NOTE: This article was published in Compliance Monitor on April 6, 2017.
In recent years, a perception has developed that compliance officers have personally become more exposed to regulatory and government enforcement action. This has been coupled in many industries, especially financial services, with a broader increase in scrutiny by regulators and government agencies as well as the contingent increase in compliance officers' responsibilities. But does this perception of personal risk match the reality?
In public, senior officials in the United States certainly do not believe this to be the case. In 2015, the former US deputy attorney general Sally Yates said compliance professionals are the Department of Justice's "crucial partner in the fight against white-collar crime". Andrew Weissmann, head of the DoJ fraud section, stated "we are not going after compliance officers for criminal liability ..." and, from a regulatory perspective, Stephen Cohen, associate director at the Securities and Exchange Commission enforcement department, said "it's very hard for us to conceive of a liability ... where we would hold the compliance officer responsible."
The message is similar in the United Kingdom. In March 2015, Georgina Philippou, the then-acting director of enforcement and market oversight of the Financial Conduct Authority, said "We are reliant on compliance officers ... to act as an important line of defence, to support effective regulation at firms and to show backbone even when challenged by their colleagues."
So, given these stated positions, where does the perception of increased exposure come from? The answer, perhaps, can be found in the number of compliance officers, on both sides of the Atlantic, who have faced criminal or regulatory proceedings in the last couple of years.
Historically, under the UK financial services regulatory regime, compliance officers and Money Laundering Reporting Officers (MLROs) have been individually approved by the FCA and the Prudential Regulation Authority. This 'approved persons' regime is currently being replaced by the Senior Managers and Certification Regime (currently in force for certain banks and scheduled to cover all firms regulated under the UK Financial Services and Markets Act by 2018). This new regime focuses on individual accountability and may well have a significant effect on compliance officers.
While there has not been any enforcement action under the new senior managers regime, the FCA certainly has a history of taking enforcement action against individual compliance officers. Between 2012 and 2016, the FCA (or its predecessor, the Financial Services Authority) took enforcement action against nine individual compliance officers. The majority of these cases involved compliance officers who were considered to have breached Principle 6 of the Statements of Principle and Code of Practice for Approved Persons ("An approved person ... must exercise due skill, care and diligence in managing the business of the firm for which they are responsible") or Principle 7 ("an approved person performing an accountable higher management function must take reasonable steps to ensure that the business of the firm for which they are responsible ... complies with the relevant requirements and standards of the regulatory system"). Separately, the FCA has brought proceedings against a number of MLROs for failings in their firm's anti-money laundering procedures.
These cases have resulted in personal fines of up to £200,000 along with, in many cases, a ban from holding a role in the UK financial services industry. Space does not allow for going into the specifics of each case but there is a consistent theme of compliance officers failing to be alert to the risk of market abuse or manipulation, as well as often failing to implement or monitor systems and controls. The crucial point to note is that according to the FCA final notices, all the compliance officers involved completely failed to act with the appropriate level of care and skill - therefore the enforcement action taken was appropriate and reasonable.
Away from the regulatory arena, the Serious Fraud Office has been equally aggressive, bringing corruption charges against three former compliance officers for rail transport company Alstom. The first trial is to be heard at Southwark Crown Court in May 2017, with a further trial in January 2018.
In the US there is only one significant case in relation to personal liability of compliance officers. The case stems from MoneyGram (a money transfer company) entering into a Deferred Prosecution Agreement with the DoJ in 2012 following a Financial Crimes Enforcement Network (FinCEN) investigation. In the settlement, MoneyGram admitted to wire fraud and money laundering control violations and paid US$100 million to settle the matter. In linked proceedings, FinCEN took civil enforcement action against former MoneyGram chief compliance officer Thomas Haider, and personally fined him US$1 million. Mr Haider appealed but in January 2016 the US District Court in Minnesota ruled that Haider (and any other compliance officers) can be held responsible for anti-money laundering control failures.
There are certainly anecdotal reports from the US that Haider was made a scapegoat for the conduct of other, more senior, individuals in the business and, if accurate, this is a troubling counterpoint to the positive messages outlined above from the SEC and DoJ.
Additionally, the SEC and the DoJ have made clear that a robust and adequately trained compliance staff is an essential element of a rigorous anti-corruption programme, starting with strong leadership from a chief executive officer or chief compliance officer. This has been supported by a number of recent Foreign Corrupt Practices Act (FCPA) resolutions with the SEC and DoJ, specifically Qualcomm, Key Energy Services and AstraZeneca plc, where the SEC described each company's compliance staffing and training as inadequate as well as a root cause of its FCPA violations. While, so far, the focus has been on corporates, given the US Government's stated aim to target more individuals there is a risk that, in an appropriate case, the focus could fall personally on a compliance officer.
So, given the number of regulatory and criminal cases, are compliance officers more exposed? The strong message coming from enforcement agencies is that they are only interested in intentional misconduct. It is right, though, that there are more enforcement actions against compliance officers and a desire by the regulators to increase personal accountability. The reality is that complicity in misconduct by compliance officers has always been prohibited and therefore, while it may appear that there is greater exposure, the comforting answer is that appearances can be deceptive.