Commentary: Credit Suisse, Silicon Valley Bank, FTX are reminders that risk and compliance shouldn’t be seen as a chore
The collapses of Silicon Valley Bank, Enron and FTX are lessons about the lack of controls. Hugosave’s Julia Chin weighs in on the need for companies to have a risk and compliance culture.
SINGAPORE: Sam Bankman-Fried’s cryptocurrency exchange FTX collapsed over 10 days in November 2022. Last week, Silicon Valley Bank (SVB), a medium-sized bank little-known outside tech start-ups, crashed within 48 hours after spooked depositors rushed to withdraw their money.
And there is currently a sense of unease around Credit Suisse as the Swiss bank’s shares plummeted after it acknowledged “material weaknesses” in its internal controls on Tuesday (Mar 14).
Some have pointed to SVB not having a chief risk officer for most of 2022 as a key reason why the bank took the wrong risks that led to its downfall. Others argue that loosened regulations on smaller banks to reduce compliance burden during the Donald Trump administration meant US regulators did not have their eye on the ball.
John Ray III, who took over as FTX CEO after Bankman-Fried’s fall from grace, said in court documents: “Never in my career have I seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here.” Strong words, considering Ray oversaw Enron’s liquidation in 2001.
The world has seen the collapse of Barings Bank and Enron, experienced the Asian Financial Crisis and seen the fall of Lehman Brothers, which ultimately led to the Global Financial Crisis. 2022 saw the cryptocurrency crash. United States regulators stepped in to shut SVB, followed by Signature Bank, and had to introduce emergency measures, out of concern it might trigger a broader systemic banking crisis.
Major financial events in the last 25 years should drive home the message that risk and compliance culture is critical and needs to be deeply entrenched for sustainable business. Having no or insufficient checks and governance in place is a recipe for failure.
COMPLIANCE TYPICALLY SEEN AS A CHORE
But risk and compliance are often seen as a box to be ticked to keep regulators satisfied. Businesses tend to view compliance as a roadblock to business growth, with onerous policies, controls and processes. Often colleagues in business units can see compliance as a chore – something to get over and be done with, rather than a crucial step.
In the early 1990s, compliance primarily focused on the Know-Your-Customer journey to combat money laundering. In the 2000s, the urgency to implement financial crime programmes to combat money laundering, counter the financing of terrorism and administer sanctions arose in the wake of the September 11, 2001 attack.
Today, risk and compliance functions have become even more critical, with digital offerings proliferating and a growing need to protect customers against online fraud.
Attitudes towards compliance have improved over the years and more companies are now making more concerted efforts to get their compliance functions right.
Could SVB have survived if there had been more regulatory supervision? Perhaps. But a tighter regulatory environment still requires companies’ compliance to work.
FTX and SVB made me, as they must have others in the risk and compliance profession, reflect on how much more is needed, particularly when it comes to the importance of embedding a compliance culture in our organisations.
LESSONS FROM PROMINENT FAILURES
What are some lessons to learn from the fall of global financial players?
First, companies have a responsibility to their customers, especially those who seek wealth and investment services who tend to have FOMO, or a fear of missing out, and may not fully understand service providers’ business models and systems.
There is still a long journey to go on consumer protection and to ensure the financial ecosystem remains safe and fair for all. How can we protect and educate those who are vulnerable, including our grandparents, our uncles and aunties, even our crypto-curious kids?
American business guru Warren Buffett once said that every employee must be his own compliance officer. More broadly, every employee, senior leader or even investor needs to be confident of what they stand for and make sure they have done due diligence before making any decisions.
At the bare minimum, companies need to ask if they feel comfortable recommending their products and services to their loved ones. Are we confident that our companies’ systems and controls are robust, that personal data is well-protected? It starts with each employee taking personal responsibility and being accountable for the quality of choices, products and services.
Second, compliance culture must be an integral part of every business and not an afterthought. In fact, doing it right is better than doing more.
Especially in fintech start-ups, change is a constant. If the compliance team is involved in the activities of business units, it allows them to raise and resolve issues and gaps early.
Of course, every financial institution has its unique set of risks and vulnerabilities. Standard regulatory requirements provide a good guide and framework, but in truth, there is no one-size-fits-all solution, especially when it comes to policies to deal with financial crime. A good way to start is to understand the regulatory landscape and industry practices before designing a tailored programme that specifically caters to the organisation’s needs.
WOULD IT HAVE CAUGHT RED FLAGS?
Employees with a compliance mindset may not have much impact if the problems start at the top.
Enron had the values it extolled - integrity, communication, respect and excellence - painted on the company’s walls and highlighted in annual reports, but the leadership team still fooled regulators with fake holdings and unethical accounting practices.
With FTX, it was a case of lack of governance. There was no board to question the controls as Bankman-Fried treated the company as his “personal fiefdom” and gave free rein to his inner circle.
But these are ultimately extreme examples. They should tell us that for most companies, the approach to compliance needs to move away from the idea that it is simply a matter of preventing fraud.
Instead, it must be aimed at integrity management - honouring individuals’ moral, ethical and spiritual values which are key elements for proper functioning of organisations. The responsibility of managing risk and compliance is not just on a person or a division. It is about doing the right thing. Throughout entire organisations, everyone must be trained and educated on what the right thing to do is, and how to react when something goes awry.
The post-pandemic operating environment will throw organisations novel challenges and require changing mindsets and robust corporate governance.
To deal with this, companies will need to re-evaluate and build a culture of compliance that corresponds with the demands of innovation, employees, regulators and the community. Those who recognise the importance of this will have first-mover advantage.
Julia Chin is the Head of Compliance at Hugosave, a local savings app.