A new theme is developing in financial services regulatory enforcement—assigning personal responsibility for ostensibly corporate acts. As a result, individual officers at financial services companies, in addition to the institutions themselves, are now in the regulators’ cross-hairs. This rapidly developing trend appears to be rooted in a regulatory reaction to a perceived public outcry over why so few officers have been jailed or fined following the recent financial crisis.1
State Regulators Seeking Personal Accountability
In a recent speech,2 Benjamin Lawsky, Superintendent of the New York Department of Financial Services (“DFS”), noted that five years after the financial crisis not a single senior executive officer has been held accountable. In response to this lack of assigned personal liability, the DFS, under Superintendent Lawsky’s leadership, is implementing a policy to hold individuals, along with the corporate entities they work for, accountable for identified personal misconduct. Superintendent Lawksy’s stated objective is to deter future misconduct in order to provide for a more ethical and stable financial system for the long term. While a laudable goal, this new enforcement focus raises significant issues and poses numerous challenges for individuals and employers—as well as regulators—in the financial services industry
Lawsky’s focus on individual accountability, in addition to corporate accountability, stems from the notion that a corporation is a group of people and that if there is wrongdoing at a corporation, the actions were instigated and carried out by individuals, i.e., ultimately, people committed the wrongdoing. Of particular concern to Lawsky is that most regulatory enforcement actions are against corporations, which typically pay millions of dollars (or more) to get out of an investigation or prosecution; and such efforts typically result in an enforcement order or similar action that provides little, if any, details about which individuals engaged in the misconduct and, specifically, what they did. Noting that large corporate fines are just a charge to the financial statements—hitting the shareholders who typically had nothing to do with the violations—Lawsky lamented the fact that these fines often result in no impact regarding personal liability for the individual(s) who committed the wrongful acts. Lawsky’s solution is to establish a meaningful personal deterrent to future misdeeds, including serious penalties when individuals break the rules. The scope of meaningful deterrents
include jail time for criminal actions, suspensions, firings, bonus claw-backs, and other penalties for deliberate or negligent regulatory, compliance and supervisory violations. According to Superintendent Lawsky, this would be to incentivize more ethical behavior and positively influence a more healthy corporate culture.
Federal Regulators Pursuing Similar Actions
Lawsky is not alone on this issue; federal regulators appear to be heading in the same direction. For example, in 2013 the U.S. Department of the Treasury, which administers the Office of Foreign Assets Control and the Financial Crimes Enforcement Network (“FinCEN”), announced its intention to hold individual bankers liable for wrongful acts that involve money laundering activities and to seek financial penalties from the individuals culpable for implementing or orchestrating corporate acts that were at the heart of the wrongdoing.3 Members of Congress then introduced proposed legislation to codify this new policy.4 Soon other regulators were following suit. For example, in February 2014, the Financial Industry Regulatory Authority (“FINRA”) fined both Brown Brothers Harriman $8.0 million and its Global Anti Money Laundering (“AML”) Officer $25,000; the AML officer also was suspended for one month.5 Similarly, in March 2014, the Comptroller of the Currency raised the issue in the context of AML actions, suggesting that senior bank managers should be held personally accountable for Bank Secrecy Act risk management failings and deficiencies, especially when there is a conscious decision or deliberate action not to commit the requisite resources and expertise to maintain an AML program necessary to meet the requirements of law and/or the expectations of the regulators.6
These recent attempts to impose personal liability are in addition to the traditional enforcement actions by regulators against directors and officers of financial services companies for misdeeds, most notably by the Federal Deposit Insurance Corporation as receiver for failed banks (the “FDIC-R”). The FDIC-R has filed approximately 90 suits against directors and officers of failed banks since 2010, most of which have been settled without court action.7 These actions are pursued in an attempt primarily to recover director and officer liability insurance coverage. Even in settlements involving some of the largest failures, FDIC-R recoveries have come largely from director and officer insurance proceeds.8 Frequently, these settlements involve strong-arm techniques to encourage settlement, with government cases pursued in the context of wasting insurance policies, the proceeds of which are being pursued by multiple parties suing a failed bank or its holding company. Warranting particular concern is the situation where a director or officer lacks appropriate insurance coverage and faces personal liability, which provides substantial leverage to the FDIC to force a settlement.
Determining the Parameters of Personal Culpability
Superintendent Lawsky acknowledges that the new focus on personal liability will likely impact a targeted employee’s reputation and career, and may even impinge on an officer’s personal liberty in the most egregious of circumstances. He cautioned, however, that regulators must act responsibly in wielding this authority and, particularly, must have a high degree of confidence that a regulatory action is just and fair and supported by strong-evidence. Accordingly, as other financial regulators join in Superintendent Lawsky’s crusade for individual accountability, a key question must be answered— will the other regulators follow his strong-evidence approach or adopt the strong-arm tactics frequently used by the FDIC-R?
Regulatory efforts to impose individual accountability raises significant issues under employment law, legal ethics and corporate governance principles, and implicate the parameters for appropriate insurance coverage for officers of financial services companies. While corporations are run by their employees, the typical employee is under the supervision of a manager—who in turn is supervised by
another individual, and this chain of command proceeds up the corporate ladder to the c-suite.9 Corporations typically use enterprise-wide compliance programs to ensure that the corporation qua corporation acts in a lawful manner. Threats of personal liability, either at the line level or within a corporate compliance department, could have the adverse impact of hampering the effective operations of the corporation as anyone with personal liability soon will begin to engage in personal preservation exercises, which could very well be at the corporation’s expense, to immunize themselves from being “second guessed” or worse by a regulator who has the benefit of 20-20 hindsight about how things unfolded.
An example of the considerations and dynamics involved in a real life situation is evident in reviewing the challenges confronted by an AML officer seeking resources and staffing to address a program deficiency either self-identified or identified by examiners. The AML officer will be dependent on others up the corporate “food chain” to obtain the funding for access to a specific AML resource or staffing, with the AML officer having only a requesting role in the decision (and budget) process. An important consideration in the context of this situation is the culpability of the AML Officer who fails to adequately make his or her case with corporate higher-ups about the need for the requested AML resource or staffing. In particular, what are the factors that could cause the AML officer to be personally liable for the failings of the bank’s AML procedure to secure the proper resources?
This example, imposing personal liability on an AML officer, illustrates the challenges that are created addressing the real or perceived shortcomings of officers or employees who fail to adequately perform their job in the eyes of state and federal regulators. Some of the most significant issues to consider are:
- What will happen if the AML officer has papered the file to document he is not being provided with proper resources?
– Who then should be held accountable?
- Would the recipients of the AML officer’s self-protection memo be held liable if they were on notice of this material deficiency and they did not act to address the deficiency?
- What about a budget officer who denies a necessary procurement ... what is the standard of culpability applied to these officers?
- How will the AML officer’s self-protection memo be used against the corporation for failing to properly implement an adequate AML policy?
- Should each officer have his or her own counsel, as company-counsel likely would face an ethical dilemma advising both the company and its employee?
- When should an officer obtain his own counsel?
- At whose expense?
- Where does the buck ultimately stop?
- Why is the corporation, acting through the people it employs, not deemed the true culpable party?
Certainly, individuals engaged in illegal acts and wrongdoing should not be permitted to continue handling other peoples’ money. At the same time, it is important to recognize that employees and officers of corporations may have certain indemnification rights under applicable state corporate laws that provide for indemnification if they are involved in or threatened in connection with a pending or
completed investigation, claim, action, suit or other civil, criminal, administrative, or investigative proceeding.10 While Section 18(k) of the Federal Deposit Insurance Act11 and Part 359 of the rules and regulations of the FDIC12 could restrict indemnification payments to an FDIC-insured depository institution or its holding company if the institution is deemed to be in a “troubled condition,” these provisions only apply to indemnification payments involving an administrative proceeding or a civil action initiated by a federal banking agency.13 Actions commenced by a state regulator, such as the DFS, could be exempt from these indemnification restrictions.14 Thus, to the extent a state regulator or self-regulatory organization such as FINRA acts alone or against an individual, he or she may be required to be indemnified by his or her employer. As a result, even though regulators seek to hold individuals accountable and personally liable, ultimately (and perhaps, rightfully), it could be the employer saddled with the relevant expenses.15 Ultimately, it is possible that at least the financial penalties related to individual accountability could ultimately still result in corporate responsibility, i.e., an expense imposed upon the owners of the corporation—the shareholders.
Corporate and Corporate Officers’ Action Plan
As financial services regulators develop new approaches to pursue individuals, financial services companies and their employees need to prepare to address issues that inevitably will arise. Among the more pressing actions are the following:
- Corporations should review their indemnification obligations—authorized by state law and/or required under corporate governance documents and contractual commitments:
- to understand their obligations to their directors, officers and employees who may be under regulatory scrutiny, including obligations to advance fees and expenses that could be incurred as a result of an investigation of the individual’s activities;
– any exceptions to their obligation to make indemnification payments; and
- the procedures to implement their indemnification obligations, including any required prior-notice to regulators or undertaking by an indemnified party to reimburse the company if he or she is ultimately found to be not entitled to indemnification.
Based upon such review, financial services companies should consider whether they need to revise their corporate governance documents and procedures, as well as their future employment contracts to limit their indemnification obligations.
- Corporate counsel also should review their ethical obligations to provide advice to officers and employees, as well as to the corporation that is the subject of regulatory scrutiny. Corporate counsel should also be prepared to advise a targeted employee regarding his or her need to retain separate counsel due to an inherent conflict of interest, and whether or not securing such personal counsel would be at the employee’s own expense.
- Employees should consider obtaining copies of and reviewing their company’s corporate governance materials and applicable law to understand the company’s obligations to them if they become subject to regulatory scrutiny, including procedures that the company must follow to provide indemnification and that the employee must follow in order to request indemnification, (e.g., a written demand and an undertaking to repay the company if it is determined the employee was not entitled to indemnification).
- Employees with contractual indemnification rights should also review such agreements and understand the procedures that must be followed by their employer in order to provide contractually-required indemnification, and by the employee to obtain such indemnification (e.g., a written demand and an undertaking to repay the company if it is determined the employee was not entitled to indemnification).
- Financial services companies should review existing directors and officers insurance policies to ensure officers who are potentially most vulnerable, e.g., AML officers and officers who assume similar, significant compliance oversight responsibilities, have adequate coverage in the event that an individual officer is identified as having some degree of personal culpability.
The implications of recent developments regarding personal accountability and liability for wrongdoing and, potentially, negligent acts should be reviewed throughout the corporate structure to identify areas of greatest risk within each financial services company. In working to minimize such risks, financial services entities should recognize the potential impact on their ability to retain qualified officers if they fail to do so.16 Ultimately, the challenge is to ensure that the interests of the corporation and the corporate officers are closely aligned to minimize the possibility of harmful acts or actions that could harm, rather than help, the interests of all concerned.
* * *
Paul Hastings attorneys are actively representing financial services companies and individual directors and officers facing regulatory enforcement actions. If you have any questions regarding the developments discussed in this StayCurrent please contact your Paul Hastings attorney.