Analyzing the Latest CCO Liability Case
Stop me if you’ve heard this one before: a chief compliance officer faces personal legal liability for compliance failures at his firm, and everyone got into a tizzy over it. Then, upon reading the facts of the case, a more complicated picture emerges that demonstrates just how tricky a subject CCO liability can be.
Such is the case for Arnold Feist, the former chief compliance officer at Interactive Brokers. Last week Feist consented to a finding from FINRA (the regulator for broker-dealer firms) that he failed to oversee Interactive Brokers’ anti-money laundering compliance program properly. FINRA hit Feist with a $25,000 fine and banned him from working with any FINRA-regulated broker-dealer firm for two months.
CCO liability cases are always interesting because the financial services community is always saying that such cases are a menace; that the cases hold compliance officers responsible for failures beyond the CCO’s control and scare good compliance professionals away from the job. Then again, in just about every CCO liability case that I’ve seen, the compliance officer was either grossly negligent or directly involved in the misconduct. You can’t blame a regulator for punishing the CCO under those circumstances.
Feist’s case is instructive in several ways. First, we could assume the facts outlined in the FINRA letter are true — and from that, get a better sense of what FINRA does expect a compliance officer to do, so that he or she won’t face any personal liability. Second, we can also look at the larger picture here and ask: Was FINRA reasonable in its expectations for Feist, or do regulators expect too much of compliance officers?
Let’s begin with a recap of FINRA’s complaint against Feist.
A Lot of ‘Did Nots’
Feist was chief compliance officer at Interactive Brokers from 2006 until April 2020. According to FINRA’s complaint against Feist, Interactive Brokers’ written supervisory procedures vested Feist with “full responsibility” for the firm’s AML program, including its day-to-day operations, and required him to review one of each of the firm’s surveillance reports every month to assure that analysts handled them in accordance with the firm’s procedures.
Instead, FINRA claims, Feist mishandled his AML duties over a five-year period in the mid-2010s. Among the shortcomings…
- Did not supervise the firm’s AML analysts or their supervisors;
- Did not take “other steps” to understand how the firm was implementing its AML program;
- Did not assess whether the firm’s AML analysts were reviewing the AML surveillance reports on a timely basis;
- Did not evaluate the adequacy of the firm’s surveillance reports;
- Did not take steps to determine whether the firm’s AML investigations were adequate;
- Failed to regularly perform the monthly review of at least one of the firm’s surveillance reports (as required by written policy);
- Failed to develop an understanding of the firm’s AML risk profile.
FINRA also said Feist “learned about, but failed to recognize the import of, facts that should have alerted him” that Interactive Brokers’ AML program wasn’t reasonably designed to detect suspicious activity and trigger suspicious activity reporting.
For example, Feist knew that Interactive Brokers received wire deposits from “unknown remitters” who hailed from countries with a heightened risk of money laundering. Those wire transfers ran into the hundreds of millions of dollars while Feist was in charge of AML compliance. Still, rather than treat those wires as third-party transactions and subject them to monitoring and review, the firm treated them as first-party wires, without any AML review or customer inquiry.
In 2020 Interactive Brokers agreed to pay a $38 million penalty to FINRA, the Securities and Exchange Commission, and the Commodity Futures Trading Commission over those exact issues: failure to monitor customers’ wire transfers for money-laundering risk and failing to file suspicious activity reports. The period in question was 2013 to 2018, when Feist was the chief AML compliance officer and Interactive Brokers grew to be one of the largest broker-dealers in the United States, with more transactions cleared for foreign financial firms than any other broker-dealer.
FINRA’s complaint against Interactive Brokers itself is instructive here. It notes that the number of account reviews Interactive Brokers’ AML staff performed soared from 18,000 in 2010 to 80,000 in 2016 — but the firm only added two AML analysts between 2013 and 2016, increasing its staff from four to six.
Moreover, a compliance manager warned his supervisor in 2015 that “we are chronically understaffed” and “struggling to review reports in a timely manner.” A year later, the manager wrote that the compliance department was “still struggling to review reports in a timely manner” and “barely able to review” some of them. That FINRA complaint doesn’t name names, but in all likelihood, Feist either was the supervisor receiving those pleas, or he would have heard about them.
Only in 2018, when Interactive Brokers’ compliance failures reached a crisis point, did the firm act. One of its first steps: split out AML compliance duties into a stand-alone role, rather than have Feist manage them (like he had been doing) while wearing the chief compliance officer hat.
What Can We Learn Here?
Let’s assume all FINRA’s allegations against Feist are true. From there, we can reverse-engineer what regulators do want to see for an active, engaged CCO who therefore wouldn’t need to worry about personal liability.
For example, in that list of Did Nots mentioned above, we see a lot of failure to supervise employees and failure to assess whether something (investigation protocols, surveillance reports, other processes) is adequate. To avoid personal liability, a compliance officer would need to fulfill those duties with zeal. Above all, you would need to work tirelessly to build a compliance program that keeps pace with the risks that your firm accumulates as it grows and evolves.
My beef with FINRA, however, is that it uses words like “adequate” and “reasonable” without providing much clarity about what those words mean in practice. For example, the workload for AML staff went from 18,000 account reviews to 80,000, an increase of more than 400 percent. Should Interactive Brokers have quadrupled the size of its staff, or invested in automated review technology, or taken some other course? We on the outside are only left to read enforcement action settlement notices and discern the correct answer (or what we think the correct answer is) ourselves.
Then again, we should note that when Interactive Brokers settled its case in 2020, the firm added 80 permanent positions to its AML staff, plus 35 more temp staff, including numerous senior managers with extensive AML experience and 10 team leads, plus “dozens of compliance analysts.”
Ain’t it funny how you can find the money and resources for adequate compliance staff once regulators knock on your door? Was Feist arguing for such investments all through the 2010s, when risky business was soaring and his staffers were crying out for help? Or was he, as FINRA says, disconnected from the minutiae of an effective compliance program and ignoring the concern about third-party wire transfers?
My point is that when compliance trade associations and legal groups raise a hue and cry over CCO liability, their arguments and fears mostly reside on the theoretical plane. Here on the material plane of facts and enforcement actions and misconduct, things are much less clear-cut.
Maybe, just maybe, we need to decide each case on its own merits, and give regulators the benefit of the doubt.