You may have seen news last week that a Swiss bank, LLB Verwaltung, paid $10.7 million to the Justice Department to settle charges of tax evasion. The deal is notable because the bank’s compliance officer had warned senior executives about the risks they were taking — warnings that senior bank executives chose to ignore. So that’s a victory for the importance of compliance officers, right?
I’m not sure that’s the most useful lesson to take away from the Verwaltung case.
Don’t get me wrong; I’m all for any enforcement action that underlines the importance of heeding a compliance officer’s advice. But the misconduct in question happened 10 years ago, in a foreign country with a deep culture of bank secrecy. One can’t be too surprised that Verwaltung executives behaved the way they did at that time.
That, to my thinking, is the better point to ponder here. Verwaltung is about the maturity of a corporate compliance function. Compliance officers can use the facts here to diagram an immature compliance function, and gain a better understanding of how mature their own organization’s approach to compliance truly is.
Let’s start with the statement of facts for the case. In the 2000s, Verwaltung worked with an external asset manager in Switzerland to woo U.S. clients. That manager (we don’t have his name) created various ownership structures to mask the identity of U.S. citizens who owned assets in Switzerland, to help those people avoid paying taxes. He put that detail in solicitation letters. It was no secret.
First, Verwaltung allowed that external asset manager to prepare the bank’s account opening and Know Your Customer documentation. Second, by 2008, when U.S. law enforcement made clear that it was cracking down on tax avoidance, Verwaltung’s parent bank in Liechtenstein (LLB Vaduz) banned U.S. citizens from becoming clients — but Verwaltung itself did not.
Third, even after press reports emerged saying the external asset manager was under investigation for tax evasion, Verwaltung kept using him for two more years. Only after the asset manager was indicted did Verwaltung close his clients’ accounts.
Command and Internal Control
I kept going back to that part about the parent bank, Vaduz, cutting off U.S. clients, while Verwaltung itself didn’t. We know that the parent bank didn’t order Verwaltung to follow the same policy, but the statement of facts doesn’t say why not.
Well, there are a few possible reasons. Even if we never know the true reason in this specific case, compliance officers can still derive a lot of insight about how effective compliance programs should work by pondering those possibilities generally.
Start with what we know: the parent bank Vaduz didn’t control what the subsidiary Verwaltung was doing. Either Vaduz couldn’t control Verwaltung’s onboarding procedures and choice of third parties; or Vaduz wouldn’t control those things. Neither scenario is ideal, especially by today’s compliance standards.
If Vaduz couldn’t control what its subsidiary was doing, that’s a breakdown in command and control. A corporation is supposed to work as one coordinated unit. If parts of the enterprise can disregard instructions from the governing authority, that suggests any number of failures around internal control, policy, and procedure.
If Vaduz wouldn’t control its subsidiary, that’s a flawed tone at the top. Either management didn’t understand what it should have done to govern Verwaltung, or it didn’t care.
In 2009, with two foreign companies perhaps not well-acquainted with U.S. jurisdiction, and the global financial crisis weighing on everyone like two tons of bricks — either one of the above reasons could be true. We can’t condone either one, but you can understand where those reasons come from. They fit the facts at hand.
But when you look at today’s understanding of corporate compliance programs, none of this would be acceptable. That’s a more useful analysis to do here.
If an organization doesn’t know, or doesn’t understand, why good conduct and governance of its subsidiaries is important, that’s a terrible tone at the top. You need to question the wisdom of the senior leaders in place. Or if the issue is a command-and-control breakdown, where senior leaders can’t impose their will on subsidiaries, they need to identify why, and fix those weaknesses.
Lessons From Guidance
Let’s start with a failure of command-and-control from headquarters down to the subsidiaries. Central Command devises a policy (“No more U.S. customers trying to dodge taxes!”) and wants the subsidiaries to implement that, but can’t force the change. Why not?
I turned to my trusty COSO Framework for Internal Control to find some examples of why that might happen. Right away my eye went to Principle 12:
Deploys control activities through policies and procedures that put policies into action.
That’s the meaty stuff. That’s what a compliance or audit executive wants to assess when confronted with something senior leaders want to roll out across the enterprise. Assess what, exactly? COSO includes a few “points of focus” that you can examine in your company’s own operations. For example…
- Establishes responsibility: Does management assign specific persons to implement a policy and its attendant procedures? Like, does the C-suite tell the sales team: “You are responsible for not onboarding sketchy customers any more”?
- Takes corrective action: When sales leaders ignore that dictum anyway, does the company follow through with disciplinary procedures? Does it have backup controls to prevent further transactions with the forbidden customers?
- Performs in a timely manner: Whatever corrective action the company might want to take, can it take that action promptly? (This is yet another reason you could cite to integrate compliance with the company’s accounts payable function, so you can block payments directly.) And even before that corrective action, do you have the systems in place to implement the policy and procedures in a timely fashion first?
Those are just a few examples, from just one COSO principle. We could find many more. (Principle 14, for example, is another good candidate: “internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”)
Weak Tone at the Top
If the problem is that Central Command isn’t interested in guiding its subsidiaries to a better standard of governance, a different set of issues comes into play. For example, you could certainly look to COSO principles 1 and 2:
- Principle 1: The organization demonstrates a commitment to integrity and ethical values.
- Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Both principles are vital if one wants a parent company to care about what its subsidiaries are doing. Above all, the board should have enough vim and interest to kick management in the rear if executives aren’t bothering to govern the company’s subsidiaries well.
Still, let’s not delude ourselves. Most directors on most boards won’t be that well-versed in COSO control principles. Neither will senior executives, who have day jobs caring about strategy and operations.
In that case, turn to the Justice Department’s guidance on effective compliance programs. That document has a whole section on senior executives’ commitment to compliance, ethics, and governance too, with the bonus that you can add, “…and this is what prosecutors will ask about if we’re ever under investigation.” Here’s one relevant passage —
Somewhere among these questions above, and the COSO internal control principles, is a path to good governance across a big, sprawling enterprise. That’s what a compliance team needs to figure out for its organization.
So that original lesson from Verwaltung, that a company should heed its compliance officer’s advice? Yes — but that should be obvious these days.
The better exercise is to map out all the mistakes and bad habits that could lead to that scenario; and consider ways to improve controls and corporate leadership so nobody repeats those mistakes today.