Who Should Have Personal Liability for Compliance Failures?

By Dawn Causey

Although it is impossible to find a chief compliance officer (CCO) at the top of any company organizational chart, recent cases have concluded that the buck stops with the CCO. And that has gotten every compliance officer’s attention.

Using an untested theory of liability, federal regulators and private regulatory organizations are seeking to hold CCOs personally liable for banks and companies failing to comply with anti-money laundering (AML) and other requirements.

The only case being actively litigated is the one with the biggest penalty. U.S. Dept. of Treasury v. Haider involves the former CCO for MoneyGram. FinCEN alleged and MoneyGram admitted to aiding and abetting wire fraud and willfully failing to implement an effective AML program. The scams included a number of schemes that induced consumers to send money to the fraudsters. Federal and state agencies alleged that the company should have known it was facilitating fraud. The case against Haider alleged his responsibility for programmatic violations and failure to report suspicious activity. A $1 million penalty was assessed against Haider personally and he was banned from further employment in the industry. Among the failures cited were failure to: implement a discipline policy; terminate known high-risk agents/outlets; file timely suspicious activity reports; conduct effective audits of agents or outlets; and conduct adequate due diligence for the company.

Haider moved to dismiss the allegations and oral arguments will be held in September. His motion argues that one of the two statutes cited against him in the Bank Secrecy Act never contemplated individual liability, and the government’s failure to track the money penalties to the statutes cited dooms the entire penalty assessment.

Another case is FINRA v. Harold A. Crawford, the former global AML/CCO of Brown Brothers Harriman. That case, involving penny stock fraud, resulted in Crawford being assessed a personal penalty of $25,000 while Brown Brothers paid $8 million. Crawford’s failing? He was held personally liable because he had written a memorandum to his superiors detailing the issues with the penny stocks, but failed to take any action. FINRA stated that putting the company on notice was not sufficient to eliminate his personal liability.

The SEC weighed in with its own order against the CCO of SFX Financial Advisory Management Enterprises, Inc., in June of this year. In that case the former president of SFX misappropriated $670,000 from three client accounts. The company agreed to a penalty of $150,000; the CCO paid a $25,000 personal penalty. Even though SFX conducted an inquiry and fired the president, both the company and the CCO were held liable for violating the Investment Advisers Act because SFX failed to adopt and implement written policies and procedures designed to prevent the president’s fraudulent acts and failed to reasonably supervise the president—and the CCO did not conduct the annual review of its compliance program in 2011, the year during which the fraud was discovered.

Holding CCOs liable for company failures will make compliance folks skittish at best and difficult to hire or keep. And who would blame them? Other cases have forced resignations, clawbacks and orders tying compensation to compliance success. While banking may be the business of risk management, personal liability for CCOs puts them in a serious predicament of assessing business risk appetites against their own. Compliance is challenging enough without personal liability. Is the CCO the correct target?