Should CEOs take the blame for ML/TF failures?
Does responsibility really lie at the top? I take a critical look at whether the top leadership at banks should take the blame for all ML/TF-related failures.
Abhishek Dwivedi
1/31/2022, 4 min read
Based on a recent post "Swedish authorities charge former CEO of Swedbank for fraud and market manipulation" we ran a poll to find out whether our audience knew which bank's CEO was charged. We got very high participation and the responses were quite varied.


Looking at the enthusiasm in our poll, I was quite impressed to find people giving importance to accountability right at the top; the correct result did not matter. This made me think. Should the CEO take the fall in the first place?


Whenever an institution is fined, the failure does not happen overnight. Cracks develop at the weakest link, which can lead to the sinking of the complete ship. Taking this analogy, who is responsible for the crack? If the captain of the ship has put faith in his maintenance staff and the staff do not do their job properly, you do not expect the captain to go and check every nut and bolt on a daily basis. In a similar fashion, it's quite easy to blame people higher up, but what we do miss is the fact that these CEOs put full trust in their Compliance and First Line (business/relationship managers) staff to do the right thing and have the right checks and balances in place.
Having given knowledge awareness sessions on the ML/TF topic to members at board level, I can tell from experience that the willingness to do the right thing is definitely there, but they are not experts by far. Sometimes the CRO (Chief Risk Officer) may have oversight of what is going on and the direction the organisation should take from a Non-Financial Risk perspective, but may not be completely aware that one location in a faraway region may have opened the floodgates to allow unlimited cash. Do you really expect a CRO or a CEO to look at your Transaction Monitoring rules and assess whether they are working well or not?
Let's make it tangible. In the case of ING Bank's fine, section 3.7 of the FIOD report (refer here) mentioned "topping" (limiting generation of alerts). This must have been a conscious choice made by the team responsible for TM and not the then CEO Ralph Hamers. Of course there were some other structural issues (which again the respective teams should have taken care of), but still, what do you want to achieve by charging Ralph Hamers? If this is for teaching a lesson, should all the CEOs start micro-managing?
Let me give another example, from ABN AMRO. Among other things, one of the major concerns raised by the Public Prosecutor was the incorrect CDD risk classification (e.g. for clients known to be cash intensive, associated PEPs, etc.). It's the primary responsibility of the business. They are the gatekeepers and should do their job well. If not, then we cannot simply start jumping and complain about the CEO! The reason I took the ABN AMRO case is because there is a specific reference to three individuals.
"...Furthermore, the criminal investigation has to date revealed that three natural persons presumably are effectively responsible for the violation of the AML/CTF Act by ABN AMRO. These three former members of the Board of Directors have now been identified as suspects. This does not necessarily entail that they will be prosecuted by the NPPS... "
If there is evidence, then by all means charge them and prosecute them. However, I am of the opinion that there are other ways to tackle organisational failures rather than a symbolic gesture (charging the CEO, for example). As long as the pain (the fine in this case) is not felt by each and every person who is part of the chain, it will always be considered as something covered by the “insurance policy”… hope you get the pun ;-)
Something needs to be done... right?
This brings me to an important point. As captain of the ship, what should the C“X”Os of banks do that will bring a change? As far as I have experienced, the information about what is happening reaches the top via... via... via... Moreover, the information is static in nature, and by the time it reaches the top (if at all), the situation on the ground may have changed and hence any action taken does not make any sense. As AML/CFT is very high up on the attention scale, I believe a small squad/team should be set up which reports directly to the C-level executives.


This team’s primary responsibility should be independently assessing/analyzing a data-driven risk overview across the bank/FI. They should assess the impact of known trends, check classical failures in the first line, TM monitoring results and follow-up, etc. I say data-driven because such an overview will offer dynamic insight, which can be a change or no change, reflecting the direction your bank/FI is heading from a risk perspective (by the way, in this day and age, I fail to understand why we still use memos/presentations, i.e. a static medium, to share insights!). Such a team, close to the executives, can drive the mandate and demand action. I know I am oversimplifying the solution, but a solution has to start simple, otherwise you will end up making things so complicated that you may lose track of why you started going in a particular direction in the first place ;-).
If you are interested, read my other article where I have done a slight deep dive into "How did we end up in this mess?".
I will be very much interested to know how you perceive this topic and what you think might be a tangible way to bring a change in the organisation.
