Paulina Sosnowicz, Director of the Legal Department at Centrum Uslug Informatycznych we Wroclawiu, uses GetBack in Poland as a case study of potential pitfalls to avoid in the compliance function.
It seems that compliance, in the sense of adhering to the provisions of the law and the guidelines of the regulatory authorities in the practices of organizational units (not only enterprises), has entered the Polish reality for good. Implementation of a compliance culture is particularly visible in the entities of regulated market sectors, such as finance, telecommunications, and health care, as well as the “new technologies” industry, which quickly follows the trend. It is no longer surprising that banks, insurance companies, and telecoms have specialized compliance risk management units. Also, healthcare entities use lawyers – often external – to ensure that the processes are adjusted to applicable law. Commercial entities, especially those belonging to the larger chains, are also now increasingly expected to operate in compliance.
However, implementing the compliance function in an organization is less difficult than introducing a full compliance culture. The difference is simplified as follows: in theory, there are three lines of defense responsible for the compliance function (although it can easily happen – and unfortunately it quite often does – that in fact the second line of defense remains alone). In successfully implemented organizational compliance cultures, the theory ceases to diverge from practice and all three lines of defense, including “business” and audit, play an active part in securing compliance.
The implementation of a compliance culture can be reduced to the cognitive model of human functioning, in which a given situation is at first interpreted by the mind. The person experiences emotions, instantly followed by interpretation via thought, which leads to the taking of a specific action.
Therefore, the key to implementing an ethical organizational culture is changing existing ingrained patterns that are, in actuality, not adaptive, and ultimately harmful. This can be achieved in two ways - by changing situations that will be interpreted by employees of a given organization, or by directly promoting a better-suited mindset.
The following is an experience-based and subjective set of factors that can shape the thinking in the organization as desired. It is impossible to avoid negative examples, which are more eloquent. It is worth learning from mistakes - preferably someone else’s.
I. A Negative Example – How Not to Think and What Not to Do
Life itself usually provides examples. In the field of practices that frustrate the implementation of at least a substitute of a compliance culture, it is worth getting acquainted with the GetBack SA case from 2018, which got media coverage in April and then again at the end of November, 2020, when (with some delay) the President of the Office of Competition and Consumer Protection (UOKiK) issued the first decision on an infringement of collective consumer interests, listing the company’s sins. The situation of GetBack was also brilliantly analyzed by lawyer Andrzej Nartowicz, in his The Case of GetBack SA (2018) In the Light of Corporate Governance report.
From available sources, including the two mentioned above, one can draw exciting conclusions about the roots of a compliance anti-culture. So what went wrong?
1. Having Something vs Using Something
The first practice that stands out in the GetBack case, involving a well-known debt collection company, is that it had the documents required by supervisory practice – from a compliance risk management policy, through control procedures, to the regulations of the company’s governing bodies. The problem was that the approach to applying internal regulations was, colloquially speaking, very loose. The business practice differed significantly from the requirements set out by the internal regulations, including, for example, in the misselling obligation identified by the UOKiK. To sum it up: the internal regulations were illusory and functioned only as the scenery of a properly operating company.
Unfortunately, one of the main reasons for this state of affairs was quite simple – it happened because the company was allowed to treat internal regulations as an unnecessary ballast that inhibits business, overly emphasizing the role of the latter at the expense of promoting stable and legalistic management.
Supervisory documents, such as the exemplary Polish Financial Supervision Authority Principles of Corporate Governance, or some of the Commission’s recommendations for banks (e.g., Recommendation H), clearly define the role and principles of an efficient compliance unit. I am referring to the financial market because it was a precursor in this respect and is perhaps the most heavily regulated in terms of the need to manage compliance risk. The main features of a properly functioning compliance unit are its independence and wide access to complete and reliable information. In the GetBack example, both of these features were missing, and the compliance system was shaped based on the perception that the compliance unit was a threat to the development of the organization, and not as an ally able to prevent the occurrence of risks, which – in the case of GetBack – fully materialized.
3. Example Comes from Above
It is a truism to say that a bad example comes from above. Unfortunately, this is a truth based on an evolutionary social mechanism – the principle of authority. A person who possesses titles and power in a social context is accepted as having authority that ought to be obeyed. The case of GetBack began and ended with the president of its management board, who allowed various types of organizational pathologies to develop.
4. Unreal Control
Controlling mechanisms – from those used by the compliance unit to the supervisory board – failed in the case of GetBack, because the organizational units and company bodies responsible for their application received incomplete or false information. The moral that can be drawn from this is: in the case of entities responsible for controlling the compliance of an entity’s operations with the law, the obstruction of access to the data and the treatment of such information as top secret prevents the implementation of controls. And this is a straightforward way to overlook gross mistakes and condone lawlessness.
5. Transparency and Order Above All
In the example of GetBack, many sources claim that the company was an overwhelming organizational mess, which created a kind of a smokescreen for not-very-reliable business attempts. Thinking about the organization in terms of transparency and order will always support ethical attitudes, and consequently will prevent efforts to sweep disturbing practices or common shortcomings under the carpet.
6. You Should Not Hurt Your Customer
Customers are protected by law for a reason, as they are usually practically helpless, especially relative to large business entities. In the case of GetBack, a debt collection company, customers were treated only instrumentally, as a source of money necessary to ensure the financing of the company, which, even if this operation had been successful, would only have extended the downward slope on which the company was located. A long-term business plan – always, of course, focused on profit – does not have to hurt customers by trying to circumvent their rights (e.g., by misselling). Imagining the customer as a business partner builds trust in terms of public perception, which translates into an increase of interest and increases competitiveness.
7. We Look Nice on the Charts
The topic of falsified information has already been mentioned above in the context of the system of control mechanisms, but there is one more aspect to be considered. In GetBack’s case, the company’s supervisory board, despite frequent meetings, was unable to detect the falsehood in the data presented to it, as these had the signs of credibility. With less drastic consequences, you can often encounter a broader practice of bending reported data. The temptation to present oneself in a better light is disastrous in the long run because falsified information gives an unreal image of the subject to its decision-makers and thus leads to erroneous decisions, based in part on a fictitious factual state. The solution to this issue seems to be a change in the superiors’ thinking about the received data. Instead of the reluctance and negative perception of these red indicators, it is desirable to analyze the causes and solve the problem in a skeptical manner.
II. What Else Could Go Wrong, That Didn’t Happen at GetBack?
I would like to mention two more circumstances that destroy a culture of compliance, which are easy to encounter in practice, even though they did not clearly manifest in the GetBack case. Both are related to schematism.
1. They Have Checked It for Sure.
Who has not heard this sentence in work-related conformity testing? A far-reaching mental simplification aimed at saving even a bit of valuable time is based on the mechanism mentioned above, regarding authority. If we receive a given material from a person or entity that we believe has a good reputation, we tend to trust that everything has been done correctly. Such a misconception leads to the repetition – sometimes for an impressive amount of time – of the same errors.
2. We’ve Always Done This, So it Must be Correct.
This is another simplification, relating to an attachment to an ingrained scheme that saves energy and time devoted to re-examining an issue. In a dynamically changing regulatory environment, such a practice does not work for obvious reasons: it leads to the obsolescence of specific solutions, and thus an increasing divergence of processes concerning both provisions and regulatory guidelines.
Thinking about a compliance culture is not an easy task - but it is certainly possible. Most of the situations dangerous for market entities consist of the materialization of one of the risks (usually regulatory or image-related), resulting from incorrect beliefs rooted in the organization and triggering erroneous thinking that it was possible to prevent. The lessons arising from the problems of a specific entity, which have shaken the entire industry, show why it is worth implementing an organizational compliance culture by changing the way of thinking about it.
By Paulina Sosnowicz, Director of Legal Department, Centrum Uslug Informatycznych
This article was published in issue 1.3 of CEE In-House Matters.