Teachable Moments: Transforming Mistakes into Lessons for Compliance Professionals

Recent arrests, fines, and regulatory censors suggest there is still a lot that the crypto and compliance communities can learn from one another. Regardless of the root cause or source of these external events, compliance professionals should transform mistakes into teachable moments. These moments leverage hindsight, help form dynamic feedback and awareness loops, and contribute to improving the organizations’ management of non-financial risks.  

Although risk assessment tables are great tools to house what is leveraged and learned from mistakes or external events, they can be difficult to envisage and extract key or relevant learning points. A stepped lesson template that is focused on considering the mistakes, highlights one’s controls and the impact on the organizations’ strategic growth can be a powerful tool. Rather than focusing on how the risks would be remediated, the template considers risks contra point aka opportunities. Correctly utilized opportunities derived from lessons learned can help organizations exceed Regulatory expectations, tighten controls, and demonstrate that by owning teachable moments, compliance professionals are a value-add go-to function.

When Bad News is Good News

The recent arrests and convictions coupled with Regulators’ pronouncements on money laundering, fraud, terrorist financing, and cryptocurrencies are reminders that even historic bad behavior will be found and punished. Rightly, these events remind society that old laws are very applicable to modern situations and that Law Enforcement /Regulators will pursue historic maleficence, regardless of the organizations’ then maturity status. While the convictions may not apply to the individual organization, compliance officers can still transform mistakes into lessons.

Why is it important?

Once a risk has happened there can be a tendency to focus on the root cause, consequences, and impact rather than insight opportunities. When compliance professionals focus on the opportunities they:

  • learn more ways to navigate 
  • help build better products and services
  • better apply compliance governance to the 4R principles (retain, review and record your rationale) 
  • future proof strategic objective
  • contribute to a wider range of non-financial risks
  • showcase relevance and value-add of compliance

Given all firms know how imperative it is to remain in existence, functions must be able to contribute to strategic growth and customer protection. Therefore, it is important to focus on the opportunities. Compliance professionals know the importance of retaining revenue versus paying money away through unnecessary fines and short-sighted practices.

History will repeat itself!

Successful traders create models that learn to predict patterns and leverage past mistakes and opportunities! It is unquestioned that for traders mistakes or crises create opportunities in the form of ‘teachable moments’ that allow firms to profit in the future. Negative events can include costly remediation or restricted strategic growth by losing your license to trade or take on new clients. Positive events offer opportunities to enhance the firms’ reputational brand with competitors, customers, or Regulators. But to take advance of the positive or negative, compliance professionals must have templates that are alive to the opportunities. These templates should allow compliance professionals to look at mistakes and lessons, through a prism of positive risk assessment or gap analysis.

Lessoned learned template

The first lesson provided by George Santayana when he famously wrote: Those who cannot remember the past are condemned to repeat it.” Read carefully, this aphorism provides compliance professionals with a template to take advantage of teachable moments.  

Here’s a suggested template:

Step 1: Replace the words ‘repeat it’ with ‘miss the benefits and opportunities of hindsight’ 

Use this aphorism to underpin the objective of the task i.e. “using hindsight to find opportunities” that improves compliance!

Step 2: Read your organization’s 5 years strategic objective 

Highlight references to compliance policies, BAU role, AML, Sanctions, or risk-based approach.

Does the strategy reference digitalization, compliance obligations, client protections, licensing, crypto, management of economic crime risks, new payment platforms value add, or sustainable growth?

Step 3: Create a simple table 

Use rows and headings events and risks.

Find examples from the decades of ABC, AML, CFT, Conduct, Fraud, Markets Abuse, Sanctions, Scams, TBML, TM, and Trade violations, and mistakes. Summarize the background to relevant mistakes and violations. This will form the rationale. Your Ops Risk team might be able to help with examples from their ORX databases, provide standardized event wording or library descriptions from their Non-Financial taxonomy. 

Step 4: Add columns

  1. Probability: Has this happened to my firm yet? If ‘Not yet’, does this present any opportunities? e.g. Update training & awareness, add risk flags, or work with a third-party vendor to optimize AML/TM systems. Is this risk, cyclical? i.e. Ponzi and investment scams typically follow periods of economic stress or low-interest rates, or high unemployment.
  2. Lessons Learned: Top lesson learned/teachable moments for the impacted firm, industry, regulator, and organization.
  3. Prevention / Opportunity: What did compliance and the business/risk owner learn? Advance thought leadership and thinking or tighten controls? With hindsight could more be done? Calculate potential cost savings. Does the team possess sufficient diversity of thought to address similar future events?

Step 5: Reflecting on Step 4.3, repeat step 2

Leverage existing feedback loop to make others aware of opportunities (and risks). Present the teachable moments to Ops Risk and Risk Owners. 

By being proactive you’ve shown compliance: adds value, arguments sustainability and, positively contributes to the strategic objective. Take a small bow.

A worked example

Let’s work through an example. As mentioned, the objective is to focus on identifying opportunities, rather than remediating. 

Step 1:

Read OFAC’s action against BitPay

Step 2:

Assume the reader has read their firm’s 5-year plan. Assume reader is employed at a financial institution, crypto, or virtual assets service provider that facilitates and engages in online commerce or process transactions and has a documented AML/Sanctions OFAC compliant sanctions control framework.  

Step 3:

Sanctions
For ease, events and issues are merged with the background and description below.
  • OFAC non-compliance.
  • Failed or ineffective sanctions system and controls.
  • ML/TF violations.
  • CDD/Onboarding weaknesses.
  • Background:

    On February 18th, OFAC fined BitPay. This fine settled BitPay’s ‘potential’ civil liability for 2,102 apparent violations of multiple sanctions programs requirements between 2013 and 2018.  According to OFAC, BitPay allowed persons who appeared to be located in sanctioned jurisdictions (in Cuba, Iran, North Korea, Sudan, Syria, and in the Crimea region of Ukraine) to transact with its active merchants in the US and elsewhere.

    BitPay’s platform permits transactions in digital currencies. BitPay’s systems and controls were able to gather locational information. The locational information included IP addresses and other locational data, about those persons before effecting the transactions. This information would / should have caused BitPay regulatory compliance systems and controls to stop, prevent, freeze, or at minimum report these transactions.

    BitPay’s crypto payment service commenced in 2011 and in 2013 appears to increase their active merchants. OFAC acknowledged BitPay had financial crimes compliance systems and would continue to implement enhancements to CDD and travel rule processes.

    Additional Reading: 

    • OFAC – BitPay
    • Serbian Founder of Digital-Asset Companies Indicted in International Cryptocurrency Scheme
    • Founder Of $90 Million Cryptocurrency Hedge Fund Charged With Securities Fraud And Pleads Guilty In Federal Court
    • The governor of the Reserve Bank of India (RBI), Shaktikanta Das has raised fresh concerns over the impact of cryptocurrency investments on the country’s economy but is optimistic about the launch of a digital rupee
    • Bitfinex and Tether have been banned from operating in New York and must pay a fine of $18.5 million as part of a settlement with the New York Attorney General’s (NYAG’s) office over a case dating back to 2019
    • The guidelines set out four principles for all CBIRC-regulated financial institutions to incorporate in their reputation risk management systems.

    Step 4:

    Has this happened to my firm yet? Not yet.

    ProbabilityLessons Learned /Teachable MomentPrevention/ Opportunity
    High.
    1. Not fined yet
    2. Firm is expanding suite of online products and
    BitPay: Using CDD and client data did not implement a risk-based approach before permitting transaction.
    Industry: Strength and weaknesses of payment gateway transparency/ infrastructure. Compliance matters.
    Regulator: Quality of 5yrs of payments data and IP tracking software.
    Org: Importance of e-2-e financial crime controls
  • Reduce silo/align transaction monitoring, name screening, and sanction controls –non-remediation savings $5.5M.
  • Draft policy and ensure a clear understanding of cryptocurrencies, digital wallets, investigations, CTR, SAR, STR, use of IP addresses in client on-boarding, and network analysis.
  • Opportunities:

    Update, optimize anti-money laundering, sanctions, and transaction monitoring controls. Reach out to third-party vendors, are they releasing or updating their modules?

    Step 5:

    The firm’s 5-year plan is to permit existing, new clients and connected clients to transact (purchase, hold, and buy) use digital currencies, including crypto, CBDC, and Stablecoin. Compliance recognizes international Regulators’ requirements and expectations on these currencies.

    In particular compliance notes regulation on that the travel rule, record-keeping, payment transparency, social networks, STR reporting, and digital wallets are applicable across all financial and non-financial companies (including VASPs) risks and controls. Compliance sees an opportunity to collaborate with business on a new product, enhance existing CDD processes to make these products immediately available to applicable clients, and use payment transparency data to improve the STR filing and streamline e-2-e controls. Also, compliance sees opportunities to work with investigations in IP address/social networks. We can (i) showcase our proposal to the Regulator in Q3 and (ii) in advance of any new product, add new risks and controls Ops Risk Non-Financial taxonomy library. 

    Conclusion

    Through the BitPay notice, OFAC reminded financial institutions and the crypto community, supervised or not, of its expectations that systems and controls conform to a basket of new and old rules and regulations. The notice showed that while some of the rules might have aged they remain applicable to the modern situation. There are a lot of mistakes the crypto and compliance communities could leverage.

    Given the recent fines and widening of gatekeepers to include VASP and non-financial service providers, learning and not repeating mistakes should be viewed as opportunities that allow the compliance professionals and the business we support to look forwards!

    SPEAK TO OUR EXPERTS

    Request a Demo

    Request a demo of our compliance tools to ensure your business is protected.

    Request a Demo

    Related content:

    The State of Financial Crime

    Technology, regulation, and the future of financial crime compliance. Read annual report…

    Read

    The Challenges of PEPs

    Global financial authorities require banking and FIs to implement suitable PEP screening measures…
    Read

    Case Study: Santander

    Santander partnered with ComplyAdvantage to automate their onboarding process…

    Read