The Cardinal Sins of Compliance

What are the 'cardinal sins' for compliance? What can organizations do to avoid the (good) book being thrown at them? Carroll Barry-Walsh tells all.

30 June 2023
By Jennie Clarke

On June 8, 2023, we welcomed leading compliance professionals to our London offices for our Compliance & Conversation event. The event included an engaging and entertaining presentation on ‘The Evolving Landscape of Conduct Risk’ from Carroll Barry-Walsh, Founder of Barry-Walsh Associates.

A theme throughout Barry-Walsh’s session was the idea of ‘sin’, and how organizations can work to avoid committing these sins in the eyes of regulators and oversight bodies. With the ongoing increase in regulatory scrutiny, the likes of the SEC, FINRA, and the FCA aren’t likely to forgive non-compliant organizations their trespasses. Barry-Walsh’s session highlighted several of the ‘cardinal sins’ organizations need to be wary of, and what they can do to avoid having the (good) book thrown at them.

First cardinal sin: poor information availability

“The information that’s going to be asked of you is going to be pretty extensive, and you’re going to have a hell of a job finding it under some time pressure and making sure it is accurate, complete, and reliable”.

Recent examples – including the SEC’s sanction against J.P. Morgan for the deletion of 47 million emails – show that having complete communications data to hand and archived securely, in a manner that makes it straightforward to access at a moment’s notice, is paramount when complying with regulators and investigations.

Second cardinal sin: not understanding that non-compliance is a ‘when’, not an ‘if’

It is Barry-Walsh’s view that, when it comes to compliance issues, it is a matter of ‘when’ non-compliant activity will occur, not ‘if’. Though this may seem slightly fatalistic, the onus should be on preparing for problems to occur, and understanding how to handle them when they do:

“A good culture is one … that knows how to handle problems when they arise in an intelligent and sensible way which earns you some credit with how you handle that problem. It earns you that credit with your staff, with your clients, and with external stakeholders.”

The SEC’s Gary Gensler echoed this sentiment in December 2022, noting that “nothing motivates quite like accountability”. This was clearly demonstrated when FINRA issued an anti-money laundering (AML) compliance officer with a $25,000 fine and a suspension where he “took no steps to investigate or address” the firm’s surveillance and review process around AML. It was also made clear in an action from the SEC in which a Chief Compliance Officer received a $15,000 fine for knowing that the company had an “inadequately implemented” compliance program but failing to act. From the regulator’s standpoint, there’s no time for burying heads in the sand.

Third cardinal sin: complacency

“Complacency is one of the worst sins that you can have in this industry – remember, it could be you.”

Complacency – an inability to look inwardly and with a critical eye at your behaviours and practices – can lead to stagnation within a business and compliance team. If you assume that you are working compliantly and meeting all standards, or that your practices are unlikely to be called into question, you set yourself up for a compliance crisis.

The importance of avoiding complacency, and of constantly assessing practices and procedures in light of changing regulations and legal burdens, was recently emphasised in a statement from Michael J. Hsu, the Acting Comptroller of the Currency at the OCC. As part of the OCC’s semiannual risk perspective, Hsu counselled the need to “guard against complacency” – because becoming complacent opens up the very real chance of exposing yourself to risk. For Barry-Walsh, risk is born of a consistent – and very human – element:

“If you employ human beings, I can guarantee you that somewhere, probably right now, one of them is doing something stupid.”

Fourth cardinal sin: not understanding the need for a compliance-positive culture

“Knowing what is going on in your firm is actually something that can be really positive and create a really really good culture.”

A key theme of the session was that of proactivity, rather than reactivity, when it comes to risk and compliance. Culture, according to the FCA’s Emily Shepperd, “underpins outcomes”, and is central to the UK regulator’s supervisory model. Firms “willing to turn a blind eye”, Shepperd adds, expose themselves and clients to “unnecessary risks which could’ve been managed”.

Creating a pro-compliance and risk-aware culture should not be an afterthought, or seen as something that can be instilled by additional training. It is established from the top down, and is about professionalism at all levels, embedding professional conduct as a fundamental tenet in everything you do. The question to ask, according to Barry-Walsh, is not ‘can I do this?’ but ‘should I do it?’
