Yesterday I began an exploration of the potential individual liability of a Chief Compliance Officer (CCO) based upon the Financial Industry Regulatory Authority (FINRA) enforcement action against Raymond James Inc. and its former CCO, Linda Busby. Today, I will consider the specific deficiencies laid out in the Letter of Acceptance, Waiver and Consent (Letter of Acceptance) and what lessons might be drawn going forward.

It is incumbent to note the basis of liability is FINRA Rule 3310, which requires the company to “develop and implement a written anti-money laundering program reasonably designed to achieve and monitor the member’s compliance with the requirements of the Bank Secrecy Act…” The required policies and procedures are needed to detect and report suspicious activity and to monitor transactions for specified red flags. If such red flags were detected, additional investigation was required and any clearance of such a red flag required documentation. Some of the specifics of 3310 included appropriate due diligence on both customers and corresponding accounts for foreign financial institutions, a risk-based assessment of new clients and a review of red flags that might be raised in the above. Busby, as CCO, was required to implement the foregoing.

As noted yesterday, Busby was sorely understaffed, underfunded and probably could never have overseen a functioning and effective compliance program, had the company deigned to put one in place. However, the company obviously thought it did not have to do so. As noted in the Letter of Acceptance, the company “did not have a single written procedures manual describing AML procedures; rather to the extent written procedures existed addressing supervision related to AML, they were scattered through various departments.” Moreover, Busby did not have control or even oversight into individuals in other departments handling anti-money laundering (AML) issues. Finally, the company did not have any oversight for monitoring suspicious activity. The Letter of Acceptance noted these shortcomings were failures of both the company and Busby.

FINRA dived deeper into the weeds when it faulted both the company and Busby for not monitoring known high-risk transactions or individuals. The Letter of Acceptance listed high-risk activity as:

  • Transfers of funds to unrelated accounts without any apparent business purpose;
  • Journaling securities and cash between unrelated accounts for no apparent business purpose, particularly internal transfers of cash from customer accounts to employee or employee-related accounts; and
  • Movement of funds, by wire transfer or otherwise, from multiple accounts to the same third party account.

The company did not have any procedures “in place to reasonably monitor for high-risk incoming wire activity, such as third-party wires and wires received from known money laundering or high-risk jurisdictions.”

All of this meant that neither the company nor Busby was able to monitor or later investigate suspicious activity. FINRA turned up 513 accounts that engaged in high-risk activity that were never even spotted, let alone investigated. There was no overall risk assessment performed which might have allowed Busby to marshal her limited resources and focus on the highest risk transactions. As you would expect, there was no technological solution in place that allowed Busby to “conduct any trend or pattern analysis or otherwise combine information generated by the multiple reports to look for patterns”. All of Busby’s analysis had to be done the old-fashioned way, through manual review.

While there were some reports generated by the company that might have been of use in an AML analysis, they were either deficient or not tied to similar reports. Even when the information was available there was no overall risk ranking for the company’s customers that would have allowed transaction monitoring on a more proactive basis. Finally, and this one is perhaps the most unbelievable, there was no linking of customer accounts so no pattern of single customer activity could be reviewed.

In addition to these overall AML program deficiencies, the Letter of Acceptance listed failures by Busby when sufficient information was available to her. There were thousands of alerts generated regarding suspicious activities each month that were closed out with no documentation as to the rationale for closing the suspicious activity alert. There was no documented clearance of red flags raised, even in the process the company did have in place.

The customer due diligence report was not even provided to Busby or the AML team but to the company’s credit department, one of those departments that Busby had no visibility into. When there was sufficient information to investigate customers, Busby and her team failed to do so and the Letter of Acceptance listed several instances where Busby failed to document that customers had been sanctioned by the US Department of the Treasury. The Letter of Acceptance laid out some useful indicia of suspicious transactions including (1) rounded dollar amounts; (2) purpose of payment inconsistent with the customer’s prior activities; (3) the domicile of the individual receiving the funds was not the location where the funds were transferred; (4) the Letter of Authorization provided to the company was dated at or near the date of transfer.

Finally, and to no doubt warm the heart of every process analysis and professional out there, FINRA criticized the lack of oversight. Busby was criticized for failing to engage in appropriate oversight of the company’s AML risk. But the company also failed in its oversight role of providing oversight to the CCO and the compliance function. If it had done so perhaps the company would have realized the impossible position Busby was in and the utterly impossible role she had to accomplish.

Fortunately for the Foreign Corrupt Practices Act (FCPA) compliance CCO, the financial services industry has specific rules that require compliance programs. Such regulations do not exist around the FCPA. However, the analysis that FINRA used to bring charges against Busby could well bleed over to CCOs and compliance professionals in the future. With the new Department of Justice (DOJ) compliance counsel, the role of the CCO may be given more scrutiny going forward. It is painful to picture an anti-corruption CCO assessed with liability for a corporation which views compliance as poorly as did Raymond James, but they are out there.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Mister Ed

A horse is a horse, of course, of course,

and no one can talk to a horse, of course.

That is, of course, unless the horse is the famous Mister Ed.

Those lines were the opening verse to the theme song of the TV comedy Mr. Ed, which we celebrate today with the passing of (non-horse) star Alan Young who died this past week. While the name Mr. Ed may not mean much to the current television watching audience, his role as Wilburrrr, the foil of that universally famous talking horse Mr. Ed, should bring a few smiles to faces out there. Mr. Ed had an initial run from 1961-1966 on CBS and then reintroduced itself to an entire new audience on Nickelodeon network on the ubiquitous Nick at Nite in the 1980s and 1990s.

Mr. Ed and his ongoing antics and shenanigans seemed a good introduction to this issue of individual liability of a Chief Compliance Officer (CCO) in the financial services industry and whether that individual liability may bleed over into the wider anti-corruption compliance world. For when should a CCO have liability and should the regulators, whether in the financial services industry or in the broader anti-corruption world of the Foreign Corrupt Practices Act (FCPA), have such individual liability? The financial services world is regulated by both the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA), which have specific regulations requiring companies they regulate to have anti-money laundering (AML) compliance programs. The FCPA does not have any such requirements, either written directly into the statute or by interpretation therefrom.

In late 2014, SEC Enforcement Chief, Andrew Ceresney, gave a speech where he laid out the three areas of potential individual liability for a CCO. He said that CCOs should be concerned: (1) where there is actual willful misconduct with participation in the illegal activity; (2) when they have helped mislead regulators; and (3) where there is the clear responsibility to implement compliance programs or policies and they wholly fail to carry out those responsibilities. I do not think there would be any debate that a CCO who engages in illegal conduct should be sanctioned or one who wholly fails to engage in the statutorily mandated duties of the position. However, if regulators are going to move into evaluating the specific compliance program implementation and execution by CCOs, that would provide a sea-change in enforcement and potential personal liability for CCOs.

Last year there were two SEC individual enforcement actions against CCOs in the financial services industry. The two enforcement actions were styled Blackrock Advisors LLC and Bartholomew A. Battista (Blackrock) and SFX Financial Advisory Management Enterprises, Inc. and Eugene S. Mason (SFX). The Blackrock case involved an internal conflict of interest which led to a $12MM fine paid by the company. The company had a conflict of interest policy. However, according to the Cease and Desist Order, the CCO liability turned on “BlackRock’s CCO, Battista was responsible for the design and implementation of BlackRock’s written policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules. Battista knew and approved of numerous outside activities engaged in by BlackRock employees (including Rice), but did not recommend written policies and procedures to assess and monitor those outside activities and to disclose conflicts of interest to the funds’ boards and to advisory clients. As such, Battista caused BlackRock’s failure to adopt and implement these policies and procedures.” Battista was fined $60,000 separately.

According to the SFX Cease and Desist Order, the company President, Brian Ourand, “misappropriated at least $670,000 in assets from three client accounts.” The company was ordered to pay a civil penalty of $150,000. However, the SEC accused SFX CCO Eugene Mason of three general violations. First, Mason did not effectively implement “an existing compliance policy requiring that there be a review of ‘cash flows in client accounts.’” Second, Mason did not require an appropriate segregation of duties in that he did not guarantee that account cash flow reviews were done by someone other than the President. This caused the following statement in SFX’s brochure to be untrue: “Client’s cash account used specifically for bill paying is reviewed several times each week by senior management for accuracy and appropriateness.” Finally, and perhaps most troubling, while he, as CCO, was in the midst of an internal investigation following the discovery of [the President’s] misappropriation, the company did not conduct an annual review of its compliance program. The SEC believed that “Mason was responsible for ensuring the annual review was completed and was negligent in failing to conduct the annual review.”

One of the difficulties with assessing these actions in the context of the role of a CCO in the broader FCPA world is that they are the end results of lengthy processes of negotiations. This is particularly true when it comes to the final resolution documents, such as the SEC Cease and Desist Orders, from both cases.

Last week there was an enforcement action initiated by the FINRA against Raymond James and Associates, Inc. and its former CCO Linda Busby (the “Raymond James matter”). Raymond James paid a fine of $17MM and Busby was fined $25,000 and banned from the industry for three months. The resolution was in the form of a Letter of Acceptance, Waiver and Consent (Letter of Acceptance). The facts laid out in the Letter of Acceptance were accepted and consented to by the defendants without admitting or denying same.

In the Letter of Acceptance, FINRA laid out the specific failings of Busby in her role as CCO. The basis of liability is FINRA Rule 3310 that requires a company to “develop and implement a written anti-money laundering program reasonably designed to achieve and monitor the member’s compliance with the requirements of the Bank Secrecy Act…” The required policies and procedures are needed to detect and report suspicious activity and to monitor transactions for specified red flags. If such red flags were detected, additional investigation was required and any clearance of such a red flag required documentation.

Busby’s role within the company, from 2002-2013, was to ensure that the company’s AML compliance program was “tailored to the Firm’s business and for appropriately monitoring, detecting and reporting suspicious activity.” Unfortunately for Busby, she was the Lone Ranger of Raymond James compliance from 2002-2012. She did, however, increase head count in the compliance function by 100% in late 2012 “by adding a second employee.” The size of this compliance function, when compared to the size of the company as laid out in the Letter of Acceptance, is stunning: the firm’s “size increased from approximately 2,398 registered persons in 190 branches in 2006, to approximately 5,294 registered persons in 445 branches in January 2014.” Busby oversaw all of their work and one might see how her position was untenable to start with before there was any analysis of her work.

These head count numbers are rendered starker when one considers the number of transactions of the company. By 2014, the company had approximately 2.2 million accounts, generating “over 51 million transactions” annually. Busby and her team (such as it was) “were responsible for, among other things, reviewing more than a dozen lengthy AML exception reports for suspicious activity across the millions of accounts, filing suspicious activity reports (SARs), and communicating with branch managers and registered representatives regarding client actions and account activity.” It sure does not sound like a position set up for success.

Tomorrow, we will review that work and see what lessons may be drawn…stay tuned.

 


This week I have been exploring the Public Accounting Oversight Board (PCAOB) with Joe Howell, an Executive Vice President (EVP) with Workiva Inc. We have considered how some of the issues addressed by the PCAOB directly impact the Foreign Corrupt Practices Act (FCPA) compliance practitioner in ways that might not seem immediately self-evident. Today I will conclude my series with Howell by considering some of the costs for the failure of internal controls and how auditors, governed by the PCAOB, can help foster and facilitate a best practices compliance program.

There is no materiality standard under the FCPA. This is generally a different standard than internal auditors or accountants consider in a company. However, Howell believes their approach is wrong, based upon more than just a plain reading of the statute itself. This is because Howell feels it is not simply the materiality of the bribe; it may not even be the materiality of the contract that you receive because of the bribe. Howell’s view is that it is much broader, as the materiality would be the entire cost for which the company could potentially be liable: pre-resolution investigation, an enforcement penalty and fine, and then post-settlement remediation or other costs.

Howell began by noting that a company must report contingent liabilities in its financial statements, if only in notes. Even if a company cannot estimate these costs, they must be described. A financial statement would be incomplete and actually wrong if it fails to describe a liability when you know that you have one. This means “If a company discovers that a bribe was paid and a fraud was perpetrated and that money was used to pay a bribe, they now know that they have some sort of liability, a cost that they’re going to have to recognize at some point, but they don’t know how much it is yet.”

Howell acknowledges there can be many reasons why a corporation would not want to put such a disclosure on the face of its financial statements; nevertheless, they do need to describe it in the financial statements in order to actually give the reader of the financial information the full picture that they are required to provide.

Any FCPA investigation is going to have a profound cost. If a company desires to take advantage of the new Department of Justice (DOJ) Pilot Program and self-disclose to the DOJ and Securities and Exchange Commission (SEC), it still may result in a risk of a fine, disgorgement of profits and other penalties. Howell added, “then monitoring at the backend and penalties and reputational risk. All of which go together to be material to the company. Even though the bribe was a little bribe, even though the fuse was a small fuse, the bomb is a big bomb. When you see a fuse, notice that it’s been lit, you have an obligation to report that. That’s material. It’s relevant to the reader of the financial statements. Because the fuse is small, you can’t say, I don’t have to report it.”

In an interesting insight for the Chief Compliance Officer (CCO) or compliance practitioner to consider, Howell said that even if you remediate but make the decision not to self-disclose that alone may be evidence that your books and records are not accurate. Take a minute to consider that from the SEC perspective. If your SOX 404 disclosure does not reflect any reportable FCPA incidents because you have remediated and made the decision not to self-disclose, that alone can be a violation of the FCPA.

While Howell believes that such contingencies will resolve themselves over time, he believes it is important to make that immediately available to readers of the financial statements. He went on to state that there are large numbers of diverse constituencies who depend on your accurate financial statements. These include, “your bankers, creditors, as well as your shareholders. You may have relationships that are contractual relationships with suppliers, customers that could be affected by this. You may have contracts with your employees that are affected by this. There may be contracts with other third parties that could be affected or impaired because of your violation of the FCPA, in one instance.”

I was intrigued by Howell’s inclusion of bankers and creditors relying on the accuracy of your financial statements. This is because it is not uncommon now that a loan document or a secondary financing would require a company to maintain an effective anti-bribery, corruption compliance program. I asked Howell if this is something an external auditor would evaluate and, if so, how would they go about evaluating such a loan covenant?

Howell said this could well be important because if such a loan clause were violated, that would be part of the corporate disclosure. Howell went on to note that if an auditor were to become aware that a fraud was “committed and that fraud resulted in resources being used to pay a bribe, the auditor then needs to take a hard look at all the disclosures about the contingencies. If they’re uncomfortable with that, they need to report themselves about what they think that the client may have missed. When fraud is discovered, they cannot keep silent. They have to report it.”

I concluded by asking Howell about the SEC Audit Standard No. 5: what it is and how it ties into the FCPA and the line through SOX all the way to Dodd-Frank. Howell said the precursor to Audit Standard No. 5 was Audit Standard No. 2, which specified what Howell called a bunch of “‘thou shalt do’ stuff that became very mechanical and it drove people’s costs up and it made people uncomfortable.”

This led to the adoption of Audit Standard No. 5 and a change to a more risk based focus using a principles-based audit standard. The SEC wanted to direct “auditors to those areas that present the highest risk, such as financial statement, closed processes, and controls designed to prevent fraud by management. It emphasizes that the auditor is not required to scope the audit to find deficiencies that don’t constitute material weaknesses.”

Howell believes that bribery and corruption are subsets of fraud and auditors are “required to always disclose fraud, even if it’s immaterial. If they find fraud, and even if the fraud is immaterial, it still means that it could be a failure in the controlled environment that means that they can no longer really rely on those controls. They have to do something else. What they would do is substantive testing, which that means then they would go back and start to look at everything. That’s prohibitively expensive. It takes an enormous amount of time and it results in audits that are not sustainable.”

This means one can then draw a line even to Audit Standard No. 5 and the risks that companies have doing business outside of the US under the FCPA as a risk that needs to be audited. Howell said this means you have to incorporate such an analysis into your FCPA compliance program because, if you are doing business in high-risk countries which have a reputation for bribery as a way of doing business and you have operations there that rely on third parties that are securing contracts for you, you have an obligation to build a controlled environment which both prevents, to the best of your ability, mistakes such as bribes from happening and, if one were to happen, is on the lookout for where that would most certainly and most likely show up.

Howell said this could be a variety of responses, including “transaction monitoring, surprise counts, sending in auditors to actually be part of that control environment to look for all the documentation. It is important to also have that sense of remediation. If you find it, what do you do with it? To whom do you report? What processes are in place? Are they working?”

 
