Gatekeepers in the Dock

by Anthony O’Reilly


Two recent complaints of serious misconduct against Chief Compliance Officers reminded me of a debate at one organization about whether Compliance Officers should suffer harsher consequences than others when they violate the compliance policies themselves.

To be clear, the complaints are serious. Steven Teixeira, then CCO at a global payments processing company, is alleged to have stolen material, nonpublic information that he accessed through his then-girlfriend’s work laptop, subsequently trading on the information and tipping others.[1] The second complaint, by the debtors in possession of FTX Trading LTD, alleges that David Friedberg, the former CCO at FTX, was “indeed considered one of the key decisionmakers within the FTX group” and that Friedberg took actions including drafting, backdating and presenting to outside auditors allegedly fraudulent records to obscure the nature of funds transfers within the group. It further alleges that he bought the silence of whistleblowers and their attorneys. The complaint concludes that his role as a gatekeeper meant he had a duty to “ensure appropriate internal controls, risk management and compliance” and yet knowingly failed to implement – and even obstructed the implementation – “of virtually any of the systems and internal controls that would be necessary”.[2]

If proved, these allegations are likely to lead to severe penalties regardless of the position the target held. A more difficult question is how a company should think about less-serious breaches when crafting its consequence management system. Suppose, for example, that an investment bank’s Compliance Officer is late submitting the quarterly report of their personal trades that allows conflict checks to be performed, but in fact there were no trades, and we conclude this was a lapse of discipline with neither malintent nor actual conflicts. Should we treat this individual the same way we would treat people in other roles who made the same error (a warning and some remedial re-training), or should we increase the penalty because Compliance Officers are expected to meet higher standards? Failing to decide this in advance leads to a haphazard approach.

First principles suggest that there are good reasons to issue harsher penalties for Compliance Officers. Their breaches carry greater risk. Even minor breaches by a Compliance Officer may compromise their ability or desire to uphold the rules that they themselves failed to follow. Moreover, when a Compliance Officer breaches the rules, this can trigger circulation of two toxic messages: that the organization is not serious about its rules; and that certain people might be immune from them. Such messages destroy the culture of compliance, discourage speaking up and tacitly approve risk-taking and rule-breaking. So, perhaps it seems not only natural but also appropriate to issue stronger penalties for a Compliance Officer.

The US Department of Justice recognizes the special status of gatekeepers such as Compliance Officers, suggesting companies should, too. Statements by Deputy Attorney General Lisa Monaco (in the so-called ‘Monaco memos’[3]) and Assistant Attorney General Ken Polite (in May 2022 remarks presented to the Compliance Week National conference[4]), together with the Glencore settlement that required a CCO certification[5], signal both a renewed focus by the DOJ on holding individuals accountable for their roles in corporate malfeasance and prosecutorial interest in holding Compliance Officers’ feet to the fire.

However, there are also good reasons for not singling Compliance Officers out for harsher treatment. One is that this reinforces a view that Compliance Officers are more responsible for compliance outcomes than others in the organization. Such thinking flies directly in the face of the ‘lines of defense’ theories, under which the strongest, and most important, compliance responsibility has to be built into the operations and not live in some distant back room. Moreover, if we want to apply consequence premiums to Compliance Officers, there are certainly other roles that warrant premiums. All other ‘gatekeepers’, including in-house lawyers, auditors, and at least some Human Resources professionals, would qualify. What about the senior executive premium? When the CEO or a member of the Executive Committee fails to file their report on time, should there be an automatic increase in penalty because they set the tone? What about managers at other levels in the organization who arguably have even greater influence on the people around them than any senior executive does (the “tone in the middle”)? How should we think about the manager of a department who themselves has a clean record but whose team members consistently record higher than average breaches, suggesting the manager fails to reinforce compliance standards sufficiently?

Of course, all of these are reasonable principles to apply in a consequence management system, but one thing I have learned is that too many variables lead either to escalated consequences or to cherry-picking, where different variables are given greater weight depending on the circumstance, which brings us right back to the haphazard state of affairs. Either of these can have a devastating effect on the culture of compliance. Once people convince themselves that consequence management systems are not fair, there is no hope of people admitting mistakes or freely interacting with the compliance process.

There are ways to construct simple, accretive consequence management systems that deliver proportionality as well as consistency. One key is to select very few variables that determine the consequence level and then identify – and publish – those factors that most clearly indicate each variable. One organization landed on just two variables: seriousness and repetition. Consequences were decided in three clearly distinct levels of seriousness, and the level automatically increased with repetition. Proportionality came from the factors used to assess seriousness. Some factors were overriding, like the presence (if identifiable) of intent. Others were cumulative, and it was one of these factors – the likelihood that an individual knew the requirements – where Compliance Officers had no grounds for leniency. The final test came when publishing, in detail, both the mechanics of the system and examples of how it was applied. In consequence management, aim for belief, not popularity.

Footnotes

[1] Securities & Exchange Commission v Meadow & Teixeira, June 29, 2023, at comp-pr2023-124.pdf (sec.gov)

[2] FTX Trading LTD et al v DANIEL FRIEDBERG, June 27, 2023, available (redacted) as entry #1727 on the Kroll FTX docket at Kroll Restructuring Administration

[3] ‘Further revisions to Corporate Criminal Enforcement Policies following Discussions with Corporate Crime Advisory Group’, Lisa Monaco, Deputy Attorney General, September 15, 2022

[4] Available at Transcript: Kenneth Polite Jr. keynote address at Compliance Week 2022 | Reprint | Compliance Week

[5] See plea agreement in Re. United States vs Glencore International, A.G., Attachment H, at sdny_guilty_plea_0_0.pdf (justice.gov)

Anthony O’Reilly is the Founder of O’Reilly Advisors, LLC.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).