Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
On July 18, 2019, a federal grand jury in Cincinnati indicted the former compliance officer of a pharmaceutical distributor, James Barclay, the pharmaceutical distributor, and others with conspiring to illegally distribute controlled substances. Among other things, the indictment alleged that Barclay, who was responsible for supervising the distributor's compliance with drug laws, and others sold millions of painkiller pills to pharmacies, while regularly exceeding the company's internal threshold limits and ignoring obvious signs of diversion and abuse. When the company's internal suspicious order monitoring system flagged many of these orders, Barclay and other defendants allegedly failed to conduct any due diligence or report the suspicious orders to the Drug Enforcement Administration (DEA), as required by law. The Barclay indictment was issued around three months after federal prosecutors in Manhattan brought felony criminal charges against a different drug distributor, its former Chief Compliance Officer (CCO), William Pietruszewski, and others on allegations that they opened new customer accounts without conducting due diligence and sold customers controlled substances despite knowing they were being distributed for illegitimate purposes. On April 19, 2019, Pietruszewski pleaded guilty to conspiracy to distribute controlled substances, conspiracy to defraud the U.S., and willful failure to file suspicious order reports with the DEA.
These high-profile criminal actions against compliance officers provide a powerful reminder that they remain in the crosshairs of U.S. law enforcement authorities. Although some government officials, such as Securities and Exchange Commission (SEC) Commissioner Hester Peirce, have indicated support for deferring to the judgment of compliance officers in most cases, recent government investigations and enforcement actions raise concerns about where regulators will draw the line.
This article, which is an update to our two-part article on compliance officer liability first published in March 2018 (see, http://bit.ly/2LRw0WN and http://bit.ly/2LUlApb), explores legal developments over the past year that may impact compliance officer personal liability. The article discusses U.S. regulators' continued emphasis on charging individuals in criminal and civil actions, recent enforcement actions against compliance officers for failure to maintain and implement adequate compliance programs and other conduct, and new laws and regulations that may impose additional responsibilities and personal liability risk on compliance officers. The article concludes by recommending steps compliances officers can take to limit their personal liability exposure.
|Over the past several years, regulators have emphasized charging individuals in connection with alleged corporate wrongdoing rather than merely seeking large corporate fines. This focus on individual accountability impacts all corporate executives and, in particular, increases the risk of personal liability faced by compliance officers. In November 2018, former Deputy Attorney General Rod Rosenstein confirmed that the Department of Justice (DOJ) likely will continue this approach for the foreseeable future. In a speech given to the American Conference Institute, Rosenstein introduced modifications to the policy that then-Deputy Attorney General Sally Yates issued in September 2015, commonly known as the Yates Memo. The Yates Memo required companies to disclose "all relevant facts about the individuals involved in the alleged corporate misconduct" to qualify for any cooperation credit. Rosenstein stated that, under the revised policy, companies need only identify individuals who were "substantially involved in or responsible for the criminal conduct" to qualify for maximum cooperation credit.
Although the DOJ relaxed some of the requirements of the Yates Memo, the updated policy still requires companies to identify all wrongdoing by senior officials to qualify for any cooperation credit. In the same speech, Rosenstein also reaffirmed the DOJ's commitment to prioritizing individual over corporate liability, stating that "pursuing individuals responsible for wrongdoing will be a top priority in every corporate investigation" as "corporate cases often penalize innocent employees and shareholders without effectively punishing the human beings responsible for making corrupt decisions."
Officials at the SEC and the Commodity Futures Trading Commission (CFTC) also have emphasized individual accountability as top enforcement priorities. In May 2018, Stephanie Avakian and Steven Peikin, the SEC's co-Directors of Enforcement, testified before the House Committee on Financial Services that "it is critical to hold individuals responsible in appropriate cases and to pursue wrongdoing at the highest corporate levels." In November 2018, in a speech on enforcement trends at the NYU School of Law, James M. McDonald, the CFTC's Director of Enforcement, stated that holding individuals accountable would incentivize companies to foster cultures of compliance.
|In addition to the criminal case against Barclay and Pietruszewski discussed above, regulators have brought several actions against compliance officers in the past year. Of particular concern, regulators have sought to hold compliance officers personally liable for "causing" their firms' failures to design effective compliance programs. In October 2018, the SEC sustained the Financial Industry Regulatory Authority's (FINRA) two-month suspension and $40,000 fine against Thaddeus J. North for, among other things, willfully failing "to establish and maintain a reasonable supervisory system for the review of electronic correspondence" in violation of FINRA, National Association of Securities Dealers (NASD), and Municipal Securities Rulemaking Board (MSRB) rules. In re Thaddeus J. North, Exchange Act Release No. 84500 (Oct. 29, 2018). North was the CCO of Southridge Investment Group LLC (Southridge). His responsibilities included "establishing and maintaining [Southridge's] supervisory procedures governing the review of electronic correspondence and … reviewing that correspondence." The SEC found that Southridge's procedures "were not reasonably designed because they completely failed to specify even the most basic parameters for reviewing electronic communications …." The SEC upheld FINRA's sanctions against North despite his attempt to amend the procedures that were found to be deficient.
In its opinion, the SEC acknowledged that compliance officers "play a vital role" in the regulatory framework and that "in general, good faith judgments of CCOs made after reasonable inquiry and analysis should not be second guessed." However, the SEC noted that "when a CCO engaged in wrongdoing, attempts to cover up wrongdoing, crosses a clearly established line, or fails meaningfully to implement compliance programs, policies, and procedures for which he or she has direct responsibility, we would expect liability to attach." Notably, the SEC's "failure to meaningful[ly] implement" standard appears to be broader than the standard articulated by former SEC Director of Enforcement Andrew Ceresny in a November 2015 address to the National Society of Compliance Professionals, when he stated that compliance officers may face personal liability in instances that exhibit "a wholesale failure to carry out his or her responsibilities."
Compliance officers also have been found personally liable for failure to follow their firms' compliance procedures. The SEC also found that North willfully failed to reasonably review Southridge's electronic correspondence in violation of its written supervisory procedures and FINRA, NASD and MSRB rules. Similarly, in May 2018, the SEC settled charges against Jerard Basmagy, the CCO and Anti-Money Laundering (AML) Officer of broker-dealer Chardan Capital Markets LLC (Chardan). In re Basmagy, Exchange Act Release No. 83252 (May 16, 2018). Chardan's policies required Basmagy to investigate potential red flags, monitor trading for patterns of suspicious activity, and file suspicious activity reports (SARs). The SEC found that Basmagy failed to review red flags and file SARs when Chardan executed penny stock transactions on behalf of its customers that "facilitate[d] fraudulent activity or had no business or apparent lawful purpose." Although Chardan had red flag monitoring systems in place, Basmagy failed to review "significant penny stock liquidations" even after Chardan's clearing firm raised concerns. The SEC decided that, by failing to file SARs as required, Basmagy "willfully aided and abetted and caused" Chardan's Exchange Act violations. The SEC barred Basmagy from the industry for three years and fined him $15,000 in civil penalties.
Compliance officers also have been found liable for failing to provide material information to regulators. On April 16, 2018, the Office of the Comptroller of the Currency (OCC) informed Laura Akahoshi, the former CCO of Dutch financial institution Rabobank, N.A. (Rabobank), of its intention to bar her from the banking industry and require her to pay a $50,000 civil penalty. In re Akahoshi, OCC File No. N18-002 (Apr. 16, 2018). Akahoshi and other Rabobank executives allegedly withheld a report from OCC regulators revealing the bank's AML program failures. The OCC alleged that, not only did Akahoshi withhold the report, but she also misled regulators about the existence of the report.
|Several current and upcoming laws and regulations may place additional responsibilities on compliance officers and thus may lead to increased personal liability risk. For example, compliance officers must now ensure that their firms' compliance programs adequately address a plethora of data privacy regulations. The General Data Protection Regulation (GDPR) came into force on May 25, 2018, and imposes several privacy and data protection requirements on companies both within the EU and that sell or market goods and services to, or monitor the behavior of, people in the EU. The California Consumer Privacy Act (CCPA) will take effect on Jan. 1, 2020. The CCPA will require any company that does business in California that stores consumers' personal data to make certain disclosures to consumers, comply with specific requests, and otherwise allow consumers more control over their information. Experts anticipate that similar laws will soon pass in state legislatures around the country.
In addition, new regulations affecting broker-dealers will increase responsibilities on compliance officers in that industry. SEC Regulation Best Interest (BI), which will become fully effective June 30, 2020, requires broker-dealers to "act in the best interest of a retail customer when making a recommendation of any securities transaction or investment strategy involving securities to a retail customer." Regulation BI will raise the standards of conduct for broker-dealers beyond their existing obligations and require compliance officers to implement systems to ensure that their firms are meeting those higher standards of care.
Moreover, the U.S. Senate is considering legislation that would reform current AML rules and may impose additional AML responsibilities on compliance officers. On June 10, 2019, a bipartisan group of senators unveiled the proposed Improving Laundering Laws and Increasing Comprehensive Information Tracking of Criminal Activity in Shell Holdings (ILLICIT CASH) Act. The draft bill would require shell companies to disclose the identities of their true owners through mandatory filings of beneficial ownership information with the Financial Crimes Enforcement Network (FinCEN). The bill would also require financial institutions subject to customer due diligence requirements to report differences between their information and FinCEN's, increasing the responsibilities of compliance officers.
|Compliance officers can take several steps to decrease their exposure to personal liability. For one, compliance officers should stay informed of updates in the law, regulatory guidance, technology, and compliance trends to ensure that their firms' compliance systems meet regulator expectations. For example, in April 2019, the DOJ's Criminal Division updated its guidance to prosecutors on the evaluation of corporate compliance programs, which plays an important role in charging decisions. The updated guidance uses a three-question framework to determine whether a company's compliance program is effective: 1) Is the corporation's compliance program well designed? 2) Is the program being implemented effectively? 3) Does the program work in practice? Compliance officers should tailor their firms' compliance programs to meet the DOJ's standards of effectiveness.
Second, compliance officers should regularly review their company's policies, procedures and controls to ensure that they adequately and effectively comply with new requirements and standards. If a compliance officer determines that his or her firm's compliance program may be deficient or becomes aware of signs of suspicious activity, he or she should quickly attempt to address the deficiencies or investigate the suspicious activity. Regulators frequently bring actions against compliance officers who ignore the deficiencies of their firms' compliance programs or fail to adequately investigate or take remedial actions in response to known red flags. A timely, serious, and documented response by the compliance officer demonstrates a good faith effort to address a compliance issue, even if the situation ultimately cannot be fully remediated.
Recent instances where the SEC decided not to charge compliance officers illustrate the importance of such proactive conduct. In the related enforcement actions In re Mark A. Elste, Investment Advisers Act Release No. 5062 (Nov. 6, 2018), and In re Pennant Management, Inc., Investment Advisers Act Release No. 5061 (Nov. 6, 2018), the SEC concluded that investment adviser Pennant Management Inc. (Pennant) did not have reasonably designed written policies and procedures regarding initial and ongoing counterparty due diligence. However, the SEC did not find the compliance officer personally liable for these failures. The SEC's orders explained that Pennant's CCO highlighted counterparty risks and repeatedly requested additional resources to remedy deficiencies in the compliance program, which were not provided. Accordingly, CCOs may avoid personal liability if they exhibit to regulators that they carried out even a flawed program to the best of their abilities and attempted to correct known deficiencies.
*****
Jonathan B. New and Patrick T. Campbell are both partners in the New York office of BakerHostetler's White Collar, Investigations and Securities Enforcement and Litigation Team. Mr. New is also a member of the Board of Editors of this newsletter and Mr. Campbell is the incoming Chair of the New York City Bar Association Compliance Committee. Madison Gaudreau is a summer associate in BakerHostetler's New York office. The views expressed in this article are those of the authors and not necessarily those of BakerHostetler or its clients.
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.
With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.
Latham & Watkins helped the largest U.S. commercial real estate research company prevail in a breach-of-contract dispute in District of Columbia federal court.
The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.