Nigel's Eyes

20230323 The disciplinary aspect of non-compliance

Businesses of all types have compliance policies and procedures. Where should breaches stand in the degree of seriousness?

When I started articles, my, er, articles included a provision that I would not use the office's stamps for personal purposes. I thought it funny but I was young and didn't realise that in many organisations this form of "pilfering" was quite a serious problem.

In fact, I already knew that dishonesty amongst employees was not merely commonplace, it was endemic.

I worked in nightclubs, even going through several months' training in a large group to be a manager. A large part of the training was on identifying fraud and/or theft in the F&B part of the business. When I go to friends' restaurants and bars today, I am amazed to see the same tricks in use. Nothing has changed since the 1970s except this: now it's the staff who are trained to commit the offences, techniques handed down from one to another. And often it's supervisors who are at the top of the tree: they do more than turn a blind eye, they participate for a share. Absentee owners are being cheated - and so are customers.

I knew one chain of bars where the staff bought inexpensive locally produced spirits and refilled the bottles of more expensive brands. Those refill-proof bottles? No: the valve is removed so that the bottles fit on optics. There's an accounting fraud that goes with it, and those are very well documented.

In supermarkets, there is "wastage"; in offices there is time spent doing anything that isn't for the benefit of the employer; in hospitals, there's billing for a battery of scans and other tests that are not necessary.

I also spent a summer driving a parcels delivery van from the coast to the hills in the north-east of England. I was quick. I was efficient. I was told to stop it. The foreman, also the trade union representative, took me to one side. He told me I was making everyone else look bad and showing that, maybe, they didn't need as many drivers and, worse, if I kept doing what I was doing I would end up costing everyone overtime because, on Saturdays, if drivers timed their return right, they could take a second load and get paid at overtime rates for a second half-shift. And in the week, I was often back and ready to go home several hours before everyone else. So what did I do? I fell into line. I spent afternoons at a girlfriend's house (until someone reported that a van was spending too long in their street!). And I took the second shift on Saturdays because it was the culture, even though I knew it was dishonest.

The thing is that when dishonesty is found, it is usually a cause for immediate dismissal. Why? There's a breach of trust aspect but the real reason is that the employee is deliberately taking action that directly harms the employer.

When someone deliberately breaks a compliance system, that has, or potentially has, directly harmful consequences for the employer.

Employees break rules. They don't always do it with dishonest intent. But they usually know they are doing it and they find a way to justify it to themselves.

I wasn't being bad, I was just making sure none of my colleagues suffered as a result of my efficiency. After all, I was only there for three months, driving around the countryside in, almost daily, glorious weather. They'd be doing it in winter with short days, icy roads and snowdrifts. Even more, they looked after me: on arrival I was given an ancient van with no power steering. I ended up famous (pre-Twitter, etc.) for doing a 300-point turn on the clifftop above Whitby Harbour in a car park that I should never have been in. I got a much more modern van. I ripped the roof under a massive roller door at a Navy supply depot. I thought the door was open to accommodate a bigger lorry but too late discovered it wasn't inside. They pleaded my case. I got bogged down in a field which provided a story for dozens of people in the transport industry who knew my father. My colleagues told the bosses it could have happened to anyone because the map was wrong (it was wrong but I'm not sure anyone else would have sunk their lorry up to its axles in mud trying to turn around in a field). These were my self-justifications. That and the fact that I was paid extremely well: far more than I was paid in my usual holiday job in a law firm.

In health and safety, it is not unknown for a worker to remove a guard from a machine because he finds it easier to work without it. Or for a worker to trail a cable across a walkway because "it was only for a few minutes."

Convenience and expedition are at least as powerful reasons to break the rules as laziness or dishonesty.

There are two types of compliance: internal and external. Internal is where a business designs and develops its own rules for its own purposes. "Don't steal the stamps" is an example.

But external compliance is driven by law and regulation. If an employee steals the stamps, it affects the company's profits but it does not create a regulatory problem. And it does not place his colleagues at risk of prosecution or losing an authorisation that's needed for his job.

That external compliance is an existential threat to businesses. We all look at the massive numbers bandied about as fines and penalties for large banks, etc. small businesses, law firms, estate agents, independent insurance brokers, pawnshops, car dealers...

The reputational damage that arises when one regulator targets a company and others, domestically and internationally, coupled with the time spent on dealing with the synthetic rage of the hashtag warriors and self-appointed guardians of something or other are serious consequences of a financial crime compliance failure.

It's important to distinguish between risk and compliance. Compliance is a technical matter; that's why computers can do it. There should be no discretion: it's binary. The rules say do this, so you must do this.

Risk is an art form and discretion is an inherent part of risk assessment.

It's for the protection of the company, its shareholders and all its officers and staff. Compliance officers often have personal responsibility for when compliance fails but they don't have the authority to adequately enforce against breaches.

It's quite possible that an employee will come up with a better way of doing something which is still compliant. But he should not apply his solution unless it has been approved, even as a test. That's because it's a deviation and deviations are punished by regulators as failures. But employees should be encouraged to suggest improvements, for both efficiency and effectiveness (with the latter being more important than the former if there is a conflict). And those improvements should be properly considered and, even if not made public, rewarded. If they are adopted, so much the better.

Against that background, from a specifically compliance (as distinct from a risk) perspective, failing to follow the policies and procedures should be treated in the same way and with the same seriousness as an offence of dishonesty.

The consequences for colleagues and the company are too dire for it to be otherwise.

And how do we know that it's time to start to tighten up and make it clear that a breach of a compliance measure is gross misconduct, equal to offences of dishonesty or gross negligence, for which the default penalty is immediate dismissal?

We know because a US regulator, in a bribery case, said that the company was liable even though the bribery was performed by staff who deliberately circumvented the policies and procedures that the company had put in place.

If prosecutors and regulators are going to adopt a stance of no-fault liability, then there is no choice but to encourage staff to comply, to teach them how and why, but always against the background that if they don't, they will be dismissed from their job, not allowed to resign with benefits.

Harsh. Yes. But in the current regulatory climate, there is no choice.