Transcriptie: Rein Graat – De CCO in een constant veranderende omgeving

Welcome to Compliance Adviseert. We talk with experts, advisors, and business leaders about navigating risk and compliance challenges within the financial sector. Because the straight and narrow path doesn’t come with GPS. We’d like to thank our partners, Hyarchis, Partner in Compliance, Deloitte and De Volksbank. Your host is Jeroen Broekema.

Jeroen: Welcome to a new episode of Compliance Adviseert, Compliance Advises. Today, we do it in English. I’m very honoured to have the group Chief Compliance Officer of ING with us, who is Rein Graat. Welcome!

Rein: Thank you.

Rein Graat – CCO ING Group

Jeroen: I’m really glad you’re taking the time to speak to me and to the podcast. We speak about the job of the compliance officer in a fast-changing environment. And of course, we also speak about you because I’m really curious to learn more about you and maybe that’s where you could start. Maybe you could introduce yourself to the audience?

Rein: Let me then take a quick flight through my past. I’m trained as a lawyer, so I’m a lawyer by nature. I’ve also worked in law firms, private practice, in the Netherlands and in London. From there on, I went into the banking environment, so into the finance environment. I always thought, “How would it be on the other side?” To no longer be the advisor, but to be the owner of the kitchen, no longer being one of those cooks in the kitchen to then move on, but staying there to own the consequences and the responsibility that comes with that. So I moved from being a lawyer into banking, still as a lawyer and different banks in the Netherlands but cumulated into going into ING. That was after ABN AMRO was taken over by Consortium. From there, I went to what I then called what the next big bank in the Netherlands became, which ING was, and has grown to be much more. So I’m currently working at ING, started as a lawyer in that environment, moved into financial markets in a sales role into strategy roles, innovation roles, within an environment to go back into my habit of legal in a general consolation specific to ING. And then I got that call to take on the bigger responsibility of being ready for that next big thing for ING, which was a big chapter in the ING journey, given that we just came through an intense period of public debate as well, on the back of the KYC environment. So that’s where I started taking on the responsibility for compliance, move back to Europe into the role I’m currently in. So that’s been for the last three and a half years, and it’s been an exciting journey, as you already alluded to, in terms of compliance, has morphed into something different over those last couple of years already. Both in the industry as well as within ING.

Jeroen: Do you miss your position as a lawyer?

Rein: At times, it is easy, obviously, to give advice and walk away. Because to a certain extent, that is always partly present when you are a legal advisor. But what I love particularly most is taking that responsibility, but also owning the accountability that comes with seeing it through. And I think that is what compliance brings, it’s also much more operational. It’s also very much still legal, but has much more decision-taking judgements to be made to make things no longer gray, which lawyers tend to do, that’s qualifications, reservations and this is why you need to own it. To make it black and white: stick to your decision, have it well argumented, and we’ll probably come to talk about it later on. Because we also have introduced what we call the ‘orange code decision-making model’, to make sure that we have integrity-led decisions. With our primary customers being the foremost important piece within ING, that’s trust-led. That’s why we own that trust to them. And I think that is what compliance brings to the organization, it’s from end to end within the organization involvement and steering what I would call the tail that moves the head. You can really, from a second line, move the majority of the first line for them to become the second line de facto. And that was new to me. It was also a bit of a gamble for ING to put me in that position while having never been in compliance before. And if you then by accident perhaps – or lucky even, perhaps – although Ralph Hamers at the time was the one calling me, and we obviously had discussions back then also with the CRO, currently the CO of ING. Where two weeks after I was interviewed and appointed, there was an article in the Financial Times indicating, “Never hire a lawyer into a compliance position.” So I gave Ralph a call and said, “I might be lucky you didn’t read this.” I think being a lawyer greatly helps, but I understand where it’s coming from. Because it’s that nuance that requires to be there. It’s much more the logical thinking, the ethical thinking, the nuance around not being black and white but owning it, that is what makes a great compliance officer. It used to be compliance being a specialism, now it’s so many specialisms within compliance, even over the last couple of years. So it’s been an exciting journey where I’ve made many mistakes that give me the biggest learnings, and it has been a rollercoaster with a lot of fun, a lot of intense environments, a lot of intense discussions, a lot of intense days to make, but very rewarding.

Jeroen: Sounds like you took the right decision at the time. Also, I find this moment where you go from being a lawyer into a bank very interesting from another perspective. Because you went from the UK to the Netherlands, although in a very international environment, not only the Netherlands, you’re in many countries operating. How was that, to move from the UK to here? Apart from the fact that you went to a bank?

Rein: That’s a very good question. One of the reasons why I went to the bank is because I went back to the Netherlands. So when I was working at a law firm, I was heavily involved and heavily working with banks in the UK. Structuring transactions, working on negotiating the deals, and it was a very exciting dynamic environment. And back in those days, probably it was even more the hot spot for Europe to work from a financial central perspective. And I was the first one going to London, there was a merger of the law firm I used to work for with a big UK-based law firm. So I was the first one to celebrate that merger and to be the ambassador for the Dutch footprint to go to London. So I did that for over a year, working over there, and I committed to come back. I was supposed to go and commit to one of the big investment banks, and probably that’s where the excitement was. And when I came back, it became more of an opinion practice, much less the deal negotiation but much more the Dutch flavour that comes with these transactions, the SPV’s, et cetera. And that simply excited me a bit less, so I wanted to be where the action is because I’m most energized by impact. And it also means influence and being at times intimately involved where it matters most. And the UK to the Netherlands change also prompted me to reconsider being part of the private practice where you know much of little. And I wanted to know much of much. That’s the opportunity when you go into banking, for example, where you can have a much better remit for your involvement as opposed to this very specific trajectory you’re typically on when you become a partner in a law firm.

Jeroen: You mentioned one thing which I find very interesting. Obviously, it was a funny story as well, given you told us about the article you read and that was in the media where it stated, “Never hire a lawyer in a compliance position” You already gave part of the answer, but I’d love to dive in a bit deeper, what was the key point of this article to do that? Also, what are the reason why having a lawyer is a great thing?

Rein: Well, Jeroen, obviously I tried to forget that article immediately. It didn’t suit me well back then. But I think the jest of the article was that lawyers tend to be very restricted in their thinking, it’s very rule-based thinking. If you look into compliance, it’s much more the open mindset that is required as well. You are obviously very creative as a lawyer, don’t get me wrong. But that interpretation, that application and also having an open mind in terms of from a risk-based judgement perspective, that’s not necessarily a muscle you train as a lawyer to own that. And I think that’s what the gist of that article was, and it’s also something we’ve trained our global population particularly in the transformation we’ve gone through, that mindset change has been very much also dominant in our environment to move from advisor to being the owner of the risk-traveling direction. That means from a second line defining where we need to go, helping the first line to move into that direction materially because ultimately, that is where the real risk manager should be. Because that’s where risk-taking takes place. So it’s also been a journey in terms of culture. It has been a very important component as part of our transformation program.

Jeroen: We’ll come back to that as well later during this interview because I’m really curious to learn more. But first, if you look at it from an even broader perspective, from a helicopter view, what would you say are the key components of how the compliance job has changed over time? You can pick any time, five years, ten years or longer, but how have you seen it change over time?

Rein: A couple of things. I think the relevance of compliance with a lower case, a compliance as an organization has also the reliance on compliance with a capital C. So the function Compliance has simply materially been moved north, so really increased. If there’s one thing we’ve seen in the papers as well, there is a tail risk, that’s what compliance risk is all about. It’s the residual risk management. So it doesn’t happen often, but when it happens it’s one that does not necessarily only affect materially the reputation typically of an organization. But what you see as well is that the executive management is typically personally effective. You read in the papers that CEOs are requested to look for something else, if I can put it like this. So unlike credit risk, for example, which has been there for a long time, that’s something that’s part of the firm DNA of any organization. Compliance is not just a new type of risk management environment, and I call it risk management because it comes with the ownership. But it’s also a reflection of how society is moving. It’s not black and white, and it’s that interpretation to lead with integrity, to make that politic decision taking and making is what makes compliance exciting. It also makes it much more gray than many other environments where you say, “We put controls in place.” That doesn’t happen. There is a lot of conduct reliance in compliance that people intrinsically want and do the right thing. It’s not easy.

Jeroen: Just conduct reliance, right? Explain a bit more to me, please?

Rein: Conduct reliance means that the dependency on the behaviour of people for any decision, discussions taking place in ING, is going to be one where you say, “What’s your dilemma? What’s the information and the stakeholder?” So check your information, list your stakeholders, go into balance rights and interests. List your argumentation, weigh the argumentation, control the damage to then record the same. That means we want to have a flow where people put integrity and not just their decision, but judgement weighted by different dilemmas and different opinions, different angles for consideration. That is something crucial, I would say. And not necessarily always normally naturally part of any human being working in an organization, including ING. So we need to help our people to have a conduct reflection in terms of, “What would it look like? If I read it in the papers, what would this be to customer centricity?” And that type of contemplation, that’s something we want to make part of our processes just to change the rhythm of the behaviour, and that’s where conduct is essential. You cannot put a control in place to change people either consciously wilfully or unconsciously taking the wrong decision for a customer or internal process with all the consequences that come with it. So it starts with conduct contemplation and being very much mindful of the behaviour of our employees and for them to make that part of their decision taking every day, day in and day out. Because that prevents big headlines in the future. That’s why I think compliance on the conduct side at least is essential. That’s why also programs which are around risk culture, awareness, the risk judgement, the risk awareness, the tone from the top, those crucial components that help us to make that part of reminding all, as competition continuously actually to do that automatically. That’s not an easy thing because that’s moving minds and hearts, that should be the emotional connection, it should be the why particularly. Why should I do that? It’s not the what, it’s not the list that people need to follow. No, it’s the why that makes the difference because you intrinsically understand, and you want to do something in a certain way. We’re taught to do that, and I think that’s been the common denominator as well, transformation programs, to establish that emotional connection to explain the why behind a story. Let me give you an example. If you look at KYC, if you look at financial crime, AML, you can read it on your report, we invest a lot in our resources, in our people, in our processes, to improve and improve. It’s really something to be proud of, where we stand today. But our people are not busy doing a due diligence checklist, they’re actually fighting financial crime. And they need to understand their peace in the bigger puzzle of what this means and the why behind that question is really important for them to be part of a bigger purpose, to be driven by motivation rather than just following the rules. That’s also why I call them risk-based because it requires a bit of judgement.

Jeroen: And ultimately, that’s better for everyone. It’s better for the banks, better for the person, and better for society at large.

Rein: Absolutely. But it brings in a bit of risk as well. Because rules are very easy to perhaps interpret, and risk-based means there is also room for an arrow or room for not doing everything right because you got your processes that are really going forward. And that is always the dilemma, and it’s also something we see in the industry, and it’s also having discussions in the private public sector, to have these types of discussions because it’s not right, it’s not wrong, it’s gray, and it requires discussions for us to join the shape direction for the future.

Jeroen: It sounds like the gray is area is actually what you find so interesting. There are many, many different routes we can take from here because you’re bringing a lot to the table. But before we move on to those different routes we can take, I’d love to ask one additional question as a long introduction about you. You didn’t actually tell that much about yourself, but a lot about what you do, which is great. But I wanted to know, in terms of your own energy, you seem to be very positive, you’re having a lot of energy. But what are the things in your job that are not giving you much energy? I’m curious about it, I don’t want to make it too negative, but I’d love to hear.

Rein: You’re right, I think typically the glass is half full and there’s a lot of energy and there’s a lot of movement, it also gives me energy. What would give me the least energy, not an energy drainer, is fixed mindsets in general. So the open mindset to take the decency to take a step back, “Are we still doing the right things for the right reasons rather than because we have always done it this way?” That goes for internally as well as externally. I think that has also driven our maturity as compliance, as an industry. In terms of becoming more mature, having a bigger voice and being the navigator for the organization. Ethical courage beyond corporate responsibility, something that requires a bit of courage, pioneering. Not seeking that type of environment, a bit of courage in the discussion to also always seek the other side of the same discussion. That can be a big drainer, it also means that just being an advisor, for example, rather than feeling that ownership, that is something that I still sometimes feel. That is not just the disappointment, but also a bit of a drainer. Because that is not moving the needle.

Jeroen: Sounds like you’ve surrounded yourself with a lot of dynamic people versus static mindset people.

Rein: Yes, but also a bit of those. Because if there is a movement to be made, it’s also important to understand what can motivate them to take them along. There’s unity in diversity, that diversity component is still very much there. But yes, you are right, there is a different type of breed, there is a different type of leadership required as we move to different faces of our maturity, also as a compliance function within ING.

Jeroen: Generally speaking, is it hard for you or easy or somewhere in the middle to find the right people on every level on your own level at the top or also down in the organization?

Rein: Absolutely. Over the last couple of years, this has become quite explicit, also in the Dutch market. If you look in terms of the demand in the market, just in the financial industry in the Netherlands, the demand has gone up tremendously. Experienced people clearly did not follow that same type of offer. So there is a constraint in the market, we are lucky that we have a massive footprint. Also, the benefit of the learnings that corona gave us is that much more is possible. Working abroad, working in a different way, different ways of working, so we have that luck as ING. But you see it in the market, we’re all hunting for the same types of experienced people, junior people to educate.

Jeroen: Really on all levels, like on the Chief Compliance Officer all the way down to the Junior Analyst?

Rein: Yes, I do think so. Absolutely. That constraint, that impediment, that challenge is present across that pyramid. And it’s also why also Chief Compliance Officers in the Netherlands are talking about, “How can we support that?” If somebody’s initiative we’re talking to is also, “Can we have an academy to train that, to make sure of the training, the mindset?” Get people ready to take on the compliance responsibility, but also in the organization. If you look within ING, for example, in the past compliance was not necessarily the most sexy environment to be part of. I’m not saying that we currently are the most sexy environment, but I think we’re pretty sexy currently, if you will. Also, the understanding within your organization, having been part of compliance, having been part of that risk management part really is a positive on your resume within your organization to move further. The same goes for different risk environments. I also think in a general environment, it has become much more relevant if you want to become a senior banker to not have been in the first line, but also in the second line. It could be compliance in a different environment. But the constraint is there, we need to do something about it. And it also prompts, “Are we still doing it in the right way? Should we do things differently that would make it more effective, perhaps even more efficient?” We have those discussions within ING, but also in the wider industry.

You’re listening to Compliance Adviseert.

Jeroen: I’d love to discuss with you the role of the Chief Compliance Officer, which is your role. And maybe we can structure that to talk about the different stakeholders you have to deal with. Because I can imagine you deal with a lot of different stakeholders, you already alluded to how you work with all the people in your organization, how you align them to get certain things done. First of all, I’d like to ask you, your relationship to the board, because the Chief Compliance Officer is not on the board, right?

Rein: No.

Jeroen: Maybe at some place it is, or never, or it should be?

Rein: It is a bit of a mixed bag. Some countries have the CCO, and he is part of the board, some compliance and risk. For most but not all Dutch banks, for example, it’s under the CRO, typically. If you would ask me, “Is there a difference?” I think as long as the topic of compliance is well discussed in the board, whether or not I’m physically present, that means that the CCO is physically there in terms that discussion that requires taking place and the right discussions taking place. Within ING, I am very often on the board to discuss compliance. It’s a reflection in terms of how serious we are about this. So it’s not necessarily the formality in terms of reporting to the CRO, it’s more the independence that the CCO has as well. To regulation, but also within our organization, that for example also includes that there is also a dotted line into the supervisory board of ING for the CCO to make sure that if there would be a dilemma, when the CRO and CCO would not be in agreement, that there at least is a higher level where this can be discussed to sustain that independence as well.

Jeroen: I obviously understand it’s a bit delicate to ask you about this, I’m not talking about you as a person applying to get into the board, but more generally speaking, do you think we see a trend, maybe worldwide or in the Netherlands or anywhere where the CCO job becomes so important that it actually gets into the board position? And again, I’m not talking about you, because I understand the delicacy of that.

Rein: We have a CCO European network, like a CCO club, with the biggest banks in Europe. We come together on a quarterly basis to discuss policies, where we can contribute to shaping compliance, as well as discussing comparing the Compliance function, for example. It is a mixed bag. Do we see a trend? There was a trend that it was becoming part of the board. I think currently it’s much more often than not part of the CRO environment. Within banking, it’s typically part of risk. Within other environments, you typically see legal and compliance. That combination you don’t see often anymore within the European environment. So if there is a direction, not necessarily and that’s not clear, it’s also sometimes a reflection in terms of where the organization stands. In Europe sometimes, when you go through remediation and the attention, and the board attention requirements. Sometimes you see that appointment as well. But for compliance, it’s a bit of a mixed bag. 50/50 or maybe a bit less than that, more part of the risk, certainly in the Netherlands that would be.

Jeroen: You already mentioned the non-executive directors and the non-executive board. To what extent are you very busy with that relationship? Is there really a formal thing once in a quarter or once in an x-period of time? Is this something you’re really spending a lot of time on?

Rein: I think that’s also where I can draw the link to the remark I just made. If you look at ING, our focus area is clearly on certain things, certain topics, a trigger, spotlights. So when I took this responsibility, there was a lot of spotlight on compliance for the organization and also there was a lot of attention for Compliance as a function. Because we really had to go through a massive transformation. So that clearly merits and prompts more discussions within the board. More discussion within the supervisory boards, and there also is that internal credibility. As a function, you need to earn that credibility that you can be that navigator, that people can rely on that trust equation. So what I’ve seen in the last couple of years is that it was very intense, for the right reasons. Also very much encouraged by me, because that also means it’s high on the agenda. And at one stage you find a different rhythm in a more business as usual type of environment. We always have monthly discussions, for example, within the board specifically for compliance. Now we’ve got many discussions during the week, be it with the CEO or CRO or CCO and others around compliance topics. So it’s always there. It may not be specific to MBB, for example, on a daily basis or weekly basis. But that topic is being discussed continuously. I think that’s the most important one, also leave the supervisory board to really be the supervisor. That means knowing what’s happening, being informed on something is worthwhile flagging. I see that interest from the risk committee, for example, I have periodic dialogues, not just on a quarterly basis. So I think that’s a very healthy dynamic, it’s a reflection in terms of compliance being a topic on their agenda that they want to discuss, not that I’m forcing on the agenda. I think that is something that is not the case everywhere in every organization. In ours it is, and I think that’s really healthy. So CRO/CCO can be next to each other. I think sometimes there’s a movement towards it, but in most instances not. It’s more about that dialogue, be it with the supervisory board, it’s the influence without authority sometimes as well. That people have that interest, that people want to better understand what the dilemma is. And particularly also, as in any organization, no surprises. So if something is coming up, then clearly I will inform the board and I will inform the supervisory board for them to be aware of something that requires discussing.

Jeroen: I think I take two key messages here, in my own words. One is that you have clearly direct access at any time you need it and when you think it’s important to share information and the other way around as well, that’s the second message. Clearly, it’s high on the agenda of everyone and I think it’s fair to say that the compliance officer is not a role, I don’t know if it has ever been, but potentially it is, that is not taken seriously enough. It’s clearly taken very seriously.

Rein: I think that’s a very good summary. Indeed taken very seriously in every respect, both in the discussions as well as the attention, you see it at all the board levels. Clearly, a lot of my discussions are also taking place at that level. But more importantly is that the discussion is actually taking place at the lower levels. Because that is where risk-taking takes place, that is where risk management requires taking place. And I think that is an equal healthy reflection of that attention at a top level, the tone from the top, I earlier referred to it. You see that back in the organization, and that’s probably for me even more relevant than I see that the healthy right prompting discussion that invited to be part of the dialogue rather than pushing ourselves on the agenda. I think that is the most crucial thing for me as a CCO. That is what I stand for, and I think that is what I particularly like if I look at ING for the last couple of years. That is equally present.

Jeroen: That makes total sense, if you have that large group. How many people work at ING Group?

Rein: It must be somewhere between 55,000 and 60,000 people.

Jeroen: Which underlines your point, right? If you have that mass of people with you and the culture is right, then that prevents a lot of trouble at the top of the compliance function, I guess.

Rein: Absolutely. And you also see the same reflection of those discussions and the interest and the involvement of compliance also in how compliance itself has grown. I think we currently have 1700 people globally around 40 countries. That also means that we can make a movement across the footprint, not just in the central discussions, but making sure that in every entity we have, every branch we have locally, we follow a certain type of dialogue and having that on the agenda.

Jeroen: The other stakeholder I’d love to discuss with you is society at large or maybe one step below society at large, which is corporation with other banks, with regulators, with other organizations within society. So is there a lot of cooperation going on?

Rein: Yes, there is a lot of cooperation. Also having very mindful corporations. From a competition perspective, there are many topics that we don’t discuss. But what we do discuss in the corporation, particularly on the KYC front, for example, and it’s not just within the banking industry, there is an intense and good constructed dialogue involving the prosecutor, the FIU, which is the Financial Intelligence Unit, the police, the DNB, the AFM, all stakeholders relevant for us to collectively team up. The individual impact that we can have, particularly in that environment, is very difficult to achieve unless you team up to really have an end-to-end view. It takes a network to find a network. And I think that is something that you particularly see recognized and understood in that environment and that requires a lot of proactive thinking, that is still respecting sensible privacy. But still in a way that AML and fighting financial crime and that we take out criminals out of the system, it’s something that you can only do collectively. Because we see only a small part of a bigger puzzle and in order to see that picture that is part of that puzzle, you need to work together. And I think that’s where you particularly see not just the effort, but the upside that collective thinking and collective working brings to the table, I think we should do more of that. Because ultimately, it’s about impact. It’s about doing the right thing in the right way. Not just within ING, but for the bigger society.

Jeroen: Sounds like an initiative like TMNL, Transaction Monitoring Netherlands, what you are a part of, is a great idea in terms of working together as banks to fight criminal activity from a network perspective?

Rein: My answer would be yes, there is also a lot of discussion around TMNL, about data privacy, for example. And it is something we take very seriously. We have taken it very seriously as TMNL. Because TMNL is an initiative of several banks that indeed comes from that concept of what I just indicated. Together, we see more, together we can really take crime out of the system. And ultimately, that’s what we stand for. It’s not ticking the box of regulation, it’s really about having an impact.

Jeroen: The why.

Rein: Indeed, the why. So TMNL is a great example, it’s also an example where we need to further explore how we can be really impactful, still respecting privacy, still respecting anonymisation, which we have in an environment. So there is also a perception that requires addressing to be really get to a level where it will have the impact that we envisioned it to have at the start. Because we’re not there yet. You also see different environments, like in the UK currently, with JMLIT (Joint Money Laundering Intelligence Taskforce) launching their pilots, not being confirmed yet, but in the papers really setting it up. That also involves the local supervisor to have a joined initiative to have that impact on the fraud side or on the AML side. I think we will see more of that. Also in Hong Kong, last week for example, where see a lot of the same discussions, a lot of good discussions, but it’s really about shaping and finding the dilemmas within that topic. Because it comes with AML, data privacy. There are a lot of different stakeholders that will have a view on this, and a lot of different rights to be balanced. So these are great discussions because it’s really about shaping the future, finding days to do more while still respecting rules and regulations and obligations of our customers, but still leaving a big impact behind. So TMNL is a great example of this, indeed.

Jeroen: And it’s also a great segue into another topic I’d love to discuss with you, which is about running an organization from a compliance perspective, in this case in so many different countries. Because you already mentioned for example JMLIT or things happening in Hong Kong. This great knowledge, TMNL is an example of that, a lot of other countries are interested in what the Dutch people are doing. First of all, how do you take all these learnings from different GO’s where you operate in? Because you operate in quite a lot of countries, I don’t know the exact number, you can speak to that. But how do you take these great examples, great initiatives that in some countries are earlier doing these things and others bring them back to HQ and then also try to leverage them in other countries?

Rein: That is a good question. Sharing that aspect is what it starts with, knowing what the best practices are. So if you look at our organization within the compliance function, we were not always that good at it. Why? Because it was much more an organization that was policy led. The countries had to interpret, had to apply it, but not having one uniform process. Risk assessment, risk typology and so on. So what we really did is harmonising all of that. So we introduced design principles, for example. That also resulted in being in a position to collect this type of information, to have the network integrated, to have and give voices to the countries particularly, to share those best practices, be it from a process or be it from what we see in the market. So these types of initiatives really become a part of our verticals, as we call it. We’ve got risk verticals, like AML, like financial economic crime. We’ve got them on the conduct side, on the data protection side, and that’s a community, a global community of specialists. The ambassadors for these environments, for these countries that come together on a period basis to discuss these types of things. That helps us to know what’s happening, to select collectively or individually what’s most relevant within it, to then see how we can leverage it. So giving the countries a voice, making sure that there is an integrated approach on basic design principles, we have collectively agreed. That also means that we can much more operate as being one compliance, with the bank team, one voice, working on one platform. And that’s the benefit of these best practices.

Jeroen: Yes, I can imagine. That’s a great benefit, if you have a local footprint, it’s just much harder to get that information. You need to see it from the outside, from other banks. Here you have the information from the inside.

Rein: Just one thing to add, it’s not just internally. Because it’s also helping, and it’s perhaps the wrong word, like educating others that need to play a role as well. So if you take supervisors, also college supervisors in this environment, these discussions are great discussions to have. Because also collectively discussing not just in the private sector, but also the public sector, in terms of what we see, why we could become comfortable about that as well, what it requires doing to leverage a different idea, to work together. I think that’s where the equal benefit is. So it’s not sometimes internal, also from the public sector towards us, to have those discussions that are sometimes daring, sometimes are sensitive. But those are exactly the right ones to have.

Jeroen: Makes sense, that’s great you added that. But I guess at the same time, if I would be your role, I would also have nightmares sometimes or potential nightmares about the fact that you have this great span of control and I guess there are different cultures, different regulations, different sizes of the business. How do you deal with that? Because it’s all quite different, right? And as you said, you like to work in one particular way, you don’t want to have all these different ways of working in different countries. I assume, but maybe I’m wrong.

Rein: We would like to have one way of working as a foundation. But every country has its own rules and obligations. Europe may be more harmonized than if you go to Asia or if you go to the US. It is really different. So while we want to be uniform in the way we work, clearly there needs to be local consideration for local regulation, for local cultures and behaviours or habits that we want to make part of this. So it’s more the process where we’re very uniform, to make sure the same types of dilemmas are being discussed and that our orange coat and the way our behaviours and values of ING always find their way to every part of the world, including how it’s captured in the global coat of conduct. That’s really saying something about detailing how we want to work together and what we want to be for our customers. That’s a guiding principle that we have everywhere. So we create the foundation, but also leave that room for local interpretation.

Jeroen: But is it difficult? Also for yourself, you can’t be able to understand all these different regulations. Even in the Netherlands, it’s a lot, let alone all these different countries you work in.

Rein: It is difficult, and clearly we don’t even try to understand for all the locations. That’s also why we want to have the best people locally, that understand what we stand for as ING, understand the local market and know the local regulations. They are also daring of that countervailing power, to have that voice locally, to be heard when we want to navigate the organization or at least challenge the organization, whether it is the right direction to take. So it’s a balancing act. There is no right and wrong.

Jeroen: And from a cultural perspective, because a different regulation is already hard, but I guess if you want people to speak up, for example, some basic rule in ethics is that at some point people see things that are wrong or potentially wrong, and you want them to speak up, I assume. In some cultures, that’s a lot easier than others. How do you create a culture where people are willing and feel comfortable enough to actually speak up?

Rein: That’s a good question because this is something that many organizations are struggling with. The way we have approached this – and when you talk about speaking up, for me that shelters speaking up, listening up, following up – so speaking up means that we expect people to speak up. But it’s also actively inviting people, encouraging people to get that information towards you. It’s also the tone from the top, I earlier referred to it as being relevant. So how we’ve gone about this speaking up, listening up and following up is also to really focus on this. A reflection of how important we feel this is, is what we call the risk culture program. So it’s really all about this topic. How can we encourage getting the right signals from the organization, having the right discussions locally, for people to be comfortable having those discussions? Even if they are living in a country which is typically more hierarchical. We should not be naive about that, so as an organization, giving them the tools, introducing processes that ultimately give that a voice, but also for example having initiatives around risk champions. The risk culture program really is not led by a first line board member, that gives a reflection of how important we feel this is and also encouraging others to follow many different initiatives underneath it, but also risk champions. We champion those people who went beyond, that really stepped up, spoke on the second line or the first line and just celebrate that. It’s celebrating that component of being conscious about the risks, acting towards it, speaking up about it, and seeing that through and following up on it. That is something that we give explicit attention.

Jeroen: So from a cultural perspective, you work in many different countries, you operate in many different countries. Do you see cultural differences that really matter from a compliance perspective?

Rein: Yes, we do see those differences, I have to admit. We look at cultural differences, while we have a foundation where we all want to bank on the ING behaviours and values and the code of conduct. Still, there are cultural differences, there still is a difference and people are still born and raised in an environment that will define them. If we look at compliance, if we look at countries, one of the things that we simply actively gave consideration, my time in Asia where you really see that people have the inclination to only share the problem when they have the solution. There is a time lag that comes with that. There’s a time frame where you cannot help them to come up with the right solutions. So making sure that people are comfortable, sharing the solution or at least sharing the problem before giving the solution and that we know they’re going to do the right things, that is something that I’ve seen much more previously than I see today. That’s also where we can work with our risk culture program. It’s that particular topic, for example, and speaking up and listening up for them to be comfortable to speak up and then the action to follow on the back of that, I’ve seen that many times. We’ve also seen that particular aspect of problems and solutions. If I really see it, I call it a watermelon. It’s green from the outside, but red on the inside. When people give a story that everything is fine, particularly when countries are further away, when they’re very independent of the past, it’s something we want to make them part of and for them to also be comfortable. Experience the comfort that sharing the problem brings and the response that comes on the back of that sharing, that’s really what’s the most relevant piece in all of this. To illustrate, to experience, that sharing the problem is a good thing and finding the solution collectively, jointly, is even better. There are organizations, for example, where information flows through management lines. In some instances, you don’t want to have that filter in between. Or in local committee meetings, people need to have that invite to speak up. You want them to take that seat at the table and to simply speak up and feeling also supported by that functional line. Specific examples are perhaps difficult to give. Although many come to mind, also having worked in Singapore, for example, and having been in that region. In that region, you see so many different flavours in terms of how people from a local cultural perspective – not ING – it’s something to accept, but particularly find the common denominator, ING, in terms of what we stand for and how we want our employees to stand up, to speak up. For us to listen up as management and also have those discussions about management. So if you look at examples, one of the things that we did introduce to encourage this is what we call behavioural risk management, so behavioural risk assessments. To your point of different cultures, understanding that better, understanding the dynamics in a room or understanding the dynamics of a whole system in the room, because we’re working in an ecosystem in KYC first, second and third line. We have introduced behavioural risk assessments. So it’s really all about the behaviour of the group, understanding the dynamics.

Jeroen: So it’s an assessment of the group, not of individuals?

Rein: Absolutely. It’s the natural patterns you see in every relationship, within families, for example. If you step back into that family, you go back into your childhood, for example, in terms of that position you have within that family. And that’s simply present everywhere. And those families we have in every location across communities that we have. And for that reason, to understand it and to address it, we have behavioural risk assessment, for example, really focused on behaviour, on the common side, to understand it and to have a discussion around it. As reports being discussed, for example, at the local executive committee and different environments that we assess and having that discussion, trying to understand what’s happening, that already means a lot. Because it makes people conscious, who were previously unconsciously and perhaps incapable of addressing it, now becoming consciously capable around these important topics.

Compliance Adviseert.

Jeroen: You mentioned a couple of times during this conversation that you run transformation programs. I think it’s very interesting for many different angles, but one angle I wanted to discuss with you is that transforming larger organizations like yours is difficult because you need to get people on board to join the bandwagon of a certain direction you want to go to. What is really the starting point to get the organization into a transformation?

Rein: The starting point is what we started with, it’s the why. It’s the emotional connection that you really would like to establish so people understand why that new dot on the horizon is put on our agenda. What is in it for them? What does it mean to them? So how we started our transformation is really having the locations involved in this actively. So we had ambassadors of the biggest companies and small companies being part of the workgroups that defined the design principles. Design principles that we wanted to all adhere to. So to put it on the horizon, to design the principles along which we wanted to be organized and why we wanted to be organised that why was a common achievement. Not something coming top-down into the locations for them to simply accept it. That was carried by them, so it made the product of that really one that they felt proud of. Feeling part of it, having had the influence to be part of it, I think that makes a mild difference for people to feel, “I own this as well. I’ve defined this, or at least my represented have defined it locally.” With everyone around the world and also the teams that we have in the Netherlands, that was the biggest starting point of it. Talking to people, “Why do we need to change? What requires changes subsequently as well?” It’s that advisory, it’s that owner, it’s becoming more comfortable with data-driven, becoming more comfortable with risk-based and having a different mindset towards the same types of topics, and also introducing new people. Experience that from outside, to teach and educate, take our internals along. Because ultimately, that’s also the commitment that we have to our people, to really upgrade them continuously in the sense that takes the outside in perspective. To create a community that is going to be fit for the future. All of them have gone through assessments, so our leaders globally have gone through their assessments to establish their development, so we can help them with that. We’ve gone through a risk compliance corporative that helps to give metrics to rely on so that they don’t have to look for everything locally, to turn every peddle, to know where they need to focus on. So in terms of transformation, design principles starting with involvement, consciously really well-meant involvement in terms of, “We want you to be involved, we want you to have a voice, and we actively listen to this, and we follow up on it”, I think that has been crucial. What did help, perhaps a bit strange, is corona. Because it also gave us the opportunity to directly reach much more people. It’s bad to say that in the past, we were much more the traditional communication through the lines into the rest of the world, while now we have town halls, ‘ask me anything’ sessions, webinars where everybody can participate in. Everybody has a voice at the table, whether you just joined ING as a fresh from college or you’ve been with ING for twenty years and a super senior specialist, it doesn’t matter. All of them have that seat at the same table and I think that is something that really has established to build that community, that people felt being part of. Because they really felt part of being part of a country. And I also dare to say they really feel part of one compliance of that family. And that really has changed a lot, because now we’re thinking in collective, rather than in local interest only. And that’s always about reasonable compromises and as long as people understand the reasonable compromise is helping us collectively, might give in a bit here and there locally. And equally, the opposite, that has moved the needle for us and that’s something why we are at a completely different maturity today than we were three years ago.

Jeroen: Makes total sense! A couple of last questions to wrap this podcast up, although there are many other areas we could go into. One follow-up on this one, because I think it’s super strong that you start from the why. Because if people understand why you’re doing something, you want to do it intrinsically instead of it being forced upon you or anything else. Is it always clear for you why you’re doing certain things, and you have to do certain things?

Rein: It’s never clear for everybody why. But I always try to understand the why, so if it is not clear, I will definitely search for the why. Because if I don’t have the why, it’s also more difficult for me to understand the agenda of the person asking me the why. So in order to satisfy that agenda, but also to get the compliance agenda out of the same discussion, the why is truly important.

Jeroen: What do you do, practically speaking, to find out yourself? Because I think most things you probably know why you’re doing it. It’s pretty clear to you, but sometimes you maybe are trying to make up your own mind on why you’re doing certain things or why you have to do certain things. What do you do?

Rein: Ask the question, “Is there a simple answer?” I really ask the question. So if it’s not clear why we’re doing certain things, it’s also the purpose behind it that gives me context to then define the what. I cannot challenge the what if I don’t understand the why. It’s really going into the next question in terms of asking the question of why and to explore that. Because otherwise, it’s very difficult to explain it to the organization or to challenge the what in itself. That in itself would not be the right approach for me.

Jeroen: It sounds like you just ask people around you in your management teams and everything, “Why are we doing this?” So it sounds like you ask this question quite often then?

Rein: I do, but particularly also my people do that. If you want to change something, something we’ve always done in a certain way, it’s very easy for the organization to stick to it and no longer ask the question of why, but just focus on the what. In order to change things, you really need to continuously ask the why question to reinvent yourself and to reinvent your organization. Even an incremental change.

Jeroen: Another large theme that has come back during this conversation a couple of times, but also in society at large and among banks is the whole AML approach and how to make it more effective. And also one component of this is, take the Netherlands or any other country, around 13,000 people are working in this field, only in the Netherlands. There are the same numbers in relative terms to other countries, the same story. Will this stay like that, or can we probably at some point go back to a situation that we’ll only have a few thousand people working in this field? What’s your opinion on that?

Rein: I think it’s about the numbers, it’s about the effectiveness. And ultimately, that will influence numbers, because obviously, there is a bit of a loaded message in what I’m saying, and what I’m trying to say is that where we’re coming from is rule-based. That’s how we grow up, that’s how we internally grew up. That’s how a supervisor grew up, it’s also how the law probably requires us to behave. So in order to change, you need to really rethink the why. What are we trying to establish here? That’s simply leaving a big impact on fighting financial crime. So that requires you to be more risk-based. If you want to go spear-fishing, knowing where that fish is rather than being gray land on the sea with the nets out, also means that you need to accept that you will not look at everything. So in terms of moving into the future and being more effective about it, I do think that it will be more effective. It probably will also be more efficient, so lower numbers on the back of that. And those are the healthy discussions we’re currently having. DNB is progressing, the NVB is progressing, we are all contributing to it. But it needs to pick up in pace, and it needs to pick up in being comfortable within that discussion. It’s very difficult if you come from a different environment to change that overnight. So it will take some time. But the numbers, I’m sure, will be different if you look at TMNL, if you look at initiatives, we can do so much more when we go into sharing information, when we’re going to be focused on criminals with a bigger capital c, rather than needing to check everything, treating everybody as a criminal through our transaction monitoring systems, individual banks. Clearly that will have a positive impact in terms of efficiency, but more importantly, it will have an impact on effectiveness. And that is what this is all about.

Jeroen: A very clear theme in this podcast is the why. The last two questions from my side. One is, we’ve asked every single guest on this show: do you have particular tips for either your fellow Chief Compliance Officers or other people in the compliance field?

Rein: One of the things that has always helped me is to keep that open mind. And with that, I mean the following: when I say ethical courage beyond corporate responsibility, clearly there’s sometimes also a message that not everybody is yet ready to hear. So as a CCO, you do not just have the obligation to make sure that you obey the rules and regulations, but also to navigate and to shape the ethical part, the integrity part. And typically, that is not yet captured in rules and regulations. Because they always follow the music. So they capture change in society, which is always lagging behind. So in order to be ready for the future, that voice requires hearing. And for me, that helped me to really be in different positions, before I became the CCO of the organization, to have a better understanding of different agendas. To understand the first line and the second line, coming from a legal background. So try different things, give yourself different perspective and particularly, be willing to risk your position by speaking up. Being that independent voice, I think that is really important. That independence of being the challenger and being the mirror for the organization, that requires being comfortable doing exactly that.

Jeroen: Sounds like you should not be afraid.

Rein: It’s exactly that, yes.

Jeroen: Wonderful! The last question from my side, is there anything you would have loved to share here or that I should have asked you or anything else you would love to bring to this podcast episode before I will thank you for this great conversation? But I will come back to that in a second.

Rein: If there’s anything, I think what you see within compliance as an industry is that it’s really maturing. The beauty of maturing is that you can really shape and create. And the shaping and creating is also learning from other environments that have matured. I think that is something that we also see in the industry, that we also see within ING and that road that we have been on, the transformation road, we came from an environment that really had to improve to where we are today. I think that ability to define where we become who you are and becoming who you are in terms of being a function where the tail that moves the head is not something that requires being said, but it’s the movement that you orchestrate within the organization and that movement is one where you move the maturity of the organization particularly from a second into a first line. That transformation component, perhaps we didn’t touch enough upon it, but that is one that is close to my heart. Again, going back to ING, that gives me a lot of energy, the impact that we can have for the organization for the right reasons, for the better.

Jeroen: Wonderful. That energy is exactly where I want to thank you for and all the stuff you’ve brought to this conversation. It’s really great, and you’re very eloquently discussing all these different topics from all different angles and directions. So I want to thank you for that, for taking the time to talk to Compliance Adviseert. It was a very, very interesting and nice conversation to have. So thank you very much for your time. I’m pointing to it right now, but listeners can’t see it, I’m going to give you a small present to thank you for taking the time. I hope to have you back at some point at the show to see where you are at that point, maybe in two or three years or any time you are willing to join this podcast. So thank you so much!

Rein: Thank you for having me, and I’d love to be back. Thank you!

You’ve been listening to Compliance Adviseert, made with the help of Hyarchis, Partner in Compliance, Deloitte and De Volksbank. Would you like to know more or leave us a comment? You can do this on our LinkedIn page. If you follow us there, we’ll keep you up to date with our new episodes. We’d be grateful if you could leave a review and tell others about this podcast. Also, don’t forget to check out the other podcasts on our channel, there is bound to be something for you.

Vul hieronder je e-mailadres in om op de hoogte te blijven van Compliance Adviseert