Building a culture of compliance

The most detailed, rigorous compliance programs are useless if staff ignore them outside of training sessions or compliance meetings. With regulators or a cyber-attack lurking right around the corner, the stakes for being compliant couldn’t be higher.

Today, firms are building compliance cultures with a few key elements. First, they make sure senior management understands and commits to the compliance program, and regularly demonstrates that commitment. They schedule regular meetings to discuss compliance developments, make policy and approve the next steps. They deploy technology to automate every regulatory form or approval process they can, and regulate staff behavior online when possible. Formal training takes place at least once a year, with interactive programs that often involve outside experts. And every compliance program involves ongoing communication with the staff, to ensure the program remains relevant to the latest regulatory news.

But any compliance program can falter if senior management doesn’t support it with the proper resources, or their own behavior. Some partners may look to avoid training sessions or be exempt from IT rules, but they do so at their own peril. “It’s important that top executives attend training alongside everyone else and that they’re engaged, and that means not being on their smartphone the whole time,” says Luke Wilson, a partner with ACA Compliance Group. But what if senior management balks at the cost or the trouble?

To bring senior management on board, it’s important to communicate why the existing program requires a policy change or new procedure. “Senior management isn’t going to build compliance into its budget if they don’t think it’s vital,” says Wilson.

Compliance officers tap outside counsel, fellow chief compliance officers (CCOs) and recent regulatory headlines to build the case that it’s worth the investment. Given the parade of cautionary tales in the news, most firms are willing to spend money to make compliance a priority.

But it takes more than money to convince the rest of the staff. A firm’s leaders have to set an example themselves. “Our co-chief executives made our firm’s 45-minute cybersecurity training mandatory,” says Eric Feldman, the chief information officer of global firm Riverside. “It’s that level of support that allows me to get it done.”

Exempting partners or other firm leaders from compliance standards can send the wrong message and jeopardize the entire effort. “Sometimes senior deal professionals don’t have to use passwords or can download software without restrictions,” says Wilson. And that can mean other staffers feel compliance standards can be disregarded. “It has a trickle-down effect.”

One of the key ways senior management can demonstrate that commitment is formal compliance meetings. For larger firms with more than 20 staff, quarterly meetings appear to be the standard. Smaller firms may only require a mid-year and end of year meeting, but only if the person tasked with compliance has frequent access to leadership.

“In addition to our formal compliance training, we have a number of informal discussions during the year on various compliance topics. These usually happen at our weekly firm meetings when we are all in attendance,” says Nickie Norris, the chief operating officer and chief compliance officer of structured equity firm Heritage. Small shops might also be able to handle compliance issues within the framework of existing leadership gatherings, so long as compliance is part of the formal agenda on a regular basis.

For larger firms, the quarterly meetings consist of a twofold process, looking outward and discussing relevant regulatory developments and looking inward, to discuss internal firm policy and behavior. “We don’t just focus on compliance violations, but any policy or procedural changes. We identify anything that needs a closer look, even technology matters, where we need to build a consensus on how to handle it,” says Adam Reback, chief compliance officer of investment manager J Goldman.

Some firms have launched specialized compliance committees devoted to cybersecurity. Riverside’s chief information officer explains: “We built an IT security steering committee, chaired by me, that includes the CCO, a European compliance officer and two members of our HR department that meet on a quarterly basis.” Many CCOs arrange to meet IT staff on a regular basis so they can incorporate relevant regulatory updates into tech initiatives.

Some CCOs are building their culture by involving individuals from the departments that are most capable of executing the policy or procedure. “We’ve spread ownership across different parts of the organization,” says Jason Ment, general counsel and chief compliance officer of StepStone. “For example, a member of our finance team owns the preparation of all track record presentations and has been trained by the compliance team on the related rules and best practices. We’ve effectively grown our compliance team without increasing our headcount and have created another compliance standard bearer in the organization.” Some CCOs suggest delegating can also keep compliance top of mind in departments within large firms that may not meet with the CCO on a regular basis, such as IR staff.

But all the meetings in the world can’t prevent an employee from clicking the wrong link and causing a data breach. So a lot of firms deploy technology to censor risky online behavior. For example, they do not allow employees from using their own devices to access the firm’s servers. Instead, they will provide remote desktop access or laptops for home use and install security measures on mobile devices that allow them to be scrubbed remotely.

Technology is also being used to streamline and automate the entire compliance process. Many CCOs have invested in software to automate regulatory filings, compliance approvals and reporting. “Everything from tracking employee attestations to compliance manuals, pre-trade clearances, even any political contributions gets tracked [with our software],” says Candice Richards, compliance officer at MidOcean Partners. “So we’re able to pull audit trails and logs easily.” Most compliance officers admit the current software options may be clunky, but are worth the investment given there’s so much to track and file these days.

Technology can help, but building a compliance culture still remains primarily an education effort, and that means robust and frequent training sessions. Most firms have required compliance training once a year, but few stop there. “We’ll have two to four compliance sessions a year, usually involving investment staff,” says Reback. “But there are separate training sessions tailored for back office and IT staff as well.”
Anyone can sit through a slide presentation for a day, so CCOs need to tailor training sessions that employees actually pay attention.

“Training sessions are conducted in a small-group setting for each of our teams,” says Sara Dasse, partner and senior compliance officer of Adams Street Partners. “With a team-by-team approach, we are able to focus on the compliance topics of greatest interest to each team, and employees seem more comfortable raising questions.” The best training sessions are interactive, so no one has the chance to zone out.

“For our recent cybersecurity session, my presentation included film clips, documentaries and dramatizations, anything to resonate with them,” says Richards. And she would stop the presentation at various points to take questions or comments. “It gets them comfortable with compliance in an informal manner, even if the setting is formal.”

Real-life examples and training that link recent regulatory decisions to the firm’s behavior is also important. “The more you can make the training relevant to them, with real-world examples as opposed to citing specific rules or statutes, the more likely they are to understand and internalize it,” says Jeff Wright, the associate general counsel and chief compliance officer at Chicago-based GTCR.

Many firms will tap outside counsel or a compliance advisory firm to administer the training or at least speak during the session. “It’s one thing to hear from me, but it adds weight to the presentation and communicates the importance of it,” says Richards. Some CCOs value outside counsel for a different or more specialized perspective, and vary outside speakers at every training session.

Some compliance programs formally involve every employee during training. “We have integrated a compliance assessment, or quiz, which is specifically designed to
focus employees’ attention on important issues and to spur discussion,” says Dasse. And for any web-based training, an end of session quiz is crucial. “It’s one way to help ensure they aren’t multi-tasking throughout the training,” says Wilson.

No matter how in depth or rigorous the training session may be, there will always be issues that arise outside of the scheduled meetings. Most CCOs make a point of sharing key news stories or recent regulatory developments as they happen. “I’ll do a summary on an issue, court case or a high profile regulatory story and connect how it impacts us,” says Kelly Riera, director of compliance at TA Associates.

Then there are the questions that arise in the regular course of business that might give an employee pause. And that’s where a compliance culture isn’t merely a rulebook, but a tone that fosters an open dialogue on compliance matters every day. “You need to be visible and approachable and that means helping your team get to ‘yes’ within the regulatory framework,” says Ment.

And that requires balancing the compliance staff’s role as both business partner and internal auditor. It’s never cutting corners, but allowing best practices to emerge out of a dialogue. “My best ‘no’s are when I don’t even have to say it,” says Richards. Instead, she discusses the issue so the investment professional or staff member can draw the right conclusion on their own.

And the truth is, even people with the best compliance cultures will still need to have that conversation, given how complex staying a task compliant is these days.