Three Steps to Encourage Proactive Regulatory Compliance.

Get your .COM to act like a .MIL to encourage proactive regulatory compliance.

Companies can take three steps to encourage more proactive (vs. reactive) regulatory compliance within their enterprise: if you Measure, Institutionalize, and Lead (“MIL”), your company will soon be “leaning forward in the foxhole.”


Management expert Peter Drucker is credited with the axiom “You can’t manage what you don’t measure.” And this is just as true for compliance as for any other core business function. If you don’t measure your regulatory compliance activities, how do you know if you are succeeding in mitigating risk? How do you know what’s working and what needs fixing? And, in the unfortunate event of an enforcement action, how does management demonstrate its historical commitment to compliance-related activities? Metrics are the lifeblood of a proactive approach to regulatory compliance.

But you need to get behind the numbers for a metric-based approach to work. In a 2013 Wired article, data scientist John Candido observed “Understanding why you are using a particular type of math is more important than understanding the math itself.” And this is certainly true when using data to inform your approach to proactive regulatory compliance.

A recent case is instructive. According to the Wall Street Journal, the SEC has undertaken a probe of Bank of America. The probe is looking into whether BofA has complied with a provision of the Securities and Exchange Act of 1934 called Rule 15c3-3. Essentially, the rule requires investment banks and trading firms to keep enough liquidity in rainy day funds (known as “lockup”). The idea is that, in case of failure, the bank would have adequate on-hand resources to make its customers whole. But the WSJ article reports that New York-based executives in BofA’s Merrill Lynch brokerage may have designed complicated trades and loans to game the lockup requirements, which banks are obliged to report in a weekly calculation of net liabilities to clients. So while the lockup may have been sufficient based on the math, the way the bank calculated the data drew costly regulatory scrutiny.

A proactive compliance plan should rely heavily on data. But it should also constantly challenge the manner in which the enterprise is using the data.


Constantly challenging compliance metrics requires a dynamic, institutionalized approach to the compliance function. Periodic compliance audits and samples are insufficient. Managers put them on the calendar, prepare for them, and then relax their attention once the instant activity has passed.

And the larger the company, the more imperative it is that the compliance function has become ingrained. What’s needed is the development of a culture of compliance; and, the larger the business, the more difficult it is to develop and nurture the appropriate corporate culture.

In February 2012, the Air Force proposed that the San Antonio, Texas office of Booz Allen Hamilton be debarred (prohibited from doing business with the federal government). According to the Air Force, a senior manager allegedly shared with colleagues protected, non-public information regarding an IT contract. The information gave Booz an unfair advantage, and the conduct “caused the Air Force to have serious concerns regarding the responsibility of Booz Allen, specifically, its San Antonio office, including its business integrity and honesty, compliance with government contracting requirements, and the adequacy of its ethics program.” Booz commissioned an independent evaluation of its ethics program. And the preliminary report from the evaluator observed, “while Booz Allen has a comprehensive ethics program and [] its senior leadership may embrace such beliefs, Booz Allen’s ethics message may not be inculcated throughout the firm and specifically, beyond its headquarters location.” Essentially, the evaluator concluded that Booz had failed to institutionalize its compliance program.

Companies must constantly seek to institutionalize their compliance programs. The fact that senior leadership is championing compliance should not lull companies into a false sense of confidence; buy-in must be inculcated throughout the enterprise.


Booz suffered a modest fine and avoided debarment. A slap on the wrist. And, as a former prosecutor, I can attest to this largely being a result of strong C-Suite leadership. The government takes notice when senior management drives proactive compliance. In the military, and in many B-School classrooms, this is called “leading from the front.”

There’s a country music song written by Rodney Atkins called “Watching You.” The lyrics describe the first time a Dad hears his son curse. The Dad asks, “Where did you learn to talk like that?” And his son responds, “I’ve been watching you.” Later that night, the Dad is heart warmed to see his son praying at his bedside. The Dad asks, “Where did you learn to pray like that?” And his son responds again, “I’ve been watching you.”

Senior management needs to lead from the front to properly promote proactive compliance. Once measured and institutionalized, proactive compliance should be rewarded. Hiring and firing decisions should incorporate indicia of proactive compliance. Bonuses should be issued as frequently for stellar compliance as for stellar sales. But most of all, senior management needs to own proactive compliance, and not simply pay it lip service.

Wall Street has recently seen a significant uptick in regulatory activity relating to enforcement of the Foreign Corrupt Practices Act, or FCPA. The FCPA generally precludes companies from giving anything of value to a foreign official to win business or curry favor. While bribes given by improperly motivated, ill-trained middle managers have been prosecuted for years, the new regulatory scrutiny is unique in that it involves senior decision makers arranging jobs for the children of high-ranking Chinese government officials. The WSJ has reported that the probe into J.P. Morgan is one of the furthest along. Purportedly, J.P. Morgan hired the son of China’s commerce minister, Gao Jue. And they are now presumably expending huge sums trying to establish that the hiring was based on Mr. Jue’s professional skills and not the identity of his highly positioned and influential father.

The boys and girls in HR are unlikely to have independently identified and hired Mr. Jue. It’s more likely that US-based senior management made or acquiesced to this decision. The WSJ identified documents that “offer the first evidence to date that executives outside Asia were aware of accusations about the bank’s foreign recruiting before federal officials started asking questions about the bank’s practices,” wrote Emily Glazer. “Securities and Exchange Commission investigators are examining how much people at J.P. Morgan’s headquarters office knew about the bank’s overseas hiring, a person close to the probe said. A spokesman for the SEC declined to comment.”

It appears likely that J.P. Morgan’s executives failed to lead from the front. And now, they only have themselves to blame if the entire enterprise becomes a bunch of potty mouths.

To practice proactive regulatory compliance, take a page from the Pentagon’s playbook: Measure; Institutionalize; and, Lead.