How to minimize personal liability as a compliance officer

Since the financial crash of 2007-2008, there has been a palpable public clamoring for regulators and enforcement agencies to hold individuals accountable for wrongdoing, rather than only penalizing corporations.

Although it may have taken several years, it appears the trend of compliance officer liability has caught on worldwide. In fact, the past five years are peppered with instances of enforcement actions against individual officers, often in tandem with enforcement action against the company at large.

In 2011, for example, Japanese courts leveled harsh punishments¹ against three former executives of camera and medical equipment maker Olympus, with fines of up to 10 million yen (over $128,000 in 2011) and prison sentences of up to 10 years.

In February 2014, the U.S. Financial Industry Regulatory Authority (FINRA) reached a settlement² with Brown Brothers Harriman, a New York-based investment firm, requiring them to pay an $8 million civil fine in connection with purported violations of its anti-money laundering program. But as part of this same action, FINRA imposed a $25,000 fine against the firm’s global anti-money laundering compliance officer, and suspended him for 30 days.

The federal government finally jumped on the bandwagon in September 2015, with the publication of a Department of Justice (DOJ) memorandum titled, “Individual Accountability for Corporate Wrongdoing.” The “Yates Memo”³ – as it’s become known colloquially – called for, among other things, “[b]oth criminal and civil corporate investigations [to] focus on individuals from the inception of the investigation.” The DOJ indicated its commitment to individual accountability by codifying this principle into the U.S. Attorneys’ Manual⁴ in November 2015.

Since this update, the DOJ has pursued criminal charges and civil penalties against individual compliance officers and executives at a higher rate.

Clearly, this is a troubling development for compliance officers who had previously believed they themselves were insulated from liability for any wrongdoing on behalf of the corporation.

How to protect yourself

It’s important to note that regulators and enforcement agencies aren’t pursuing individuals in all circumstances of corporate misconduct. Rather, their pursuit is typically based on some action (or inaction) on the part of the individual being prosecuted, which played a part of the misconduct in question.

It’s vital to heed the following tips in order to protect yourself from individual compliance officer liability, to the greatest extent possible.

Never make it personal

One of the surest ways of finding yourself facing criminal or civil sanctions in a corporate enforcement action is by directly involving yourself in the activity that prompted the compliance action to begin with.

Take, for example, two cases involving personal officer liability. In the first one, announced in October 2015,⁵ a pharmaceutical manufacturer’s former president along with three of its district managers faced criminal charges in connection with their personal roles in the wrongdoing of the corporation. In another, announced in January 2016,⁶ a company’s former owner agreed to pay up to $3.75 million to resolve allegations of Medicare and Medicaid fraud by the company which the former owner had a personal hand in instigating.

While it may seem obvious that individual liability may be avoided by simply avoiding any blatant personal wrongdoing, it bears repeating nonetheless, particularly because of the raw level of risk associated with such behavior.

Act on information immediately

Blatant individual wrongful behavior is far from the only qualifier for compliance officers to face individual liability. Officers may also land in hot water by failing to take action once they become (or should have become) aware of wrongdoing within the organization – or worse, attempting to conceal such wrongdoing from regulators.

The past several years have seen an increase in expectations on the part of regulators and enforcement agencies like the DOJ, the Securities and Exchange Commission (SEC), and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). Corporations should not only fully cooperate with any ongoing investigations, but also fully disclose all relevant facts relating to any misconduct – even in situations where the applicable agency is not aware of the misconduct to begin with.

If information passes a compliance officer’s desk and no action is taken – or if any such action is delayed without any justifiable reason – the compliance officer is likely to be investigated for individual liability.

Make sure your compliance programs are complete and up to date

Compliance officers are already well aware of the virtues of maintaining comprehensive compliance programs. But compliance officers probably focus primarily on the benefits such compliance programs bring to the organization as a whole, specifically in deterring enforcement actions through rigorous regulatory compliance.

However, a well-supported, regularly updated compliance program reflects very well on an organization’s compliance officer. More importantly, the opposite is also true: A deficient compliance program may likely be seen as a failure by the compliance officer – and such a failure may prompt regulators to seek individual liability for that compliance officer.

Finally, as is good practice in general, compliance officers should maintain robust records pertaining to the efforts made to keep these programs current.

Ensure a strong culture of compliance

Although sufficient employee training is often included as part of an organization’s compliance program, its specific importance should be emphasized in the context of individual compliance officer liability.

It may not be terribly difficult to understand why: If employees other than a compliance officer are responsible for a corporation’s regulatory misconduct (as is often the case), enforcement agencies often scrutinize that corporation’s compliance culture for any deficiencies that may have contributed to the misconduct – or, at the very least, allowed such behavior to slip through the cracks. And if such deficiencies are found, fingers are typically pointed squarely at the responsible compliance officer, and individual liability may be attached.

For this reason, maintaining a healthy culture of compliance within your organization is absolutely vital.

Monitor third parties

Unfortunately, a compliance officer’s responsibility doesn’t remain strictly within the boundaries of the organization he or she represents; instead, compliance officers must also monitor the third-party vendors with which the company does business.

Although an organization isn’t typically liable for the wrongful conduct of one of its vendors, regulators may view that organization’s continued dealings with a suspicious vendor as concerning, especially after learning of the vendor’s suspicious activity.

As such, compliance officers should have monitoring programs in place that screen third-party vendors both at the time the business relationship begins, and, on a continual basis.

True, compliance officers largely aren’t responsible for the misconduct of third parties with which the corporation does business, but they are responsible for reasonably knowing all they can about these vendors, in order to prevent any further misconduct.

In the broader context of compliance officer liability, this principle is also largely applicable: Learn all you can about the compliance operations of your organization and take appropriate actions to minimize the risk of organizational misconduct.

By doing all you reasonably can in your own capacity to minimize corporate wrongdoing, you’re also minimizing your own likelihood of facing individual criminal or civil sanctions.