ARC (trade) talks with... Bas Mol, Head of Compliance & Privacy

December 6, 2021

To keep close track of developments in our field, we interview a practitioner expert every month. In a series of interviews with people with final responsibility for audit, risk and/or compliance and we ask the question: what developments do you see and how do you deal with them? This month we talk to Bas Mol, Head of Compliance & Privacy at BPD Area Development.

Can you tell a bit about BPD; what are BPD's activities, who are BPD's customers, what is BPD's objective and what is your role in this?

'BPD Area Development is an area developer that has been realizing living environments in the Netherlands and Germany since 1946. Since our founding 75 years ago in 1946 - then still under the name of Bouwspaarkas Drentsche Gemeenten - BPD has now facilitated the construction of more than 365,000 homes. BPD is committed to inclusive living environments with attention to the physical, spatial and social dimensions of housing. BPD does this from the social conviction that everyone has the right to a pleasant and affordable home in a pleasant living environment. And we will continue to do so so that fine living will remain possible for generations to come. 

'BPD focuses on all segments of the housing market. BPD's target group is everyone in the Netherlands with a housing need. So we realize social housing, but also more expensive owner-occupied apartments and everything in between. Our main partners are municipalities, provinces and housing corporations. In addition, we have cooperation partners that we engage to realize our projects, such as contractors, architects and brokers. BPD's ultimate customers are the residents of our living environments.'

'The Compliance & Privacy department currently consists of four people, which I lead. The department contributes to the pursuit of a healthy integrity climate within BPD by, among other things, drawing up compliance and privacy policies, providing advice, carrying out monitoring activities and facilitating and activating colleagues to act with as much integrity as possible.' 

BPD is a subsidiary of Rabobank. Can you tell if, and how, this affects BPD's Compliance & Privacy department?

'BPD is an independent subsidiary of Rabobank. As part of a bank, the guidelines and requirements for compliance and acting with integrity are high - and thus perhaps higher for BPD than for other players in our field. On the other hand, that is also precisely something we ourselves want.' 

'Ultimately, as BPD, we ourselves are responsible for running our business with control and integrity and managing our compliance risks. So for the Compliance & Privacy Department, being part of a bank is not necessarily a disadvantage. It suits BPD that, as a company, we want to take responsibility for practicing our profession responsibly and reliably. As a market leader, we owe it to our standing. In consultation with Rabobank, we determine which regulations and guidelines apply to BPD and how we can best organize this within our organization in order to minimize compliance risks.'

What are the advantages and/or disadvantages of being a subsidiary of Rabobank?

'As mentioned, there are certainly advantages to BPD being part of a bank. Banks and financial institutions have shown in recent years that they take issues such as compliance, integrity and privacy - rightly so - very seriously. The bar is therefore high at Rabobank and therefore automatically at BPD as well, also because as an organization we obviously want this ourselves.' 

'There are disadvantages, of course. BPD is an area developer and that is a very different business from banks and financial institutions. BPD therefore has a very different risk profile than Rabobank and the size of the company - 350 employees in the Netherlands and 350 employees in Germany - is also different. As a result, many of the bank's guidelines and requirements cannot be integrated one-to-one within BPD - or that requires other, more risk-based, solutions to still manage the risks as much as possible.' 

'The pressure on banks (from their gatekeeper function) regarding regulations is increasing, especially when you talk about KYC (Know Your Customer) related issues. Because we are a subsidiary of Rabobank, we also feel this pressure. BPD, for example, also has to comply with sanctions legislation while the risks in this area are much smaller for our company than for a bank. These kinds of issues sometimes lead to hefty discussions with Rabobank, and because the pressure on banks in this regard will increase further in the future, we will have to keep having these discussions. Of course, we always come out of it.'

What do you think is the most important task of the Compliance & Privacy department within BPD, and how do you implement it?

'Being compliant with internal and external laws and regulations and acting with integrity is a task for all employees within BPD. In addition to the more traditional compliance tasks such as drawing up policy, monitoring, following up incidents, performing risk analyses and reporting to BPD's Managing Board and the Rabobank shareholder, the Compliance & Privacy department also plays an important role as the guardian and booster of integrity. It is important here that there is and remains a continuous focus on culture and behavior within the organization. We do everything in our power to create an open culture in which colleagues raise the alarm beforehand and dare to ask for advice, instead of people being afraid of possible consequences, not reporting incidents and having to fix things afterwards.

"In order to achieve this open culture, we as a Compliance & Privacy department pay a lot of attention to the themes of culture and behavior, for example through a biannual integrity measurement. This measurement gives us as a department a good picture of the culture and behavior within the organization. The points that emerge from this measurement are discussed in detail during dilemma sessions. These points are also discussed with the managements of the various regions and it is determined what actions will be linked to them. Specific actions are therefore linked to the results of the integrity measurement'.

'Besides the role of culture carrier, I also see it as an important task of the department to act as a catalyst for change. With a rapidly changing landscape of regulations, shareholder demands, COVID situation and further digitalization and automation, you could actually say that change is the only constant. In my opinion, Compliance departments should more often take the lead in (helping to) shape the changes in organizations - and thus the culture of the organization. They should be able to bring about change more often by identifying where improvements are needed in the organization and by serving as a countervailing power even more than before. Currently, compliance departments are still too often an island within an organization. More connection should be sought with the rest of the organization. They do not only have to be restrictive from a risk management perspective, but can also be proactive from a vision of who you want to be as an organization and where you would like to go.'

What are the biggest challenges currently facing BPD and in what ways can the Compliance & Privacy Department contribute to these challenges?

'The Compliance & Privacy department is going through a professionalization process within BPD. We see that due to increasing legislation and regulations, increasing regulatory pressure from our shareholder, but especially also due to our own desire for a professional compliance organization that is demonstrably in control, there is a need for a next step. This is also in line with BPD's growth ambition. As a result, the department is seen less as the 'policeman' and more as a sparring partner for BPD employees and countervailing power for the Managing Board. The department is increasingly fulfilling an advisory role and is also more likely to be involved by colleagues in issues. A good development if you ask me, because it puts you in charge much earlier and much more proactively to prevent and/or limit any compliance risks.'

'Furthermore, we have a very strong focus here on the soft controls of the organization. Of course, this is a theme that has received more prominent attention within the compliance domain in recent years, but I see that we can really make a difference here at BPD as well. Continuous attention to themes such as accountability, transparency and exemplary behavior ensure that these determinants of culture really come to life within the organization. In this way we not only realize more visibility for the department, but also more awareness of the importance of a good solid compliance organization.'

As a Compliance & Privacy department, how do you ensure that all the rules, standards, policies and procedures you implement as a department are carried within BPD by both the board and employees? 

'There is continuous coordination with the Managing Board on the interpretation of our compliance policy. They are ultimately the main owners of compliance and integrity within BPD, so the mandate - and also exemplary behavior - of them is important. In order to get all the policies, regulations and procedures in our company between their ears, we provide mandatory e-learnings, additional knowledge sessions, quarterly meetings, blogs and structural communication for employees, among other things. It is mostly the power of repetition that counts.

'In addition, I think it is very important that we as a department can explain well and clearly why it is so important for us to be compliant as BPD. We work in a sector where the stakes and associated risks are high. That is precisely why it is important to be able to explain clearly what our role in this is. We also talk to employees about integrity and what is expected of them through, for example, dilemma sessions. That is why it is also good that employees see us as a department that can provide them with advice on how to make the right decisions. In practice, we also see that colleagues are finding it increasingly easy to find us. We want to build on that in the coming period. 

What is your vision for Compliance; what is the core?

'Compliance is about behavior and not checklists, it is actually at its core. The definition of compliance which is also used in the Compliance & Integrity Management postgraduate course - Promote and maintain compliance with national and international regulations as well as internally imposed rules, standards and regulations to protect the integrity of management, employees and the organization, with the aim of mitigating the resulting risks to the organization's core objectives - is, of course, wonderful, but can simply be summed up in that one important word: behavior!' 

What developments are you currently seeing in the Compliance profession and how do you feel about them?

'In line with the above about the core of compliance, I fortunately see more and more breeding ground for that approach. This is partly due to all the hard work that Sylvie Bleker (Professor of Compliance & Integrity Management, VU University Amsterdam), for example, has done for the field. She also states very clearly and rightly that the accumulation of compliance rules has created false security. Many organizations do not focus on the core objectives of their organization and the behavior of their employees, but are busy surviving in a forest of rules. Ticking off procedures and blindly focusing on processes is a priority, but there is no time to monitor compliance. And as soon as an incident occurs, supervisors or commissioners often call for new rules again.'

I believe that the field is and will remain in a state of flux, but that a transition is taking place towards a structurally different way of looking at things and acting. This requires the ability to change and courage, but I firmly believe that this is the only way to make a difference. In any case, the development towards (even) greater attention to the behavioral aspect and the management and support thereof is very interesting.

What makes the field of compliance interesting to you?

'I more or less mentioned it above. It is precisely the behavioral aspects that make this field so incredibly interesting. Of course, the cliché is also that compliance is different every day - and it really is - but it is the enormous transition the field is going through that makes it so much fun. There is still so much to discover and so much else to do. When you see that compliance has evolved from a "back room" and technical, restrictive role to a more strategic forward-looking management function, the eyes and ears of management and the catalyst of change within organizations, in just a 20-year span. Then you can imagine many interesting developments to come.'

Marc van Heese RO RE CIA