Categories
Compliance Tip of the Day

Compliance Tip of the Day: TD Bank Lessons Learned – New and Emerging Risks Demand Action

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

If you develop new products and services, you must assess those offerings as new compliance risks to manage.

Categories
Blog

Compliance Lessons from Boris Karloff’s Frankenstein

Ed. Note: This week, leading up to Halloween, I will examine lessons for compliance professionals through the lens of the great Universal Movie Monsters: Frankenstein, Wolfman, Dracula, and The Mummy. First up is Boris Karloff’s film version of Frankenstein. 

============================================================

The 1931 classic Frankenstein, starring Boris Karloff as the iconic monster, offers more than gothic horror. It provides a rich framework for understanding corporate compliance. The film, adapted from Mary Shelley’s novel, tells the story of Dr. Henry Frankenstein, whose ambition to play God results in the creation of a monstrous figure. While focusing on the horror elements is easy and fun, a closer analysis reveals valuable lessons for compliance professionals and business leaders alike.

We will explore how this film version of Frankenstein mirrors real-world compliance challenges and how its themes of ambition, unchecked power, and ethical negligence offer critical insights into today’s corporate environment. We will also consider how Frankenstein offers a range of corporate compliance lessons that resonate with the key points raised by Nicole Argentieri in her recent speech to the Society of Corporate Compliance and Ethics (SCCE) and the 2024 Evaluation of Corporate Compliance Programs (2024 ECCP).

The Perils of Ignoring Ethical Oversight: Frankenstein’s Creation and Corporate Risk

Dr. Frankenstein’s pursuit of creating life was a scientific marvel, but his failure to consider his work’s moral and ethical implications led to his downfall. His ambition closed his eyes to the responsibilities that come with power and innovation. This reflects a critical issue for corporate compliance: the danger of ignoring ethical oversight in the rush to achieve business objectives.

In her SCCE speech, Nicole Argentieri highlighted the importance of ethical decision-making and the need for leadership to embed compliance into every facet of business operations. The 2024 ECCP emphasizes that compliance officers must have the authority and autonomy to act independently and influence decision-making at the highest levels of an organization. Just as Frankenstein lacked the oversight to rein in his dangerous experiment, a lack of oversight in corporate governance can result in catastrophic outcomes.

The clear lesson for compliance professionals is that organizations must prioritize ethical oversight and ensure compliance is involved in strategic decision-making. As the 2024 ECCP advises, having a strong compliance function with direct access to the board of directors can prevent “Frankenstein-like” risks from spiraling out of control. Ethics cannot be an afterthought; just as Frankenstein learned too late that his creation needed more than raw ambition, organizations must recognize the importance of ethical governance before it’s too late.

Risk Management: Expecting the Unexpected

One key reason for Frankenstein’s failure was his inability to anticipate the risks his creation posed. He believed he could control the creature, but without proper planning, things quickly spiraled out of control. This is a critical lesson in risk management for any organization. The creature was the manifestation of uncalculated risk—an outcome born of Dr. Frankenstein’s failure to consider the “what ifs.”

Argentieri’s speech and the 2024 ECCP emphasize the importance of addressing emerging risks and implementing proactive risk management strategies. As business models evolve, new risks emerge, and compliance professionals must be vigilant in identifying and addressing them before they become uncontrollable.

Compliance professionals should continuously evaluate and adjust their risk management strategies. This aligns with Argentieri’s recommendation that compliance programs must be agile and anticipate emerging risks, especially in areas such as new technologies, cybersecurity, and third-party relationships. A comprehensive risk management process that includes scenario planning and stress testing can prevent corporate “creatures” from escaping the lab and causing damage.

Accountability and Governance Failures

Dr. Frankenstein operated without accountability, answerable only to himself. His lack of governance resulted in a situation without checks and balances on his actions, and his poor judgment led to tragic consequences. The creature’s actions, while horrifying, can be traced back to Frankenstein’s governance failures.

Argentieri emphasized in her SCCE speech that the DOJ expects organizations to maintain a strong compliance culture backed by a governance structure that holds individuals accountable for their actions. The 2024 ECCP builds on this expectation, stressing that compliance programs must ensure accountability at all levels—from executives to front-line employees.

Effective compliance programs must have strong governance structures to hold individuals accountable for their decisions. This is more than just ensuring policies are in place; it’s about creating a culture where employees at every level understand their ethical responsibilities. Just as Frankenstein should have been accountable for the consequences of his experiment, corporate leaders must be held accountable for the risks and decisions they make within the company.

The Ethical Consequences of Secrecy

In Frankenstein, secrecy plays a critical role in Dr. Frankenstein’s downfall. He isolates himself from his peers, hiding the details of his experiments out of fear that others will not understand or approve. This secrecy prevents him from receiving the input and guidance that could have prevented disaster.

Similarly, corporate secrecy can breed ethical violations. In her speech, Argentieri discussed the importance of transparency in compliance efforts, particularly when addressing misconduct. The 2024 ECCP emphasizes open communication within organizations, noting that secrecy or a culture of silence can lead to deeper ethical violations, regulatory breaches, and, ultimately, significant legal consequences.

Compliance professionals must constantly work to foster a culture of transparency and open communication within their organizations. Indeed, the DOJ sees compliance professionals as the holders of institutional justice and institutional fairness in their organizations. Employees should feel empowered to raise concerns without fear of retaliation. Compliance professionals should encourage whistleblowers, monitor for red flags, and ensure that no department operates in secrecy. In the same way that Dr. Frankenstein’s isolation led to his downfall, a corporate culture of secrecy can result in unethical behaviors festering in the shadows.

Remediation and the Need for Swift Action

One of the more tragic elements of Frankenstein is Dr. Frankenstein’s inability—or refusal—to remediate his mistakes. Instead of acknowledging the harm his creation causes and taking steps to stop it, he spends much of the film trying to avoid responsibility. This refusal to act only exacerbates the problem, leading to even more destruction.

In her SCCE speech, Argentieri emphasized the importance of remediation when compliance issues arise. The 2024 ECCP reinforces this point, stating that companies must take swift action when misconduct occurs to address the immediate issue and prevent future violations. A failure to remediate can lead to a loss of trust from regulators, stakeholders, and the public.

Companies must act swiftly to remediate any ethical or compliance violations. This means conducting thorough investigations, holding wrongdoers accountable, and implementing corrective measures to prevent similar issues in the future. Dr. Frankenstein’s inaction led to tragic consequences, and in the corporate world, failure to remediate can result in reputational damage, legal penalties, and a loss of public trust.

Creating a Culture of Compliance and Ethical Awareness

Ultimately, Dr. Frankenstein’s downfall can be traced to his failure to create an environment that valued ethical considerations and accountability. He was driven by ambition without the ethical grounding to manage his creation responsibly.

Argentieri’s speech stressed the importance of building a culture of compliance and ethical awareness within organizations. The 2024 ECCP echoes this, highlighting that culture is the foundation of an effective compliance program. A company’s culture should not only encourage compliance but make it clear that ethical behavior is a core value of the organization.

Compliance professionals should focus on building a strong ethical culture within their organizations. Compliance programs are most effective when employees at all levels buy into the company’s ethical mission. Training programs, consistent messaging from leadership, and visible consequences for unethical behavior are all crucial components of creating this culture.

The Boris Karloff version of Frankenstein may be categorized as a horror film, but its compliance lessons are relevant to any organization today. From respecting ethical boundaries to the importance of accountability, risk management, and training, the film underscores the dangers of unchecked ambition and the value of thoughtful, well-designed compliance frameworks. As compliance professionals, we must ensure that our organizations don’t become modern-day Frankensteins, creating monsters we cannot control.

Join us tomorrow as we consider the corporate branding lessons for the compliance professional from the Bela Lugosi movie version of Count Dracula.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: TD Bank Lessons Learned: Putting Profits Over Compliance Will Always End Poorly

Cutting costs in compliance and reducing head count will always be a path to wreck and corporate ruin.

Categories
Innovation in Compliance

Innovation in Compliance: Monica Goyal on Tech-Driven Solutions for Law Firms

Innovation comes in many areas and compliance professionals need to not only be ready for it but embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. This month’s sponsor of Innovation in Compliance is Athennian.

In this episode, Tom welcomes Monica Goyal, the Vice President for Legal Innovation and Lawyer at Caravel LLC and Briefly LLC, to explore the transformative potential of technology in the legal industry.

Monica has a non-traditional journey to the legal profession, beginning with her educational background in electrical engineering and firsthand experience in Silicon Valley. From this perspective and after law school and work in the legal field, she observed multiple process inefficiencies. She discusses how advanced technologies like generative AI and data analytics can address these inefficiencies, improving corporate governance, contract management, and the overall delivery of legal services.

Monica highlights the importance of legal innovation officers in law firms and the role of Caravel Law’s unique model in providing backend support to legal professionals, allowing them to escape administrative tasks and focus on core legal work. She also touches on the innovative concept of fractional in-house counsel, which serves businesses needing more support than external counsel without the full expense of a general counsel. Listeners will gain insights into the growing necessity for legal tech skills and the benefits of tools such as Athennian for document automation. Monica underscores the value of emerging technologies and encourages further exploration of resources like Caravel and Briefly for legal professionals.

Key Highlights:

  • Monica Goyal’s Unique Journey into Law
  • Innovations in Corporate Legal Departments
  • Communicating Tech Solutions to Legal Professionals
  • Caravel’s Unique Business Model
  • Management with Athennian
  • Future of Legal Tech and Data Analytics

Resources:

Monica Goyal on LinkedIn

Caravel LLC

Athennian

Tom Fox

Categories
Compliance Tip of the Day

Compliance Tip of the Day: TD Bank Lessons Learned – What Does AML/BSA Enforcement Have to Do With ABC?

Why does every type of compliance professional need to study the TD Bank enforcement action?

Categories
Adventures in Compliance

Adventures in Compliance: Compliance Lessons from The Adventure of The Blanched Soldier

In this new season of Adventures in Compliance, host Tom Fox takes a deep dive into the Sherlock Holmes collection The Case-Book of Sherlock Holmes by Arthur Conan Doyle. It is the final set of twelve Sherlock Holmes short stories by Arthur Conan Doyle, first published in the Strand Magazine between October 1921 and April 1927.

In this episode, we consider the story “The Adventure of the Blanched Soldier.” In this story, Sherlock Holmes investigates a case involving a missing man and an unusual illness, revealing a family secret in the process. This story provides several valuable compliance lessons for the 21st-century compliance professional.

“The Adventure of the Blanched Soldier” teaches us that transparency, due diligence, and the ethical handling of sensitive information are core components of an effective compliance program. Holmes’s methods remind us that ignoring or concealing potential risks can have far-reaching consequences.

Highlights Include:

  • Transparency and Ethical Duty
  • Due Diligence and Investigation
  • Confidentiality and Sensitive Information
  • Responsibility to Act
  • Health and Safety Compliance

Resources:

The New Annotated Sherlock Holmes

Sherlock Holmes FAQ by Dave Thompson

For an audio/video version of the Compliance Kids book, Speaking Up is AWESOME, contact Tom Fox.

Categories
Compliance and AI

Compliance and AI: Navigating AI Compliance: The EC Gang Reviews The 2024 ECCP

What is the role of Artificial Intelligence in compliance? What about Machine Learning? Are you using ChatGPT? These questions are but three of the many questions we will explore in this cutting-edge podcast series, Compliance and AI, hosted by Tom Fox, the award-winning Voice of Compliance.

In this episode, Matt Kelly leads the Everything Compliance quartet of Susan Divers, Jonathan Marks, Karen Moore and Tom Fox through a look at Compliance and AI from the prism of the 2024 Evaluation of Corporate Compliance Programs (ECCP).

Kelly examines the complexities of integrating artificial intelligence into corporate compliance frameworks, highlighting the DOJ’s recent guidance on managing AI risks as laid out in the 2024 ECCP. In Deputy Attorney General Nicole Argentieri’s SCCE speech, she noted the overlooked AI risks and compliance requirements and emphasized the need for businesses to assess both internal AI applications and external threats from malicious uses by scammers or fraudsters.

The gang then delved into the dual aspect of AI risk—its creation and reception—and underlined the importance of comprehensive risk assessment and control measures in AI deployment, such as developing bug bounty programs and ensuring anti-fraud mechanisms are robust. We explored the role of compliance officers in AI oversight, focusing on the challenges in governing AI-generated decisions compared to human actions. With various insights on the legal and operational aspects of AI compliance, the discussion urges companies to evaluate the implications of AI use, both in risk management and ethical execution.

Key Highlights:

  • Understanding AI Risks
  • Compliance Guidelines for AI
  • AI in Fraud Prevention
  • Challenges in AI Oversight
  • Compliance Officers and AI
  • Model Validation and AI

Categories
Blog

TD Bank: Part 4 – Watergate, Actual Knowledge and Conscious Indifference

Mike Volkov often told the story of watching the Watergate hearings as a teenager and of their being a seminal influence on his later professional life in the legal profession and government service. It was my first exposure to long-term Congressional hearings, at least when they were not the claptrap theater we have in place today. Perhaps the single thing I remember the most clearly was Tennessee Senator Howard Baker’s question, “What did the President know, and when did he know it?” The answer that we learned during the Watergate hearings was that President Nixon had known all along that the crimes of Watergate originated in the White House. Today, I want to use that question to explore what TD Bank knew, when they knew, and what that tells us about the culture of the world’s 30th-largest bank and 10th-largest bank in the US.

Prior OCC, FinCEN, and DOJ Enforcement Actions

In September 2013, the OCC and FinCEN levied a $37.5 million civil monetary penalty against the Bank for violating the Bank Secrecy Act (BSA) related to a Ponzi scheme run by a Florida attorney. Despite the numerous AML alerts triggered by its transaction monitoring system, the Bank failed to identify and report approximately $900 million in suspicious activity. This failure stemmed, in part, from inadequate anti-money laundering (AML) training for both AML and retail personnel. FinCEN emphasized that poorly resourced and trained staff managing critical compliance functions is unacceptable, underscoring the importance of adequate training and resources in compliance programs.

Following these enforcement actions, the Bank needed to adapt its transaction monitoring system to address its deficiencies substantively. The OCC had directed the bank to establish policies and procedures that could respond systematically and promptly to environmental or market changes, such as developing new monitoring scenarios. However, the bank’s failure to implement these recommendations meant it could not effectively mitigate emerging risks. This oversight revealed significant gaps in the Bank’s AML compliance efforts, particularly its ability to adjust its program to evolving threats.

In 2015, the OCC instructed the Bank to enhance its transaction monitoring program for high-risk customers, who were subject to the same scenarios and thresholds as the rest of the Bank’s customers despite their higher risk profile. In 2016, the AML function and the Bank technology teams began to develop new high-risk customer scenarios. That effort was put on hold in October 2016 by AML executives due to a lack of resources. After being briefly revived in early 2017, this project was again put on hold, this time by the head of AML at the Bank partly due to “cost.” Although US-AML leadership informed the OCC during its 2017, 2018, and 2019 examinations that these scenarios were in development, the Bank never implemented the required enhanced transaction monitoring of high-risk customers. By 2018, the OCC determined that the Bank’s planning and execution of its AML technology systems remained insufficient. The Bank had delayed implementing key AML technology projects, which directly contributed to its failures around AML compliance.

The Bank even misrepresented itself to the Department of Justice (DOJ). In February 2018, the Bank entered a settlement over its failure to file Suspicious Activity Reports (SARs). The Bank’s issues were partly due to its cessation of transaction monitoring scenario threshold testing. The Bank’s US-AML executives were aware of this resolution and acknowledged the importance of monitoring transactions for suspicious activity. One key AML leader at the Bank emphasized that their AML team reviewed similar enforcement actions to ensure their compliance programs aligned with regulatory expectations, particularly around scenario threshold testing.

He explained to the AML Oversight Committee that the Bank conducted a detailed analysis below scenario thresholds to determine if SARs should have been filed, adjusting thresholds accordingly. This approach was intended to avoid the failures that led to the other bank’s settlement. However, despite these assurances, by early 2018, the Bank’s AML team and its technology partners effectively halted its threshold testing due to competing priorities and resource limitations.

As a result, between 2018 and 2022, the Bank conducted threshold testing, or “quantitative tuning,” on only one out of approximately 40 U.S. transaction monitoring scenarios. This significant reduction in testing left gaps in the Bank’s AML compliance program, potentially exposing the bank to similar risks and regulatory scrutiny that had affected other institutions in the industry.

Where Was Internal Audit?

The question in these massive enforcement actions is often, ‘Where was the internal audit?’ Regarding the Bank, the answer is simple: Right Here, Doing Our Job. In 2018, the Bank’s Internal Audit function uncovered a critical issue within the bank’s AML program: the high-risk jurisdiction transaction monitoring scenarios were based on an outdated list, meaning the bank was not flagging transactions from jurisdictions currently deemed high-risk. This oversight severely impacted the bank’s ability to monitor and address risks associated with these regions. The findings revealed a gap in how the bank’s transaction monitoring system adapted to evolving regulatory expectations and global risk landscapes, compromising the effectiveness of its AML efforts.

By 2020, Internal Audit highlighted even more deficiencies in the bank’s AML compliance, specifically related to the governance and review of transaction monitoring scenarios. Among the key issues were a need for formal timelines for completing scenario reviews, some of which had been outstanding since 2017, and the failure to implement proposed changes from the previous year. Moreover, there needed to be a formal process or documentation to guide the promotion of new monitoring scenarios, a governance gap mirroring issues identified by the OCC seven years earlier. These systemic failures indicated a troubling lack of progress in strengthening the bank’s AML compliance framework.

Despite the findings from 2018 and 2020, Internal Audit reviews in the following years revealed that these issues remained unresolved. The Bank’s Board of Directors was informed of these ongoing deficiencies and remediation plans, yet the persistent gaps in governance and scenario management continued to hinder the bank’s ability to respond to AML risks effectively. For those keeping score at home, that means Actual Knowledge at the Board.

Three Clarion Calls

Are you beginning to see a pattern here? The Bank engaged third-party consultants who identified significant weaknesses in its AML program and reported these issues to the Bank’s AML leadership. In 2018, one consultant noted that increasing regulatory requirements and transaction volumes would pressure AML operations, making it difficult to meet demands and deadlines. Additionally, the consultant found that the Bank’s testing of its transaction monitoring scenarios took less than the industry average, highlighting inefficiencies in its ability to assess and capture suspicious activity.

In 2019, another consultant flagged sub-optimal transaction monitoring scenarios based on outdated parameters. These outdated scenarios generated many alerts, overwhelming the AML team and limiting their ability to focus on truly high-risk customers and transactions. This finding pointed to a broader issue in the bank’s ability to adapt its monitoring systems to changing regulatory and risk environments, significantly undermining the effectiveness of its AML compliance efforts.

In 2021, a third consultant identified additional limitations within the Bank’s transaction monitoring program, particularly its technology infrastructure. The consultant found that the bank faced technological barriers that restricted its ability to develop new scenarios or adjust existing parameters, further hampering its AML efforts. These ongoing challenges reflect a broader need for the Bank to modernize its systems and ensure its AML program is agile enough to meet regulatory expectations and address emerging risks effectively.

The AML Leadership Team

During the relevant period, the Bank’s AML leadership consisted of key individuals whose responsibilities significantly shaped the Bank’s approach to AML compliance, and, more importantly, all knew of the Bank’s AML deficiencies. They were identified as Individual-1, Individual-2, and Individual-3 in the Information. Individual-1 was hired in 2013 as VP of AML Operations and rose to become the sole Chief AML Officer by 2019, overseeing the bank’s global AML program. His role included setting the annual AML budget, developing strategic priorities, and regularly reporting to the board of directors. Individual-1’s oversight extended to AML technology services and the U.S. Financial Intelligence Unit (FIU), reflecting his pivotal role in the U.S. and global AML operations.

Individual-2 joined the Bank in 2014 as Head of the U.S. FIU and was critical in overseeing the investigative teams responsible for reporting suspicious activities and managing high-risk customers. By 2019, Individual-2 had assumed the role of BSA Officer and Deputy Global Head of AML Compliance, where they were responsible for managing the U.S. AML program. However, despite these responsibilities, Individual-2 faced limitations due to the Chief AML Officer’s direct control over AML technology, a crucial aspect of the bank’s AML operations, which created challenges in overseeing technology-related AML issues.

Individual-3, a vice president within AML Operations, took on significant responsibilities within the U.S. FIU, especially between 2017 and 2018. In this role, Individual-3 managed the initial review of transaction monitoring alerts and the handling of Unusual Transaction Referrals (UTRs) and reports of suspicious activity submitted by employees. Together, these key figures shaped the Bank’s AML efforts, though the division of responsibilities and challenges with AML technology governance highlighted areas of vulnerability within the bank’s compliance framework.

What did the Bank know, and when did they know it? As the Information rather dryly noted, “US-AML, including senior leadership, were aware of the lack of domestic ACH and check monitoring.” More importantly, like President Nixon, they knew about their AML failures and consciously chose not to do anything about them.

Join us tomorrow when I will consider the reckoning for the Bank.

Resources

 OCC

OCC Press Release

Consent Order 

Civil Money Penalty 

DOJ

TD Bank US Holding Company Information

TD Bank N.A. Information

TD Bank US Holding Company Plea Agreement and Attachments

TD Bank N.A. Plea Agreement and Attachments

Merrick Garland Remarks

Nicole Argentieri Remarks

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Lessons on Preventing Corrupt Payments from John Deere

The Deere enforcement action case offers valuable lessons on the importance of monitoring, oversight, and due diligence—especially when dealing with third-party agents.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Lessons on Post-Acquisition Integration and Investigation in M&A from John Deere

The rules for compliance programs on post-acquisition integration and investigation are set out in the DOJ M&A Safe Harbor Policy. Learn and implement them.