Why “Paper” Compliance Programs Fail – A Wake-Up Call for Financial Institutions

8/7/2025

Introduction:
In today’s regulatory landscape, compliance is no longer optional. Yet, many organizations fall into the trap of “paper compliance” — programs that look good on paper but fail in practice. From international scandals like Toshiba and Wells Fargo to local penalties on banks and exchange houses, the warning signs are clear: ineffective compliance can cost reputations and licenses.

The Dangers of Paper Compliance

Corporate scandals at Toshiba, Wells Fargo, Siemens, and Enron prove that compliance programs that exist only on paper will eventually be exposed. Closer to home, penalties have been issued against banks, exchange houses, and insurance companies for failing to implement truly effective compliance frameworks.

Case Study – Toshiba

Toshiba, once regarded as a leader in corporate governance, had adopted American-style governance principles. Yet, in 2015 it was revealed that the company had overstated profits by $1.2 billion over several years. The underlying causes included autocratic leadership, a lack of speak-up culture, and — most critically — the absence of meaningful internal auditing. The audit department conducted little actual auditing, focusing instead on consulting activities, which allowed risks to remain hidden.

Why Do Compliance Programs Fail?

1. Weak Oversight by Boards

Many Boards lack the knowledge and awareness necessary to oversee compliance effectively. The independence of Compliance Officers is often undervalued or compromised, and when revenue targets take precedence over compliance priorities, oversight suffers. Without genuine commitment from senior leadership, “tone at the top” is absent, and compliance remains a symbolic, ineffective exercise.

2. Superficial Risk Assessments: A Desk Exercise Done by Consultants

Regulations require financial firms and DNFBPs to assess their ML/TF risks, but many risk assessments are “copy-paste” reports prepared by consultants with no engagement from frontline staff. There is often no RCSA (Risk and Control Self-Assessment) process, no operational input, and no challenge from the Board. As a result, reports fail to capture an organization’s unique risks and are produced solely to satisfy regulators.

3. Policies and Procedures That No One Reads

Lengthy, jargon-filled compliance manuals — sometimes exceeding 140 pages — are rarely read or understood by employees, even though they certify that they have read them. Policies should be concise, aligned with the risk assessment, and written in clear language. Why not a simple 5-page document in plain English? Organizations can take inspiration from “A Plain English Handbook: How to create clear SEC disclosure documents”, published by the U.S. Securities and Exchange Commission (SEC) to help issuers inform investors in plain English without jargon.

4. Undermining Compliance Officers

A compliance program cannot succeed without an independent, empowered Compliance Officer. The U.S. Department of Financial Services fined the Agricultural Bank of China’s New York branch for curtailing its Compliance Officer’s independence and silencing concerns raised with management. Limited resources, conflicts of interest, and interference from leadership severely undermine compliance effectiveness.

5. Internal Audit – The Missing Link

Internal Audit is the third line of defense and a vital source of assurance for Boards. Toshiba’s scandal revealed how ineffective Internal Audit can be when diverted into consulting rather than objective auditing. Organizations must adopt the “Three Lines of Defense” model, ensuring Internal Audit remains independent and does not design compliance programs or draft policies and procedures. Second line functions should not be added to Internal Audit.

6. Ineffective, Tick-Box Training

Training is critical to an effective Compliance Program. Unless staff internalize what a training session teaches, it is likely to remain a tick-box activity: attendance plus an evaluation quiz. Training sessions must be engaging, involve two-way communication, and be relevant to the needs of the participants. Training programs must be synergistic. For example, in 2012, despite attending seven compliance training sessions and receiving 35 reminders, a Morgan Stanley employee, Garth Peterson, engaged in bribing a government official, highlighting that training quality and relevance matter more than frequency. Ultimately, the DOJ brought criminal charges against him.

From Paper to Practice – Ensuring Real Compliance

The U.S. Department of Justice directs prosecutors to ask three questions when gauging the effectiveness of a Compliance Program:

  1. Is the program well-designed?
  2. Is it applied earnestly and in good faith, with enough resources and authority?
  3. Does it work in practice?

Building a True Culture of Compliance – FinCEN’s Six Rules:

  • Visible Leadership Commitment – Leaders must demonstrate active support for compliance.
  • No Compromise for Revenue – Compliance priorities should never be overridden by commercial targets.
  • Cross-Organizational Information Sharing – Compliance teams must have access to relevant data.
  • Adequate Resources – Both human and technological resources must be allocated to compliance.
  • Independent Testing – Programs should be reviewed regularly by independent, competent parties.
  • Understanding SAR Impact – Staff should know how suspicious activity reports are used to deter illicit activity.

Conclusion:
A compliance program that isn’t living and breathing within your organization is as good as no compliance at all. True effectiveness comes from culture, commitment, and continuous testing — not just from having a thick binder labelled “Compliance.”

To know more about our training programs in AML, Compliance, coaching for CISI, ACFCS, GCI exams and for customised professional development program, contact [email protected] | +971553438693 | Crowe UAE Academy

Dawn Thomas
Partner - Governance Risk & Compliance