Compliance Culture

‘Culture of Compliance’ is one of those terms that is overused in the corporate world, whether to advertise a company’s values to stakeholders or to prove to the regulator that the company is committed to complying with applicable laws and regulations.

But what is a culture of compliance and why is it important? Does the regulator require a financial institution to establish a culture of compliance and how can this be achieved? How can we avoid pitfalls and measure the level of a compliance culture?

Read our insights below



Regulatory Background in the UAE

The term “compliance culture” is mentioned in the rulebooks of UAE regulators, but a clear standalone definition does not exist. The DFSA, for example, expects the senior management of a regulated entity to “establish a robust and effective AML/CTF and sanctions compliance culture for the business”. Further, it expects that the risk-based approach is a key part of the money laundering compliance culture (…).

The Central Bank of the UAE uses the word “culture” quite regularly in various regulations, e.g., control culture, corporate culture, risk culture, risk management culture, but a definition of these terms is not provided. The consumer protection standards, for example, mandate that a financial institution have, and be able to demonstrate, a corporate culture of consumer service, fairness, transparency, ethical business conduct and effective disclosure. This corporate culture should be supportive and constructive.

The same standards also mandate that financial institutions evaluate and report on the state of the organization’s compliance culture and provide recommendations for improvements (as part of their annual consumer protection reporting to CBUAE).

The AML/CFT Guidelines issued to all financial institutions in the UAE state that, in order for the AML/CFT framework to be effective, it must be based on the foundation of a sound governance structure and held together by a strong compliance culture. The Compliance Officer is further responsible for helping to establish and maintain a strong and effective AML/CFT compliance culture within the FI. The members of senior management (together with the members of the board of directors in those organisations that have one) are ultimately responsible for the quality, strength and effectiveness of the AML/CFT framework, as well as for the robustness of its compliance culture.

The CBUAE Standards for Internal Control, Compliance, and Internal Audit applicable to all banks, further make it clear that “Compliance must be part of the culture of the bank, not just the responsibility of staff in the bank's compliance function.”

What is Compliance Culture and how can we establish it?

In the absence of a definition, let us try to define the term. In a nutshell, an organization can be seen to have a culture of compliance if the organisation collectively does the right thing, the right way, at the right time, even when nobody is watching.

To lay it out further, compliance culture is represented by the shared attitudes, values, goals, and practices that characterize an organization. Senior management leads the way by expressing its commitment to comply with regulatory requirements and expectations and by encouraging open communication and honest feedback. Staff are aware of their responsibilities and are not purely revenue-driven, since compliance with laws, regulations and internal policies is given a high priority in the organization.

In 2014, FinCEN published the “Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance”, stating that a financial institution should do the following to strengthen its culture of compliance:

  • Leadership Should Be Engaged

This is the so-called ‘tone from the top’. The Board and Senior Management should understand an institution’s responsibilities regarding compliance with laws and regulations and create a culture of compliance at that institution. The commitment of an organization’s leaders should be visible within the organization.


  • Compliance Should Not Be Compromised by Revenue Interests

Compliance staff should be empowered with sufficient authority and autonomy to implement an institution’s compliance program. An institution’s interest in revenue should not compromise efforts to effectively manage and mitigate non-compliance.

  • Information Should Be Shared Throughout the Organization

There is information in various departments within a financial institution that may be useful and should be shared with the compliance staff in order to ensure and enhance the level of compliance. In turn, the compliance department should continuously communicate and share with the rest of the organisation the requirements and expectations.

  • Leadership Should Provide Adequate Human and Technological Resources

Obviously, the level of compliance within an organization depends strongly on the resources provided to achieve compliance. These could be additional human resources but also technical systems. They must be accounted for in the budget and require approval by Senior Management and the Board.

  • The Compliance Program Should be Tested by an Independent and Competent Party

That an organization believes it has already achieved compliance with laws and regulations does not mean this is actually the case. Reviews by Internal Audit, regulators or other third parties can give valuable insight.

How can an organization ‘test’ if it has a strong Culture of Compliance?

If you are a financial institution and you are keen to assess and understand whether your organization has a good compliance culture, the following points can help in your review:

Board involvement also known as “tone from the top”:

  • Does the Board discuss any compliance related issues?
  • How often does the Board Compliance Committee meet?
  • Does the Head of Compliance get one-on-one time with the Board members without other Senior Management present?


Board reporting:

  • Does compliance-related reporting sugar-coat the real issues and fail to highlight what the Board actually needs to know?
  • Is the reporting so detailed that important matters are buried in stats and tables? Hence, can board members actually identify matters that need their attention?


Number of exceptions:

  • How many policy exemptions are granted (e.g., KYC during on-boarding, loan approvals)?
  • How many customer accounts have been recommended to be closed by compliance and how many are actually closed after a certain period of time?


Investment in people, systems and process enhancements:

  • Is the budget for necessary enhancements provided?
  • Are approved projects prioritized or delayed?
  • Does the organization invest in training and professional certifications?


Vacancies in Compliance/FCC:

  • Are vacancies filled in a timely manner?
  • Are the quality and quantity of compliance staff commensurate with the size and complexity of the institution?


Key Performance Indicators:

  • Do KPIs of the first line of defence incorporate any indicators relating to Compliance (non-revenue driven)?
  • Does obvious non-compliance carry any disciplinary penalties?


What are the pitfalls that could prevent the establishment of a strong compliance culture?

Pitfall 1: Isolated approach

Attempts to establish a culture of compliance are not comprehensive and do not encompass all parts of the organization.

Pitfall 2: Short-term thinking

The expectation of the leadership is that a culture of compliance can be established within a short period of time.

Pitfall 3: Wrong motivation

The establishment of a culture of compliance is seen as a tick-box exercise to please stakeholders and the regulator.

Pitfall 4: Culture of Compliance is seen as static rather than dynamic

The culture of compliance is not seen as evolving and changing over time, and efforts to enhance and improve the level of compliance do not take place.

Final Thoughts

In general, organizational culture is important to the success and overall health of a financial institution, its employees, and its customers. Compliance Culture is part of the overall culture and can be seen as the backbone of an institution’s compliance framework. 

Building a culture of compliance is more important than ever, since regulatory expectations in the UAE are still rising, and public perception and corporate reputation are increasingly defined by a company’s ability to comply with laws, regulations and ethical standards.

Therefore, financial institutions should be aware of their culture and of whether and how it supports internal compliance efforts.