Skip to content


Harry Cassin
Publisher and Editor

Andy Spalding
Senior Editor

Jessica Tillipman
Senior Editor

Bill Steinman
Senior Editor

Richard L. Cassin
Editor at Large

Elizabeth K. Spahn
Editor Emeritus

Cody Worthington
Contributing Editor

Julie DiMauro
Contributing Editor

Thomas Fox
Contributing Editor

Marc Alain Bohn
Contributing Editor

Bill Waite
Contributing Editor

Shruti J. Shah
Contributing Editor

Russell A. Stamets
Contributing Editor

Richard Bistrong
Contributing Editor

Eric Carlson
Contributing Editor

Bethany Hipp: How can compliance officers protect themselves from harm?

Recent enforcement actions suggest that regulators, both in the United States and the UK, are targeting compliance officers.  

Some of these cases involve allegations that compliance officers took part in the misconduct, such as collusion between a compliance officer of a registered broker-dealer and his relatives to defraud investors and embezzle their money.

More worrying are the cases that involve charges against compliance personnel for failing to prevent their organizations from committing financial crimes or for failing to submit suspicious activity reports or other required regulatory disclosures or certifications.

Most of these recent cases in the news involve AML-related reporting violations or breach of investment adviser/broker-dealer compliance requirements.

The DOJ and SEC have also highlighted failures by compliance and law department personnel in recent FCPA cases for failing to investigate issues, overlooking red flags, and failing to stop payments to intermediaries even after they became aware that FCPA due diligence requirements were not met.

Those enforcement actions have typically been resolved through “negotiated settlements” and therefore may reflect a sanitized version of the facts underlying the charges. But do they nonetheless send a message that compliance personnel are responsible for the conduct of more senior decision makers in organizations? That compliance personnel bear an outsized burden for their organization’s misconduct without the upside of authority and compensation?

Compliance personnel may, as a result, find themselves in a no-win situation when faced with difficult decisions to approve or reject transactions or business partners in the higher risk “grey zone.”

If they approve something that later goes wrong, they may be blamed and could be held personally liable. If they reject a transaction or business partner (and are not overruled), they may be accused of hindering business, confront hostility and lose support in the organization.

In light of these risks, what are some common-sense steps compliance personnel can take to protect themselves from becoming the target of enforcement? 

  • First and foremost, fully understand regulatory obligations, particularly for filing disclosures/reports and reporting misconduct.
  • Take time to think and assess before making a judgement about a tricky or complex compliance-related matter. Making a decision under duress is never a good course.
  • Seek advice and input from internal colleagues and, where necessary, external advisers. Also don’t forget to obtain advice in writing to support the position taken.
  • Contemporaneously document decisions and, importantly, the rationale behind them. Simply indicating “yes” or “no” will not be effective if a decision is ever questioned.
  • Engage with the business employees to fully understand the facts, issues and internal drivers and, where needed, to determine if there is a less risky way to achieve the same objectives. If the answer is affirmative if certain mitigation measures are put in place, check periodically that those measures have been implemented and document it.
  • Escalate major issues early and seek buy-in and support from management for the decision.
  • Use internal reporting channels to report misconduct where necessary.
  • Raise resource constraints with management and understand that limited resources necessarily mean focusing on higher risk issues to the extent possible.

In addition to protecting compliance personnel from unwanted allegations, these steps also promote the organization’s internal control framework and can shield it from compliance failures that could put it at risk for enforcement and reputational harm.


Bethany Hipp is Counsel in Allen & Overy’s Global Investigations Group focusing on internal investigations as well as anti-corruption and trade compliance. She’s based in Singapore. She previously worked for a multinational mining company and the U.S. Department of Justice. She can be reached here.

The views expressed in this post are the author’s own and do not necessarily represent the views of her employer.

Share this post



  1. Excellent article!

    An additional recommendation: under critical situation (exception cases), the Compliance Officer should involve people who are interested in the process approval to make a decision as a team. He/she has to register the discussion: the arguments that raises concern, the alternatives and the statements in favor to approval (with the clear person's names who took over each statement). In the end of this discussion, the conclusion has to be "nobody is aware of any misconduct in place and the related risks are mitigated". If the conclusion is not that, the Compliance Officer has to stop the process. This document should be submitted to the CEO for final approval.

  2. Excellent article which perfectly articulates the rock and a hard place scenario for the compliance profession.

Comments are closed for this article!