Bank Culture in the Trenches

Manatt, Phelps & Phillips, LLP

Institutional or corporate culture is much in the news lately, both inside and outside of banking. Amidst the uproar over Volkswagen's intentional compliance failure relating to emission standards, senior company management felt compelled to admit that the company's culture favored misconduct, not compliance or even a timely admission that significant errors had been made. A tolerance for rule breaking gave way to a "chain of errors" because of this institutional attitude.

In short, Volkswagen lacked a "culture" that favored compliance over misconduct, even if the errors of judgment were eventually uncovered and damaged the company's reputation, sales and standing. The company's extraordinary admission of compliance failure and subsequent press reports seemed to reveal widespread knowledge of the cheating but no tolerance for exposing it and challenging superiors. Senior management claimed to have had no knowledge of these misdeeds, but ongoing investigations will ultimately determine the extent to which the management and the supervisory board have responsibility for the scandal that happened on their watch.

But what does the Volkswagen diesel engine scandal have to do with the business of banking? Everything, it would seem. Since the financial crisis of 2008, the culture of banks at the center of the crisis has been cited as both a contributing factor to the financial meltdown and a symbol of the need for attitudinal change at banks generally. In response, regulators have encouraged banks to take steps to establish appropriate risk and compliance cultures and to step forward and "partner" with governmental agencies in the name of "compliance." Each of these efforts, more of which are likely to come, bears some scrutiny by bank boards of directors and senior management.

In a 2014 speech, William Dudley, the President of the Federal Reserve Bank of New York, described an organization's culture as "implicit norms that guide behavior in the absence of regulations and compliance rules—and sometimes despite those explicit restraints . . . . Like a gentle breeze, culture may be hard to see, but you can feel it. Culture relates to what 'should' I do, and not to what I 'can' do."1 For all its ephemeral qualities, industry leaders recognize that a strong risk culture throughout an organization—from the very top to the lowest staff position—is a necessary adjunct to regulatory review in rooting out bad behavior.2

The most comprehensive and formal effort to codify a risk culture is the Office of the Comptroller of the Currency's (OCC) adoption of Guidelines establishing a heightened risk governance structure for national banks, thrifts and federal branches of foreign banks with $50 billion or more in consolidated assets. While limited in scope to larger federally chartered institutions, these Guidelines are likely to be informally absorbed into the regulatory consciousness of the other federal and state banking regulators and become "best practices" for banks of all sizes.3

The Guidelines acknowledge that there is no relevant definition of "risk culture." However, it is recognized that it can be considered as "shared values, attitudes, competencies and behaviors present throughout the covered bank that shape and influence governance practices and risk decisions."4 In terms of compliance with rules and regulations, it is that which infuses a sense of responsibility for compliance at every level and at every desk within the financial institution, not merely for those whose stated responsibility is compliance or internal audit. By all accounts, Volkswagen's culture was just the opposite, namely, one that, out of fear for job security or an unwillingness to admit failure, tolerated breaking the rules.5

FinCEN on "Culture of Compliance"

Under U.S. banking rules, such tolerance for rule breaking is not accepted or justified. For example, in August of 2014, the Financial Crimes Enforcement Network (FinCEN) of the Treasury Department issued an advisory to financial institutions that targeted BSA/AML compliance but spoke of the need for a "culture of compliance" at every institution, without specifically defining what that would be.6 However, the advisory made it clear that nothing less than full adherence to federal anti-money laundering rules was required without regard to "revenue interests." Moreover, a "culture of compliance" requires a well-functioning system of sharing information within the institution and sufficient human and technological resources dedicated to compliance along with an independent monitoring function.

FinCEN made it clear that the responsibility for the establishment and maintenance of a "culture of compliance" starts with the board of directors and senior management and also includes owners and "operators." The commitment to such a culture has to be visible throughout the institution so that it influences all employees in the organization to keep compliance with the rules in mind as they carry out their daily responsibilities.7

This "culture of compliance" (at least as FinCEN sees it) requires information sharing across the entire institution. Removing silos and encouraging a broad degree of information integration among all units of the institution may be the key to risk culture analyses.8 Moreover, most recently, the OCC endorsed this view in an enforcement action which specifically required that front-line staff, such as relationship managers, monitor and assist in the identification of unusual or suspicious activity in accordance with specific procedures, in addition to those employees regularly engaged in compliance oversight.9

With these regulatory attitudes in place, it is important to understand how the larger picture of risk management at a financial institution should lead to an overall "risk culture" that would stop a Volkswagen-type scandal of noncompliance from forming in the first place. Obviously, the highly regulated world of banking should act as a brake against such aberrant behavior, but some would argue that the financial crisis was born out of a lack of risk culture and that regulatory oversight alone was not sufficient to prevent the practices that led to the crisis.10

Leadership Sets the Tone

It is generally agreed that the tone of an institution's cultural values—particularly its risk culture attitudes—begins at the top with the leadership of its Board of Directors and senior management. Every bank board must take the lead in establishing and promoting the proper risk culture for the institution, its values and awareness of the hazards of the business in which it operates, the importance of institutional communications and transparency and the maintenance of discipline.

The process must start with an assessment of the organization's "risk appetite," taking into account future plans, strategic emphasis, capital blueprints and financial projections. The focus then must shift to the institution's capacity for risk given geography, market sectors, legal and regulatory restraints and institutional size. These considerations—coupled with strong compliance and internal audit functions—set the framework for the development of a strong and long-term risk culture. It is then up to management to embody these concepts and determinations throughout the organization with compensation plans, performance reviews and other business unit supports.

These steps are not one-time occurrences but part of an ongoing dynamic that must be reexamined, refreshed and repositioned on a regular, periodic basis. The world of financial services is in a constant state of flux and the enterprise must respond quickly and decisively to those changes.

With this in mind, here are three takeaways from this commentary. First, self-policing is the best defense against misbehavior or failures, and thus an organization's employees must feel empowered to speak up without fear of retribution. Second, prompt self-reporting of identified deficiencies or failures up the management chain allows for expeditious reporting to the regulatory authorities and active remediation where necessary. Third, senior management and the Board should continually ask the question, "Could an announced cultural failure at another institution happen here?"

Reproduced with permission from BNA's Banking Report, Vol. 106 No. 15, 04/11/2016. Copyright 2016 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com.

1. See Speech by William C. Dudley at the Workshop of Reforming Culture and Behavior in the Financial Services Industry, Federal Reserve Bank of New York, October 20, 2014.

2. See, e.g., Speech by Charles L. Evans, President of the Federal Reserve Bank of Chicago at the Chicago Banking Symposium, June 3, 2015.

3. See 12 CFR Parts 30 and 170, adopted in September 2014 and effective at varying dates stated in the Guidelines. These Guidelines are encompassing and include the OCC's expectations of standards of behavior for boards of directors. These Guidelines are enforceable under the powers granted to the OCC under "safety and soundness" standards.

4. See Statement accompanying the adoption of the Guidelines at page 58.

5. See News Release of Volkswagen, AG, dated December 10, 2015. See also The Wall Street Journal, December 11, 2015, and The New York Times, December 14, 2015.

6. See FinCEN Advisory FIN-2014-A007, August 11, 2014.

7. Remarks of Stephanie Booker at Bank Secrecy Act Conference in Las Vegas on June 18, 2015, available at www.fincen.gov/news_room/speech/html/20150618. The Department of Justice has made it clear that, going forward, its response to wrongdoing will focus more heavily on individual misdeeds, in the hope and expectation that holding individuals personally accountable will change a compliance culture that might otherwise have been seen as tolerating individual failures and treating corporate wrongdoing as a mere cost of doing business. See Remarks by Deputy Attorney General Sally Quillian Yates delivered at New York University School of Law on September 10, 2015, available at www.justice.gov/opa/speech.

8. From FinCEN's perspective, and its goal of enforcing BSA/AML rules and tracking cybersecurity threats, this type of internal sharing of information ultimately benefits law enforcement, particularly if it leads to the sharing of information with law enforcement authorities, either formally or informally. However, from the institution's perspective, information sharing strengthens risk management and reinforces the "culture of compliance."

9. See In the Matter of Wells Fargo Bank, National Association, Consent Order, Comptroller of the Currency, AA-EC-2015-79, entered on November 19, 2015.

10. Lest one think that these suggested structures are only for "big" banks, it is likely that given the apparent regulatory emphasis on all banks for specific credit quality issues and governance-related matters, the issues of "risk culture" or "culture of compliance" will be a significant part of supervisory attention. See, e.g., Joint Statement on Prudent Risk Management for Commercial Real Estate Lending issued on December 18, 2015, at FDIC FIL-62-2015.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Manatt, Phelps & Phillips, LLP | Attorney Advertising
