UNDERSTANDING CHIEF COMPLIANCE OFFICER PERSONAL LIABILITY IN MULTIPLE JURISDICTIONS
Doha, 13 March 2017
By Bachir El Nakib, Senior Consultant, Compliance Alert (LLC)
The “compliance culture” of the institutions is measured and rated under the “Management” component. A strong “compliance culture” will be rated “One” defined as follows:
An institution in this category is in a strong compliance position. Management is capable of and staffs are sufficient for effectuating compliance. An effective compliance program, including an efficient system of internal procedures and controls, has been established. Changes in consumer statutes and regulations are promptly reflected in the institution’s policies, procedures and compliance training. The institution provides adequate training for its employees. If any violations are noted they relate to relatively minor deficiencies in forms or practices that are easily corrected. There is no evidence of discriminatory acts or practices, reimbursable violations, or practices resulting in repeat violations. Violations and deficiencies are promptly corrected by management. As a result, the institution gives no cause for supervisory concern.”
The complexity of the "Compliance Management" system and control will depend on the size and complexity of each institution. The type of oversight needed for a compliance management program can also vary considerably depending upon the scope and complexity of the organization’s activities, the geographic reach of the organization, and other risk factors.
The MLRO's are the first line of defense in their institutions against money laundering and other financial crimes. A qualified Compliance Officer is required to have knowledge and understanding of all appropriate regulations that apply to the business operations of the financial institution. The compliance officer should also have general knowledge of the overall operations of the institution and interact with all of the departments and branches to keep abreast of changes (e.g., new products and services or business practices, personnel turnover) that may require action to manage perceived risk.
While in certain jurisdictions, the appointment of an MLRO (Money Laundering Reporting Officer) do not require the written approval by the concerned body, such appointment by the financial institution is not sufficient to meet the regulatory requirement if that person does not have the expertise, authority, or time to satisfactorily complete the entrusted job. While the title of the individual responsible for overall AML compliance is not important, his or her level of authority and responsibility within the bank is critical. The compliance officer may delegate AML duties to other employees, but the officer should be responsible for overall AML compliance. The board of directors is responsible for ensuring that the AML compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective AML compliance program based on the bank’s risk profile.
A compliance officer’s general responsibilities, regardless of the size or complexity of the institution’s operations, include:
- developing compliance policies and procedures;
- training management and employees about laws and regulations in force;
- reviewing policies and procedures for compliance with applicable laws and regulations and the institution’s stated policies and procedures;
- assessing emerging issues or potential liabilities;
- coordinating responses to consumer complaints;
- annual AML reporting compliance activities and audit/review findings to the senior management/board, copying the related regulatory body supervising the institution; and
- ensuring corrective actions.
When more than one individual is responsible for compliance responsibility and accountability must be clearly defined. The quality and effectiveness of a compliance program is also an important factor that prosecutors consider in determining whether to bring charges against a business entity that has engaged in some form of criminal conduct. For example, the in certain MENA jurisdiction, the supervising agency has indicated that in the after-the-fact reviews they conduct on corporate AML/CTF compliance programs, the department looks closely at whether compliance programs are simply “paper programs,” or whether the institution and its culture actually support compliance.
The supervision regulatory officer looks at pre-existing programs, as well as what remedial measures a financial institution took after discovering misconduct, including efforts to implement or improve a compliance program.
To be effective at overseeing compliance and maintaining a strong compliance posture, a compliance officer also must be provided with on-going training, as well as sufficient time and adequate resources to do the job, should perform sufficient due diligence to verify that the provider is qualified, because ultimately the institution is accountable for compliance with applicable laws and regulations.
In 2005, the Basel Committee issued a paper on compliance risk and the compliance function in banks (the “Basel Paper”).1 It defined “compliance risk” as “the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities.”
The Basel Paper sets out principles addressing the responsibilities of the board of directors and senior management for compliance as well as specific principles addressing the independence standards, status, organization, governance, resources, and responsibilities of the compliance function.
A review of the recent enforcement actions published by federal regulatory agencies found several actions against “institution-affiliated parties” for engaging in reckless unsafe or unsound practices. According to the enforcement actions examined these violations or practices were part of a pattern of misconduct that caused more than a minimal loss to the institutions involved. The misconduct noted in these cases resulted in financial and reputational losses to the institutions involved; demonstrated willful or continuing disregard for the safety and soundness of the institutions involved, and involved reckless disregard for the applicable laws or regulations.
Directors and officers of banks have obligations to discharge duties owed to their institution and to the shareholders and creditors of their institutions, and to comply with federal and state statutes, rules and regulations. Similar to the responsibilities owed by directors and officers of all business corporations, these duties include the duties of loyalty and care.
The duty of loyalty requires directors and officers to administer the affairs of the bank with candor, personal honesty and integrity. They are prohibited from advancing their own personal or business interests, or those of others, at the expense of the bank.
The duty of care requires directors and officers to act as prudent and diligent business persons in conducting the affairs of the bank. This means that directors are responsible for selecting, monitoring, and evaluating competent management; establishing business strategies and policies; monitoring and assessing the progress of business operations; establishing and monitoring adherence to policies and procedures required by statute, regulation, and principles of safety and soundness; and for making business decisions on the basis of fully informed and meaningful deliberation.
Compliance Officers are responsible for running the day to day operations of the institution in compliance with applicable laws, rules, regulations and the principles of safety and soundness. This responsibility includes implementing appropriate policies and business objectives.
The firm directors must require and their senior management must provide the directors with timely and ample information to discharge board responsibilities. Directors also are responsible for requiring management to respond promptly to supervisory criticism. Open and honest communication between the board and management of the bank and the regulators is extremely important.
Chief Compliance Officers (CCOs) increasingly face personal liability for corporate wrongdoing and regulatory violations as a change of guidelines and a string of federal enforcement actions have transformed the environment in which CCOs operate. Now, regulators are pursuing cases of negligence where the CCO was neither involved in nor aware of the wrongdoing. CCOs are concerned that their personal assets may be at risk if regulators pursue them for unintentional wrongful conduct.
CCOs are questioning whether they can rely on corporate indemnification and insurance to pay for defense costs and any settlement or judgment that may result if they are pursued for unintentional wrongful conduct. Directors and Officers (D&O) liability insurance and Side A difference-in-conditions (DIC) insurance provides some protection, but in the event of a regulatory enforcement act may be insufficient.
In “Mitigating Personal Liability Risk for Chief Compliance Officers” we explore the history of COOs being held personally liable for corporate wrongdoing and review:
- How the US regulatory bodies are approaching CCO liability.
- The role of D&O liability insurance in protecting CCOs, its limits, important policy definitions, and stipulations.
- Steps CCOs can take to limit personal liability risks.
As their jobs become more perilous under the current enforcement trends, CCOs are well-advised to evaluate and understand regulatory expectations of their oversight of compliance policies and procedures. They should examine and review current and available insurance protection against regulatory investigations and proceedings CCOs and their companies should work with their insurance advisor to understand how D&O and other available coverages work.
The imposition of personal liability on chief compliance officers is part of the regulators’ broader interest in compliance failures at the highest levels of financial institutions. Early 2016, the Financial Industry Regulatory Authority (FINRA) sent letters to a dozen financial firms, inquiring about the methods by which the firms establish and maintain a culture of compliance. In addition to requesting general information on the firms’ practices, e.g., FINRA specifically requested information on how the firms established a “tone from the top.” FINRA characterized the request letters as an attempt to better understand how culture affects compliance, but the focus on the “tone from the top” suggests FINRA perceives or is at least particularly concerned about deficiencies among the highest ranking executives of financial firms.
Penalties for money laundering and terrorist financing can be severe. A person convicted of money laundering can face up to 20 years in prison and a fine of up to $500,000. Any property involved in a transaction or traceable to the proceeds of the criminal activity, including property such as loan collateral, personal property, and, under certain conditions, entire bank accounts (even if some of the money in the account is legitimate), may be subject to forfeiture.
In Germany, where corporate criminal liability does not exist and wrongdoing is imputed to the individuals themselves, there is no statutory law specific to compliance officers. However, case law exists. Anyone can be liable as long as their job in the company is to prevent crimes from happening (irrespective of the job title). According to the law, the individual must take steps to prevent a crime from happening (intent of 3rd degree, where a compliance officer sees it as highly probable that a crime will be committed but does nothing to prevent it). That said the majority of criminal offences cover crimes of willful or intentional wrongdoing. – In terms of civil liability, individuals may be subject to company sanctions (warning, dismissal, etc.) as well as damage claims in particular for infringement of data security laws and the violation of privacy rights.
In France the compliance officer’s status is not properly recognized and no specific criminal or civil liability regime applies.
There is also (other than in Germany) no case law yet. With the exception of specific sanctions in the financial services / assets industries (where they can lose the ability to perform their functions in the future if convicted), compliance officers are civilly and criminally liable in the same way as other non-compliance employees. – As is the case in France, there is no specific liability regime which applies to compliance officers in Italy, but the independent supervisory body (‘Organismo di Vigilanza”), which companies must have under Legislative Decree 231, does have specific criminal liability (failure to report breaches, assistance to perpetrators) and civil liability (the company can sue them for not fulfilling their tasks). –
In the UK, criminal liability for bribery by the company falls on the executive management as well as on any individual having played a role in the crime (conspiracy, aiding and abetting, etc.). Regulatory sanctions from the Financial Conduct Authority can apply to people with a compliance oversight function in regulated sectors. –
In Spain, a civil and criminal liability regime does apply to compliance functions since all companies are required by law to have specific programs and procedures in place to prevent crimes.
Compliance officers can be held liable for failing to prevent corruption but, generally speaking, liability is established in particular if there is evidence of willful intent or gross negligence. Compliance officers are not held liable for failing to report wrongdoing to authorities. They are not held liable as long as they fulfil their duties, including the duty to report to supervisors, even if they do not report to authorities. –
In the Netherlands, both companies and individuals can be held liable but no specific liability regime applies to compliance officers. Usually, liability falls on executive management so the risk of a compliance officer being charged for an offence committed by the company is relatively small. – Regulatory and administrative sanctions in the financial sector can apply to compliance officers who fail to provide accurate information to authorities (financial market regulators) in accordance with the Netherlands Financial Supervision Act. –
In countries where liability of the legal person exists, there is a tendency for companies to try to shift liability to the individuals in order to get a better deal from authorities. This raises some questions among the compliance community with regards to proceedings.
– – Individuals have the right to keep silent in order to prevent self-incrimination (can stay silent when interrogated by authorities). But such a right does not exist in company policy and withholding information during an internal investigation can lead to company sanctions including dismissal. Therefore, compliance officers often disclose information to the employer who in turn must disclose the information to the authorities. This is because the employer can no longer invoke rights relating to the prohibition of self-incrimination since it’s no longer about the employer but about the employee.
– – Civil liability pertains mostly to liability vis-à-vis the company. Compliance officers should request that corporate liability insurance be included in their employment contract.
– – Upjohn Warning: Lawyers representing a company must make it clear to employees that their legal representation applies to the interests of the company and not those of the individual. It must be made clear to employees that they can seek another lawyer to represent them. While this Upjohn Warning is obligatory in the US, it is not formally implemented in the UK or Germany.
– – Covering the costs of legal defense: Compliance officers need to make sure that their insurance brokers have correctly negotiated their companies’ insurance plans, including coverage which kicks in early on in the process (receipt of Section 2 notice instead of starting from the time of arrest, which is already quite late in the process). The insurance plan should also cover extradition situations which can very well happen due to extraterritoriality.