Compliance Officers: Recent Regulatory Guidance and Enforcement Actions and Mitigating the Risk of Personal Liability

Although the DOJ relaxed some of the requirements of the Yates Memo, the updated policy still requires companies to identify all wrongdoing by senior officials to qualify for any cooperation credit. In the same speech, Rosenstein also reaffirmed the DOJ's commitment to prioritizing individual over corporate liability, stating that "pursuing individuals responsible for wrongdoing will be a top priority in every corporate investigation" as "corporate cases often penalize innocent employees and shareholders without effectively punishing the human beings responsible for making corrupt decisions."

Officials at the SEC and the Commodity Futures Trading Commission (CFTC) also have emphasized individual accountability as top enforcement priorities. In May 2018, Stephanie Avakian and Steven Peikin, the SEC's co-Directors of Enforcement, testified before the House Committee on Financial Services that "it is critical to hold individuals responsible in appropriate cases and to pursue wrongdoing at the highest corporate levels." In November 2018, in a speech on enforcement trends at the NYU School of Law, James M. McDonald, the CFTC's Director of Enforcement, stated that holding individuals accountable would incentivize companies to foster cultures of compliance.

Key Regulatory Actions Against Compliance Officers

In addition to the criminal case against Barclay and Pietruszewski discussed above, regulators have brought several actions against compliance officers in the past year. Of particular concern, regulators have sought to hold compliance officers personally liable for "causing" their firms' failures to design effective compliance programs. In October 2018, the SEC sustained the Financial Industry Regulatory Authority's (FINRA) two-month suspension and $40,000 fine against Thaddeus J. North for, among other things, willfully failing "to establish and maintain a reasonable supervisory system for the review of electronic correspondence" in violation of FINRA, National Association of Securities Dealers (NASD), and Municipal Securities Rulemaking Board (MSRB) rules. In re Thaddeus J. North, Exchange Act Release No. 84500 (Oct. 29, 2018). North was the CCO of Southridge Investment Group LLC (Southridge). His responsibilities included "establishing and maintaining [Southridge's] supervisory procedures governing the review of electronic correspondence and … reviewing that correspondence." The SEC found that Southridge's procedures "were not reasonably designed because they completely failed to specify even the most basic parameters for reviewing electronic communications …." The SEC upheld FINRA's sanctions against North despite his attempt to amend the procedures that were found to be deficient.

In its opinion, the SEC acknowledged that compliance officers "play a vital role" in the regulatory framework and that "in general, good faith judgments of CCOs made after reasonable inquiry and analysis should not be second guessed." However, the SEC noted that "when a CCO engaged in wrongdoing, attempts to cover up wrongdoing, crosses a clearly established line, or fails meaningfully to implement compliance programs, policies, and procedures for which he or she has direct responsibility, we would expect liability to attach." Notably, the SEC's "failure to meaningful[ly] implement" standard appears to be broader than the standard articulated by former SEC Director of Enforcement Andrew Ceresny in a November 2015 address to the National Society of Compliance Professionals, when he stated that compliance officers may face personal liability in instances that exhibit "a wholesale failure to carry out his or her responsibilities."

Compliance officers also have been found personally liable for failure to follow their firms' compliance procedures. The SEC also found that North willfully failed to reasonably review Southridge's electronic correspondence in violation of its written supervisory procedures and FINRA, NASD and MSRB rules. Similarly, in May 2018, the SEC settled charges against Jerard Basmagy, the CCO and Anti-Money Laundering (AML) Officer of broker-dealer Chardan Capital Markets LLC (Chardan). In re Basmagy, Exchange Act Release No. 83252 (May 16, 2018). Chardan's policies required Basmagy to investigate potential red flags, monitor trading for patterns of suspicious activity, and file suspicious activity reports (SARs). The SEC found that Basmagy failed to review red flags and file SARs when Chardan executed penny stock transactions on behalf of its customers that "facilitate[d] fraudulent activity or had no business or apparent lawful purpose." Although Chardan had red flag monitoring systems in place, Basmagy failed to review "significant penny stock liquidations" even after Chardan's clearing firm raised concerns. The SEC decided that, by failing to file SARs as required, Basmagy "willfully aided and abetted and caused" Chardan's Exchange Act violations. The SEC barred Basmagy from the industry for three years and fined him $15,000 in civil penalties.

Compliance officers also have been found liable for failing to provide material information to regulators. On April 16, 2018, the Office of the Comptroller of the Currency (OCC) informed Laura Akahoshi, the former CCO of Dutch financial institution Rabobank, N.A. (Rabobank), of its intention to bar her from the banking industry and require her to pay a $50,000 civil penalty. In re Akahoshi, OCC File No. N18-002 (Apr. 16, 2018). Akahoshi and other Rabobank executives allegedly withheld a report from OCC regulators revealing the bank's AML program failures. The OCC alleged that, not only did Akahoshi withhold the report, but she also misled regulators about the existence of the report.

Laws and Regulations Imposing Additional Responsibilities on Compliance Officers

Several current and upcoming laws and regulations may place additional responsibilities on compliance officers and thus may lead to increased personal liability risk. For example, compliance officers must now ensure that their firms' compliance programs adequately address a plethora of data privacy regulations. The General Data Protection Regulation (GDPR) came into force on May 25, 2018, and imposes several privacy and data protection requirements on companies both within the EU and that sell or market goods and services to, or monitor the behavior of, people in the EU. The California Consumer Privacy Act (CCPA) will take effect on Jan. 1, 2020. The CCPA will require any company that does business in California that stores consumers' personal data to make certain disclosures to consumers, comply with specific requests, and otherwise allow consumers more control over their information. Experts anticipate that similar laws will soon pass in state legislatures around the country.

In addition, new regulations affecting broker-dealers will increase responsibilities on compliance officers in that industry. SEC Regulation Best Interest (BI), which will become fully effective June 30, 2020, requires broker-dealers to "act in the best interest of a retail customer when making a recommendation of any securities transaction or investment strategy involving securities to a retail customer." Regulation BI will raise the standards of conduct for broker-dealers beyond their existing obligations and require compliance officers to implement systems to ensure that their firms are meeting those higher standards of care.

Moreover, the U.S. Senate is considering legislation that would reform current AML rules and may impose additional AML responsibilities on compliance officers. On June 10, 2019, a bipartisan group of senators unveiled the proposed Improving Laundering Laws and Increasing Comprehensive Information Tracking of Criminal Activity in Shell Holdings (ILLICIT CASH) Act. The draft bill would require shell companies to disclose the identities of their true owners through mandatory filings of beneficial ownership information with the Financial Crimes Enforcement Network (FinCEN). The bill would also require financial institutions subject to customer due diligence requirements to report differences between their information and FinCEN's, increasing the responsibilities of compliance officers.

Best Practices for Compliance Officers to Mitigate Personal Liability Exposure

Compliance officers can take several steps to decrease their exposure to personal liability. For one, compliance officers should stay informed of updates in the law, regulatory guidance, technology, and compliance trends to ensure that their firms' compliance systems meet regulator expectations. For example, in April 2019, the DOJ's Criminal Division updated its guidance to prosecutors on the evaluation of corporate compliance programs, which plays an important role in charging decisions. The updated guidance uses a three-question framework to determine whether a company's compliance program is effective: 1) Is the corporation's compliance program well designed? 2) Is the program being implemented effectively? 3) Does the program work in practice? Compliance officers should tailor their firms' compliance programs to meet the DOJ's standards of effectiveness.

Second, compliance officers should regularly review their company's policies, procedures and controls to ensure that they adequately and effectively comply with new requirements and standards. If a compliance officer determines that his or her firm's compliance program may be deficient or becomes aware of signs of suspicious activity, he or she should quickly attempt to address the deficiencies or investigate the suspicious activity. Regulators frequently bring actions against compliance officers who ignore the deficiencies of their firms' compliance programs or fail to adequately investigate or take remedial actions in response to known red flags. A timely, serious, and documented response by the compliance officer demonstrates a good faith effort to address a compliance issue, even if the situation ultimately cannot be fully remediated.

Recent instances where the SEC decided not to charge compliance officers illustrate the importance of such proactive conduct. In the related enforcement actions In re Mark A. Elste, Investment Advisers Act Release No. 5062 (Nov. 6, 2018), and In re Pennant Management, Inc., Investment Advisers Act Release No. 5061 (Nov. 6, 2018), the SEC concluded that investment adviser Pennant Management Inc. (Pennant) did not have reasonably designed written policies and procedures regarding initial and ongoing counterparty due diligence. However, the SEC did not find the compliance officer personally liable for these failures. The SEC's orders explained that Pennant's CCO highlighted counterparty risks and repeatedly requested additional resources to remedy deficiencies in the compliance program, which were not provided. Accordingly, CCOs may avoid personal liability if they exhibit to regulators that they carried out even a flawed program to the best of their abilities and attempted to correct known deficiencies.

*****

Jonathan B. New and Patrick T. Campbell are both partners in the New York office of BakerHostetler's White Collar, Investigations and Securities Enforcement and Litigation Team. Mr. New is also a member of the Board of Editors of this newsletter and Mr. Campbell is the incoming Chair of the New York City Bar Association Compliance Committee. Madison Gaudreau is a summer associate in BakerHostetler's New York office. The views expressed in this article are those of the authors and not necessarily those of BakerHostetler or its clients.