How to turn compliance from an obstacle to a competitive advantage
With over 36 years of experience, in roles ranging from heading global compliance teams at Fidelity to serving as Director of the Southeast Region of the SEC, Notabene advisor Charles V. Senatore has amassed diverse insight for compliance officers operating in the crypto industry.
During this fireside chat with Co-founder and CEO of Notabene Pelle Brændgaard, Chuck covers:
- A promise he made to a higher-up that earned him a seat at the business partner table.
- Steps compliance officers can take to move from being perceived as the “anti-business” department to becoming an integral part of product teams by contributing early to product development.
- Three things crypto firms can do to encourage regulatory regimes to take a risk-based approach to achieving desired regulatory outcomes instead of mandating the entire technology.
Pelle Brændgaard (PB): Thank you for joining me. Please tell us about your path into compliance.
Charles V. Senatore (CS): It was an unlikely route. But, looking in retrospect, I had a collection of experiences that ended up uniquely suiting me to becoming a compliance officer without ever having planned to become one. I am a lawyer with a multifaceted background.
First, I was a trial lawyer, so I understand dealing with issues like dispute resolution. Next, I became a federal prosecutor and became familiar with criminal laws, how they affect defendants, and how they are enforced. I then became a law firm partner, where I gained an understanding of the client’s perspective. Later, I became a senior regulator at the SEC, where, with a slightly different lens, I got deeper into public policy and understanding the drivers behind financial regulation.
Then I unexpectedly became a compliance officer after experiencing what I would call a “bear hug.” For those of you that are unfamiliar with mergers and acquisitions, a bear hug is a takeover offer that a target must respond to, with enormous pressure to say “yes.” In my case, I received a request from the general counsel for whom I was working, who asked me if I would consider taking on the compliance director role for a significant business unit. I was quite happy with my current role as an in-house lawyer at that time, so I gently pushed back. But it soon became apparent that this was less of a request and more of a demand. So, I began my unplanned compliance journey, which led to me leading global compliance functions, first at Merrill Lynch and later at Fidelity.
Grabbing a seat at the leadership table as a compliance officer
PB: I know that you’re passionate about the value that compliance brings to a business. But, unfortunately, we sometimes hear from compliance teams that they are often not seen as a strategic function but as a necessary evil or a checkbox you just have to deal with. Have you experienced something like this in your career, and what did you do to change this perception?
CS: Great question. Compliance officers are often in danger of being perceived as “the anti-business department.” If compliance officers behave in a way where they’re perceived as always saying “No,” it’s understandable why business partners may see them as an obstacle versus being part of the solution to help the business grow.
I’ll share a quick story. When I first assumed my compliance role, I was surprised to learn that the business heads never dealt with the compliance leader directly, instead communicating indirectly and only on an as-needed basis through staff. I thought this was a little odd. So I initiated a direct connection with one of the business heads. In that first meeting, he asked me why we were meeting. I sensed that he questioned the value of him meeting with me when their practice had been simply to deal with compliance issues through staff when they arose.
I explained that I thought it would make sense for both of us to be better connected and working together. I also wanted a better one-on-one connection with other business leaders. I offered him a promise: whenever an issue arose, I would do whatever I could to find a way to realize the business vision and get to a “yes.” We would think as creatively and responsibly as possible and consider every alternative to reach a “yes,” unless it became abundantly clear that, after all that thought and effort, the answer had to be “no.” In exchange, I requested that he introduce me to the management ranks and invite me to their business meetings.
The change in how the compliance department was perceived didn’t happen overnight. When I first attended a national sales managers meeting and introduced myself as the compliance officer, the people I met were polite but uneasy. But over time, the strategy worked. Within a few years, I was invited to join the business unit’s operating committee.
The message here is understanding that reflexively saying “no” really isn’t a great option. Instead, a real value-add is helping the business get to a “yes” responsibly and consistently, not just with regulation but also with what’s suitable for the company and customers. And that ends up introducing the opportunity for compliance officers to be at the table and be a respected part of leadership.
Crypto compliance is based on classical banking principles
PB: Coming from the banking world, what do you see as some of the biggest challenges from a compliance perspective regarding supporting new crypto-based products?
CS: Today, we rely on principles based on classical banking and payment transactions and apply them to various new constructs. The big challenge is having those same principles work in a new setting.
The industry is experiencing what I would call a square peg in a round hole regulatory phenomenon. Currently, the challenge is to figure out how to take those timeless principles, those underlying the foundations of, for example, the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) customer identification and reporting, and translate them into a new and different world.
We’re facing a rapidly maturing market with lots of new products. Even digital fiat is being discussed in countries where it could become a legal tender. But regulators need to assess what kind of issues they may produce and what bad things could happen as a result. The crypto industry is like a gangly teenager with growing pains, finding their way as they grow. Right now, we’re trying to help the industry mature and grow in a way that doesn’t create counterproductive issues.
PB: It’s a challenge we’re seeing our customers grapple with all the time. And that leads me to the next question. US regulators have a history of a technology-agnostic view on managing ML/TF risks, which has been a boon to the US crypto industry in the past because they essentially let the industry figure out how to solve compliance.
But the recent notice of proposed rule-making (NPRM) from the Department of Treasury seems to be setting a new precedent of more specific technical guidance instead of a more technology-agnostic approach. Do you see this as a general trend that’s coming, or is this something we can take on as an industry to encourage FinCEN to continue with a technology-agnostic approach?
Mandating a technology doesn’t end well
CS: Unfortunately, there is a history where regulators have dictated a particular technology. And frankly, it often doesn’t end well in the long run.
Here’s a well-known example in the securities space. “Write Once, Read Many” (WORM) is a mandated requirement by a books and records retention regulation created over 20 years ago. WORM required records to be kept on optical disks to ensure that records could not be altered. Today, this standard still exists, despite technological innovations that could enable less costly ways to ensure records can’t be changed. To comply, some firms have to duplicate their records by copying them onto those disks. You end up with these two redundant systems. It’s incredibly inefficient, and regulators have been, unfortunately, slow.
The WORM example demonstrates why I believe mandating a technology doesn’t end well. The danger of mandating a technology is that the technology changes, yet the regulation stays set to a specific point in time. It’s hard to unwind it, and it creates all sorts of inefficiencies.
Regarding the recent NPRM, I believe there might be hope that regulators will not mandate a specific technology. Many regulatory regimes, FinCEN included, contemplate a risk-based approach when it comes to regulatory compliance. A risk-based approach allows you to deal with different cases and situations based on specific conditions in a firm, while a mandated or recommended approach may not fit and does not lead to good outcomes. In crafting the NPRM as it applies to unhosted wallets, FinCEN was essentially borrowing from existing BSA principles.
PB: Is there anything you think the crypto industry should do to encourage regulators to take this approach?
CS: There are three things the industry can do.
- Firms should remember that at the end of the day, the onus is on them to create the proper internal controls and be accountable for outcomes.
- The industry must gather as a community. I understand that, in general, individual businesses compete with each other. But when it comes to regulatory compliance issues, in my experience, collaboration and sharing ideas happen more freely. There appears to be an appreciation that “a rising tide lifts all boats.” In my experience, the firms I worked for certainly had competitors. But when it came to compliance, people from different firms were willing to share best practices.
- Engage with regulators responsibly. Having a healthy relationship with the regulators enables all parties to understand the challenges facing an industry while fostering awareness regarding emerging technologies, improving controls, and mitigating risks.
There is certainly a potential for adverse interactions with regulators, particularly when problems arise at our firms. And it’s understandable why some in the industry would want to avoid contact with them unless absolutely necessary. However, even in those circumstances, having a constructive relationship of trust with regulators often goes a long way towards a thoughtful and fair resolution.
Additionally, there are other scenarios in which regulator interest can actually be positive. Often, regulators value their relationship with responsible industry participants because they want to understand where the markets are going and better understand the technology. Regulators, as public servants, have a laudable interest in the integrity of our markets, and keeping up to speed is crucial for executing their mission. Because if they don’t, regulations begin to become out of date and less effective. And if there are new and emerging technologies that regulators don’t understand, they risk finding themselves behind the curve. As such, many regulators are eager to engage and to learn.
Ultimately, our ideal scenario here in the United States, which I assume is also the case elsewhere, is to develop a paradigm where regulators and industry promote responsible innovation by learning together. Some jurisdictions, for example, the UK’s FCA, appear to be further along, with their embrace of sandboxes and proactive collaboration with industry. These are examples of how a healthy regulatory relationship can benefit an industry.
Viewing compliance as a business strategy
PB: When FinCEN started instituting rules for applying the BSA to crypto companies, they tended to react in a few different ways. Some saw it as an opportunity to get regulatory compliance, while others moved offshore. Now, many are starting to see that compliance could be a competitive advantage, particularly in this crowded market that we see today in the crypto space. Do you think compliance can be an opportunity for differentiation?
CS: No question about that. Compliance offers an opportunity for differentiation whether regarding crypto, a banking transaction, or an investment transaction. Whenever anybody handles other people’s money, they really need to care that there are first-class controls and first-class attention to the welfare of clients.
I’ll give you an example from the history of mutual funds. Many years ago, in the early 2000s, there was a scandal where certain mutual fund firms allowed special privileges to a particular client. Basically, the client said, “Look, I will give you lots of money as assets, from which you can earn hefty management fees. In exchange, I want you to allow me to trade more frequently than you allow other shareholders, to enable me to arbitrage various markets, and allow me special privileges to place mutual fund orders after the close of the markets, so I can get the previous day’s price.” This client essentially asked for a unique advantage, as one regulator said, to bet on yesterday’s horse race.
Over 20 mutual fund firms agreed to give the client that unfair advantage. But, once the scandal broke, the fallout for these firms was dramatic. For example, one firm, pre-scandal, had assets under management in the range of $360B. But clients pulled significant assets out post-scandal, resulting in a dramatic loss of assets under management (AUM) down to approximately $60B. Considering that a mutual fund firm’s revenue is based on a percentage of AUM, I think you can imagine the magnitude of investment management fees lost. And it has yet to fully come back to its former glory.
My point here is that clients and investors care about these issues, so having great compliance is a competitive advantage. When you’re in a position of trust, whether it’s doing a transaction, whether it’s providing custody, whether it’s managing investments, or otherwise, people are trusting you with their money. So if you don’t do that well, if you don’t have the commitment and controls, you’re going to lose ground to firms with strong and effective compliance programs.
A great compliance program can bring a large competitive advantage. Going back to the earlier question, when compliance officers work shoulder to shoulder alongside the firm’s leadership and jointly think about these things, this leads to extraordinary outcomes.
PB: We’re seeing more and more institutional players enter the space. For companies that want to service that market, will regulatory compliance become even more important than when servicing the average retail investor?
CS: In terms of the amount of money at stake, yes. However, we should remember that retail investors hold a special place in the hearts of regulators and in the regulatory scheme generally across the board.
For example, when it comes to securities laws, there are stringent disclosure requirements and registration requirements that apply to the offering of securities meant to ensure that investors understand all the details and risks of an investment. This is intended to protect the “mom and pop” investor. However, the securities laws implicitly recognize that institutional investors, or those that are accredited, are in a better position to fend for themselves, resulting in more relaxed disclosure requirements. So institutional investors are presumed to need less protection.
With respect to cryptocurrencies, the risks and opportunities for bad outcomes for investors are actually higher at the retail level. When one considers the plenary risks of loss of assets and volatility versus other investments, mom and pop investors choosing to engage in the crypto markets could lose a larger percentage of their nest egg than an institutional investor.
This goes back to the earlier point of the importance of best practices and controls. Even though institutional investors may have more risk tolerance, they still don’t want to risk the loss of potentially large sums. So, institutional clients want institutional-level comfort. You’ll see custodians that hold crypto looking to compete on enhanced security with respect to key management, anti-hacking protocols, and critical ceremonies. Firms will demand best practices. Over time, reviews by independent parties such as SOC reviews and similar risk assessments will become very important. Because crypto presents a new set of challenges, people will really care that there are robust controls before entrusting their assets to crypto companies.
Involving the compliance team early in the ideation process
PB: If you’re a compliance officer working at a crypto business, what can you do to help the business see potential new growth areas through regulatory compliance, like expanding into new markets or creating new products?
CS: New product ideas will have better outcomes if compliance officers successfully integrate themselves from the start. Nothing frustrates a business more than having a great idea for a use case if they bring in a compliance officer who says it’s not going to work down the road. It creates a lot of frustration and gives rise to the risk of being perceived as the “anti-business” department.
Going back to our earlier conversation, we talked about how compliance officers might tend to be conservative and gravitate to saying “no” in terms of dealing with the business. So the onus is also on them to behave in a way that makes them a business partner.
If the business is thinking about new products, everyone needs to be aligned right from the start and think about it in real-time. I think of this as analogous to an agile program where real-time creation is happening and where product requirements are curated and tested during the development process.
The role of the compliance team here should be to gain an understanding of the new products and keep in mind the timeless principles the regulators care about. If they look back to the essence of what regulators tend to think about, then they can provide input from the onset as to how these principles may need to apply to an emerging setting.
Most compliance principles fall into two major buckets. They are either binary “yes” or “no” decisions or risk-based considerations. An example of a binary decision where there is no debate is the Anti-Money Laundering Currency Transaction Report (AML CTR) requirement to report transactions in excess of $10,000. There is no space for flexibility there and no room for judgment. It just must be done.
But suppose you’re working through a new use case without a specific binary regulatory requirement. In that case, you now have to think about what regulatory principles could apply and what best practice principles you can borrow from to build a program. While you can’t do anything about binary “yes” or “no” requirements except to make sure you identify them, your value as a compliance officer in the absence of such requirements is applying time-tested risk-based principles to get a high level of comfort that you’ve assessed your risk appropriately and proposed mitigation steps accordingly.
PB: With this fast-moving crypto regulatory environment, we’ve seen so much happen in the last year, and we expect a lot more is going to happen over the next 1-2 years. What tips do you have for compliance teams as they put together their compliance strategies?
CS: We talked earlier about how compliance can be embedded more meaningfully as a partner and be part of the business and the importance of regulatory engagement. We just covered how compliance teams need to identify the binary requirements and the timeless principles that enable the adaptation or creation of something new. These are all essential elements for compliance teams to consider as they map out their approaches.
I would like to end with one more point. Today, across the industry, we don’t yet have many people with both the technical know-how and the understanding of how to apply regulation.
The key thing that compliance officers should consider, particularly when entering uncharted waters, is that regulators have these timeless principles that you can use to plan compliance going forward. But at the end of the day, having people who both understand tech and how these regulatory principles will apply to it will be necessary ingredients. The teams with these capabilities will be best suited to nimbly and quickly adapt as new use cases emerge. It will take collaboration among different teams and working seamlessly together to reduce friction and allow innovation to flourish.
PB: Perfect. Thank you very much, Chuck.