Strict New Actions on Compliance Accountability: What your CCO needs to know to meet intensified regulatory expectations

Thursday, March 3, 2016 - 17:54

As the calendar year begins its first quarter, we continue to experience unprecedented growth in regulatory oversight. In the past 12 to 18 months, several new regulations governing the financial services industry have been proposed, all of which speak to the need for stronger corporate governance. Specifically applicable to depository and lending institutions are the New York Department of Financial Services’ proposed Superintendent’s Rule 504, the announcement by the Financial Industry Regulatory Authority (FINRA) of its intent to include procedures to evaluate organizational culture and ethics during its exams, and the continued efforts of the Consumer Financial Protection Bureau (CFPB) regarding debt collection and short-term lending.

The New York Department of Financial Services has issued a draft of Superintendent’s Rule 504. This proposed regulation increases compliance responsibilities for banks and non-bank regulated institutions doing business in New York. The comment period concludes March 31, 2016, but as it stands today, the rule includes these additional requirements:

• Expanded model/system validation

• The concept of easily understandable documentation

• A mandate that no institution can modify its program to reduce suspicious activity report (SAR) filings or due to resource constraints

• A certification component stating that the Compliance Officer or equivalent must certify that he or she has reviewed the institution’s programs and that the programs comply with all of the requirements of the proposed regulation

• Penalties for noncompliance, errors and fraud levied against both the institution and the individual.


FINRA has announced its intent to include audits of culture and ethics in its examinations. FINRA plans to address this seemingly subjective measure using the following five indicators:

• whether control functions are valued within an organization

• whether policy or control breaches are tolerated

• whether an organization proactively seeks to identify risk and compliance events

• whether immediate managers are effective role models of firm culture

• whether subcultures that may not conform to overall corporate culture are identified and addressed.[1]


The CFPB remains focused on consumers as it relates to debt collection, mortgage lending and information services/credit reporting,[2] each of which has a direct impact on the day-to-day operations of financial institutions. The bureau has entered into settlement agreements with several debt collectors, and based on the complaint data, debt collection will continue to be a focus. Credit officers will need to remain acutely aware of the need for high data integrity in both institution-driven and third-party collection. The credit officer must also be cognizant of the data being disseminated to third parties, how it is used and by whom, as he or she will remain culpable for that data.

The tenets of the regulations and regulatory actions outlined above speak to the need for stronger oversight, high data integrity, effective monitoring and the general provision of due professional care. Responses such as “I didn’t know,” “We are short-staffed,” “Our system can’t give us that information” and “Our vendor handles that” are not tolerated. Regulators expect that entities are dedicating the appropriate resources, providing management oversight and availability, supporting applications, adequately summarizing data into usable information, and owning every step of the regulatory process to ensure satisfactory completion. This expectation is further heightened by the impact of the so-called Yates Memo, the crux of which can be summarized as follows:

One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing. Such accountability is important for several reasons: It deters future illegal activity, it incentivizes changes in corporate behavior, it ensures that the proper parties are held responsible for their actions and it promotes the public’s confidence in our justice system.[3]

Furthermore, the memo outlines six steps to strengthen the pursuit of individual corporate wrongdoing.

• To be eligible for any cooperation credit, corporations must provide to the Department of Justice (DOJ) all relevant facts about the individuals involved in corporate misconduct.

• Both criminal and civil corporate investigations should focus on individuals from the inception of the investigation.

• Criminal and civil attorneys handling corporate investigations should be in routine communication with one another.

• Absent extraordinary circumstances, no corporate resolution will provide protection from criminal or civil liability for any individuals.

• Corporate cases should not be resolved without a clear plan to resolve related individual cases before the statute of limitations expires, and declinations as to individuals in such cases must be memorialized.

• Civil attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual’s ability to pay.[4]


Through this memo the DOJ clearly outlines that it intends to pursue individuals, in addition to corporations, for wrongdoing. This is compounded by the impact of emerging regulations, such as NYDFS Rule 504, which assign individual responsibility not only for purposeful malfeasance but also for errors, omissions and noncompliance.

To see the impact of the Yates Memo, we can look to the case U.S. Department of the Treasury v. Thomas E. Haider in U.S. District Court for the Southern District of New York. Haider was the chief compliance officer (CCO) of MoneyGram from 2003 to 2008. He was personally levied a $1 million fine for his role in failing to maintain an effective anti-money laundering program and to file SARs in a timely manner. The investigation of Haider also established that MoneyGram entered into a deferred prosecution agreement with the DOJ, admitted noncompliance with provisions of the Anti-Money Laundering and Bank Secrecy acts, agreed to a government-approved monitor, and paid a $100 million fine.

Considering the trend of regulations containing provisions to certify compliance with those regulations, as well as fines and penalties for noncompliance, what should CCOs be doing to meet regulatory expectations? CCOs will need to ensure that stakeholders understand all aspects of applicable regulations, that appropriate resources (financial/personnel) are deployed, that management dedicates the appropriate level of oversight and that all reporting deadlines are met. To do so, a CCO must focus on key areas within the organization:

• Ensuring data quality

• Allocating resources, including budgetary, system capabilities and skilled resources

• Providing tools and applications

• Building the necessary infrastructure

• Monitoring and governance

• Training.


Doing so will enable the CCO to certify, on behalf of the compliance function, that the organization has deployed highly skilled and well-trained staff, has utilized functioning systems, has committed the appropriate level of oversight, has compiled all relevant data, has submitted required filings, and is in compliance with the applicable regulations. Ensuring compliance will in turn reduce the risk to both the organization and the chief compliance officer.



Brian Lane, partner in the financial services group of Baker Tilly.

Kevin Sullivan, director of Baker Tilly’s financial services group.

Russell Sommers, senior manager in Baker Tilly’s financial services group.