Growing personal liability for compliance officers for regulatory lapses may be invading C Suite

Date: April 20, 2016

The crackdown by regulators worldwide to hold individuals accountable for the regulatory failings of the financial institutions where they work is gaining momentum. Regulators are increasingly emphasizing the importance of imposing liability on individuals who work at financial institutions at all levels, especially when their misconduct is intentional and knowingly carried out.

Though enforcement actions to date have been aimed mainly at Chief Compliance Officers (CCOs), financial executives and senior management are now also being held personally accountable for the adequacy of systems and controls at their institution. In December 2015, the New York Department of Financial Services (NYDFS) proposed a regulation designed to hold individuals at financial institutions accountable for decisions they make that result in breach of financial regulations.

The regulation is set to take effect in April 2017 and will apply to all regulated and non-regulated financial institutions. Modeled in part on the Sarbanes-Oxley law, which imposed financial reporting and corporate disclosure obligations, the rule requires compliance officers to maintain a “transaction monitoring program”. This includes an “annual certification” in which the officer personally attests to the proper functioning of their organization’s controls and compliance with Bank Secrecy Act/Anti-Money Laundering/Office of Foreign Assets Control (OFAC) requirements.

The new regulation imposes criminal penalties if the certification is intentionally “incorrect or false”. The inclusion of OFAC requirements in the wording of this new regulation may suggest that regulators intend to be as stringent about economic sanctions violations as they recently have been about violations of BSA/AML regulations.

This proposal is not new. In March 2015, Benjamin Lawsky, the former Superintendent of the New York Department of Financial Services, announced his intention to require financial institution senior executives to attest to the adequacy of the compliance systems. He called current regulations a “whack-a-mole approach”. On December 1, 2015, New York Governor Andrew Cuomo, in ratifying this approach, said senior financial executives must certify that their institutions have sufficient systems to “detect, weed out, and prevent illicit transactions”.

Will the U.S. government follow suit?

New York’s strong stance on personal liability does not mean the federal government and other states will follow.

Recent cases suggest the federal government is tightening its grip. In December 2014, the Financial Crimes Enforcement Network (FinCEN) imposed a $1 million penalty on the CCO of MoneyGram for failing to ensure AML compliance and for willfully violating the BSA requirement to maintain such programs. In April 2015, the SEC charged the CCO of BlackRock Advisors LLC for failing to implement policies and procedures regarding employee conflicts of interest. The CCO paid a $60,000 penalty. In June 2015, the SEC charged the CCO of SFX Financial Advisory Management Enterprises with failing to implement proper client asset compliance policies, and imposed a $25,000 penalty.

In August 2014, FinCEN issued a report, “Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance,” highlighting the importance of a strong compliance program for senior management and executives of financial institutions.

The Justice Department Yates Memorandum

A memorandum from U.S. Deputy Attorney General Sally Q. Yates on September 9, 2015, stressed the importance of individual accountability. She said, “One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.”

In criminal cases against large corporations, Yates said, “it can be difficult to determine if someone possessed the knowledge and criminal intent necessary to establish their guilt beyond a reasonable doubt.” The Department of Justice has emphasized that it will use criminal and civil remedies against individuals who are responsible for corporate wrongdoing.

Financial institution employees may properly conclude that they may be held personally responsible for violation of economic sanctions, especially in view of the weighty national security considerations that underlie these measures.

Recent groundbreaking OCC guidance and actions

The Office of the Comptroller of the Currency (OCC), which supervises United States national banks, recently issued guidance informing financial executives of their exposure for regulatory lapses at their institutions.

On February 26 and 29, 2016, the OCC issued two guidance advisories revising its civil money penalty regulations, which determine the amount banks and individuals may pay for compliance failures. They also provide guidance on standards the OCC will follow to determine penalties against institutions and individual bank employees for regulatory failures. The norms apply to what the OCC calls “Institution-Affiliated Parties”, or IAPs, which include “directors, officers, employees, controlling shareholders, and other persons participating in the bank’s affairs”.

It is the first time the OCC has outlined the way penalties against bank employees may be imposed for maintaining inadequate internal controls. It likely presages more penalties and personal liability on institution employees when controls fail. The OCC says it may impose penalties for willful violations ranked by a tiering system. The highest begins at $175,000.

The harshest penalties are reserved for persons who show a deliberate or willful intent to violate a law or regulation. If the institution or individual can show that it attempted to comply, the OCC civil money penalties are scaled downward.

Though less rigorous than the proposed transaction monitoring certification program of the NYDFS, the OCC’s new rules for IAPs serve as a warning to compliance officers and senior management that an important federal regulatory agency may be moving toward stricter individual responsibility.

Other countries have moved toward personal liability

The United States is not alone in penalizing individuals for regulatory lapses. The United Kingdom has already been active in the field.

The UK regime, implemented in April 2015, allows imposition of liability on SIFs, or persons holding a “significant influence function”. In 2015, the Financial Conduct Authority (FCA), the UK financial regulator, acted against a compliance officer for being “knowingly concerned” in a regulatory breach. He was penalized £33,800 for his personal involvement. The FCA found he failed to take “sufficient steps, as part of the recruitment process” to properly assess new staff “to determine whether they were suitable” and “[establish] and [maintain] adequate compliance and file checking procedures”. In 2015, in an action against the Bank of Beirut, the FCA found the compliance officer and internal auditor personally in breach by failing to deal with the regulators in an “open and cooperative way”. It found that both were influenced by senior management, but concluded that this did not excuse their liability because they “should have resisted any senior management influence… [and] remained personally bound by [their] regulatory responsibilities”.

On March 7, 2016, the FCA implemented a stricter accountability policy, the Senior Managers and Certification Regime, whose implementation will come in waves. All rules will become “active” by 2018 and will impose liability on persons the FCA demonstrates were “knowingly concerned” with a breach by the firm. They will require senior persons to personally attest to the adequacy of compliance.

The rules flowing from the new regime apply not only to UK banks but also to “branches of foreign banks operating in the UK”.

How new rules work in practice

The new rules may create a dilemma for financial officers in various situations.

What if senior management ignores the concerns of a compliance officer, or orders the officer to convey false or misleading information to the government? Should the officer “blow the whistle” or resign to avoid the repercussions of whistleblowing on senior management? There is a fear that compliance officers could be viewed as scapegoats for failures resulting simply from the hesitation to oppose managerial decisions.

Whether the new rules help compliance officers get the attention of senior management and thus receive more resources to bolster compliance is uncertain.
