The Liability of Compliance Officers

Tuesday 25 July 2017

This article was originally published in the June 2017 edition of GRC Professional.

David Jacobson, Lawyer for Financial Service Providers, writes about the liability of compliance professionals. 

by David Jacobson

Two recent announcements have the potential to increase the personal responsibility of compliance officers in the financial sector.

Firstly, in April 2017 the Australian Transaction Reports and Analysis Centre (AUSTRAC) published draft new AML/CTF Rules that, for the first time, set out the responsibilities of the AML/CTF Compliance Officer for the compliance of a reporting entity.

Secondly, on 9 May 2017, the Commonwealth Treasurer announced the establishment of the Banking Executive Accountability Regime, which will make banking executives liable for misconduct in their businesses; in turn, those executives will expect more of their risk and compliance officers.

The Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC) already have the power to disqualify persons from the management of companies.


Most compliance officers are not directly involved in operational areas. They are responsible for implementing the compliance program and for providing a second line of defence behind operations.

If the three lines of defence model is followed, is the liability for a compliance breach a collective corporate liability, or the personal liability of the chief executive, a senior manager or the compliance officer?

This article looks at overseas examples to give an indication of how compliance officers might be held liable in Australia.


What are compliance officers concerned about?

Typically, the role of a compliance officer includes:
  • reviewing compliance with external regulatory requirements (laws, regulations, codes, standards) as well as internal business policies and controls;
  • monitoring changes in the external and internal environments for new or changing legal and compliance risks; and
  • training and development, and business process improvement.

People make mistakes. The test of an organisation's culture is how it minimises the risk of mistakes and what it does when they occur. Does it cover them up or fix them?

Shortening the time between the initial breach and its detection can minimise the financial loss to the business and its customers.

Designing a framework to prevent a breach and to detect and respond to breaches is a critical compliance measure.


The three lines of defence: is it consistent with individual accountability?
In risk management, we talk about the 'three lines of defence': firstly, front-line operational management; secondly, risk and compliance (which reports to senior management); and thirdly, internal audit (which reports to the Board), backed up by expert third parties.

Having three lines of defence is intended to provide assurance at multiple opportunities that there is no unethical corporate culture or illegal conduct occurring.

The three lines of defence model clarifies the role and duties of the compliance officer and how that relates to the risk management policies developed by senior managers and the board of directors.

Compliance adds to the reputation and integrity of the organisation. It creates a culture that values accountability and good governance. It shows your employees you are committed to ethical conduct. It shows your customers you are trustworthy. It reduces the risk of errors and of prosecution and penalties.

If compliance is a corporate objective, it should also be a corporate liability, in the absence of individual misconduct.


AML/CTF compliance officers
The 2016 Report on the Statutory Review of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 made the following comments about AML/CTF compliance officer requirements:

“While the AML/CTF Rules refer to tasks that AML/CTF compliance officers are authorised to perform, there is no description of the role and function of the AML/CTF compliance officer or compliance arrangements. The AML/CTF Rules should be amended to address this issue and be accompanied by guidance to assist reporting entities to understand and implement this obligation.
Stakeholders supported the development of competency standards and qualifications for AML/CTF compliance officers to help build the capacity of reporting entities to comply with their obligations.”

In the first draft of the AML/CTF Rules resulting from the Reform Project Review of the AML/CTF Act, AUSTRAC proposes to amend Part 8.5 of the Rules to define the responsibilities of the AML/CTF Compliance Officer.

The function of the AML/CTF Compliance Officer is stated as “the person who undertakes the handling, direction or control of AML/CTF compliance within the reporting entity”: Draft Rule 8.5.2.
Draft Rule 8.5.3 states: “In conjunction with the supervision and oversight provided by RE’s board and/or senior management, the AML/CTF Compliance Officer is responsible for ensuring the entity’s continuing compliance with the obligations of the AML/CTF Act and AML/CTF Rules.”

The first line of Draft Rule 8.5.4 says “the responsibilities may include, but are not limited to” a list of 15 duties.

The Explanatory Note says that it is intended that the list is non-exhaustive and the reporting entity has the discretion to implement those which are relevant to its circumstances.

However, by not only requiring a reporting entity to appoint a compliance officer but also making the AML/CTF Compliance Officer responsible for ensuring the entity's continuing compliance, the draft Rules make it possible for a compliance officer personally to contravene a civil penalty provision or be made subject to a pecuniary penalty order.


The overseas experience
It is worth looking at two overseas examples of investigations into the conduct of compliance officers.

The UK Dynamic Decisions Capital Management Limited investigation

In 2011, the UK Financial Services Authority (FSA) fined Dr Sandradee Joseph, the compliance officer of the hedge fund manager Dynamic Decisions Capital Management Limited, £14,000 and banned her from performing any function of significant influence in regulated financial services for failing to carry out her duties with due skill and care. She was declared not a fit and proper person.

When interviewed by the FSA, Dr Joseph stated that she considered her role to be more of a reporting function, with her responsibilities limited to setting up systems. As a result, she relied on false information from a fraudulent employee in respect of the transaction in question.

The FSA concluded that Dr Joseph should have taken steps to ensure the investors' concerns were investigated to establish whether they were legitimate and, if so, to take appropriate action.

The Agricultural Bank of China
In 2016, a New York State Department of Financial Services investigation into the Agricultural Bank of China resulted in an agreement by the Bank to pay a US$215 million penalty and install an independent monitor for violating New York’s anti-money laundering laws.

The DFS investigation discovered intentional wrongdoing, including actions by bank officials to obfuscate US dollar transactions conducted through the New York Branch that might reveal violations of sanctions or anti-money laundering laws.

The Bank also silenced and severely curtailed the independence of the Chief Compliance Officer (CCO) at the New York Branch, who had tried to raise serious concerns with Branch management and to conduct internal investigations into suspicious activity, leading the CCO ultimately to resign.

The Consent Order recites:

“The ultimate responsibility for the design and implementation of these policies and systems belongs at the very top echelon of the institution. The board of directors and senior management must devote careful study to the design of the [anti-money] laundering and other compliance systems that lie at the core of this first line of defence. They must provide sufficient resources to undergird these systems and structures, including appropriate and evolving technology where cost effective. Adequate staffing must be put in place, and training must be ongoing.

Management cannot be focused solely on business or branch development. Compliance must be a central pillar of management’s responsibilities. Senior executives need to be proactive, dedicated to a strong program, and unwavering in their commitment to keep the program on their agenda. When there is a material failure in a compliance program—in its structure, implementation, execution or policing—senior management must bear responsibility.”

The Bank has since been sued by the former chief compliance officer who ran its compliance function in New York. She said she was forced out of her job after telling the Federal Reserve Bank of New York about money-laundering risks in trade-financing transactions, and alleged that the Bank retaliated against her for those late-2014 disclosures.


Banking Executive Accountability regime
In May 2017, the Treasurer announced that the Government will legislate to introduce a Banking Executive Accountability Regime. It includes registration of the senior executives and directors of all authorised deposit-taking institutions (ADIs), new APRA powers and penalties, and remuneration measures.

APRA has previously identified the behaviour of boards and senior executives, and industry remuneration practices, as two of the drivers of risk culture across a range of banking, insurance and superannuation businesses.

Stronger powers will be given to APRA to remove and disqualify senior executives and directors from all APRA-regulated institutions.

APRA will be given power to require ADIs to review and adjust remuneration policies when APRA believes such policies are producing inappropriate outcomes.

Under the UK Senior Managers Regime, the UK Financial Conduct Authority can take enforcement action against senior managers if they are responsible for the management of any activities in which their firm contravenes a regulatory requirement, and if they do not take such steps as a person in their position could reasonably be expected to take to avoid the contravention occurring or continuing.

The recent Wells Fargo scandal involved employees opening as many as 2 million unauthorised accounts without customers' knowledge in order to benefit from sales incentives. Senior management fired 5,300 employees over five years for related misconduct, but failed to tell its own board the number.

The bank was fined US$185 million and the CEO/chair ultimately resigned. Additionally, the CEO and another top executive forfeited US$75 million in entitlements.


Boards and senior management set an organisation's objectives and the strategies to achieve them, together with a risk and compliance framework.

The three lines of defence model is designed to give assurance that risks are being managed.

In the absence of individual misconduct, making compliance officers personally liable for a breach is not consistent with good corporate culture.

About the author

David Jacobson is a lawyer for Financial Service Providers, specialising in regulatory compliance, contracts, risk management, governance and training.