25 yawning faces later, the head of the sales division approached me, thanked me for putting the materials together, and summarily ended the presentation. Later, she gave me some great advice: remember the “rule of three’s,” that most people essentially remember, typically, up to three things at a time, whether it’s three bullet points or three concepts. Whether you agree with this or not, the “rule of three” forces a presenter to be succinct and keep to the essential concepts. And fewer words on the page makes it less likely that the presenter will simply read from their PowerPoint presentation, a sure way to alienate one’s audience.
Consider your audience
Absolutely consider your audience in terms of subject matter—and in the different ways people learn. Studies indicate that the mind needs a change in direction every 15-20 minutes. Consider changing up your traditional compliance presentation by adding in some recent news or case law examples that will illustrate your main points. Make the training as interactive as possible and get the information out in a way that resonates with your audience. Small groups, role playing, and real life examples (anonymous of course) all help to further the goal of understanding. Once the training is complete, solicit feedback. Invite management from other departments to participate in the dialogue--and use the feedback to help shape further trainings.
As a seasoned compliance officer, I’ve taken innumerable compliance training courses and tests, and attended countless panel discussions and conferences. At the highest level, many sessions usually dive deep into the very serious business of deconstructing the topic/rule in question. Certainly the doctrinal law is important, as you can’t advise the business if you don’t understand the rule. But we usually give very little attention to the methods by which we advise the business. We think of these methods, such as the role playing and interactive communications approaches mentioned above, as soft skills, implying that they’re not as important as other skills within your compliance officer’s toolbox. However, the business won’t listen to your fabulous advice if they can’t hear it over the noise of your less-than-artful delivery.
The soft skills of compliance are just as important as your subject matter knowledge. After all, anyone can learn a body of law or regulation. What is more difficult is teaching understanding, empathy, and the importance of communicating effectively.
1United States Sentencing Commission, Guidelines Manual, §3E1.1, from Chapter 8.b.2 (Nov. 2015): http://www.ussc.gov/sites/default/files/pdf/guidelines-manual/2015/GLMFull.pdf
2 U.S. v. Jacobellis, 1964 U.S. Supreme Court ruling on pornography definition.
3 Preet Bharara, U.S. attorney for the Southern District of New York.
4 United States Sentencing Commission, Guidelines Manual, §3E1.1, Ch. 8.b.2