Building a Culture of Compliance
A compliance director at a licensed money transmitter tells me that her problem is not following regulations. Her problem is that the transaction processing team does not believe the regulations matter. When she tells them to change a process to comply with a new AML requirement, they ask why. When she explains that the regulation requires it, they ask whether the regulator will ever actually check. When she says yes, they ask whether they will be caught if they do not comply.
This is a culture problem. The business has implemented compliant rules and procedures. The business has trained staff. But the business has not created a culture in which compliance is valued.
Building a culture of compliance is fundamentally different from implementing a compliance program. A compliance program is a set of policies, procedures, systems, and controls. A culture of compliance is a shared understanding that compliance matters, that the business should operate within legal boundaries, and that deviating from those boundaries has costs.
What "Culture of Compliance" Actually Means in Practice
Culture of compliance, in its most basic form, means that people in the organization believe that complying with the law is important and act accordingly. It does not mean that people blindly follow rules. It means that when a rule is unclear, people try to interpret the rule correctly rather than interpreting it in a way that benefits the business. It means that when someone discovers that a rule is being violated, they report the violation rather than concealing it. It means that the business prioritizes compliance over short-term revenue.
In a money transmitter context, culture of compliance might mean: when a customer conducts a transaction that looks suspicious, the compliance officer investigates before the transaction is completed, rather than completing the transaction and filing a suspicious activity report afterward. It might mean that when a staff member discovers that due diligence was not conducted properly on a customer, the staff member reports the discovery to the compliance officer rather than completing the customer file anyway. It might mean that when a customer asks to conduct a transaction that appears to violate sanctions, the business declines the transaction rather than processing it and hoping no one notices.
The difference between a compliant business and a business with a culture of compliance is that in the former, compliance is an overhead cost that the business tolerates. In the latter, compliance is a core business value that the business has chosen to prioritize.
Board and Senior Management Responsibility
Culture of compliance starts with the board and senior management. If the board does not care about compliance, the business will not be compliant. If senior management has not made a clear statement that compliance matters, the organization will not prioritize it.
This begins with board oversight. The board should receive a compliance report at each board meeting. The report should summarize regulatory developments, describe material compliance risks, report suspicious activity filings, describe transaction monitoring alerts, and report any regulatory examinations or enforcement actions.
More importantly, the board should ask questions about compliance. The board should ask: What are our compliance risks? How are we managing those risks? How do we know our controls are working? What happens if we do not comply? If the board asks these questions, the organization will understand that compliance matters.
Senior management should also provide visible leadership on compliance. The CEO should receive the same compliance report the board receives. The CEO should meet regularly with the compliance officer. The CEO should participate in decisions about how to handle compliance issues.
When a compliance issue arises—when an examination uncovers a control failure, when suspicious activity reporting is incomplete, when a customer compliance issue is discovered—the board and senior management should be engaged. They should understand what happened, should understand what the business will do to remediate, should understand whether the issue reflects a systemic problem or an isolated incident.
Tone from the Top: Real vs. Performative
I have observed many businesses that have created the appearance of a strong compliance culture without actually building a strong compliance culture. They have a chief compliance officer. They have compliance policies. They have a compliance committee. But when the business faces a choice between compliance and revenue, the business chooses revenue.
This is performative compliance, and it is detectable by employees. Employees will quickly understand whether compliance is genuinely important or whether it is a compliance department problem that senior management has delegated away.
Real tone from the top requires that senior management make compliance decisions even when those decisions reduce revenue. If a customer wants to conduct a transaction that the compliance officer believes is suspicious, and the customer represents significant revenue, senior management should support the compliance officer's decision to decline the transaction. If declining the transaction means the customer takes business elsewhere, so be it.
This is hard. Customers generate revenue. Compliance generates costs. From a financial perspective, it would be better to process the transaction and hope you do not get caught. But this calculation is wrong because it ignores the true costs of non-compliance: regulatory fines, reputational damage, loss of banking relationships, loss of operating licenses.
When senior management consistently chooses compliance over short-term revenue, the organization will understand that compliance is genuinely important. When employees see that the CEO will fire a high-revenue-generating employee who cuts corners on compliance, they will understand that compliance matters more than revenue.
Training That Actually Works
Compliance training is typically a box that businesses check. Once a year, the business conducts AML training. Employees spend an hour in a training session. The business documents that training was conducted. And then compliance continues as it was before.
This training does not change behavior. The reason is that training does not motivate behavior change unless the training is connected to an expectation that the behavior will change, and unless there is accountability for whether the behavior actually changed.
Effective training works differently. Training should be targeted. You do not need to train your back-office staff on sanctions compliance. You need to train your customer-facing staff on how to conduct due diligence, your transaction processing staff on how to identify suspicious transactions, your management staff on how to escalate compliance issues.
Training should be practical. Rather than explaining the AML Act in abstract terms, training should walk through the scenarios that your customers and your transactions present. If your business sends money to Latin America, the training should address the specific compliance risks in those corridors.
Training should be reinforced. A single one-hour training session per year is not sufficient. Compliance messaging should be reinforced monthly. This might be through brief messages in staff meetings, through case studies of compliance issues, through scenarios to discuss.
Training should be tested. After conducting training, the business should test whether staff have retained the information. This might be through a quiz, through a scenario-based test, or through role-play in which staff walk through the decision process they would follow in a compliance situation.
Training should have consequences. If a staff member fails the compliance training assessment, they should be required to retrain. If a staff member violates a compliance procedure after receiving training, there should be accountability.
Incentive Structures That Support Compliance
Businesses typically measure employee performance based on revenue, customer acquisition, transaction volume, or customer service metrics. These are the metrics that determine bonuses, promotions, and career advancement.
If you measure and compensate employees based on revenue, but compliance requires declining transactions that generate revenue, you have created a misaligned incentive structure. An employee who is measured on revenue and is compensated based on revenue will be tempted to ignore compliance concerns if addressing them means losing revenue.
To build a culture of compliance, align incentive structures with compliance. This might mean that no employee receives a bonus if the business is under regulatory enforcement. It might mean that employee performance evaluations assess compliance as well as revenue. It might mean that transaction processing staff are measured based on compliance accuracy, not on transaction volume.
More subtly, it might mean that you promote people who have demonstrated strong compliance judgment to positions with more responsibility, and you do not promote people who have cut corners on compliance, even if they have generated significant revenue.
These incentive changes have costs. If you measure transaction processing staff based on compliance accuracy rather than transaction volume, your transaction volume may decrease in the short term because staff will take more time to ensure compliance. If you do not promote high-revenue-generating employees who have cut corners on compliance, you may lose those employees to competitors.
But these costs are investments in building a sustainable business. A business that is compliant will not face regulatory enforcement, will not lose banking relationships, will not lose operating licenses. A business that ignores compliance in pursuit of short-term revenue will eventually face enforcement, will lose banking relationships, and will lose its operating license.
Internal Reporting and Whistleblower Protections
A culture of compliance requires that employees feel safe reporting compliance issues. If an employee discovers that a customer due diligence file is incomplete, the employee should feel comfortable reporting that discovery to the compliance officer without fear of retaliation.
The business should establish an internal reporting mechanism. This might be a compliance hotline, an email address, or a meeting with the compliance officer. The business should make clear that employees can report compliance issues confidentially and without fear of retaliation.
The business should also establish protections against retaliation. The business should make clear that any adverse action taken against an employee who reported a compliance issue in good faith is prohibited. This includes termination, demotion, salary reduction, or any other form of adverse action.
These protections should be formalized in writing, should be communicated to all employees, and should be enforced. If a manager retaliates against an employee who reported a compliance issue, that manager should face discipline.
Learning from Mistakes: Incident Response
When a compliance failure is discovered—when a customer due diligence file is found to be incomplete, when a suspicious transaction is found to have been processed without a suspicious activity report, when a transaction monitoring rule fails to detect suspicious activity—the business should treat the discovery as a learning opportunity, not as a disaster.
An incident response process should be established that includes: investigation of the incident to understand root cause; remediation of the specific instance of non-compliance; assessment of whether the incident reflects a systemic problem; implementation of changes to prevent recurrence; and communication to relevant parties about what happened and what will be done to prevent recurrence.
The investigation should be honest. If the incident occurred because a staff member misunderstood a procedure, the investigation should acknowledge this. If the incident occurred because a procedure was unclear, the investigation should acknowledge this. If the incident occurred because a staff member intentionally violated a procedure, the investigation should acknowledge this.
The remediation should be proportionate to the severity of the incident. If a single customer file has incomplete due diligence, the remediation might be to update that file and to retrain the staff member who prepared it. If dozens of customer files have incomplete due diligence, the remediation might be to comprehensively review all customer files, to implement new quality control procedures, to replace the procedures that created the systemic failure.
The communication about the incident should be honest and should not attempt to minimize the incident. If the incident was serious, call it serious. If the incident reflects a failure in the compliance program, acknowledge the failure. Employees will respect an honest assessment of what went wrong and what the business will do to fix it. Employees will not respect an organization that covers up compliance failures or minimizes them.
Measuring Compliance Culture
How do you measure whether a culture of compliance has been built? The traditional measurements are compliance metrics: number of suspicious activity reports filed, transaction monitoring alert rate, percentage of customers with complete due diligence files, training completion rate.
These are useful metrics, but they do not measure culture. They measure outputs, not values.
To measure culture, you need to look at other indicators. Do employees report compliance issues, or do they hide them? When compliance concerns arise, does senior management engage, or does the business try to hide the issue? When the business faces a choice between compliance and revenue, what choice does the business make?
You can measure culture through surveys. Ask employees whether they believe compliance is important, whether they would report compliance violations they observe, whether they believe senior management cares about compliance.
You can measure culture through observation. When a compliance issue arises, observe how the organization responds. If the organization immediately escalates the issue, investigates thoroughly, and implements remediation, that suggests a strong compliance culture. If the organization tries to cover up the issue or does not investigate, that suggests a weak compliance culture.
You can measure culture through turnover of compliance staff. If your compliance officer leaves because they were not empowered to enforce compliance, that suggests a weak compliance culture. If your compliance officer stays and reports that they feel supported by senior management, that suggests a stronger compliance culture.
The Competitive Advantage of Genuine Compliance
I have observed that businesses with strong compliance cultures outperform businesses without strong compliance cultures, even though compliance is a cost and non-compliant businesses do not incur that cost.
The reason is that a strong compliance culture creates a durable business. A business with strong compliance will not face regulatory enforcement. A business with strong compliance will not lose banking relationships. A business with strong compliance will not lose operating licenses.
More importantly, a business with strong compliance can operate at scale. As a business grows, the founder can no longer be directly involved in every decision. The founder must delegate authority to managers and staff. A business without a strong compliance culture will have problems scaling because the founder cannot monitor every transaction, cannot personally ensure that due diligence is conducted on every customer, and cannot personally ensure that every suspicious transaction is reported.
A business with a strong compliance culture can scale because the values are embedded in the organization. Managers at every level understand that compliance is important. Staff at every level understand what compliant behavior looks like and are motivated to behave that way.
Finally, a strong compliance culture attracts better employees. Professionals who care about working in a legitimate business, who do not want to work in an organization that cuts ethical corners, will prefer to work for a business with a strong compliance culture. These professionals are often higher-quality employees, and the business benefits from the talent.
Practitioner's Bottom Line
Building a compliance culture requires genuine commitment from the board and senior management, not just creation of compliance policies and procedures. Align incentive structures with compliance by measuring and compensating employees based on compliance metrics, not just revenue. Establish internal reporting mechanisms and whistleblower protections that enable employees to report compliance violations without fear of retaliation, and treat compliance incidents as learning opportunities rather than disasters.