Recent enforcement actions suggest that regulators, both in the United States and the UK, are targeting compliance officers.
Some of these cases involve allegations that compliance officers took part in the misconduct, such as collusion between a compliance officer of a registered broker-dealer and his relatives to defraud investors and embezzle their money.
More worrying are the cases that involve charges against compliance personnel for failing to prevent their organizations from committing financial crimes or for failing to submit suspicious activity reports or other required regulatory disclosures or certifications.
The DOJ and SEC have also highlighted failures by compliance and law department personnel in recent FCPA cases for failing to investigate issues, overlooking red flags, and failing to stop payments to intermediaries even after they became aware that FCPA due diligence requirements were not met.
Those enforcement actions have typically been resolved through “negotiated settlements” and therefore may reflect a sanitized version of the facts underlying the charges. But do they nonetheless send a message that compliance personnel are responsible for the conduct of more senior decision makers in organizations? That compliance personnel bear an outsized burden for their organization’s misconduct without the upside of authority and compensation?
Compliance personnel may, as a result, find themselves in a no-win situation when faced with difficult decisions to approve or reject transactions or business partners in the higher risk “grey zone.”
If they approve something that later goes wrong, they may be blamed and could be held personally liable. If they reject a transaction or business partner (and are not overruled), they may be accused of hindering business, confront hostility and lose support in the organization.
In light of these risks, what are some common-sense steps compliance personnel can take to protect themselves from becoming the target of enforcement?
- First and foremost, fully understand regulatory obligations, particularly for filing disclosures/reports and reporting misconduct.
- Take time to think and assess before making a judgement about a tricky or complex compliance-related matter. Making a decision under duress is never a good course.
- Seek advice and input from internal colleagues and, where necessary, external advisers. Also don’t forget to obtain advice in writing to support the position taken.
- Contemporaneously document decisions and, importantly, the rationale behind them. Simply indicating “yes” or “no” will not be effective if a decision is ever questioned.
- Engage with the business employees to fully understand the facts, issues and internal drivers and, where needed, to determine if there is a less risky way to achieve the same objectives. If the answer is affirmative if certain mitigation measures are put in place, check periodically that those measures have been implemented and document it.
- Escalate major issues early and seek buy-in and support from management for the decision.
- Use internal reporting channels to report misconduct where necessary.
- Raise resource constraints with management and understand that limited resources necessarily mean focusing on higher risk issues to the extent possible.
In addition to protecting compliance personnel from unwanted allegations, these steps also promote the organization’s internal control framework and can shield it from compliance failures that could put it at risk for enforcement and reputational harm.
Bethany Hipp is Counsel in Allen & Overy’s Global Investigations Group focusing on internal investigations as well as anti-corruption and trade compliance. She’s based in Singapore. She previously worked for a multinational mining company and the U.S. Department of Justice. She can be reached here.
The views expressed in this post are the author’s own and do not necessarily represent the views of her employer.