The recent issuance of Resolution No. 4595 of the Brazilian Central Bank (“BACEN”), in late August, seems to have finally shed light on what is expected of a Compliance program in a financial institution.
Indeed, the resolution brings some measures worth mentioning.
The most relevant measure adopted, despite its simplicity, is the prohibition on linking the financial compensation of Compliance team members to the performance of the institution's business areas. This prohibition is a good regulatory rule for avoiding conflicts of interest. It is a governance measure that might seem simple; however, in the financial system more than in any other sector, it is a role of the Compliance team to prevent certain negotiations whenever there is a risk of money laundering related to persons involved in the transaction (such as politically exposed persons, individuals listed on some fiscal blacklist or related to suspicious activity, etc.).
Thus, the requirement of an independent compensation plan places Compliance in a legitimate comfort zone from which to raise the red flag and point out potential issues in transactions that look beneficial under commercial standards.
Other provisions of the Resolution should also be highlighted.
The rule sets forth the “classic” structure of Compliance programs for the banking universe: establishment of a Compliance department, specialized staff, training, etc. So far, nothing new. However, the Resolution's fifth section, item VII, innovates by specifying that the Compliance function must be performed with the widest access to “the necessary information for the exercise of its tasks”.
The novelty is that Compliance is assured a power, that of access to information, which even high-level managers normally lack: the power to access information on all portfolios (especially if the bank's Compliance area is unified for the conglomerate, that is, for the entire corporate group). Compliance must have unrestricted access both to the portfolio of legal entities and to the profiles of private banking clients and their transactions.
Yet, in this scenario, a note for Compliance professionals: the mere refusal to release such information to Compliance indicates a red flag, even if classified as being of minor importance. Usually, timing is a key factor in a well-executed Compliance program. As an example, certain suspect transactions must be reported to the Financial Activities Control Council ("COAF") on the very next day after Compliance identifies the red flag.
The Resolution also makes a good point by requiring banks to keep records of Compliance activities through an annual report, which must be kept for at least five years.
The issuance of the Resolution is a necessary step to consolidate "Anti-Money Laundering Compliance" (“AML”), which is already settled in international banking regulations and whose legal enforcement was crowned in Brazil by the Money Laundering Law reform in 2012. Nevertheless, the Resolution poses some challenges.
The first one refers to interna corporis relations. Although the Resolution established that Compliance must report directly to the Bank's Board (to which it shall also report annually, or to the Officers, in case the Board is not installed), it missed the opportunity to give directions to financial institutions regarding the confluence or segregation of the activities attributed to Compliance and those attributed to the audit committee, a mandatory body in large financial institutions.
In the absence of regulation, banks might rethink the structure of the audit committee and of their own internal audit, given that much of the work of detecting money laundering red flags can be performed by the internal controls executed by the internal audit. Still, not all functions of the Compliance sector and the internal audit will coincide. They might remain two segregated teams, so as to avoid conflicts of interest.
It is worth highlighting that the Resolution clearly indicates that bank Compliance may view the institution in a systemic way, which means taking into account not only money laundering and corruption but also “other risks incurred by the institution”. It makes reference to the risks related to the financial activity itself (liquidity risk, credit risk and market risk, all considered as operational and legal risks intrinsic to Compliance).
For this reason, the structuring of the Compliance team should consider a multidisciplinary group, formed by legally qualified individuals responsible for analyzing legal risks, but also by economists and other experts capable of giving relevant input to the compliance activities.
It is important to emphasize that specialized training qualifications in money laundering or in the financial market must be taken into account.
In this complex context, a key issue remains: is it wise to maintain a unified Compliance for the entire economic group?
We believe that the institution has to consider two factors in order to answer this question.
The first one refers to the reasons that led to the segregation of the institution's activities into different companies.
If the economic group was formed to serve the demand for different kinds of services from the same group of customers, a unified Compliance can be a highly efficient solution.
However, if the different companies of the group deal with varied customer profiles, a unified Compliance might be inefficient. For example, if a company in an economic group focuses on public-private partnership project financing, it is worth considering segregating the Compliance sectors and enhancing anti-corruption controls, bearing in mind that financing activities that damage public property are considered misconduct under the Brazilian Anti-Corruption Law.
In this case, this does not mean that structuring a Compliance system parallel to the entire economic group is the answer; rather, it is about assigning some employees to focus on deeper analyses from an anti-corruption perspective, beyond AML control.
Another factor that deserves attention is the fulfillment of obligations undertaken abroad: a unified Compliance might best satisfy the requirements enforced by international regulators (compliance with FCPA's accounting provisions, SOx requirements, SEC reports, OFAC requirements, etc.).
At the same time, if the exposure to the foreign legal “risk” is well segregated, it might not be necessary to execute the abovementioned controls on the entire group, since doing so increases operational costs.
Finally, if the segregation was aimed at distributing distinct activities (for example, real estate investments, agribusiness investments, etc.), it might be necessary to consider the possible need for specific AML controls for certain activities carried out by companies of the conglomerate.
To satisfy the Money Laundering Law and the regulators that act alongside COAF in the control of suspicious transactions, Compliance tends to be more functional when organized by portfolio.
BACEN Resolution No. 4,595/2017 certainly clarified some paths that have been acknowledged for decades, given that the financial market pioneered AML Compliance. Yet, so far, the Resolution's main achievement has been to make clear that the internalization of the Compliance function is an extremely complex governance task, which requires specialized assessment.
While banks hurry to meet the December 31st deadline to implement their compliance programs, Compliance professionals should pay attention to specific demands arising in the financial market and to the future regulatory norms that are expected.