Do Compliance Officers Have A Growing Target On Their Backs?

by Patty P. Tehrani, Esq.

Have you noticed the number of articles and blogs covering the troubling trend of personal liability for compliance officers and Chief Compliance Officers (CCOs) in the financial services sector?  While anyone entering this industry knows it is highly regulated and replete with regulatory requirements, the growing liability of its compliance professionals is worrisome. Those responsible for overseeing their firm’s compliance program have many duties, and now more than ever find themselves on the receiving end of enforcement actions. This is evident in expanded corporate probes of compliance professionals or increasing regulatory expectations cited in speeches and proposed regulations.

Compliance professionals are concerned about facing personal liability especially when it is for non-rogue behavior.[1] As a result, I thought this trend warranted a closer review.

Regulatory Expectations

Let’s start with what regulators have said about compliance liability. The Securities and Exchange Commission (SEC) has articulated its policy in various statements and speeches. This includes two speeches delivered by Andrew Ceresney, the then Director of the SEC’s Division of Enforcement, in 2014 and 2015.[2] He tried to allay concerns by stating that compliance officers should not feel they have targets on their backs. He did, however, reiterate the SEC’s enforcement policy for bringing enforcement actions against CCOs by outlining three “danger zones”:

  • Participation in the misconduct;
  • Misleading or hampering regulators; or
  • Failure to completely carry out assigned responsibilities.

The Department of Justice (DOJ) has also ramped up pressure on prosecutors to vigorously pursue individuals (including CCOs) for white collar crimes. In 2015, former Deputy Attorney General Sally Yates released the “Yates Memo.”[3] The memo sets out six “key steps” to enable DOJ attorneys “to most effectively pursue the individuals responsible for corporate wrongs.” While the steps conveyed the DOJ’s longstanding policy, there was more focus on the “cooperation credit.” Corporations s are incentivized to focus on individual employees to lessen enforcement penalties.  An open question yet to be answered is how that corporate focus on individuals will impact CCOs.

Separately, rule proposals have provided another channel for imposing greater liability on CCOs. Take for example the 2015 proposal from the New York Department of Financial Services (DFS) to include as part of its anti-money laundering (AML) regulation a requirement for CCOs to certify the adequacy of AML and sanctions compliance programs.[4] While the DFS eventually backed away from this requirement, the proposal was telling on the willingness of some regulators to seek to impose liability on CCOs.[5]

Enforcement Actions

But nowhere has this trend been more concerning to CCOs than in the enforcement arena. Let’s examine a few examples.

The first involves Thomas Haider, the ex-compliance chief of MoneyGram International Inc. (MoneyGram). Haider was sued and found personally liable for failing to ensure MoneyGram had an effective AML program.[6] To avoid insurmountable defense costs Haider agreed to settle the matter, with a three-year bar and $250,000 fine.    He also acknowledged certain failures, including not following through on policy recommendations or using reports to facilitate required Suspicious Activity Reports to the authorities.

But was Haider a guarantor or owner of MoneyGram’s AML program as this decision would suggest?  He made recommendations to management to terminate and discipline the fraudulent players at the center of the misconduct but was overruled. Compliance officers know all too well of instances when management turns a blind eye despite their warnings. What are CCOs’ obligations if they recommend a course of action but are overruled by management?

Another troublesome scenario involves the SEC imposing liability on CCOs for failing to prevent another person’s wrongdoing.  In 2015, the SEC settled with SFX Financial Advisory when its president embezzled close to $675,000 from client accounts over a five-year period.[7]  Once the CCO was alerted to the fraudulent activity, he promptly investigated the matter, leading to the president’s ouster and referral to law enforcement. However, the SEC censured and fined the CCO $25,000 for failing to stop the president from engaging in the wrongdoing. Specifically, the CCO was found to be negligent for failing to implement compliance policies, conducting an annual review, and making a material misstatement in a Form ADV filing. His liability was not for any intentional wrongdoing or ignoring any known misconduct or red flags, but for negligence.

Even outsourced CCOs are not exempt. Consider the SEC’s enforcement action against David I. Osunkwo.[8] Osunkwo was an outsourced CCO tasked with preparing a Form ADV. The form contained incorrect information provided to Osunkwo, who had relied in part on the Chief Investment Officer for the information. Osunkwo was fined $30,000 and suspended for what the SEC said was a willful violation of the Investment Advisers Act of 1940. A stark finding considering there was no evidence presented that Osunkwo knowingly engaged in the violation.

Concerns about the trend of CCO liability have been well documented.[9] Following the SFX settlement, then SEC Commissioner Daniel Gallagher, who dissented in the decision, issued a public statement.[10] Gallagher was alarmed about the growing number of CCO-targeted enforcement actions. He argued that placing accountability for failure to adhere to what is more appropriately a firm obligation could deter CCOs (or prospective CCOs) from remaining or entering the profession.


So, what should compliance professionals do? Important lessons such as:

  • Review your policies and procedures (including supervisory procedures).
  • Make sure you know your responsibilities and carry them out as required.
  • If you wear multiple hats (e.g., CEO and CCO), be on extra alert.
  • Make sure your compliance program requirements are implemented or you have robust plans to do so.
  • Assess your compliance program controls periodically.
  • Seek and document management support for your efforts.
  • Don’t ignore reported or identified issues and escalate them to management or to a board of directors as needed.
  • Keep records of your reviews, reporting, remediation, and escalations.

Lastly, watch this area closely for further guidance and hopefully more consistency on the criteria used for imposing liability on CCOs.


[1] Thomson Reuters 2017 Annual Cost of Compliance Survey (PDF: 5,964 KB): personal liability for compliance officers continues to be a concern with almost half (48 percent) of the respondents.

DLA Survey – 2017 Compliance & Risk Report: CCOs Under Scrutiny: 67 percent of the CCO respondents were somewhat concerned about personal liability.

[2] Keynote Address at Compliance Week 2014 – Andrew Ceresney.

Keynote Address at 2015 National Society of Compliance Professionals.

[3] Sally Yates Memo.

[4] NYS DFS Proposed Regulations: Part 504 (PDF: 339 KB).

[5] In the final NYS DFS regulation (PDF: 194 KB), the certification requirement was modified to permit a broader range of senior official(s) (those responsible for “management, operations, compliance, and risk”) to make an annual finding of such compliance.

[6] FinCEN New Release (May 2017) (PDF: 141 KB), FinCEN and Manhattan U.S. Attorney Announce Settlement with Former MoneyGram Executive Thomas E. Haider.

Haider’s settlement follows the 2012 Deferred Prosecution Agreement that MoneyGram entered into with the DOJ.

[7] In the Matter of SFX Financial Advisory Management Enterprises, Inc. and Eugene S. Mason (PDF: 161 KB).

[8] In the Matter of David I, Osunkwo (PDF: 190 KB).

[9] In an August 2015 letter from the National Society of Compliance Professionals to SEC Director Ceresney, the organization contended that the liability standard being applied by the SEC not one of simple negligence, but rather if they are alleged to have acted intentionally or recklessly to cause the violation by another.

[10] Daniel Gallagher Statement.

Patty P. Tehrani, Esq., is an experienced compliance attorney and founder of the Policy Patty Toolkit.


The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law.  The accuracy, completeness and validity of any statements made within this article are not guaranteed.  We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.