Governance Challenges - Gatekeeper enforcement cases rise as “compliance culture” talk turns to action
Revised by Bachir El Nakib (CAMS), Senior Consultant Compliance Alert (LLC)
Compliance officers and other gatekeepers have been hit with a string of enforcements in recent months, reflecting growing pressure by U.S. financial regulators on individuals in supervisory roles. The cases can be seen as a next step in the broad regulatory push to instill a “culture of compliance” at financial firms.
An emerging governance challenge is the need to address the tension between the pursuit of legitimate corporate strategic goals, and the concerns of internal “gatekeepers” who perceive themselves at increasing personal legal risk for corporate wrongdoing. This challenge is a direct byproduct of new enforcement initiatives of the Department of Justice and the Securities and Exchange Commission, and other recent developments with respect to corporate officials.
The concern is that these developments may cause some gatekeepers and other corporate officials to be much more self-protective in performing their corporate and fiduciary responsibilities, to the possible detriment of strategic implementation. Attentive boards will acknowledge this challenge and engage its gatekeepers in an appropriate resolution.
Who are the “Gatekeepers?”
Regulators often use the term “gatekeepers” to refer to those within the organizational hierarchy who have fiduciary or professional obligations to spot and prevent potential misconduct, and respond to any problems that do occur. These “essential” individuals typically include auditors, lawyers, and compliance officers, as well as directors and committee members. The notion of the corporate gatekeeper has its roots in the Sarbanes-era evolution of corporate responsibility principles. Concerns with “gatekeeper anxiety” can be traced to SEC Chair Mary Jo White’s cornerstone commitment in 2014 to focus the Commission’s enforcement commitment in part on the accountability of “gatekeepers.” 
The New Focus on Individuals
A series of specific regulatory developments over the last year combine to increase the personal liability concerns of gatekeepers:
The DOJ Policy. The Department of Justice’s new enforcement policy reflects a view that an effective way to combat corporate misconduct is to hold accountable all individuals who engage in wrongdoing. This new policy serves to shift the primary attention in DOJ investigations from the corporation, to allegedly culpable employees. It also significantly incentivizes companies to “give up” individuals believed responsible for corporate wrongdoing, in order to receive leniency for the company in an ultimate settlement with the government. 
When originally introduced in September, 2015, the new DOJ policy was focused on individual accountability in matters implicating criminal and civil corporate fraud allegations. Since that time, comments by DOJ officials have publicly clarified that the policy will apply to individual conduct in the context of any corporate wrongdoing; e.g., to actions instituted under the False Claims Act, to health care and food safety cases brought under the federal Food, Drug and Cosmetics Act, and to civil and criminal violations of the federal antitrust laws. 
Compliance Officer Actions. A recent series of enforcement actions has been initiated by the SEC against compliance officers working in the investment adviser sector. In a November, 2015 speech, SEC Enforcement Director Andrew Ceresney acknowledged that these actions “have caused concern in the compliance community,” and pledged continued SEC support for the compliance officer function. That notwithstanding, he confirmed that the SEC will continue to pursue enforcement actions against compliance officers involving conduct the SEC believes to be egregious. Indeed, the SEC’s Enforcement Division has identified three categories of conduct that could expose compliance officers to scrutiny and potential liability.
Audit Committee Actions. Also noteworthy is the series of recent SEC enforcement actions against corporate directors and officers, and members of corporate audit committees. This, despite assurances from SEC Commissioner Luis Aguilar that “conscientious” outside directors “should have nothing to fear” from the SEC.  To the extent such actions are instituted, they are typically limited to allegations of direct participation in, or willful blindness with respect to, corporate misconduct. Indeed, several recent SEC enforcement actions against individual directors are consistently cited by industry observers.  Two of these have been brought against audit committee chairs, “an infrequent but disturbing occurrence” according to Chair White. 
“Operation Broken Gate.” The SEC’s Enforcement Division, through its “Operation Broken Gate” initiative, is also formally focused on the accountability of “gatekeepers who fail to carry out their duties and responsibilities consistent with professional standards.”  While this particular initiative focuses on identifying wrongdoing by auditors, Division staff will also review the conduct of attorneys and other gatekeepers who have special duties and responsibilities to ensure that the interests of investors are safeguarded.
Responsible Corporate Officer. The 28-year prison sentence of a former peanut company executive (following his conviction under the Food, Drug and Cosmetic Act for the sale of misbranded foods) serves as a stark reminder that the government will continue to prosecute individuals under the strict liability “Responsible Corporate Officer Doctrine” for violations of public welfare statutes.
These new policies and enforcement actions have received substantial publicity. Directors and executives are becoming increasingly sensitive to both the existence of the new policies, and the tensions they may create in the management/board relationship. Indeed, a senior Department of Justice official has acknowledged that while the new DOJ policy “may make some employees nervous. …[s]ome may have reason to be nervous.” And in fact they may be. Yet boards should be nervous as well—not necessarily for their own exposure, but for the fate of key strategic initiatives that management is charged with implementing.
Informed Risk Taking
Corporate law protects directors who innovate and accept informed risks in their pursuit of the company’s strategic and other initiatives. The concept of “risk” is not antithetical to effective governance, legal compliance and prudent corporate strategy. Indeed, excessive caution by a board may be harmful to the company’s long term sustainability. Yet, in the new enforcement environment, some executives may have an entirely different perspective on risk—at least as it relates to their personal role in implementing certain corporate strategies or performing similar duties. Those who feel “chilled” by concerns with personal liability may not be easily convinced that certain strategic initiatives comfortably fall within the corporation’s risk tolerance range.
The Governance Concern
The primary board concern is that for certain potentially controversial initiatives, some gatekeepers may become “gun-shy;” i.e., may engage in self-protective conduct that frustrates valid board strategic initiatives and other appropriate efforts. This, despite the fiduciary or employment risks a gatekeeper may assume by acting in what may be perceived as his/her own interests, as opposed to the legitimate business interests of the company. Note that this is a concern separate and distinct from the concern, expressed by some knowledgeable observers, that the new DOJ policy will have a chilling effect on employees’ willingness to cooperate in their companies’ internal investigations. We’re talking here about a different kind of “chill.”
Such self-protective conduct may manifest itself in both obvious and subtle ways:
- Examples of obvious self-protective conduct could include the gatekeeper’s refusal to engage with the initiative; written or oral expressions of discomfort made to corporate leadership, or—at the extreme—resignation.
- Examples of subtle self-protective conduct could include approaching an initiative with excessive cautiousness; substantial equivocation in his/her observations or recommendations; or simply delegating initiative responsibility to a lower level of management.
Whether obvious or subtle, it is conduct intended to provide the gatekeeper with “plausible deniability” as to material involvement with, and support of, the initiative. Yet, the board must be extremely careful not to misinterpret or confuse such self-protective comments, or other indicia of “gun-shy” behavior, with legitimate expressions made by gatekeepers of compliance-related, or other concerns.
To a certain extent, this is all just human nature. And, the government may, indeed, applaud self-protective conduct as an appropriate check and balance to problematic corporate behavior. But it becomes a governance issue when such self-protective conduct impedes the implementation of otherwise legally appropriate strategies.
The Board’s Challenge
The challenge for the governing board is multifold. On the one hand, it is expected to exercise informed risk taking with its strategic initiatives, while continuing to promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. It must also be prepared to take steps to achieve credit for corporate cooperation should the organization become subject to Department of Justice investigation. On the other hand, it will want to preserve and enhance the loyalty, morale, support and confidence of the corporate management team, such that it may successfully implement its strategic initiatives.
How, then, can board members do their jobs and implement appropriate corporate strategy in the face of roadblocks raised by self-protective conduct? Indeed, some individual board members may feel the same concern regarding issues of their own personal liability, and thus may become more inclined to say “no.” How do leaders make difficult and important decisions for the company when they feel pressured to prioritize concerns with their personal liability profile over concerns with the legitimate interests of the company?
Possible Action Items
A pro-active response by the governing board might include elements of the following:
- An internal board-to-gatekeepers acknowledgement that this new tension exists; why it exists; why it is more the function of human nature than it is of bad faith; and of the risks that can arise from this conduct.
- Assure gatekeepers that corporate strategic plans are consistent with the board-approved risk profile for the corporation, and that all major corporate strategy decisions have been carefully vetted by experienced legal counsel.
- Provide gatekeepers with clear legal advice on the proper implementation of approved corporate strategies. Make it known that company lawyers are available to counsel gatekeepers at all times.
- Enhance gatekeeper confidence in the effectiveness and rigor of existing corporate compliance and risk management programs, and of conduits through which gatekeepers and others can express—without fear of retribution—to the highest organizational authorities their concerns about individual strategic initiatives.
- With the help of qualified advisors, carefully review the adequacy of existing indemnity and insurance coverage available to gatekeepers. The goal is to assure gatekeepers that “state of the art” coverage is in place with the best possible terms; e.g., whether the policy covers fines and penalties assessed by a regulatory agency, and how policy coverage is affected by the presence of multiple defendants seeking coverage, and multiple actions (i.e., the potential for “catastrophic circumstances”).
The Financial Industry Regulatory Authority also places culture at the top of this year’s priority list for enforcement and examinations. FINRA, which has taken a lead in defining the requirements, explains that “a firm's systems of supervision, risk management and controls are essential safeguards to protect and reinforce a firm's culture.” It prepared firms this year by offering eight questions compliance should be ready to answer — and back up with documentation — when examiners show up.
Here are the key points, restated as simple questions:
- What are the key policies and processes by which your firm establishes cultural value?
- How do business management and compliance establish, communicate and implement your firm's cultural values?
- Do you have effective tools to assess and measure their impact on your culture?
- Can you explain steps you have outlined to identify and document cultural compliance lapses?
- What steps does your firm take when individual behavior fails to uphold the culture of compliance?
- Are you prepared to deal with business units that undermine your efforts?
- How do compensation, promotion and benefits support a culture of compliance?
- Is there a clear path to managing director-level positions for those who work in compliance, legal, risk and internal audit functions?
The “bigger target” on gatekeepers’ backs
The series of enforcement actions this year cast brighter lines on the fuzzy concept, and the consequences of failure. The cases show an SEC enforcement division that is becoming less event- and transaction-driven as a growing proportion of cases are focused on firms’ safeguards and controls. At the same time, the U.S. Justice Department's "Yates memo" directive last year, to charge individuals not firms when wrongdoing is found, makes personal liability a growing concern for gatekeepers.
Regulators have long talked about holding gatekeepers accountable, and have occasionally cited compliance executives in enforcement actions. A handful of high-profile cases involving chief compliance officers last year triggered a rare public debate among SEC commissioners at odds over the wisdom of putting compliance in the crosshairs.
“It’s not that the ‘target on the back’ is new, but rather that it has gotten bigger over time,” said Michael W. Peregrine, a partner at McDermott Will & Emery, in a D & O Diary blog post last month.
String of cases involving gatekeepers, and cultures
The SEC has taken action against a broad range of gatekeepers in the past few months, with cases brought against accountants, board members, lawyers, auditors, financial operations managers, clearing firms, transfer agents and fund administrators. It has also expanded its oversight into new financial sectors, taking on more oversight of hedge funds, asset managers, and private investment firms under provisions of the 2010 Dodd Frank regulatory reforms. It has been holding gatekeepers to the same enforcement standards as broker dealers, with a rising number of cases related to reporting violations, overcharges and conflicts of interest in firms that had little scrutiny in the past.
“Reporting violations are the fastest growing category of enforcement actions,” said John Gebauer, managing director of compliance consultant NRS. “And there are a lot more cases in the works.”
The overall focus of SEC enforcement has shifted. Since the start of last year, cases against operating units of financial services firms have overtaken actions against public companies’ parents for the first time in years, according to data compiled by the Securities Enforcement Empirical Database, known as SEED.
A number of recent cases settled over the past two months illustrate the focus on gatekeepers at financial firms:
—The SEC in late June settled a $415 million case alleging Bank of America’s Merrill Lynch unit manipulated its reporting of brokerage units’ reserve requirements in a way that put customer funds in jeopardy. It charged the former head of regulatory reporting, William Tirrell, for his role in allegedly creating misleading reports to deceive regulators.
—In the same case, the SEC cited Merrill for putting clauses into severance agreements to thwart whistleblowers, another sign of culture-related enforcements. In subsequent cases filed this month against two non-securities firms — Health Net and BlueLinx — the SEC assessed fines for putting language into severance contracts to restrict whistleblowers. Compliance experts have warned firms to check all contracts for such clauses.
—Private equity firm Apollo Global Management Tuesday agreed to settle for $52.7 million allegations that it failed to supervise a senior partner who charged personal expenses to clients’ funds. The firm dismissed the unnamed executive and bolstered its compliance and controls.
—Fund advisor Apex Fund Services in June paid a $350,000 penalty and agreed to an independent review of its compliance for allegedly missing clear indications of fraud on the part of mutual fund clients it administered and for issuing misleading statements to fund holders.
—Morgan Stanley paid a $1 million SEC fine for allegedly failing to adopt written policies and procedures reasonably designed to protect customer data after a junior broker downloaded private data for 730,000 accounts to his personal server. The amount of the fine was reduced because the firm reported the violation and cooperated with the agency in its investigation, another sign that cooperation is rewarded.
The focus on gatekeepers has led to improvements in financial disclosures, SEC Head of Enforcement Andrew Ceresney said at a conference in June. “Boards, management, and auditors are now much more focused on the risks involved in the preparation of financial statements and of the mitigants necessary to control those risks,” said Ceresney, citing a decline in earnings restatements as evidence the SEC reporting initiatives have had an impact.
Lawyers next in line?
While the SEC denies targeting compliance professionals, the agency openly states that gatekeepers are in its sights. And while lawyers have been conspicuously absent from gatekeeper enforcement cases, for the most part, commissioners and top enforcers say the legal community will face more scrutiny in the future. The Panama Papers disclosures, which suggest law firms are involved in widespread offshore and domestic fund concealment, have generated scores of leads for such cases, investigators say.
Compliance and audit teams are at “the touch points” where compliance failures show up, and that means they are likely to feel more heat in the culture crackdown. “Regulators are taking a step back and getting away from just looking at transactions in the usual whack-a-mole game of dealing with problems as they surface. They are trying to move upstream to look at what should have happened that might have prevented the problem in the first place,” McCleskey said.
Inevitably, he said, this will lead to more cases against gatekeepers.
The result is that “gatekeeper anxiety” is rising, Peregrine wrote in his blog post. “Self-protective conduct may increase where executives are concerned that, in the context of a governmental investigation, the benefits of ‘advice of counsel’ defense may not be available to them.”
In a case late last year that reflected both the Yates memo impact and gatekeeper failures, the SEC charged BDO America with allegedly approving misleading financial statements, and singled out five top BDO executives over alleged supervisory failures. The case showed that accountability goes to top-level executives, as it charged the then-chairman and majority shareholder of the client company, Stephen B. Pence, who is a former U.S. attorney and a former lieutenant governor of Kentucky.
Takeaway: How to grab a "two-edged sword"
“The SEC’s focus on compliance officers is a two-edged sword, in scaring compliance professionals into doing a better job, I do wonder who would be willing to take on the responsibility, particularly in the securities industry with complicated compliance questions, rule making through enforcement and second-guessing.”
Top managers and board members, who also could become targets, must “acknowledge this challenge and engage its gatekeepers in an appropriate resolution,” Peregrine added. Building a culture of compliance means companies need to align their firms’ interests with customers — which in most cases will help meet the demands of regulators as well, at a time when fiduciary rules are covering a widening swath of the financial services industry, and the Yates memo raises the stakes on firms to create top-to-bottom accountability to explain compliance failures.