The Evolving World Of The Corporate Compliance Officer

Friday, September 1, 2006 - 01:00

I sat in the small 8' by 8' office of a human resource legal manager, thrilled to be accepting a highly coveted role as a Vice President in litigation management at a major international financial institution. Suddenly I heard the sentence that would dramatically change my life and professional direction forever: "You understand, of course, that in addition to your litigation responsibilities, you will have one other assignment; but don't worry, it won't take up more than 5% of your time." Anxious to be upbeat and entirely "on-board" I quickly answered "no problem." The assignment turned out to be the area of money laundering - something I hadn't the foggiest idea about.

Frankly, I wasn't alone. In the late 1980s, many of us from the ranks of former district attorneys and prominent Wall Street lawyers were drafted seemingly overnight into the newly evolving world of global corporate compliance. We all shared one thing in common: we were ex-prosecutors who knew how to navigate our way through the courtrooms and the halls of the Securities and Exchange Commission and the Department of Justice and, more importantly, through the minds of those who conceivably could prosecute our new found clients.

Two weeks into my new position, I received a subpoena. It was a command by United States Senator John Kerry of Massachusetts to appear before the Senate Subcommittee on Terrorism, Narcotics, and International Operations. The subpoena asked for testimony and documentation on how the bank was keeping "dirty money" out of its institution in the 93 countries in which it was operating. It also represented the beginning of my path from litigator to Chief Compliance Officer.

The Reactive Phase

My "5%" assignment almost immediately began to consume 50% of my time, primarily in reactive mode to ever increasing regulatory burdens, just as it must have been for my counterparts at financial institutions across the country. Day-to-day issues included writing comment letters to the U.S. Treasury Department on a barrage of proposed anti-money laundering regulations that were designed to assist in the "war on drugs" and fighting with regulators over burdensome reporting requirements that were doing little to achieve the goals of the anti-money laundering laws. While learning the intricacies of private, consumer, and commercial banking, asset-backed securities transactions, equipment leasing, trade finance, letters of credit financing, mortgage lending, currency and securities trading, I gained greater insight into the ways in which both bankers and their clients could abuse the banking system. International organized crime reared its ugly head and my work brought me into closer contact with law enforcement agencies around the world. Chinese Triads working in Hong Kong and Macao were dealing with the Russian mafia in moving funds from the heroin trade into bank accounts from Singapore to Cyprus, and the bulk of my time, and those of my counterparts, was spent putting out fires that were erupting in places like Miami, Bogata, Panama, and Los Angeles, and throughout the Near and Far East.

The Proactive State

This reactive phase came to an end in 1991 with the passage of the United States Sentencing Guidelines1 applicable to corporations which required a proactive approach by corporations to prevent and detect criminal wrongdoing. Corporations now needed to:

1. Create Policies and Procedures to prevent and detect criminal conduct.

2. Have a Knowledgeable Board of Directors to oversee the program with specific high level individual(s) responsible for compliance and top management to ensure the program's effectiveness.

3. Engage in Responsible Due Diligence to ensure that senior level managers are not engaging in illegal activities or in conduct inconsistent with an effective program.

4. Create Training to communicate standards and procedures to directors, employees and agents.

5. Monitor and Audit to detect criminal conduct, and create and publicize a system to report suspected violations and one in which employees can seek guidance.

6. Create a System of Consistent Enforcement utilizing appropriate incentives and discipline to maintain the policies and procedures of the compliance program.

7. Timely Respond to detect violations and take action and reasonable steps to ensure corrective action and prevent further similar conduct.

I recall wondering how this giant banking institution was going to conform to what I referred to as the "Pre-Indictment Check List."

By 1991, my "5%" was consuming 100% of my time. Policies and procedures were written, risk assessments were created and administered, training programs and IT support were engaged. I had inadvertently become an "expert" in an increasingly "hot" area, attending American Bar Association and American Banking Association conferences on money laundering and being invited as a speaker. I was also meeting more frequently with the bank's Government Affairs Office and acting as its representative at meetings held by the U.S. Treasury Department, the Department of Justice, the U.S. State Department and the newly formed Financial Crimes Enforcement Network. I also received a coveted seat on the newly formed United States Bank Secrecy Act Advisory Board where I represented the interests of the money center banks.

Over the next five years, my expertise in identifying, preventing and predicting high risk geographies, businesses, and transactions took me to meetings with military, intelligence, police and law enforcement personnel, and with Prime Ministers, Premiers, Emirs, and Presidents throughout the world. This was heady stuff; policing a large banking institution's myriad of operations was not a simplistic task.

In the early 1990s, time and resources were being devoted to satisfying the demands of the Bank Secrecy Act,2 spurred by a series of prosecutions that woke up management in banks and corporations alike. Banks were collapsing under the weight of accusations of massive money laundering or gaining reputations for lacking proper controls. Financial institutions grudgingly assigned part-time legal staff, part-time risk officers and part-time auditors to this new role called "compliance." News headlines about multi-million dollar fines for non-compliance drove home the point that institutions needed to increase budget, staffing, and IT resources to prevent and detect violations of law and regulation. In the highly regulated banking industry, this transformation came more quickly as national regulators put the brakes on growth for many violators, preventing branching and introduction of new products. An increasing number of Memoranda of Understanding ("MOUs") were issued by regulators laying down corrective actions that financial institutions were expected to address prior to being permitted to continue growing. Institutions were in effect being placed "on probation."

The power of the compliance officer increased as it became clear that prevention and detection of regulatory failures was integral to growth, if not institutional survival. It took another decade for these roles to mature to their current professional status. By 1996, I was working at another corporation and eventually with a compliance group that numbered 350 in over 50 countries around the globe - a far cry from the team of 40 I had worked with just six years before.

During this period, increasingly more conferences were held in the United States and abroad on the topics of anti-money laundering, anti-corruption, anti-trust and data privacy. The Department of Justice began weighing in with a series of blockbuster criminal indictments. It was the infamous implosion of Enron and Arthur Andersen that caught the attention of boards of directors in all publicly traded companies. The Enron period, along with failures at other major corporations, were to forever change the face of the compliance community. Giant corporations falling apart for failing to detect rot from within were no longer acceptable to shareholders or to board members who were being held personally liable for the failures of the corporations on whose boards they sat.

Expansion Of The Compliance World

Congress reacted with the creation and imposition of the Sarbanes-Oxley Act ("SOX").3 Controllership became the mantra of the government and board members. Out of SOX came the realization that every type of publicly traded corporation needed to demonstrate the ability to control all risks , not just financial risks. Corporations were required to map their risks and demonstrate adequate controls. SOX gave rise to a new breed of compliance officer. Increasingly this position was being filled by ex-U.S. Attorneys, ex-government regulators at ever increasing levels of responsibility and accountability to CEOs and to Audit Committees of the Board of Directors. The expectation was that they would roll out global risk assessments and guarantee CEOs that there would be a robust system to PREVENT, DETECT and MITIGATE legal and regulatory failures. Slowly the size and strength of compliance departments grew, as did the standards for those who work in this unique area of corporate life. While early compliance officers were often lawyers, ex-auditors, ex-credit risk officers and the like, the new breed are talented business leaders and project managers who regularly interface with senior management and boards of directors.

Preventing failures has meant that compliance organizations have needed to install early warning systems that range in levels of sophistication from employee training, e-learning and hotlines (helplines, ombudslines) to more sophisticated software systems that filter aberrational statistical anomalies that highlight unusual patterns of sales or transactional volume or speed. Chief Compliance Officers ("CCOs") are increasingly being called upon to be technically proficient in a wide variety of software and case management systems. The myriad of laws and regulations, as well as the general compliance culture of an entire organization is now sitting with Chief Compliance Officers. In multinational organizations, these CCOs need regional and local staff who are equally proficient in the techniques of prevention, detection and mitigation of legal and regulatory risk.

The Department of Justice and the now famous "Thompson Memorandum"4 have increased the pressure on corporations to demonstrate their ability to detect violations of law and make "voluntary disclosures" to the government to avoid enormous fines (often running into the hundreds of millions of dollars) and jail sentences for senior management. Additionally, revisions to the Corporate Sentencing Guidelines have increased the focus on compliance and prevention, risk management, assessments and creation of ethical and compliant cultures.5 The Foreign Corrupt Practices Act6 and Anti-Trust enforcement - both domestically and with the European Union - have increased pressure on almost every type of industry doing business in emerging markets.

From the pharmaceutical industry to major aircraft manufacturers to the structured finance of major infrastructure projects costing hundreds of millions to billions of dollars, there is increased scrutiny. The oil and gas industry, water project companies, and single import/export businesses are all under government scrutiny for violations of corrupt payments around the world. The reputational risk for giant multi-nationals has taken on greater and greater significance in giant corporations as they expand their reach abroad. Emerging markets in China, India, Africa and South America have posed special challenges to corporations seeking to enter markets where corruption and a lack of rule of law make U.S. and European standards difficult to carry out. Cases of money laundering violations have been brought against stock brokerage firms. Recently, the Treasury Department expanded the anti-money laundering regulations to encompass mutual funds.

Mega corporations continue to increase their budgets, resources and attention in the area of compliance. There is no contender to the case for good corporate compliance, and no business that hopes to succeed in the new millennium can afford not to utilize every means available to comply.

1 United States Sentencing Commission, Guidelines Manual ("USSG"), Ch. 8 (Nov. 1, 1991). See also United States Sentencing Commission, Supplementary Report on Sentencing Guidelines for Organizations (Aug. 30, 1991) (discussing the need for Corporate Sentencing Guidelines and the text of the provisions), available at www.ussc.gov/corp/OrgGL83091.pdf.
2 31 U.S.C. 5311-5332.
3 Pub. L. No. 107-204, 116 Stat. 745 (2002).
4 The "Thompson Memorandum," named after its author, Deputy Attorney General Larry D. Thompson, enumerates a series of factors for United States Attorneys to consider in deciding whether to investigate, charge, or negotiate a plea with a corporation. The text may be found at www.usdoj.gov/dag/cftf/business_organizations.pdf.
5 USSG, Ch. 8 (Nov. 2004). See also id., Supp. to App'x C, at 99-118 (explaining the revisions as to business organizations).
6 Pub. L. No. 95-213, 91 Stat. 1494 (1977) (codified as 15 U.S.C. 78m(b)(2)-(b)(7), 78dd-1, 78dd-2, 78dd-3, and 78ff(c)).

Jane L. Wexton heads the Compliance Practices and Advisory Services Group at Akerman Senterfitt LLP, working from the firm's New York and Washington, DC offices.

Please email the author at jane.wexton@akerman.com with questions about this article.