Compliance Is Not In the Compliance Department


“You are the AML Officer so it’s your job to identify the suspicious transactions.”

“Yes, I thought those transactions were a little fishy, too, but if the AML Department didn’t say anything, what was I supposed to do?”

“You’re the Compliance Officer, so you must update my procedures with the changes in the legislation.”

And of course, my favorite one:

“You are the AML Officer, you find the customer’s source of funds. You have access to all those databases, start searching and show you know the customer.”


Please raise your hands, all of you who have heard one of these sayings at least once from your colleagues.

Basically, the organization has a KYC-AML Department so all the KYC-AML activities are done in that department. All the risk related activities are done in the Risk Department. And the Compliance Department is the only one which has to be compliant.



And I will tell you a joke that best summarizes everything I want to tell you on this topic.



An organization holds a team-building event in the forest. They set up a camp, and all the departments are asked to go into the woods and come back with an animal that they consider would be useful for their camp.


The Operations Department goes into the woods and comes back with a bird. “We brought this bird because it is easy to transfer from one camp to another, we can use it to send messages and it is also easy to store within our camp.”


The AML Department goes into the woods and comes back with a fluffy, white rabbit. “We brought this rabbit because it is clean. From analyzing its paws, it is easy to deduce that it hasn’t been in any dirty places. I can understand from its orange stains that its parents are white and orange. I know that it will eat carrots and cabbage and it fits the risk appetite of our camp.”

The IT Department goes into the woods and comes back with a fox. “We brought this fox because we have the technology to make a computer-linked fence that will keep the fox inside our camp.”


The Sales Department goes into the woods and after a few minutes, growls and screams are heard coming from that place. The Sales Officers come running out of the woods with a big, black bear chasing them menacingly. As they run past their colleagues, they scream “We brought the customer in. It’s your job to manage it.”


Well…, if I were the AML Officer at that team-building, I would politely stop the running sales officer and professionally remind him that:

  • according to Article 29.1. of the National Bank of Romania’s Regulation 5/2013, you are the first one responsible for the daily administration of the risks related to your activity. So, you are responsible for the bear that you brought, and you must know and handle the bear from the moment you bring it to the camp and throughout its stay here.
  • also, according to Articles 5.1 and 28 of our national AML law (Law 656/2002), you are the first one responsible for monitoring the bear throughout its stay in our camp and for reporting to the AML Department if you see the bear performing suspicious activities; otherwise you, as an individual, are liable for sanctions from the Authorities.


More specifically, this is what you must do for the bear that you brought:

a) know who your bear is – use reliable, independent source documents, data or information to identify if the bear is a brown, black, grizzly, etc. bear;

b) find out if behind this bear is another bear and have information on the ultimate bear;

c) understand what the bear intends to do in our camp and please have information on that glamorous fur coat it is wearing;

d) monitor what the bear is doing throughout its stay in our camp. This is to ensure that the bear’s activity is consistent with what you know of the bear and what you expected the bear to do. Know what and whom the bear is eating, and if the bear starts acting differently than expected, you must understand why. Suspicions must be immediately reported to the AML Department, which will contact the Ranger.

Don’t blame me! It’s the national law, the EU Directive and the 10th FATF Recommendation.


Although the law clearly states that the operational units are the first ones responsible for managing the daily risks, the common approach is that AML is done in the AML department.

Why? Because there is a specially designated department named this way. Because it’s easier to think that. And also because most of your colleagues simply don’t know the law.

So inform them of their legal obligations. Use every opportunity to inform them of the provisions of the law – for example, start your trainings with the provisions of the law. Underline that the sanctions are also for private individuals, not just for the organization.

Make your colleagues understand the 3 lines of defence:

  • 1st line: the front-office / the operational units
  • 2nd line: the compliance department
  • 3rd line: the audit department

Compliance is not (just) in the Compliance Department. It must start from the first contact with the customer and be embedded in all the structures of the organization.

Now, do you think that in these conditions the Sales Department would still bring a bear to the camp? Or would they choose a different animal? Maybe a… lion?


By Andreea Tampu, ACAMS

  1. Kishwar mehboob 27/06/2018 at 2:25 pm

    Dear sir, I have read your views and it’s understood compliance is not in the compliance department only. As in every organization, compliance is the responsibility of each and every group and employee. For example, if instructions are specifically issued for operations, it’s their responsibility to comply with them. At least in our organization the same culture is being followed.

  2. Nice article. We should know everyone owns risk. This article makes the information humorous and entertaining. Hopefully it reaches the target audience! Thanks for sharing.

  3. It’s great when articles such as this provide compliance with a personality. Great read Andreea!

  4. Thanks Andreea, the ‘bear’ story made me smile, but you’re sadly right, still in organisations there is the view that all the regulatory risks have to be identified and managed by the ‘compliance’ department.

  5. Insightful, here are my 2 cents-

    First problem is defining the line of defense. Business has the first responsibility of ensuring the right animal is brought in.

    Second problem I see is the varied scope (multiple regulations in different countries), which changes while you are still solving the previous problems. A common regulation body will be the solution, but I don’t see that happening, and some countries may still want to have their own regulations on top of it, making it ineffective.

    Third problem is the balance between customer experience and staying compliant.

    Fourth problem is no scope of revenue and hence ignored. Probably there should be a tax benefit for ensuring high quality in compliance.

    Also some more points on what we need to know while getting the animal or keeping them-

    e. We need to know if the bear is politically exposed, directly or indirectly. PEPs need separate handling from the sanction lists and need defined review procedures.
    f. Need to know how many different relationships this bear has with us, i.e. a customer view with multiple relationships.
    g. Where this bear originally came from. A prohibited country and the bear can’t be added to the Circus.
