Compliance Confessionals
Regulatory compliance: who is on point – Legal or Compliance?

Compliance expert and former Head of Compliance, Sylvia Yarbough, shares secrets and insights from the heart of the compliance team.

If you have a compliance confession, or are worried about emerging regulations, visit our Compliance Confession Booth.

I was on the phone the other day with an old colleague, let’s call him Sam (name changed to protect the innocent), who called me to vent his frustrations with a new legal partner. They both supported the same business line. You see, Sam and his last legal partner had found a kind of middle ground when handling compliance issues. Just as they were starting to get along, that legal partner moved on and Sam is now at odds with the replacement.  

Sam’s story is an old one but it goes like this…  


The business was outsourcing a process to a third-party vendor (a Fintech, I might add), and he identified some concerns in the way the vendor was handling Reg E (Electronic Fund Transfer Act) disputes. Based on previous conversations with the new legal partner, Sam knew he was not well versed in regulatory compliance. Therefore, he reached out to the legal partner letting him know that he would bring this topic forward as an issue with the business at the next meeting. He took the time to explain what specifically was problematic with the vendor's practices from a regulatory perspective, and even discussed with the legal partner a fix that would work in the interim while the vendor worked on a long-term solution. He thought he and the legal partner were in agreement and therefore in a position to avoid any contention during the meeting with the business.

Sam thought he had taken all the right steps, then came time for the business meeting. Sam knew the business was very wedded to making this vendor relationship work, so he chose his words carefully but delivered the message concerning the Reg E compliance issues. The business partner, who had lobbied for the vendor contract, became increasingly agitated and then asked the legal partner for his opinion.

The legal partner did a one-eighty on Sam. He took the conversation down the path of legal responsibilities and liabilities under the contract. Sam kept trying to redirect the conversation to the regulatory requirements that the bank was responsible for ensuring were carried out – regardless of it being outsourced – and that the organization could not ignore the issue because the vendor was contractually liable.

How did it end?

Well, let’s just say Sam is still fighting the good fight. The Legal partner basically muddled the focus of the issue from a regulatory one to one of contractual obligations. True to form, the business will often look to the person who is willing to say that no issue exists, especially if that feedback comes from Legal.


Legal v Compliance

During the course of most compliance officers’ careers they will have run across this issue, “Who is on point – Legal or Compliance?”, when trying to provide business partners with appropriate guidance from a regulatory perspective. We have all experienced it (or if you are new to the game, you will experience it). It doesn’t even matter if the Compliance team reports under Legal; these conflicts still arise.

We all know that there are wonderful, well-meaning and well-grounded Legal partners out there, so how do some of us find ourselves in this quicksand over whose guidance matters when it comes to regulatory compliance? More importantly, how can we make sure we are all on the same page when trying to give the business good, sound regulatory compliance advice and guidance?

My personal challenges with my legal partners were different from my friend Sam’s. Because I oversaw Regulatory Change Management for the organization, my team made a concerted effort to engage Legal in all aspects of the process. This included selection of the platform, regulatory content sourcing and areas of coverage. Early on in the development of the process, the majority of these meetings were even with the Chief Legal Officer to ensure full understanding and collaboration.

My team was doing well with the partnership, until we started rolling out state regulations. Remember, this was in the early days post Dodd-Frank, when organizations wanted to stand on federal pre-emption to avoid dealing with state regulations. The business got Legal involved, and I spent the next few years dealing with Legal’s waffling on whether federal pre-emption applied, one state reg at a time. At one point we even had a series of meetings about establishing some level of guidance by product, business, state, etc. — well, that led us nowhere. Every time we thought we had good agreement, the next call with a business partner would prove to us that we still were not on the same page.

Over time, Compliance basically conceded. We would defer to Legal on whether or not the business needed to implement a state regulation. From an oversight perspective, we just made sure it was properly documented when implementation was deemed unnecessary.

Why did we concede oversight of state regulations to Legal?

When it came down to enforcement, it falls on each state’s attorney general to deal with enforcement. Since our organization was federally chartered, enforcement would come in the form of a state lawsuit, which falls clearly into Legal’s area of responsibility. When it came to federal regulations, whether from the CFPB, OCC, FRB, etc., whichever federal regulator had jurisdiction would square off with the Chief Compliance Officer, which made it Compliance’s responsibility.

What I learned from my time dealing with Legal was that if Compliance was responsible for the risk, we needed to have the final say. However, this did not have to be contentious. Sam’s efforts were spot on.


Steps I would recommend


  • Build a relationship with your legal partner. Get clarity on how each of you sees your role in helping the business deal with regulatory compliance.
  • If Legal wants to have the final say on state regulations, let them, as long as it doesn’t run afoul of any federal-related regulation and any agreement on how to handle a state requirement is appropriately documented (yes, a little CYA never hurts).
  • Try to have those pre-emptive discussions with Legal on issues that may be contentious with the business, to ensure that you are both on the same page on how to address the issue.
  • When it comes to work that is outsourced, make sure it is clear to all parties that even though the vendor is responsible for carrying out the process while following the regulatory requirements, the business is still responsible for ensuring the regulatory requirements are being met – regulators do not care about contractual obligations, and neither do your customers.
  • Make sure that in your role as a compliance officer, you are well versed in the regulations that apply to your business and level set on how they are implemented and managed. You are responsible for helping the business mitigate risk; ultimately, the business owns the risk (see my article on the Compliance Officer Role in the Digital Era).

In addition, what I found helpful with some of the more complex businesses was having standing meetings with the first-line risk partner, Compliance, Legal, and the business operations leader. No matter how big or small the organization, there are individuals with these responsibilities, officially or unofficially.

These meetings should be focused specifically on regulatory change, regulatory issues, and (when necessary) regulatory remediation efforts. If you have a lot of outsourced processes, someone responsible for managing the vendor should be included. Standing meetings and review routines with a well-thought-out agenda can aid the continuous dialog around regulatory compliance and help keep the guard rails in place. It also doesn’t hurt to have a well-oiled regulatory change management process in place so your business is not left scrambling and looking for the easy way out.

In closing, I not only remember those contentious meetings with Legal and the business, but I also remember some good conversations where Legal had Compliance’s back. Legal and Compliance can both be strong partners in risk management if we see each other as allies instead of adversaries. It is not about who is on point; I am a firm believer that we are all on point. We need to understand each other’s roles and respect one another’s points of view.
