Having A Conscience | With No Top-Down Compliance Culture

By Coral Erkkila, Compliance & Risk Manager


With my children leaving the nest it was time to head out on my adventure. I had been working in the Trustee industry for several years and was a qualified financial advisor under the FMA.


I decided to travel to the Pacific because of the trustee industry, with six trustee companies based there. With an interest in changing my lifestyle, ‘going troppo’ was an ideal choice. For the first year, I worked for one of the trust companies; however, in my second year I secured a job as the Compliance & Risk Manager for a private bank, where I remained for approximately 6 years.


Life as a Compliance & Risk Manager


Two weeks into my role, someone senior in the organisation asked me my thoughts on an AML compliance matter. I considered the question posed and gave my reply, to which the response was “I didn’t realise we’d hired a Compliance Manager with a conscience.” It was then that I realised that this would be the most challenging role of my career.


For the first few years, there was very little, if any, support from the top down as far as Compliance was concerned. It was almost as if I was there on paper, employed to meet a regulatory requirement but not accepted as having or adding value to the business.


Not having the support from the top down to encourage a strong compliance culture meant that there were constant challenges in training the staff (funding being one of them) and in getting their buy-in to implement new processes and improve the overall standards. It felt like being isolated within the company, as though compliance was considered a low priority or an evil necessity.


During the first few years, other major challenges presented themselves. In early 2016 I was settling into my new role, getting familiar with all aspects of the operations of the bank, when, due to a worldwide de-risking phenomenon, we suffered the loss of our main correspondent bank and, as a result, were nearly forced to close.


This experience highlighted one of the most important risks that faced our bank (loss of correspondent partners through de-risking) and the importance of achieving and maintaining a good reputation both on the island and internationally. Fortunately, with the support of the majority of our clients, a lot of hard work in sourcing further correspondent partners, and perseverance, we managed to avoid the worst-case scenario: closure.


New regulations, total overhaul


My second year saw a new set of regulations introduced under the Financial Transaction Reporting Act 2017 which meant huge changes to requirements and a total overhaul of all policies and processes to meet those requirements.


I found myself writing the bank’s Risk Appetite statement, Risk Management Framework and everything else that fell under that umbrella. This was a huge challenge and learning curve for me, and through a lot of research and hard work I managed to create a framework that met not only our regulatory requirements but also the bank’s overall strategy.


2018 brought the country’s Mutual Evaluation by the Asia Pacific Group (APG). The bank was one of the entities selected to participate in the question/discussion sessions with the APG panel. The process highlighted the need to work together with regulators to achieve high standards and a good reputation not only for the bank but also for the country as this could affect our business long term.


Our bank employed approximately 10-12 people with four staff forming the senior management team, three men and myself.


Male senior managers were always included in decisions affecting the bank, whereas I was often excluded. On one occasion a strategy planning session was organised which was to include all the Board members as well as senior management. It came to my attention through an email that there was a query about whether or not I should be included. It was apparent that my opinion was considered unimportant and of little or no value.


On numerous occasions, I was not advised by other senior managers of risks posed to the bank. Often, I only found out a long time after the fact and then only because I overheard a conversation and queried it.


An example of this was a ransomware attack threatening the bank and wanting a bitcoin payment. When I queried why this hadn’t been brought to my attention, I was told it was on a need-to-know basis. When I challenged this decision, I was simply dismissed.


Learnings


I have learnt to be strong and stand up for w