Teamwork makes the compliance dream work.
So says Alexandra Sagaro, chief compliance officer of Skrill, a digital wallet brand, and VP of compliance for North America at its parent company, Paysafe.
At a recent discussion on anti-fraud regulations hosted by the Association of Certified Fraud Examiners, Sagaro shared her thoughts on why compliance needs to be collaborative—within your organization, with industry peers, and yes, with your regulators.
Sagaro’s remarks have been excerpted from the panel discussion and edited for clarity and length. This is part one of Sagaro’s remarks.
Practice makes policy. With different privacy laws that have come into play, the biggest compliance risk is breaches. How do you control the uncontrollable? The only way you can do that is running yourselves and your teams through tabletop exercises, so it’s not just a policy. They’ve actually gone through the physical exercise, have a little bit of muscle memory, and they’re able to kind of effectuate what needs to happen. And you’re stronger as a company.
Useful use cases. One of the strategies I’ve used is to provide a lot of use cases. If you’re able to sign up for a legal tool like LexisNexis, that’s great for getting use cases…I just present the cases at a very high level to our global chief compliance officer or our CEO. I tell them, ‘This is the potential of what could happen,’ and I just lay out the risk, and it’s very short bullets, because I know that’s all that they can really take in. I have trained our compliance team to do the same exact thing.
Pick up the phone. I also am going to throw this out there—and this may be a little foreign—but having collaborative sessions with your regulators is also very helpful. My three toughest states are California, New York, and Florida. I can never get Florida on the phone, but California is always willing to talk to me. And they always give me different advice for the same question.
It’s very, very challenging from a compliance perspective, trying to figure out what they want from me. And what I found is also having collaborative engagements, bringing in your legal team, bringing in the regulator, bringing in industry standards, trying to look at if there are any cases out there that you can kind of leverage in your conversation to have a better interpretation of how you can demonstrate good due diligence.
Nobody’s perfect. There’s no company that’s 100% [compliant], and I don’t think that’s the regulatory expectation. I think it’s about how you demonstrate you’ve done your due diligence, you’ve set up a good compliance control framework, you’ve evaluated the risk associated with your company, and you’re just able to kind of walk that path with them. I think as long as you can demonstrate that, you do gain favor with regulators. What they really target are the companies that do nothing, that have policies that no one’s held accountable for, or they don’t have a plan in action. They can’t demonstrate that they’ve done something in furtherance of making the best effort.