“If you look at the landscape pre-financial crisis, i.e. in 2006-2007, compliance looked very different than it does now,” said Latham & Watkins partner Dr. Finn Zeidler. “In the meantime, compliance in the financial services industry has massively developed.”

Frankfurt-based Zeidler practices in Latham’s global Litigation Department. He acts for clients in the context of regulatory and criminal investigations and compliance matters, in particular in the financial industry, and he has a broad German and international litigation and arbitration practice. Zeidler spoke at the March 23-24, 2015, Anti-Corruption & Compliance Summit held in Berlin, Germany, as part of a panel discussion titled “Sanctions and the Financial Industry – Perspectives from both Sides of the Atlantic.”

In this lw.com interview, he shares some best practices related to internal controls, discusses the challenges that can arise if a European financial institution is under investigation by the US government, and looks at the discrepancies between US and European Union (EU) sanctions programs.

What are some of the best practices members of the global financial services industry must implement to improve their compliance and internal control systems?

Zeidler: Whether it is anti-money laundering (AML), sanctions, core capital requirements, misselling or securities fraud, the procedural weaknesses you see are very often similar.

I think the most important issue is tone from the top. Bank executives must emphasize the negative impact compliance violations can have on their institutions on the one hand, and on the careers of individuals in the financial industry on the other. It is a fact that many banks had to pay a lot of money to governments worldwide because individuals within those banks did not comply with the law at the time. Some individuals thought that financial institutions were more concerned about short-term profits than the long-term consequences of compliance violations. That is obviously wrong, but still bank executives must continue to stress how important compliance is.

If there are complaints coming up the chain of command, or internal audit or the compliance department discovers problems, it is critical that these problems are investigated properly. Most of the issues I have seen during my career in and beyond the financial industry that gave rise to risks and resulted in huge fines had been raised internally but not sufficiently investigated. You have people who raised their voice internally, but other departments or superiors did not sufficiently address and mitigate these risks in a timely manner.

Communication must extend across regions, departments and hierarchies. In my observation, the greatest obstacle to a working compliance and internal controls system is ineffective communication because people are in silos. For example, Department A changes a practice because it has perceived a compliance weakness, but Department B does not know that such a change has happened and continues with the questionable practice. Department B should at least be aware of the change in practice and think about whether it is necessary to make it as well. This does not necessarily mean that one size fits all, but events that trigger changes in one department should be communicated to and considered by the other departments. What you require is a holistic view.

What are some of the compliance challenges facing German and other European financial institutions that come under investigation by US government prosecutors?

Zeidler: One issue of particular interest is the different understanding between the regulators and prosecutors in the United States and Europe, Germany in particular, when it comes to data privacy with respect to bank employees in the context of internal investigations. The understanding of what is private data, and therefore particularly protected, is fundamentally different between the US and Germany.

In Germany, an employee’s business phone number or professional title is regarded as private information that must not be handed over to a prosecutor in the US, at least not with further safeguards. Even the names of employees are often considered as no-gos — which means a German financial institution facing a US government investigation could have its hands tied when it comes to really cooperating.

You have to really work on sorting these questions out on a case-by-case basis because, again, no one-size approach fits all. You have to look into what kind of investigation it is, who is asking the questions, what kind of data can be produced, where the data needs to be redacted, or where code names and numbers need to be used.

Are European employees legally required to participate in US government-run investigations?

Zeidler: As long as the individual remains abroad, the US government cannot make them appear for an interview. And it is questionable as to what extent a European bank can oblige its employees to sit down for an interview with US investigators.

In practice, a bank should explain to an employee why the US government wants certain information and why cooperating should not be harmful to the individual employee. To prove that point, the bank can provide the employee with an independent counsel, and the employee can ask their independent counsel whether revealing their past actions as part of an investigation exposes them to any risk. The employee then gets the reassurance that it is not harmful but rather helpful to sit down with the US government — with certain protections. It is a huge help to the bank if its employee decides to cooperate.

Depending on the risk appetite of the individual employee, one can arrange the meeting in different ways. For example, we have conducted interviews in London, which is more neutral ground for German individuals, and in New York and Washington, D.C. There are a variety of options we can present to people.

What types of discrepancies exist regarding sanctions laws in the US and Europe?

Zeidler: There is a discrepancy between the list of sanctioned countries in the US, on the one hand, and European countries, on the other. The simplest example is Cuba. Some of the European banks that are doing business out of New York are subject to the definition of US persons and are not allowed to do business with Cuba because of the US sanctions. In contrast, the European Union takes a different approach and is supportive of companies doing business with Cuba because it believes such actions will ultimately undermine communism.