Today's post is by guest blogger, Michael Blaes.
On Tuesday, JP Morgan Chase (JPMC) and U.S. District Attorney Preet Bharara announced a landmark settlement of claims arising from the fraudulent schemes perpetrated by Bernard Madoff. As reported in the New York Law Journal (subscription required), Bharara took the opportunity to emphasize that the settlement should stand as a clear and critical message on reporting compliance for banks and as a harbinger of things to come.
The article and the investigation both demonstrate a principle I like to call the “Mosaic Theory” of non-compliance. Each of the myriad compliance failures, while serious, could not possibly justify the magnitude of enforcement action taken against JPMC. When viewed as a whole, with the benefit of hindsight, though, each insular failure becomes part of a terribly damaging portrait of systemic insufficiency.
It is not as though no oversight was being performed. It was. The investigation highlights many points at which the oversight of the Madoff accounts roused the suspicion of qualified employees. But JPMC’s failure to aggregate the points of suspicion into one holistic body of evidence eventually damned them.
When the scheme inevitably came toppling down, a sober review of the evidence showed that JPMC, at various points, knew that suspicious activity existed in the accounts and either didn’t investigate further or didn’t even allow their own disparate points of suspicion to coalesce into the necessary motivation to sound the alarm bells with the government. Ultimately, it appears JPMC decided not to file Suspicious Activity Reports many times. Although each decision may have been defensible, the government nonetheless held the company responsible because taking no action, given so many points of concern, was not.
So what can the compliance community take away from this? I think the answer is twofold:
- The pivot away from the American attitude toward technical compliance with a set of rules and toward a more European model of compliance with a set of principles will continue.
- Bharara’s message seems to be that our compliance programs cannot achieve the goal of protecting customers with a set of prescribed policies and procedures, without an overarching culture of compliance with an eye toward constant personal vigilance. The point: a compliance officer cannot possibly be everywhere, so everyone has to be a bit of a compliance officer for the program to be effective.
On the first point, the agreement between JPMC and Bharara represents a very serious change in the tone of enforcement in the U.S. It does not seem that JPMC had an opportunity to propose that in each insular case it behaved within the strict prescription of the rules and therefore avoided liability. Instead, Bharara concluded that because JPMC failed to meet the principal purpose of the rules, it failed to fulfill its duty. If that is the case, then our collective obsession with merely meeting the technical compliance with regulations is misplaced, and we must begin to evolve toward a more principles-based approach. That approach will demand that compliance officers devote more time and energy toward educating all stakeholders, enterprise-wide, about compliance initiatives. Compliance must not merely be a department that has to be dealt with, but rather an attitude to be embraced universally. That’s the only way to assure that both the rules are met and the principles underlying them are adequately represented.
Secondly, if we can be prosecuted based on principles, then we must be able to demonstrate that we have incorporated those principles into our everyday actions. Accordingly, the compliance officer will become less of a manager of technical programs and more of a champion of the compliance culture – helping employees understand the dangers of non-compliance, highlighting the business benefits of doing the right thing and empowering everyone to make it their business to assure compliance even if it might impact short-term returns. Only by engaging employees and empowering them to not only note but also take action upon their compliance concerns will we create the necessary culture of compliance that will insulate us from liability.
I won’t speak on whether or not I feel the agreement is appropriate in scope or magnitude. But I think that if it moves us as a compliance community toward building a culture of compliance, and away from our fixation on meeting the rules without regard to the purpose underlying them, it just might be a good thing.
Michael Blaes leads Counsel On Call’s office in Minneapolis, Minn., and designs innovative legal and compliance solutions for clients across the U.S. He is a former senior compliance officer for IMI Cornelius and U.S. Bancorp, and worked as an associate with law firms in Minneapolis and Chicago.