Compliance officers and their staff have become more concerned lately about exposure to personal liability, since recent regulatory actions have shown them to be at risk.
The argument for that liability is this: Compliance is expected to know the regulations and how they apply to the business model, and so a CCO should recognize violations more readily. Compliance officers typically know more than the business-line folks whom they advise regarding the regulatory requirements for the company’s operations. As compliance often communicates periodically with government agencies, a retrospective failure to inform regulators of problems in a timely manner might suggest they are ill-informed or withholding information.
As described in recent columns, applying the Three Lines of Defense Model creates clear oversight responsibilities, defined so that functions and departments understand the boundaries of their responsibilities and how their roles fit into the organization’s overall risk and control structure. This clarity is especially helpful to the compliance function (and internal audit, to the extent they are combined with compliance or perform second-line support), because it delineates the ownership and management of key risk areas, including regulatory violations. The model can help reinforce that foremost, the business line owns the risks inherent in its operations and is accountable for maintaining effective internal controls to safeguard the company.
Compliance Officer Liability
Recent actions against compliance officers have made clear the increasing scrutiny. What’s disconcerting is that the compliance department or its individuals may be perceived as having misunderstood regulatory requirements, or as having not implemented adequate controls. Personal liability can potentially arise not just for actively aiding and abetting a violation, but also for omissions and compliance failures.
For example, the Financial Industry Regulatory Authority fined the former compliance officer of Brown Brothers Harriman $25,000 for “substantial anti-money laundering compliance failures,” which included not having processes in place to monitor and detect suspicious transactions. Likewise, the Financial Crimes Enforcement Network recently hit the former chief compliance officer of MoneyGram with a $1 million civil penalty for failing to ensure that the company abided by the anti-money laundering provisions of the Bank Secrecy Act.
While these actions have been confined to the financial services sector, they portend professional and personal exposure for those undertaking a high-level compliance position. These concerns about gatekeeper responsibilities for compliance professionals shadow the concerns in-house counsel have about being in the cross-hairs following the Sarbanes-Oxley Act and subsequent regulations.
SEC Guidance on Supervisory Liability
The Securities and Exchange Commission has provided guidance on when compliance and legal professionals are considered to be acting as “supervisors” subject to liability for failing to supervise. This guidance, issued in the context of broker-dealer responsibilities, is consistent with the approach of the Three Lines of Defense model: namely, that the senior management in the first line of defense has ultimate responsibility for compliance.
The SEC staff guidance clarified that compliance personnel will not be held liable solely for being ineffective at detecting and preventing violations of law. Specifically, the determination of whether or not a person is a supervisor is based on whether that person has the requisite degree of responsibility or authority to affect the conduct of those whose activities are at issue (actively aiding in violation or recklessly ignoring the compliance matter). The SEC provides a list of questions to ask when considering whether a person is a supervisor, including:
Has the person clearly been given, or otherwise assumed, supervisory authority or responsibility for particular business activities or situations?
Do the firm’s policies and procedures, or other documents identify the person as responsible for supervising, or for overseeing, one or more business persons or activities?
Did the person have the power to affect another’s conduct? Did the person, for example, have the ability to hire, reward, or punish that person?
Did the person otherwise have authority and responsibility such that he or she could have prevented the violation from continuing, even if he or she did not have the power to fire, demote, or reduce the pay of the person in question?
Moreover, the guidance provides that compliance personnel can perform certain activities without being considered a supervisor, such as setting up a compliance program and providing advice to business line personnel. Compliance personnel do not become supervisors merely by participating in or providing advice to management or a senior executive committee. Nor, however, can a supervisor also be a mere bystander to events and ignore wrongdoing or red flags of irregularity.
Escalation Policies and Other Defenses
The SEC and the Three Lines of Defense model offer a framework that can protect compliance staff as well as the organization. Compliance and other second-line functions should keep in mind that when enough high-level people know something, the concern becomes a firm issue rather than one of personal exposure. Perhaps even worse than the CEO and board first learning of a problem from the front pages is the CCO realizing that the issue should have been disclosed to senior leadership but was not.
One of the best protections for the compliance department is to have clear escalation policies. When misconduct occurs, state and document which supervisor is responsible for handling the matter. Boards and committees on which the CCO serves should specify in formal charters that the compliance role is advisory. Serious concerns that involve potential legal violations should be escalated to designated senior management.
The content of an escalation policy should be developed with the board and senior management based on what they need to know and when. Here are examples of issues that should be escalated:
When the CEO, board member, or senior executive is named in an allegation.
Anything with potential to cause reputational harm.
Any significant financial or accounting issue; these must be defined (and generally escalated to the chair of the audit committee).
Remedial action committed to, but not executed, by an executive or board director.
Protection of Legal Privileges
Escalation policies should be developed in conjunction with internal investigation protocols and processes for company personnel to assert the appropriate attorney-client privilege and work-product protections. The good news, as made clear in the Barko decision in federal appeals court last year, is that legal privilege can apply widely during internal investigations. The important element is to have robust processes to demonstrate that the legal advice is being sought such that the privilege applies.
Substance over form is what matters. The D.C. Circuit in Barko assigned little importance to who conducted witness interviews and what was specifically said to those interviewed about the purpose of the investigation. Nor did the D.C. Circuit regard the involvement of outside counsel as essential. What mattered was that lawyers, in this case in-house lawyers, were overseeing a fact-gathering process intended to help provide the company with legal advice. And what matters is having experienced staff and clear processes for conducting investigations and raising the privilege under the proper circumstances.
Of course the best protection for compliance and the company is to ensure that escalated issues are addressed quickly and appropriately. Compliance will want to be active in monitoring whether matters raised are tracked to completion, including documentation of any appropriate discipline.
Currently the liability risk for CCOs outside the financial industry is relatively low; for those who do their job and raise issues appropriately, however, the risk is even lower.