NEW YORK (Thomson Reuters Regulatory Intelligence) - The personal liability of financial services executives, including compliance leaders, has been a focus of several cases and regulatory initiatives this year, as the issue has taken hold in the United States.
U.S. regulators have fined or otherwise punished a number of corporate employees for misconduct while trying to bring clarity to how and when they will act, and why it is in a company’s best interest to promptly cooperate with investigators after wrongdoing occurs.
Regulatory emphasis on the personal liability of individual corporate actors in both criminal and civil investigations should encourage executives, including compliance professionals, to use best practices for demonstrating their diligence in supervising staff and using sound judgment.
For compliance professionals, the avoidance of personal liability involves adopting techniques that showcase consistent monitoring and show how the compliance program is sound and appropriately configured for the firm.
PERSONAL LIABILITY AFTER YATES MEMO - AGENCY INITIATIVES
In 2015, U.S. Deputy Attorney General Sally Yates unveiled a memorandum bearing her name and setting the course for the Justice Department's strategy on corporate prosecutions.
The memo announced a revised Department of Justice (DOJ) policy on targeting individuals within corporations during criminal or civil investigations. It states that federal prosecutors will give corporations “cooperation credit” only if they hand over all relevant information related to individuals responsible for potential misconduct.
It warns companies that the DOJ will focus on individual liability from the start of civil and criminal investigations and will not agree on a resolution with a corporation that provides immunity to culpable individuals.
The memo highlights accountability and deterrence while providing incentives for firms to take the reins in holding bad actors to account.
Incentives for employees themselves come from the Dodd-Frank Act's whistleblower provisions, which encourage employees to report and help ferret out wrongdoing occurring in their businesses. The programs at the Securities and Exchange Commission and some other agencies allow whistleblowers to share in the financial penalties collected from successful enforcement actions that are assisted by their information, and the awards have been substantial.
Executives in the business — compliance included — should appreciate that an employee within the organization has the incentive to report any potentially wrongful behavior these executives are committing.
Another regulatory agency, the Office of the Comptroller of the Currency (OCC), the primary federal regulator for most large banks, issued a new policy on agency enforcement actions seeking civil money penalties against institutions and individuals.
Among other things, the OCC last February added a new aggravating factor to its enforcement policy by stating its intention to assess the “effectiveness of internal controls and compliance program” and broadened the list of institution-affiliated parties from the typical list of directors, officers and controlling shareholders that could be subject to a penalty.
The list now includes any independent contractor or “any other person” who knowingly or recklessly participates in any violation of law or regulation, breach of fiduciary duty, or unsafe or unsound practice. The harshest penalties are reserved for persons who show a deliberate or willful intent to violate a law or regulation; showing an attempt to comply can help scale down the civil money penalty.
Late last month, the DOJ announced its new Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy, which is intended to improve upon and make permanent the FCPA Pilot Program and applies to DOJ criminal prosecutions when a company voluntarily self-discloses misconduct, fully cooperates, and timely and appropriately remediates.
In so doing, the company will get the presumption of a declination unless there are aggravating factors, and even if the company does not make a voluntary disclosure, but meets the other requirements of the new policy, the business will still be eligible for cooperation credit of a 25 percent reduction off the bottom of the U.S. Sentencing Guidelines.
The new policy is an effort by DOJ to incentivize companies to further disclose of their own accord and fully cooperate with respect to potential FCPA violations, plus another effort to bring criminal prosecutions in general against individual offenders.
The enforcement division of the Securities and Exchange Commission (SEC) issued its Annual Report for Fiscal Year 2017, which details its accomplishments and year-over-year comparisons and outlines an enforcement agenda for the coming year.
The report asserts that individual accountability deters wrongdoing and says the pursuit of such individuals must be the key to any effective enforcement program. It buttresses SEC Chairman Jay Clayton's statement in his confirmation hearing earlier this year that "individual liability is the greatest deterrent."
On the state level, New York's Department of Financial Services (NYDFS), a powerful agency with regulatory jurisdiction over major international banks and insurers doing business in the state, included significant executive liability measures in a directive that took effect in March, requiring firms to establish cyber-security programs.
The regulations require firms to designate a chief information security officer responsible for compliance with the directive. They also require either the chairperson of the board or a senior officer to annually certify that the firm’s cyber-security program meets the regulator’s requirements. Those submitting the certification can be held individually liable, and possibly assessed civil and criminal penalties, if the organization’s cyber-security program is deficient.
The United States' attention to individual liability is echoed in other countries, including the United Kingdom, whose measures reach beyond its borders.
Last year, the UK's Financial Conduct Authority (FCA) implemented a strict accountability policy called the Senior Managers and Certification Regime, whose implementation has been rolled out in waves, with all rules being in place by 2018.
It will impose liability on persons the FCA demonstrates were “knowingly concerned” with a breach by the firm, and it will require senior persons to personally attest to the adequacy of compliance.
Those rules apply not only to UK banks but also to branches of foreign banks operating in the UK.
Barclays Capital in May had to pay penalties of more than $16.5 million as part of a U.S. settlement stemming from allegations that the company did not properly supervise two of its former mortgage bond traders who allegedly lied to and overcharged clients.
According to the SEC, which brought the enforcement action, an investigation found that Yoon Seok Lee and David Wong, two former Barclays Capital residential mortgage-backed securities (RMBS) traders, made false or misleading statements to Barclays RMBS customers. These statements included false or misleading information about the price at which Barclays had bought the securities, the amount of profit Barclays was making for facilitating the trades, and who owned the securities. The SEC said the traders created a fictional third party to create the appearance of price negotiations.
Additionally, the SEC investigation found that Lee and Wong added excessive mark-ups on certain transactions without notifying their customers.
The SEC investigation also found that Barclays “failed reasonably to supervise” Lee and Wong by not implementing appropriate supervisory procedures that could have prevented or detected the false or misleading statements Lee and Wong made and could have prevented the overcharges.
Lee and Wong were charged individually, and both agreed to 12-month suspensions from working in the securities industry and payment of a fine.
Also in May, the U.S. Department of the Treasury settled its case with Thomas Haider, the former chief compliance officer of MoneyGram International Inc., for what its financial crimes unit -- the Financial Crimes Enforcement Network (FinCEN) -- called his significant failures to oversee an anti-money laundering (AML) program at his employer. The charges against Haider revolved around a "failure to ensure an effective AML program."
FinCEN stressed the authority he had and failed to exert — from knowing of program deficiencies to failing to fire staff under his oversight who showed fraudulent behavior.
Haider agreed to a three-year injunction barring him from serving in a compliance function at any money transmitter. He also agreed to pay a $250,000 penalty.
MoneyGram was also charged in a Justice Department case. The company signed a deferred prosecution agreement in 2012 with the DOJ and was ordered to pay $100 million in penalties and restitution.
In another SEC case involving a chief compliance officer, David I. Osunkwo was charged with alleged reporting failures and misstatements.
The settlement was announced on August 15 and was based on events from 2009 to 2011, which ultimately resulted in an order against not only Osunkwo but also Aegis Capital LLC and Circle One Wealth Management LLC (two now-defunct investment advisers) and their chief operating officer, Diane W. Lamm.
Osunkwo served in 2010 and 2011 as the compliance chief at Aegis Capital and Circle One Wealth Management. The firms had outsourced CCO duties to a third-party provider called Strategic Consulting Advisors, where Osunkwo was a principal.
Osunkwo was responsible for preparing a consolidated 2010 year-end Form ADV for Circle One that would reflect its merger with Aegis under the same parent company, Capital L Group LLC.
The SEC said in the settlement order that Osunkwo submitted inaccurate information for the two investment advisory companies, and Osunkwo listed the chief investment adviser as having certified the figures when, in fact, he had not.
The SEC held Osunkwo liable for the failings, fined him $30,000, and barred him from the securities industry for one year. Osunkwo, a New York-licensed attorney, did not admit or deny any wrongdoing. His company, Strategic Consulting Advisors, has closed, the SEC said.
Regulators are increasingly emphasizing the importance of individual liability at financial institutions, and holding individuals accountable for decisions they make that result in breaches of financial regulations.
This means that compliance officers should consider increasing and strictly organizing the evidence they maintain to show their monitoring and testing of compliance programs and controls. They should respond to all red flags of possible misconduct and thoroughly document their investigations or responses. Keeping a personal file to document all steps taken is one way to do so.
The compliance team must be prepared to show how they updated the company’s compliance program in light of organizational changes and new developments in applicable laws and regulations.
Particular attention must be given to reports of misconduct or whistleblower reports, and all relevant materials must be escalated to senior management such as the general counsel or board of directors.
The compliance department must detail how it investigated areas of potential non-compliance and developed corrective actions to rectify any misconduct and significant mistakes unearthed.
To define and limit supervisory liability, CCOs should also not have supervisory responsibilities over business-line activities. This should be made explicit when they assume the role, such as in an offer letter. Instead, an appropriate person in each area should perform supervisory responsibilities, and CCOs should meet regularly with these designated supervisors to verify whether proper oversight is taking place.
It is also essential that all appropriate staff members understand the accountability they bear in their specific roles. A compliance officer can be one of the persons in the organization to disseminate such information to encourage good behavior, whistleblower reporting, and detailed reporting of actions taken and decisions made.
Compliance officers must also escalate all material issues to senior management, including the board, or report them to regulators. CCOs should further request permission to obtain and document advice from independent outside legal counsel if there is a disagreement with senior management.
They also must speak up if they are working with insufficient resources, including headcount. This might mean appealing to the highest reaches of the organization, including the board of directors, using as examples the penalties and public relations pitfalls of peers in the industry and showcasing the benefits to the company’s bottom line, reputation, and readiness to work anywhere in the world.
All managers in regulated firms must also appreciate any joint liability risks that could arise from the actions of affiliated entities, plus third-party vendors, and assess whether these parties are operating with quality systems, qualified personnel, and effective compliance programs.
Compliance departments should view regulatory cooperation credit policies as also, in essence, an attempt by the regulator to encourage self-reporting of violations.
The Commodity Futures Trading Commission (CFTC), another federal regulatory agency with a cooperation credit program, noted that such credit will not be given merely for following the law, but rather for what an individual or corporation “voluntarily does, beyond what it is required to do.”
(Julie DiMauro is a regulatory intelligence expert in the Enterprise Risk Management division of Thomson Reuters Regulatory Intelligence.)
This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Dec. 22.