by jayd16 4 days ago
The point was about who is on the hook and why they might be less permissive.

I'm not implying anything else. I used your own "literal" wording to refer to the "more strict than yours" interpretation.

I suppose I should have used scare quotes around "literal".


'The company' would be on the hook. Inside, it might be the compliance team that signed off on the solution, but it usually is not the sort of blame game at that point. I'm not saying these scapegoat trails do not exist, but they are far less common than you would imagine if you only read about them in the press.

Company politics, feudal wars, fiefdom protections, backstabbing and outright sabotaging, now there's a daily occurrence and many minions are cannon fodder in those skirmishes, but they usually stay clear of regulatory issues minefields.

I am skeptical that developers who implement a non-compliant solution that gets a company in trouble get off scot-free.

If the company you work for actually had such a no-fault culture, I doubt you'd be criticizing programmers so aggressively for being sticklers, but would instead be trying to understand and account for the systemic factors (including human factors) behind their behavior.

>I am skeptical that developers who implement a non-compliant solution that gets a company in trouble get off scot-free.

I don't see why developers should be in trouble. Developers don't make unilateral decisions on non-trivial compliance matters. A finding of non-compliance at a financial institution would typically be the result of an investigation, a disagreement with the regulator or a court ruling. It would come years after the organisation as a whole decided to adopt the interpretation in question.

But here we're talking about developers being asked to implement decisions which they don't understand to be compliant.

Engineers are not shielded by their implementer role if they participate in illegal activity. James Robert Liang was a rank-and-file engineer for Volkswagen and he got jailed for his role in the VW emissions scandal[1].

No matter how much an enterprise architect or compliance officer promises "it'll be fine" to the developer, the developer needs documented CYA. An enlightened organization would perhaps find ways to expedite that CYA documentation rather than demonizing programmers as a class.

[1] https://apnews.com/general-news-988ea2ae45694b37b320e68cefe3...

> "...don't understand to be compliant."

Liang got prison time because he _did understand_ that the engine wasn't compliant with regulations and chose to build the system to falsify the emissions output during tests anyway. He was not a scapegoat.

"On 9 September 2016, James Robert Liang, a Volkswagen engineer working at Volkswagen's testing facility in Oxnard, California, admitted as part of a plea deal with the US Department of Justice that the defeat device had been purposely installed in US vehicles with the knowledge of his engineering team: 'Liang admitted that beginning in about 2006, he and his co-conspirators started to design a new "EA 189" diesel engine for sale in the United States. ... When he and his co-conspirators realized that they could not design a diesel engine that would meet the stricter US emissions standards, they designed and implemented [the defeat device] software.'" from https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal

Yes, and that demonstrates that developers are not immune. And so, developers who suspect they're being asked to do something illegal (but aren't sure) are going to act as sticklers who irritate enterprise architects until you take concrete action to reassure them.

Complain about them, denigrate them, upbraid them for performing analysis outside their primary expertise, fire and replace them.... none of that changes the incentive structure that shunts people in the implementation role towards conservatism out of a perceived need for self-preservation.

I think you misread the person you replied to.

"decisions which they don't understand to be compliant" = "decisions which they don't believe to be compliant"

In other words, they understand that the decisions are not compliant. There's no contradiction with what you said.

You're talking about two very different situations but your wording doesn't make that clear:

a) Engineers don't know and cannot be expected to know whether what they are being asked to implement complies with all regulations. This is completely normal.

b) Engineers know or can be expected to know based on their expertise that they are being asked to cheat. That's when they are on the hook.

VW was a case of (b). It was clear-cut criminal behaviour on a very technical level. But that's not what typically happens in financial services and many other domains.

But if your point is merely that engineers are not automatically in the clear just because someone higher up told them what to do then I agree with you.