The liability of compliance officers [long article]

This article was first published in the GRC Professional Magazine June 2017 edition

Two recent announcements have the potential to increase the personal liability of compliance officers in the financial sector.

Firstly, in April 2017 Austrac published draft new AML/CTF rules which for the first time set out the responsibility of the AML/CTF Compliance Officer for compliance of a reporting entity.

Secondly, on 9 May 2017 the Commonwealth Treasurer announced the establishment of the Banking Executive Accountability Regime which will make banking executives liable for misconduct in their businesses; in turn those executives will expect more of their risk and compliance officers.

APRA and ASIC already have the power to disqualify persons from management of companies.

Overview

The compliance officer is not usually directly involved in operational areas but is responsible for implementing the compliance program and for providing a second line of defence to operations.

If the three lines of defence model is followed, is the liability for a compliance breach a collective corporate liability or the personal liability of the chief executive, senior manager or the compliance officer?

This article looks at overseas examples as an indication of how compliance officers might be held liable in Australia.

What are compliance officers concerned about?

The role of compliance officers usually includes:

  • reviewing compliance with external regulatory requirements (laws, regulations, codes, standards) as well as internal business policies and controls;
  • monitoring changes in the external and internal environments for new or changing legal and compliance risks;
  • a training and development function, and a business process improvement function.

People make mistakes. The test of an organisation’s culture is how it minimises the risk of mistakes occurring and what it does when they do occur. Does it cover them up or fix them?

Shortening the time between initial breach and detection can minimise financial loss to the business and its customers.

Designing a framework to prevent a breach and to detect and respond to breaches is a critical compliance measure.

The three lines of defence: is it consistent with individual accountability?

In risk management we talk about the “3 lines of defence”: firstly, front line operational management, secondly, risk and compliance (which reports to senior management) and thirdly, internal audit (which reports to the Board) backed up by expert third parties.

Having three lines of defence is intended to provide assurance at multiple opportunities that there is no unethical corporate culture or illegal conduct occurring.

The three lines of defence model clarifies the role and duties of the compliance officer and how that relates to the risk management policies developed by senior managers and the board of directors.

Compliance adds to the reputation and integrity of the organisation. It creates a culture that values accountability and good governance. It shows your employees you are committed to ethical conduct. It shows your customers you are trustworthy. It reduces the risk of errors and of prosecution and penalties.

If compliance is a corporate objective it should also be a corporate liability, in the absence of individual misconduct.

AML/CTF compliance officers

The 2016 Report on The Statutory Review of The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 made the following comments about AML/CTF compliance officer requirements:

“While the AML/CTF Rules refer to tasks that AML/CTF compliance officers are authorised to perform, there is no description of the role and function of the AML/CTF compliance officer or compliance arrangements. The AML/CTF Rules should be amended to address this issue and be accompanied by guidance to assist reporting entities to understand and implement this obligation.

Stakeholders supported the development of competency standards and qualifications for AML/CTF compliance officers to help build the capacity of reporting entities to comply with their obligations. …”

In the first draft AML/CTF Rules resulting from the Reform Project Review of the AML/CTF Act Austrac proposes to amend Part 8.5 to define the responsibility of the AML/CTF Compliance Officer.

The function of the AML/CTF Compliance Officer is stated as “the person who undertakes the handling, direction or control of AML/CTF compliance within the reporting entity”: Draft Rule 8.5.2.

Draft Rule 8.5.3 states: “In conjunction with the supervision and oversight provided by RE’s board and/or senior management, the AML/CTF Compliance Officer is responsible for ensuring the entity’s continuing compliance with the obligations of the AML/CTF Act and AML/CTF Rules.”

The first line of Draft Rule 8.5.4 says “the responsibilities may include, but are not limited to” a list of 15 duties.

The Explanatory Note says that it is intended that the list is non-exhaustive and the reporting entity has the discretion to implement those which are relevant to its circumstances.

However, the draft rules go beyond requiring a reporting entity to appoint a compliance officer: by making the AML/CTF Compliance Officer responsible for ensuring the entity’s continuing compliance, they make it possible for a compliance officer to contravene a civil penalty provision or be subject to a pecuniary penalty order.

The overseas experience

It is worth looking at two overseas examples of investigations into the conduct of compliance officers.

The UK Dynamic Decisions Capital Management Limited investigation

In 2011 the UK Financial Services Authority fined a hedge fund manager’s compliance officer 14,000 pounds and banned her from performing any significant influence function in regulated financial services for failing to carry out her duties with due skill and care. She was declared not a fit and proper person.

When interviewed by the FSA, Dr Joseph stated that she considered her role to be a reporting function, in addition to which she would be responsible for setting up systems. She relied on false information from the fraudulent employee in respect of the transaction.

The FSA concluded she should have taken steps to ensure that the investors’ concerns were investigated, to verify if the concerns appeared to be legitimate, and if so to take appropriate action.

The Agricultural Bank of China

A New York State Department of Financial Services investigation into the Agricultural Bank of China in 2016 resulted in an agreement by the Bank to pay a US$215 million penalty and install an independent monitor for violating New York’s anti-money laundering laws.

The DFS investigation discovered intentional wrongdoing, including actions by bank officials to obfuscate U.S. dollar transactions conducted through the New York Branch that might reveal violations of sanctions or anti-money laundering laws.

The Bank also silenced and severely curtailed the independence of the Chief Compliance Officer (CCO) at the New York Branch, who tried to raise serious concerns to Branch management and conduct internal investigations regarding suspicious activity, leading the CCO to ultimately resign.

The Consent Order recites:

“The ultimate responsibility for the design and implementation of these policies and systems belongs at the very top echelon of the institution. The board of directors and senior management must devote careful study to the design of the [anti-money] laundering and other compliance systems that lie at the core of this first line of defence. They must provide sufficient resources to undergird these systems and structures, including appropriate and evolving technology where cost effective. Adequate staffing must be put in place, and training must be ongoing.

Management cannot be focused solely on business or branch development. Compliance must be a central pillar of management’s responsibilities. Senior executives need to be proactive, dedicated to a strong program, and unwavering in their commitment to keep the program on their agenda. When there is a material failure in a compliance program — in its structure, implementation, execution or policing — senior management must bear responsibility.”

The Bank has been sued by the former chief compliance officer who ran the firm’s compliance in New York. The officer said she was forced out of her job after telling the New York Fed about money-laundering risks in trade-financing transactions and alleged the bank retaliated against her for the disclosures in late 2014.

Banking Executive Accountability regime

In May 2017, the Treasurer announced that the Government will legislate to introduce a Banking Executive Accountability regime, which includes registration of senior executives and directors of all ADIs, new APRA powers and penalties, and remuneration measures.

APRA has previously focussed on the behaviour of boards and senior executives and industry remuneration practices as two of the drivers of risk culture in a range of banking, insurance and superannuation businesses.

Stronger powers will be given to APRA to remove and disqualify senior executives and directors from all APRA-regulated institutions.

APRA will be given power to require ADIs to review and adjust remuneration policies when APRA believes such policies are producing inappropriate outcomes.

Under the UK Senior Managers Regime the UK Financial Conduct Authority can take enforcement action against Senior Managers if they are responsible for the management of any activities in their firm in relation to which their firm contravenes a regulatory requirement, and they do not take such steps as a person in their position could reasonably be expected to take to avoid the contravention occurring or continuing.

The recent Wells Fargo scandal involved employees opening as many as 2 million unauthorised accounts without customers’ knowledge in order to benefit from sales incentives. Senior management fired 5,300 employees over five years for related bad behaviour, but failed to tell its own board of the number.

The bank was fined $US185 million and the CEO/chair ultimately resigned. Additionally, the CEO and another top executive forfeited $US75 million in entitlements.

Conclusion

Boards and senior management set an organisation’s objectives and the strategies to achieve those objectives, together with a risk and compliance framework.

The three lines of defence model is designed to give assurance that risks are being managed.

In the absence of individual misconduct, making compliance officers liable is not consistent with good corporate culture.
