If the greatest challenge you face is silos within your anti-corruption compliance program, stop reading now: you are so far ahead of the game that you don't need to read any further. The challenge for the rest of us, when we examine our anti-corruption compliance programs, can usually be summed up with either "lack of resources," or "need to enhance our due diligence program," (usually a euphemism for "we have no real due diligence program"), or just plain business push-back because of real or perceived inefficiencies.
What if I told you, however, that with one adjustment, you could
- increase---at no additional cost or addition to the budget---your anti-corruption resources
- answer all your business-side critics and nay-sayers, bringing them almost instantly on board with your anti-corruption program
- break down silos between anti-corruption and the rest of compliance
- vastly improve your substantive anti-corruption program in a real (i.e. not purely optical) way, and at the same time improve your program in other areas as well
- and give you a much better story to tell the DOJ or SEC.
With one adjustment, you can reap all these benefits. The adjustment is a concept I've been promoting called compliance convergence.
Compliance convergence originates in the idea that many, if not all, compliance programs involve the collection and processing of information. What makes compliance convergence not only possible but almost inevitable is that many different functions within an overall compliance program look for the same information. Yet in many---if not most---organizations, information is not shared between compliance functions, tools that analyze information in one context are not utilized in others, resources dedicated to one area don't cross-pollinate or otherwise make their information, decisions, or even their experience available for other areas.
Let's spend a moment on a compliance officer's most frequent effort, the root cause analysis. Compliance until fairly recently has been immune from the relentless drive toward efficiency that has engulfed the business world. In a lot of companies, there was fear that "efficiency" meant "budget cutting," and that regulators would not look kindly on budget cutting in compliance. But efficiency means more than controlling spend on a Salary and Benefits budget line. And because compliance is notably bereft of businesspeople, there isn't the natural drive to get the most out of each dollar. In a lot of cases, especially in a crisis, there's a spare-no-expense mentality that morphs into wildly useless expenditures on accounting firms and outside counsel, and on implementing their sometimes-overly-cautious recommendations. Even recently, efforts to control costs within compliance programs have revolved around staff cuts or reassignments, rather than engaging in a true effort to identify and implement efficiencies.
The other root cause of compliance inefficiency---and one more relevant to the concept of convergence---is the subspecialization that regulations require. Companies handle life risk by risk. Banks have anti-money laundering risk, sanctions risk, FCPA/anti-corruption risk, operational risk, plus others. They hire experts in each field to develop programs to assess and mitigate those risks. Those experts develop their programs in somewhat of a vacuum. They buy technology they "need," they write up resource requirements, they write policies, develop procedures, and create training. There is no overarching analysis, however, that would identify potential efficiencies among the various risks.
Anti-money laundering, for example, is a subject area whose compliance is ripe for convergence with anti-corruption. A staple of an effective anti-corruption compliance program is an ability to do due diligence on third parties, often in faraway lands. Owners have to be identified, negative media checks completed, questionnaires completed and analyzed. Usually, this process is either grown in-house or designed and implemented through outside counsel. Outside counsel drafts the questionnaire, and the company decides how they're going to deal with third parties on a case by case basis. Anti-money laundering programs, however, have some of these same requirements. A staple of anti-money laundering program is due diligence on individuals and corporations who are customers. Media checks are done, and an entire approval process---usually through some sort of risk committee comprising senior leaders in the region---is used. Most banks have units dedicated to this investigation, called Financial Intelligence Units. They have media search keyword taxonomies already in place; most have even undergone regulatory scrutiny in some form. There is case management technology in place for when red flags come up.
Even the Wolfsberg Group---famous for their anti-money laundering guidelines---recently revised their anti-corruption guidelines. These guidelines specifically suggest convergence:
The leveraging of anti-money laundering monitoring processes to address bribery risks should be considered when developing an effective approach to monitoring for bribery.
I believe the Wolfsberg group understates their suggestion: why not include anti-money laundering controls, not just monitoring, in all parts of anti-corruption compliance? Descriptions of effective anti-money laundering compliance programs read so similar to anti-corruption requirements it's eerie. Tone from the top, due diligence (aka Know Your Customer) requirements, training, monitoring, risk analysis, all should be leveraged between AML and anti-corruption compliance. Suddenly, your entire FIU also serves your anti-corruption program. You use consistent methodologies to address risk across frameworks. Your anti-corruption compliance program has access to excellent (and expensive) technology at no incremental hard cost. And the expertise that's injected into your anti-corruption compliance analysis is invaluable. You also tie into already-established, up and running processes that have business buy-in. Anti-money laundering compliance is part of the DNA of financial institutions. There's little or no push-back from the business; it's simply a fact of life. By tying anti-corruption initiatives into anti-money laundering, you sidestep business concern. The business, for example, is used to going before the regional AML risk committee. Discussing bribery in the same forum won't generate the kind of resentment and attempts to circumvent as it would with a brand new anti-corruption specific process.
Even when you have specific anti-corruption needs, like specific questions that must be asked in a questionnaire, you can tie it into AML. For example, it's required in anti-corruption compliance to establish if the officers of a third party you're going to hire are government officials. In anti-money laundering Politically Exposed Persons are required, in some jurisdictions, to undergo additional diligence processes. Why not tie your anti-corruption searches into your PEP monitoring? The people doing the searching, and clearing "hits," are experts at that very task. Why burden your anti-corruption strategist with those details?
Examples of further convergence opportunities are as numerous as your individual programs. Use your current travel-and-expense reimbursement system to identify government-related expenditures. That's usually an easy tweak to an already-existent system. Use your sanctions screening technology to evaluate third parties. Use a pre-existing training channel to cover anti-corruption. Use grey-market end-user resources to evaluate potential anti-corruption issues. Use export control compliance to help evaluate freight forwarders for anti-corruption risk, and to help understand pricing issues in deals where money could be left on the table---export people deal with transfer pricing questions all the time, they're generally experts on how internal goods are priced. Use your litigation eDiscovery software---designed to analyze emails and documents---to enhance your internal monitoring. Use enterprise search technology to ensure the corporate left hand knows what the corporate right hand is doing.
By converging your compliance functions, you generate efficiencies that not only help your bottom line, but also create a holistic program from a patchwork one. By tying your anti-corruption compliance program into your overall control framework, you create a much more stable, much more defensible platform.
