There has been a lot written about CCOs fearing prosecution for compliance failures. Not to say there is no risk, but the truth lies really in the middle.  From my perspective, there is too much fear-mongering around this issue.

Let’s look at one extreme – a CCO who engages in misconduct should be prosecuted. A good example of this case is the prosecution of Thomas Haider, former CCO of MoneyGram. Given Haider’s complete disregard, if not active promotion, of the Moneygram AML deficiencies, FinCEN was entirely justified in filing a civil case against Haider. If I were the head of FinCEN, I would have done the same thing.

Now, let’s look at the other end of the spectrum.  SEC Enforcement Director Andrew Ceresney explained in a speech last year that CCOs would be prosecuted when they have “affirmatively participated in the misconduct, when they have helped mislead regulators, or when they have wholly failed to implement compliance programs or policies.”

No one can quibble with the first two scenarios but what does it mean to “wholly fail” to implement a compliance program or policies?

As an example of an SEC enforcement action at the extreme, consider the following — Eugene Mason paid $25,000 to settle SEC charges that he failed to “effectively implement” a company compliance policy in violation of the Investment Advisers Act.

Mason worked at SFX Financial. The President of SFX stole $675,000 from three customers’ bill-paying accounts over a five-year period. The President had signature authority over the accounts and no one was required to review his work. A customer alerted Mason to the problem and he launched an internal investigation and they terminated the President.

Mason was the subject of an SEC enforcement action because he: (1) did not effectively implement a compliance policy to review cash flows in client accounts; (2) failed to ensure that account cash flow reviews were done by someone other than the President (contrary to a specific representation in the company’s brochure); and (3) did not conduct an annual review of SFX’s compliance program.

Without knowing exactly what Mason knew and when he knew it, it is hard to decide whether the SEC prosecution was fair. For example, Mason may have relied on external auditors to review the cash flows from all accounts. On the other hand, if Mason was aware of the control weakness (no one reviewed the president’s authorizations) and he failed to act in response to this red flag or control weakness, then the SEC’s action may be justified.

The difficulty in this area occurs when CCOs are held to a standard bordering on negligence. That does not seem fair and the SEC, and other regulators, should be careful not to impose such a standard.

Compounding this potential trend, regulators are starting to look to CCOs to certify that the company has adequate compliance controls, in the same manner as Auditors, CFOs and CEOs are required to certify to the accuracy of financial statements as required by Sarbanes-Oxley.

The New York Department of Financial Regulatory Services has proposed a specific certification requirement for CCOs with respect to AML and fraud compliance programs. As many have pointed out, it is unfair to require CCOs to certify to something they do not necessarily have the authority to control. If such a requirement is being imposed to incentivize CCOs to directly notify corporate boards of the company’s failure to maintain an effective AML compliance program, threatening prosecution of CCOs does not seem like an appropriate way to increase compliance efforts. Frankly, if the NYDFS wants to improve compliance, it needs to hold corporate boards and CEOs accountable – they have the internal authority and access to funds to accomplish increased compliance.

The danger here is the importance of accountability. CCOs who engage in misconduct deserve to be punished. CCOs who are prevented from carrying out their responsibilities by lack of authority or budget resources, should not be punished – accountability needs to be placed on those with authority. CCOs do not deserve to be the fall person for compliance failures or for a lack of attention from the board or the CEO.