As chief compliance officer (CCO) at Goldman Sachs from 1993 to 2016, Roger Begelman witnessed the most dramatic period for the global investment banking, securities and investment management firm: the financial crisis hit and triggered a wide range of new and revised rules and regulations that profoundly changed the industry.
Roger attributes his ability to successfully navigate this choppy period to his diverse and empowered team, capable of creating a culture of compliance that went well beyond well-meaning words on a mission statement.
The formula sounds so simple. But without a strong compliance team accompanied by a supportive tone from the top that is backed by actions from senior leadership, the compliance function risks becoming “the cop on the beat,” monitoring past transactions rather than advising on the right path to move forward.
We recently spent some time with Roger, discussing his tenure as CCO at Goldman Sachs Bank, USA, and the issues that continue to occupy the thoughts of the men and women charged with regulatory compliance in this continuing, interesting time for the industry:
- The real threat of money laundering
- Maintaining rigor in the risk assessment process
- Best use of new risk management technologies
- The impacts of a shifting regulatory landscape
Grant Thornton: You were a senior compliance officer for more than 20 years and a CCO for part of that time, during a sometimes exciting, sometimes turbulent era for the financial services industry. What advice would you give to a new CCO?
It sounds simplistic, but start with building your team. The quality of your people needs to be your first area of focus. Find diverse talent; take the time to develop them to their full potential; rotate them in different roles so they benefit from a wide range of experiences; and, most important, empower them to become leaders in their own right. You can have the best systems and most technologically advanced surveillance tools, but you need your people to feel empowered and to know that they’re there to help.
I started my career as a prosecutor. Obviously, I think highly of a prosecutorial background, and people from law enforcement often go into the compliance function. But I didn’t want a team that all thought like me. I wanted a team with diverse backgrounds who could offer a wide spectrum of opinions and perspectives.
Grant Thornton: What role should the CCO play in establishing the compliance culture?
Culture is a difficult thing to describe. It’s really the unwritten norms that guide behavior and ethical standards, and it has to start with the tone from the top.
If the compliance function is viewed as “the cop on the beat,” it sends a wrong message. Yes, there are times when the compliance team needs to say no. But it doesn’t work if you are just seen as the department of no. You need your compliance team and senior leaders working hand in hand to grow the business in the right way.
My personal experiences have been very positive. There were always a few exceptions where someone disrupted the norms. I think that’s to be expected with a large organization and can be dealt with accordingly. But I always felt like I worked with leaders who had a very good compliance conscience. If we couldn’t figure out a way to move forward without banging into regulatory impacts, my role was to advise on a path that still met the business objectives in a compliant manner.
Grant Thornton: How important is it to establish a risk appetite statement?
I think they’re helpful. I would say that they need to be hand-in-hand with the culture and the tone from the top. The problem arises when they’re written and then just sit in a drawer, or if they are written primarily for the regulator as opposed to the bank employees who are really your first line of defense.
Grant Thornton: What are the top issues for CCOs today?
One of the top issues has to be anti-money laundering (AML) and adhering to the Bank Secrecy Act regulations. The risks involved with AML are so high and the penalties can be so punitive that every CCO must pay close attention – we’re talking “b” as in billions in fines. You have very sophisticated criminal syndicates involved in drug smuggling and terrorism, looking for access to financial markets and developing intricate plans to get around the regulations and sanctions. You have to have incredibly strong controls that must be maintained, updated and constantly tested.
It’s bad enough when you think about what happened to Equifax and the extent of their data breach, but imagine the carnage if some bad actor got access to an investment bank’s gray list. That thought should keep any CCO up at night.
Cybersecurity is another top issue. While it’s my view that the technology team is the group with the skill set to “own” cybersecurity, the compliance function needs to work hand-in-hand with the technologists to train people on what is appropriate and what is inappropriate in terms of how to use their personal technology. This gets very complicated in today’s world where an innocent-looking email link could be a sophisticated attempt at phishing.
Grant Thornton: How do you establish a strong controls environment to deal with priority issues and compliance requirements?
I like starting with the classic risk assessment process. Start by reviewing your inherent risks and assessing existing controls. Everything flows down from there. If your risk assessment process is strong and you have a good team of people, you have the foundation of your compliance program. You know where you have sufficient controls and where extra effort is needed. A formal risk assessment process also requires documentation on the approach, which is essential because you have to be able to present your methodology and rationale to the audit committee and the board.
I would look to a team of senior people in the compliance department to hash out what they think the priorities are, probably with representatives from the technology team also at the table, since many risk reduction protocols involve a fair amount of technology. Forced ranking of risks also is a good approach: It makes people think hard about the greatest risks and accelerates decision making. Forced ranking can sometimes help you recognize low-hanging fruit, which you can address and then move on.
There are times where you just have the issue du jour that comes to the top of the list because that’s where the regulators are focused. You need to be flexible. But having a well-established, well-documented risk assessment process means you also have a well-understood path to alter your prioritized risks.
Grant Thornton: Where do you see the regulatory pendulum trending?
Obviously the new administration is intent on swinging back toward a pro-business environment. What does that mean in practical terms?
I would not be surprised if a significant part of the Volcker Rule is rescinded. It is very difficult to implement. It is difficult to maintain. It is extraordinarily expensive. I’m still not sure that anyone had a clear understanding of how to define proprietary trading in the world of swaps and helping clients in the swap markets. I also would not be surprised to see a change in what qualifies as a “systemically important financial institution.” In fact, there are two pieces of legislation, one by the House and one by the Senate, looking to change that definition to ease the burden on smaller banks that currently qualify.
That said, I don’t think anybody in the compliance world can lose sight of what’s still important. I think the capital requirements will stay the same. Those changes have reduced systematic risk; in fact, all of the major banks passed the living will this year. Finally, I don’t foresee any changes to AML rules.
Throughout my career I have seen swings back and forth. I’ve also seen that regulators watch what is happening in one part of the world to look for best practices. Regulators study new frameworks in one part of the world to make sure they do not inadvertently allow “regulatory arbitrage” in their backyard; no major economy wants to make their market the one that allows bad practices. Even though the regulatory burden in the U.S. is easing, bank CCOs still need to spend a good deal of time understanding what regulatory changes are happening around the world and what those changes could mean for the business.
Grant Thornton: You mentioned the importance of understanding the global compliance landscape. That sounds challenging. How do you stay abreast of global regulations across multiple jurisdictions?
You know, it really goes back to the first point in the discussion about your team. You need strong people around the globe who understand what’s going on and have the ability to communicate concerns to both their leadership team and to their local regulators.
I found it important to move people around to get new experiences. You didn’t keep the people in London just in London and the people in Hong Kong just in Hong Kong. I would look for opportunities for my team to get exposure to new geographies whenever I could, even if it was to cover for people during two- or three-month stints. I wanted to give my team the opportunity to learn from their colleagues and to make sure that they understood global regulatory and compliance issues.
Grant Thornton: It all goes back to talent and the team.
You know, it does. One of the things that concerns CCOs is the talent pool. The best compliance people are in high demand, and the talent pool is constantly getting tapped. My final advice is to invest in good people, empower them and make sure they get the opportunities and experiences to develop into well-rounded compliance professionals and leaders.