Personal liability after the Yates Memo

Increasingly, the issue of personal liability for bank compliance leaders has become a hot button issue at conferences and within financial institutions. While this is particularly true in the anti-money laundering (AML) space, the threat has also grown relevant in the consumer protection field as well.

On one hand, there have been, and continue to be, calls for the government to find and punish individuals for corporate wrongdoing. On the other, there is also a real concern that punishment will be meted out for plain old errors in judgment.

In the financial compliance world, concern has been sparked by the cases where compliance officers have been held personally liable for company wrongdoing. This includes  the FinCEN enforcement action against MoneyGram and the FINRA enforcement action against Raymond James. In both cases the agencies fined the compliance officers personally and sought to ban or suspend them from the financial services industry.

Impact of the Yates Memo

A catalyzing event for those worried about being held personally liable for their company’s actions was the issuance of a memorandum—“Individual Accountability For Corporate Wrongdoing”—by Deputy Attorney General Sally Yates in September 2015. This document announced a revised Department of Justice policy on targeting individuals within corporations during criminal or civil investigations.

The “Yates Memo,” as it is now known, makes several significant policy changes that heighten the concern of corporate employees that might become aware of criminal actions or even civil activity that harms consumers.

Much has been written about the Yates Memo and its effect on industries such as finance and healthcare. My purpose isn’t to address the memo’s provisions in detail. The pertinent parts can be summarized as follows.

• DOJ will give corporations “cooperation credit” only if the corporation supplies it with all relevant information related to individuals responsible for the potential misconduct.

• From the start of civil and criminal investigations, DOJ will focus on individual liability.

• DOJ will not agree to a resolution with a corporation that provides immunity to culpable individuals.

• Civil attorneys within DOJ should also focus on responsible individuals, taking such things as deterrence and accountability into consideration, as well as the ability to pay, when considering punishment.

Obviously, bank employees, such as compliance professionals, who have visibility into the bank’s AML practices should be aware of the potential for personal liability, especially in light of the previously mentioned FinCEN and FINRA actions.

Other areas that could be problematic are compliance leaders focusing on the Foreign Corrupt Practices Act (FCPA) which, like AML, has the possibility for criminal penalties and those that cover fair lending and UDAAP-related areas where harm to large numbers of consumers is possible.

Influence of whistleblowing incentives

Besides the examination and enforcement power of the financial regulators, the Dodd-Frank Act specifically encourages whistleblowing to ferret out wrongdoing in financial institutions. One way it does so: Allowing whistleblowers to share in the financial penalties collected from successful enforcement actions that are assisted by their information.

In fact, the Securities and Exchange Commission awarded a whistleblower $30 million in 2014 and $17 million in 2016.

The media exposure given to these awards could substantially increase the rate of whistleblowing in the future. Compliance professionals should not discount the fact that others within the organization will know about potentially wrongful actions and report it for their own benefit.

How can you safeguard yourself?

In light of these developments, what are the best ways for compliance leaders to protect themselves? 

One typical response is to suggest increasing the directors and officers liability insurance that the institution purchases to protect its board members and staff. However, relying on D&O insurance as a silver bullet for personal liability can produce disappointing results. In some enforcement actions, regulatory agencies have stipulated that fines cannot be paid from the proceeds of any insurance policy, including D&O coverage.

Sometimes D&O insurance can be helpful in paying for a defense of a potential enforcement action or court case, but it is not a panacea for personal liability.

The most effective strategy for avoiding personal liability is to implement a robust risk management compliance program that thrives on transparency and truthfulness.

This may seem simplistic, but regulatory compliance as a risk management discipline is only just developing in some quarters. In the recent past, it was a considered, in some cases, just a poor cousin of the internal legal organization and expected to act as Legal would when risks are found.

However, the role of Legal and the role of Compliance are not nearly the same. A truly well-executed compliance risk management program will identify the real risks; determine the true state of mitigation and controls; and transparently implement reporting and change management processes where needed. Although it is beyond the scope of this article to discuss legal privilege, suffice to say, the compliance risk management function should never try to hide risks within the organization.

Compliance programs, sometimes even those in large organizations, may fall short of rigorous risk management. Either the program may be underfunded, or executive management may not really want to hear the truth about the regulatory risks within the bank.

As a result, the compliance leadership lives with a less-than-optimal program, because executive management will not tolerate the transparency necessary for the best risk management practices.

Four hard but essential steps to take

For regulatory compliance leaders to protect themselves to the greatest extent possible, I suggest the following proactive steps:

1. Truthfully assess your compliance staff and program for adequacy.

Compliance spending has set records every year since the financial crisis, and many institutions have spending fatigue. However, financial products and services and, in some cases, the institutions themselves, have grown so complex that they need to continue spending to upgrade systems or staff.

Compliance executive leaders should ask whether they are operating with the best people, systems, and tools available.

For example, staffing a compliance program solely with subject matter experts or lawyers is not the best move. Experts in operations and systems are also necessary to effectively assess and manage regulatory risks. Ask what adjustments should be made to the compliance staff, software tools, or systems in order to be in the best position to control regulatory risks.

2. Beef up your risk assessment processes to find the true risks.

Every bank compliance department conducts risk assessments—lots of them. However, many of these are not finding real risks within the organization. They are simply window dressing, conducted for the benefit of examiners.

Typical compliance risk assessments entail hundreds of risk questions or statements tied to very technical requirements. Technical compliance is certainly important. However, those technical requirements are often not the bank’s greatest risks.

Risks that can seriously harm consumers are often found in the fair lending and UDAAP areas. Risk of criminal activity is greatest in AML and FCPA areas. Taking a clear-eyed look at these areas to identify risks is essential.

Spending lots of time and money examining small technical requirements and ignoring the larger risks that do not fit into the technically written questions on a risk assessment won’t protect you.

Instead, you and your banks must be brave—brave enough to address the true risks currently within the organization as well as those on the horizon. Thoroughly identifying organizational risks is half the battle in containing personal liability risks.

Also, banks must adjust their approach to this challenge. Taking the time and effort to integrate risk assessments into a single platform and meshing the compliance assessments with operational risk assessments is necessary. You must go beyond just looking at them side by side, instead integrating them holistically. This will give compliance leaders the best view of the risks within the bank.

3. Call out the areas of weakness within the organization.

This is easier said than done, I know, but too often when line of business leaders fail to cooperate to add controls or beef up the first line of defense, the compliance group attempts to take up the slack.

One lesson from enforcement actions: If you take responsibility for an area or a task, you will be held responsible if there is failure to be effective in that area or in completing the task.

If you are the second line of defense in your organization, let your voice be heard in reporting the true risks and the efficacy of the controls—whether they are effective or not.

Today’s regulatory environment allows no room for timidity or half measures.

4. Do not stay in an organization that refuses to do the right thing.

This is a hard one. It is difficult to resign one’s position, but in this day and age, there is no other course when the organization refuses to do what you know is right. I’ve seen too many compliance teams that found and reported bad practices only to be ignored—or worse, punished. In cases where the organization will not listen, getting out is your best protection.

The bottom line is, the best insurance against personal liability is to establish a risk management culture of truthfulness and transparency.

To paraphrase Shakespeare, it is better to have made the effort and lost your job, than to spend time in jail or pay large fines because you did things the wrong way.