Corporate compliance officers are used to facing pressure from within their companies to protect them from legal exposure, but increasingly, external pressure from regulators means that compliance officers themselves may face liability if something goes wrong. The recent enforcement cases holding compliance officers liable for failing to implement effective compliance programs and the debate that has ensued indicate that the issue remains unsettled, but the overall trend appears to be toward growing individual accountability.

Several recent government initiatives have suggested that compliance officers face increased scrutiny by regulators. Twice in the last year, the SEC settled enforcement actions involving alleged violations of the Investment Advisers Act Rule 206(4)-7 by chief compliance officers (CCOs). [See In the Matter of Blackrock Advisors, LLC (April 20, 2015); In the Matter of SFX Financial Advisory Management Enterprises, Inc. (June 15, 2015)].

The settlement orders for both cases cited the CCOs for failing to properly implement their firms’ policies and procedures. SEC Chair Mary Jo White recently told compliance professionals that the SEC will take “enforcement action against compliance professionals if we see significant misconduct or failures by them,” and that being a compliance officer “obviously does not provide immunity from liability.”

The SEC’s more aggressive approach towards compliance officers has met with resistance, even from within the SEC. Commissioner Daniel Gallagher dissented from the 2015 enforcement actions against CCOs and chastised the SEC for moving “toward strict liability for CCOs under Rule 206(4)-7.” According to him, this trend was both unfair (because CCOs have minimal guidance from the SEC and often have limited ability to oversee the business lines that actually implement many of the relevant policies) and unwise (because the SEC risked discouraging and dis-incentivizing CCOs who often act as the only line of defense against misconduct in many firms).

Other commissioners rejected the suggestion that the SEC was unfairly targeting CCOs. Commissioner Luis Aguilar responded with a statement affirming the SEC’s support for CCOs and acknowledging the vital role they play. He argued that most of the cases against CCOs related to their non-compliance-related duties, as many CCOs at smaller firms have multiple responsibilities in addition to being a compliance officer, and he emphasized that the SEC “think[s] long and hard when considering enforcement actions against CCOs, and oftentimes exercise[s] prosecutorial discretion not to bring such actions.” SEC Chair White also affirmed that the SEC does not “target compliance professionals,” and that “[w]e do not bring cases based on second guessing compliance officers’ good faith judgments, but rather when their actions or inactions cross a clear line that deserve sanction.”

Regardless, the SEC is not the only regulator focusing on compliance officers. For example, in December 2015, the New York Department of Financial Services issued proposed regulations that would require senior compliance officers to make an annual certification as to an institution’s compliance with the requirements of the regulations, with potential criminal penalties for the officer if the certification is “incorrect or false.” Unusually, this criminal exposure appears to be on a strict liability standard: a prosecution could be initiated for false certifications even if the CCO was unaware that the certification was inaccurate.

A district court recently refused to dismiss a $1 million civil action brought by FinCEN against MoneyGram’s former CCO for failing to implement and maintain an effective anti-money laundering program and failing to file timely suspicious activity reports [US Department of the Treasury v. Thomas E. Haider, No. 1501518 (D. Minn, Jan. 8, 2016)]. Recent activity by the DOJ—the issuance of the 2015 Yates memorandum emphasizing the need for individual prosecutions and the hiring of a compliance consultant to evaluate companies’ compliance programs— suggests that it will also be intensifying its focus on individual liability for compliance failures going forward.

In addition to increasing individual liability for failure to implement compliance programs, these programs are now made mandatory in certain industries. Some heavily regulated sectors, such as financial services, insurance, healthcare, defense and other federal contractors, already have affirmative obligations to establish and maintain compliance programs. Compliance officers in these industries have a duty to ensure these programs are effective and are facing increased regulatory scrutiny of their efforts.

WHAT COMPLIANCE OFFICERS SHOULD DO TO AVOID LIABILITY FOR COMPLIANCE PROGRAM FAILURES

Compliance officers must proactively seek out new ways to mitigate compliance risks rather than simply maintain a baseline compliance program. In order for them to succeed, they must partner with business managers to create a robust compliance culture that encourages ethical conduct and compliance with applicable law in the various jurisdictions in which the company operates.

Regulators expect that CCOs will be empowered to perform their duties with senior executive status and the authority to get things done. The CCO should be independent from the business management and have direct access to the Board, as well as a separate budget, adequate resources and an unobstructed line of sight into company operations. CCOs should also have a seat at the table when strategic decisions are considered in order to have an opportunity to contribute to developing business practices that are both effective and compliant.

Compliance officers must effectively collaborate with the CEO and other senior executives to secure their commitment to the compliance program’s success. They must also confer regularly with business managers to better understand the risks they face in their operations and to enlist their support in implementing compliance initiatives that might mitigate these risks. Compliance officers should also communicate regularly with other company functions responsible for compliance, such as Legal, Internal Audit, Finance and Human Resources to ensure alignment and cooperation in fostering the company’s compliance goals.

While most companies discipline employees involved in compliance violations, many do not actively encourage employees to promote compliance within their areas of responsibility. They can do so in several different ways, from quarterly compliance awards to including compliance as a performance evaluation criteria, particularly for senior and mid-level managers who set the tone at the company.

Compliance officers working at company headquarters should push compliance down and out by identifying employees capable of taking on compliance responsibilities throughout the organization. Such employees should be rewarded sufficiently for their compliance duties and trained regularly so they can spread the compliance message to their fellow employees.

Compliance officers should ensure that they are sending strong compliance messages to all employees. Communications should be based on a regular annual plan but also be flexible to accommodate new circumstances. Compliance officers should use a variety of channels to deliver compliance messages, such as internal blogs, Intranet, and social media.

Compliance officers who stay on top of business developments and associated risks at a company are unlikely to be judged to have failed in their duties under the more stringent requirements for compliance officers resulting from ever-increasing regulations and responsibilities.

This article was first published on Ethisphere