The Intersection of Corporate Governance and Compliance: Helping Your Directors Fulfill Their Responsibilities
An Interview with John Walsh, CEO, SightSpan
Serving on a corporate board is a great honor and a great responsibility, especially for those involved in financial services organizations. Gone are the days when directors were management’s rubber stamp. And particularly since the global financial crisis of 2008, significantly more is expected of non-management corporate directors. Today’s directors must understand the risks their companies face and be informed and empowered overseers of key areas, including risk, audit and compliance.
The responsibilities facing today’s directors might seem overwhelming, but they don’t faze John Walsh, CEO of SightSpan. Walsh—who makes his living advising and educating corporate directors on tough issues like risk management, money laundering, terrorist financing and other Bank Secrecy Act and USA PATRIOT Act topics—contends that directors of financial services firms, and those contemplating becoming directors, needn’t be fearful of the responsibilities they face, but they must be educated and proactive. “It’s all about responsible corporate governance,” he says.
Intrigued, we sat down with Walsh and asked him to tell us more.
Paybefore: Why is it all about responsible corporate governance?
John Walsh: The global financial crisis of 2008 was the spark for regulators and shareholders to take a hard look at corporate responsibility and to ask, “Who’s in charge?” This scrutiny applies to all kinds of companies, not just financial institutions or financial services companies. And, it applies worldwide, not just to companies in the U.S. The result is the emergence of a new global business environment, with more stringent and defined corporate governance surrounding boards and their responsibilities. Corporate governance is a No. 1 priority.
Paybefore: Great slogan, but what does it mean?
JW: Corporate governance is the framework that supports the efforts of an organization’s executive management and its board of directors in doing the right thing, regardless of the challenges they must address or the decisions they must make.
Among other things, a quality corporate governance framework includes educating board members on key issues, such as money laundering, terrorist financing and compliance; having active board-level committees, including, at a minimum, audit, compliance and ethics; and establishing an agreed-upon risk appetite position.
Good corporate governance reduces opportunities for capricious decisions, provides a system of checks and balances between management and the board, and increases transparency in an organization—helping prevent the consolidation of all authority in the hands of an individual. And, this is what investors and government want to see in a business.
Paybefore: How does a company pick the kinds of directors that will help it achieve responsible corporate governance?
JW: If I’m the board chairman, I want to be active in the selection and approval of board members who I believe will participate actively on the board and make appropriate contributions, and are willing to take on the risk of this position. There is a fiscal, social and corporate responsibility that goes with sitting on a board, and the board members must understand they will be held accountable.
Paybefore: Accountable is a scary word.
JW: It can be a scary word but only for people who want to lead from behind and not drive change with a clearly defined strategy. I had the opportunity once to work with the CEO of Microsoft, Steve Ballmer, and he said great companies have high cultures of accountability. I believe this is very true in today’s marketplace and very true with your readership. Accountable boards and accountability-based management teams are the only ones that will survive and rise to the top of the marketplace.
Paybefore: We’re pretty accustomed to hearing that prepaid and emerging payments are risky—mostly, I guess, because we keep hearing that from regulators and law enforcement. Does this mean that directors of companies dealing with prepaid and emerging payments accept a higher level of personal risk by sitting on the boards of those companies?
JW: I have to disagree with the initial statement. With the correct controls in place, prepaid isn’t any more risky than traditional financial services. At the end of the day, all financial services firms accept a level of risk. If they don’t, they can’t make money. What’s important in prepaid or traditional banking is the risk/reward model—and this should be part of the corporate governance model. The board and executive management need to agree on the company’s risk appetite—and everyone has to buy in and sign on. Once the risk appetite is established, consistent decisions can be made within the risk appetite framework. Anything the management team contemplates—a new product, for example—must fit the risk appetite, determining whether the inherent and residual risk are consistent with the acceptable and approved risk levels mandated and approved by the board.
Paybefore: So, let’s say, the board chairman thinks you’re the kind of person who is able to accept the fiscal, social and corporate accountability needed for a director. And, you’re asked by a bank—or another entity in financial services that isn’t a bank but is covered by the USA PATRIOT Act or subject to the authority of a regulator, like the Consumer Financial Protection Bureau or even the Federal Trade Commission, for example—to serve on its board. What should you do before saying yes?
JW: The first thing I’d do would be to read and evaluate the quality of the company’s anti-money laundering (AML) and data security policies and practices. While you may not understand the intricacies of AML and data security at the outset, you’ll be able to judge if you’ve been provided with insufficient information or if you’ve been deluged with so much documentation that it’s not feasible to read it all with any beneficial level of understanding. Both extremes are clear warning signs.
Then, I’d ask for and read the company’s last three years of audits and any remediation plans and progress reports, if appropriate. Having this documentation would give me—as a potential director—a good understanding of whether the company I was contemplating getting involved with has a robust corporate governance infrastructure and a culture of accountability.
Paybefore: Is it OK if you don’t understand everything you’ve read as part of this process? I can’t imagine that someone coming into this without a background in this area would be able to make heads or tails from what he or she read.
JW: It is OK. As I mentioned, the potential director may not understand everything put in front of him/her as a result of the initial requests for information. And, if that’s the case, the next question needs to be about the training he/she will receive.
Good board members and good boards demand training. If formal training isn’t possible, then the directors must go out and get the information themselves. And, if they can’t or aren’t willing to do that, there’s no way around it, they must decline the invitation to join the board. Or, if they already sit on the board, they must leave it. With accountability and corporate governance goes personal responsibility.
Paybefore: What about directors and officers (D&O) liability insurance?
JW: Of course you should ask, and of course you shouldn’t accept the position if this coverage isn’t provided, which would be unusual in today’s environment. But, you also need to realize that there are situations in which D&O coverage won’t apply, like if the firm you’re entrusted to guide acts in an unlawful manner or is engaged in financial crimes, such as money laundering, terrorist financing and/or fraud. This is why it’s extremely important for directors to do their own due diligence on companies before joining boards and to understand and carry out their responsibilities thoroughly once they join the board.
Paybefore: Let’s jump from corporate governance to compliance. I have two questions on directors’ responsibilities regarding compliance, because this is a topic Paybefore covers closely. First, can you summarize what those responsibilities are? And, second, what are the most significant compliance issues that today’s directors must be aware of?
JW: Let’s be clear, it’s not a jump from corporate governance to compliance. Great compliance is essential to responsible corporate governance—it’s more like an intersection.
In response to your first question, there are circumstances in which you can be held personally responsible for business decisions that are effectively unlawful: for example, money laundering, terrorist financing, tax evasion and a host of matters related to security of staff and client information. The board must ensure that the company complies with all laws and regulations relevant to its business. One director, at least, should be familiar with each of the following areas of the law: AML compliance, tax and insurance obligations, and security matters.
Second, money laundering and threat financing are significant risk factors for any business but more so for financial services firms. Financial crime is a growing concern of all economies. Boards and company management need to review AML/Counter-Terrorism Financing issues regularly, and risk management techniques and global best practices must be incorporated into every area of business development and client management, including transaction monitoring and internal client oversight.
Paybefore: Directors are overseers of compliance; they’re not on the front line of the business day to day. So, what should directors expect of the company’s internal compliance function?
JW: Boards need to empower their management teams to lead and, once the risk appetite is established, allow management to expand and manage the business in a defined and consistent manner. A major risk to any business is not expanding into new and relevant areas and markets. The key to success is expanding with a clear risk management process, which is clearly outlined and auditable. Risk management is a skill set and, once embraced, is rewarding in terms of liability and profits. No firm can succeed and grow without risk management processes in the forefront of all management discussions and strategic planning processes.
Paybefore: So, to fulfill their compliance obligations to their regulators, the banks are going to conduct frequent audits on their partners?
JW: That’s right, and I know that there’s been some grousing because the best bank issuers in prepaid have become extremely rigorous in conducting audits of their partners, but that rigor is good for everyone. Directors of the issuing bank and the company being audited should welcome rigorous audits.
A tough audit process is good for the issuing bank because it verifies its hands-on and consistent oversight of its partners; it’s good for the directors of that bank, who can feel comfortable that its compliance obligations are being fulfilled; and it’s good for the organization being examined because if there are issues, the audits can identify problems that can then be remediated.
To a large extent, government is requiring businesses to share the responsibility of compliance as a part of strong corporate governance.
Paybefore: You mentioned at the outset that the strong corporate governance movement isn’t limited to the U.S.
JW: People are often surprised that the corporate governance movement is a global phenomenon, especially when I tell them that some countries that many consider higher risk have the most aggressive rules; for example, some countries put very tough laws on the books but do little to enforce them. That will be the challenge of the next few years: building a global environment that adopts and enforces strong corporate governance and seeking a balance between allowing firms to expand globally but doing so in a rational manner.
Paybefore: Let’s not beat around the bush. In many situations, you’re the guy—and I mean you, personally—who’s hired by bank management to go into the board room to educate directors on their responsibilities with respect to compliance. And, you’re the one who’s telling them—in some situations, for the first time—that they’re responsible for ensuring that the bank isn’t involved in money laundering and terrorist financing, which is pretty scary stuff. How do boards react?
JW: If it’s the first time, then, to start, the directors will be a little quiet; oftentimes because they didn’t previously realize that these areas were part of their oversight responsibilities as directors. Then, they begin to understand that although we’re talking about very serious issues, there are things they can do to educate themselves. Directors follow a path based on their personal experiences and skill set to bring passion and subject matter expertise to the larger group, perhaps in a leadership position on a risk management committee, such as audit or compliance and ethics.
The education process empowers directors to fulfill their responsibilities. I’ve never seen any director turned off by the offer of education or additional training; they are appreciative because they realize there are resources to help them fulfill their responsibilities.
After a while, I believe, they look forward to education and training because it makes them more confident in carrying out their board duties.
Paybefore: How can directors help promote a culture of compliance?
JW: It’s not all on the board. Creating the culture of compliance is a joint responsibility of management and the board. But, it’s important for directors to take a leadership role in this area, and if compliance isn’t a priority of management, the board needs to make it become a priority.
More than one board chair has told me that he didn’t understand that it was the board’s role to create and nurture a culture of compliance. That view is why board education and talking about the topic in venues like Paybefore are important.
Paybefore: If friends asked your advice about joining the board of a financial services firm, what would you say?
JW: By all means, I’d say go for it. Yes, it is a big responsibility, but it’s also a huge honor that I want my friends to have. I’d just want to make sure they went into their directorships with their eyes wide open, and I’d give them a copy of our discussion to introduce them to the questions they should be asking management and an overview of the responsibilities they’d be taking on. But, yes, go for it!