Compliance & Regulation

The Over-Enforcement Of Compliance Officers

How Much Is Too Much?

by Timothy Bernstein, NewOak

NewOak is a financial advisory and consulting firm providing clients with strategic insight, transparency and risk management. Visit

In the aftermath of the financial crisis, a common refrain that echoed throughout the national discourse was: “Why aren’t any people getting punished for this?”

The legal difficulty of reducing institutional transgressions to the intentional wrongdoing of specific individuals was both insufficient to stem the tide of populist anger and, frankly, beside the point. Fairly or unfairly, the public had already attached specific names to the meltdown, and it wanted to see justice done.

Villains or Scapegoats?

Seven years later, the public seems to be getting its wish in a way that is almost guaranteed not to satisfy. A growing body of judicial precedent is slowly shifting the regulatory failings of organizations onto their chief compliance officers (CCOs), at least when they are around to take the blame. In particular, executives that specialize in anti-money laundering (AML) have faced severe scrutiny. Of the Financial Industry Regulatory Authority’s (FINRA) 40 AML-related penalties, 30 of them were imposed on individuals in high-ranking compliance positions, according to FinOps Report.[1] More generally, a 2014 Thomson Reuters survey of 600 compliance chiefs around the world found that about 70 percent of them expected their personal liability to increase or increase significantly.[2]

Blame Game

Undoubtedly, some recent cases make a good argument that the CCO should shoulder a greater burden of responsibility for keeping his or her employer in line. In The U.S. Dept. of the Treasury v. Haider, the government sought to hold Thomas Haider, the former CCO for the money-transfer outfit Moneygram, personally liable for the failures of his employer’s AML program, and largely succeeded. Although Haider has moved to dismiss the allegations, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) assessed a $1 million penalty and lifetime industry ban against him personally, noting his failures to “terminate known high-risk agents/outlets; file timely suspicious activity reports; conduct effective audits of agents or outlets; and conduct adequate due diligence for the company.”[3]

However, many observers have been quick to warn of what Ian Comisky, Haider’s attorney, called “a chilling impact on those who work, or seek to work, as compliance officers at U.S. financial institutions.”[4]

Comisky’s objectivity aside, he is not alone in advising caution when it comes to holding CCOs criminally accountable for the implementation of a company’s entire compliance framework (Haider, in addition to the charges above, was also dinged for failures of implementation). In June, Daniel Gallagher, the outgoing Republican Commissioner of the Securities and Exchange Commission, publicly called on his colleagues to “tread carefully” in bringing about such actions. Specifically, Gallagher cited In the Matter of SFX Financial Advisory Management Enterprises Inc., in which the company’s president embezzled funds and the SEC fined the CCO $25,000 for failing to implement a set of policies and procedures that were designed to prevent the type of fraud that occurred.[5]


A similar case that Gallagher does not mention by name is last year’s FINRA v. Harold A. Crawford, a case centering on the failure by Brown Brothers Harriman to build an AML program adequate to monitor penny-stock fraud. FINRA fined Crawford, the former global AML/CCO of Brown Brothers, $25,000 (with a one-month suspension) for notifying his superiors of potential issues with penny stocks, but not acting on his own.[6]

Greater Liability, Lesser Enforcement?

The looming danger of personal liability—and the fines, suspensions and possible jail time that accompany it—threatens to do more than just deter potential CCOs from taking the job. Under SEC Rule 206(4)-7, which declares that registered advisory firms are required to “adopt and implement written policies and procedures reasonably designed to prevent violation[s]”[7] of the Advisers Act, CCOs have wide latitude to design as strict or as lenient a set of policies and procedures as they choose. If there is a real possibility that the government will come for them in the event of a breach, and with Rule 206(4)-7 offering no specific protections for someone in that role, what incentive would a CCO have to err on the side of stricter enforcement?

With the role of CCO becoming increasingly important in recent years, it is incumbent upon the SEC, FINRA, FinCEN and other regulatory bodies to ensure that CCOs have the tools necessary to do their jobs and lower the risk of any future wrongdoing on their companies, the industry as a whole and, most importantly, themselves.





[1] Kentouris, Chris. “Compliance Officers: Taking the Regulatory Heat, Personally.” FinOps Report, 1 April 2014.
[2] Ibid.
[3] Causey, Dawn. “Who Should Have Personal Liability for Compliance Failures?” American Banking Journal, 17 August 2015.
[4] Glovin, David. “Ex-Moneygram Compliance Head Sued in First-of-Kind Case.” BloombergBusiness, 18 December 2014.
[5] Gallagher, Daniel M. “Statement on Recent SEC Settlements Charging Chief Compliance Officers With Violations of Investment Advisers Act Rule 206(4)-7.” 18 June 2015.
[6] FINRA News Release. “FINRA Fines Brown Brothers Harriman A Record $8 Million for Substantial Anti-Money Laundering Compliance Failures.” 5 February 2014.
[7] Gallagher.