Editor’s note: Compliance Week is thrilled to honor Tamar Frankel for Lifetime Achievement in Compliance at the 2022 Excellence in Compliance Awards. Frankel, who worked 50 years as a law professor at Boston University, has authorized Compliance Week to share excerpts from her book “Institutional Self-Regulation.” Below is a passage from the book’s chapter on investigations to prevent violations of the law.

Culture involves rules of behavior that are accepted and imposed by the group or group leaders. It is the attitude of “we do not do this here!”

So, what does culture in noneconomic terms mean? It seems to include business behavior: (1) fair treatment of the customers; (2) maintaining the institution’s reputation for trustworthiness; and (3) legal behavior or compliance with the law. This view focuses on the actors’ approach, habits, and behavior. In short, it focuses on people.

For example, risk avoidance culture in noneconomic terms seeks to establish:

  • How do employees actually behave?
  • What drives behavior within the organization? What incentives, rewards, and advances are provided to induce behavior? Are the compensation and punishment policies aligned with risk culture?
  • How are the activities within the organization aligned with risk avoidance policies?
  • Notwithstanding government and corporate written policies, the important question is: Do the board, management, and employees really mean it on a day-to-day, consistent basis and even when no one is watching?
  • How do the bottom-up and top-down structures contribute to risk management? Do the board and the CEO focus mostly on profits, regardless? Or do they also ask how the profits were made?

Regulators aim at considering the root problem and documenting it. An unhelpful but truthful answer about compliance is: You know risk management culture when you see it. Regulators will expect institutions to develop their own programs and focus on the issues that might result in violations of the law. To find out the answers to these questions, we ask:

  • Do the actors within the enterprise follow the written policies?
  • Do they follow the policies, even if they are exposed to enticement or coercion? Do they like to behave in this fashion?
  • Are they proud of behaving in this way?
  • Does the firm conduct a self-assessment when it sees a red flag?
  • Are there patterns of behavior that have to be addressed? For example, how long did it take to resolve a risk problem or a supervision problem?
  • Recognize the internal conflict raised by “risk appetite.” The firm and its leaders, management, and employees face a conflict, described as an institutional or personal “risk appetite.” We may call it “financial returns appetite.”

There are many temptations and justifications for people to take risks, especially if (1) they risk other people’s money; (2) the government is backing at least some of the risk; and (3) there is a reasonable probability of higher returns. After all, returns are more tangible and positive.

Here are suggestions for mediating between the business and the restrictive law:

  • Business: What is the dollar difference between acting and not acting? Should we slow or terminate the activity all at once? Is it a long-term or short-term issue? Does the rule affect the business as a whole or only part of it?
  • Law: What is the chance of action? What is the chance of it reaching the legal violation stage? What is the chance of the actors being caught? What is the chance of their being held responsible for a violation? How serious is the violation going to be?
  • Test: What is the nature and extent of the harm to society, the firm, the growth of the firm, and the actor?

How could firms, their management, and employees be induced to curb their “risk appetite”? Numbers do not help in this case. One suggested key to the answer is judgment, based on experience.

Regulators have begun to pay far more attention to the activities and leadership of the boards of directors and their impact on business managers. The regulators expect the board of directors to (1) distinguish between the various departments in the organizations with respect to risk; (2) identify the impact of the departments on the choice of personnel; and (3) evaluate personnel behavior.

For example, regulators pay more attention to (1) HR hiring policies and personnel activities outside of the policies; (2) the personnel’s response to the occurrence of lapses; and (3) attendance and assessment of consultants and surveys of third-party assessments.

Unlike active supervision, culture involves internal value guidelines and self-regulation. The more employees are policed, the less they might feel obligated to behave as they should on their own. Therefore, there must be a balance between policing and respectful trust that would induce employees to behave as expected and be proud of being trusted rather than fearful of being caught.

At the same time, supervision, and awareness of supervision, is necessary. There was a case of a small bank that hired three people from a very large bank. They were granted authority to trade in securities, placed in a separate building, and hardly supervised. They brought this small bank down.

What was wrong with this arrangement? Was their background checked? Why did they leave the large bank? What were their ambitions? When they were hired, what facilities were given to them and how much supervision was imposed on their activities?

The regulators’ new approach is not free of criticism. First, if the small or big banks do not take any risk or very little risk, they open the door to “shadow banking,” which may not be regulated and may harm investors. Second, smaller institutions are not expected to impose the same level of formality as large ones do, and yet there is a concern that these small organizations can expose investors to unfair predatory services. They present unfair competition for regulated institutions.

One response to this criticism is that shadow banks, which are small, do not pose risk to the entire economy or financial system. In addition, large banks can publicly demonstrate their tighter regulation in ways that small institutions cannot. Therefore, large institutions can compete by demonstrating their trustworthiness. Arguably, business partners of large banks may have greater “risk appetite” with the support of the large banks. They may pose risk for the system as the banks themselves do. Therefore, the banks should choose their partners with great care and ensure their reliability.

The harm of bank failures is borne by the financial system as well as unsophisticated investors. However, banks that practice investment management must comply with the Investment Company Act of 1940 as well as the regulation of broker-dealers to give investors suitable advice. If they fail to do so, investors suffer.

It is impossible and undesirable to impose the same rules on each of the bank holding company’s varied activities, yet they are all performed under the same roof. It is difficult to keep different cultures under the same roof as well.

As we already noted, the liabilities of the boards of directors are very difficult to define. The boards must set the risk parameters and expectations, but by definition a range is not specific and is subject to judgment. Management must execute a business plan that meets the parameters. The regulators do not require boards to ensure compliance yet have not found the appropriate word for the degree of the board’s responsibilities.

The words used may be “oversee” or “responsible for an appropriate culture” or “execute an appropriate culture”—all of which are just short of “ensure.” But the board can pick up some signals: If managers are resentful of constraints, employees will be; if management delays responsibility, so will other employees.