An overview of emerging CCO accountability regulations

Amanda Khatri

Editorial Manager

Cancel culture has taken on a whole new meaning in the financial services industry. Regulators across Europe, the UK and US are clamping down on wrongdoing, including punishing those who have acted wrongly on behalf of a company. Instead of placing the entire blame on the company, every compliance officer and senior executive is now responsible for their own errors in judgement.

While it’s good to see regulators barking up the consumer protection tree – something that we’re witnessing more of, as well as attention around personal accountability – this shift in focus is keeping people up at night. Companies can no longer avoid fines by operating in loopholes and employees can no longer hide in the cracks of a larger establishment.

For example, in May 2018, the group Chief Executive of Barclays, James Staley, was fined for attempting to unmask a whistle-blower… twice! More recently, the ex-Rabobank CEO was fined $20k for obstructing the Bank Secrecy Act (BSA) program examination.

We’re experiencing a shift in regulatory attitudes – one in which regulators are working towards the balance between technological innovation and thriving financial institutions versus customer protection and deterring crime as a whole. With that in mind, regulators across the globe have called for higher standards of conduct and more personal accountability for management failings.

What is personal accountability?

Individual accountability refers to everyone being responsible for their performance in the workplace. In typical criminal situations, a person who has violated a law would be charged for the offence. However, those who have acted on behalf of a company and have been involved in a crime can hide behind the company – meaning it would be the corporation’s responsibility.

The research briefing, ‘Executive accountability in financial services: the Senior Managers and Certification Regime,’ states that individual accountability is where “regimes focus on the people who manage these firms, ensuring that they are fit and proper to do their jobs.” It’s feared that individuals could avoid accountability for their improper actions “by claiming ignorance or hiding behind collective decision-making.”

Ever since the 2008 financial crisis, scrutiny of the financial service industry has increased, as has the need for greater accountability. This is a response to the insufficient regulation that eventually led to the global financial crisis and several misconduct occurrences.

In the interest of customer protection and market integrity, regulators across the globe have been establishing the same narrative which consists of rules that navigate individual accountability more effectively.  



United Kingdom


SMCR

In 2008, the UK took a step towards personal accountability by introducing the Senior Managers and Certification Regime (SMCR). It was constructed to increase the level of accountability and conduct of UK financial services – for firms as well as their employees.

It consisted of various compliance obligations and certification requirements which, if violated, could lead to significant penalties. Following in the footsteps of the UK’s Parliamentary Commission on Banking Standards (PBS) which emphasized senior managers’ conduct, SMCR required firms to ensure that senior employees were fit for high-responsibility roles. This included running criminal record checks, credit checks and directorship checks; managers must also be approved by the Financial Conduct Authority (FCA) or PRA before working and certified by these governing bodies annually.

Non-compliance with SMCR

If violated, penalties for non-compliance could result in personal and institutional liability, including fines and financial restrictions or custodial sentences – the seriousness of the breach would be assessed by the FCA. Non-compliance could be a failure in the following:

  • Accountability
  • Due diligence
  • Professional fitness
  • Market abuse
  • Money laundering
  • Financial crime

Criticisms of SMCR

Since SMCR came into force, there have been just 21 investigations and only one successful enforcement action – proving that it is ‘disproportionately difficult to prosecute large companies such as banks for economic crimes committed in their names, by senior managers.’ The general rule for enforcing liability to companies is the ‘identification principle.’ This refers to “where a particular mental state is required, only the acts of a senior person representing the company’s “controlling mind and will” can be attributed to the company.” In theory, this is limited to a small number of senior management persons.

On top of the lack of prosecutions, there is growing concern about how the identification principle doesn’t properly punish those who have carried out misconduct on behalf of companies. 

Corporate Criminal Liability Review 2022

In light of the low numbers of enforcement actions, the Law Commission recently published an Options Paper (the Options Paper) for the Government, suggesting improvements for the law to ensure companies are effectively held accountable for committing serious crimes.

Commenting on the reform options set out to Government, Professor Penney Lewis, the Law Commissioner for Criminal Law, said:


“It’s imperative that we have the right mechanisms in place to allow companies to be effectively held to account for misconduct carried out in their name. Our ten options for improving the law on corporate criminal liability mean that the Government now has several viable routes to reform at its disposal.”


A summary of the options paper

Back in November 2020, the Government asked the Law Commission to examine current laws and publish a paper that suggests different options for reform. 

To review the law relating to the criminal liability of non-natural persons, including companies and limited liability partnerships, these are the points that were considered: 

  1. whether the ‘identification doctrine’ is fit for purpose, when applied to organisations of differing sizes and scales of operation;

  2.  the relationship between criminal and civil law on corporate liability;

  3. other ways in which criminal liability can be imposed on non-natural persons in the current criminal law of England and Wales;

  4. the relationship between corporate criminal liability and other approaches to unlawful conduct by non-natural persons, including deferred prosecution agreements and the civil recovery of proceeds of unlawful conduct;

  5. approaches to criminal liability taken in relevant overseas jurisdictions;

  6. whether an alternative approach to corporate liability for crimes could be provided in legislation; and

  7. the implications of any change to the liability of non-natural persons for the liability of directors and senior managers (including under ‘consent or connivance’ provisions, such as those in s. 92 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017).

Options that were put forward

The Options Paper, as the name would suggest, put forward a number of options. Broadly, the options were:

  1. To retain the current identification doctrine

  2. To allow conduct to be attributed to a corporation if a member of its senior management engaged in, consented to, or connived in the offence

  3. The same as option 2, with the addition that the organisation’s Chief Executive Officer and Chief Financial Officer would always be considered to be members of its senior management.

  4. To impose a number of additional reporting requirements related to the Companies Act 2006 and the Modern Slavery Act 2015.


United States


There has been lots of talk on the topic of regulation; discussions around regulation are gradually focusing more on individual accountability. This is especially clear in enforcement action, where we’ve seen individuals fined for their wrongdoings on behalf of a business across a range of different industries – without being able to hide behind the corporation.

Examples range from the $100k fine for an ex-PPG controller over accounting improprieties to the SEC charging a former CEO of a Tampa-based health insurance distributor, as well as the company, for making false statements to investors. As we move into a more regulated financial industry, where personal accountability is in the spotlight, it’s more crucial than ever to ensure your employees are working to the best possible standards and company regulations are all up to date.

DoJ on White Collar Crime

In a keynote speech, the US Department of Justice’s (DoJ) Deputy Attorney General, Lisa Monaco, delivered new policies and actions for corporations and their compliance teams. As the Deputy Attorney General, her goal is “to set our investigators and attorneys up for continued success, so that they can enforce the criminal law fairly and vigorously.” Monaco believes that accountability starts with the individual, hence she advocates prosecuting “the individuals who commit and profit from corporate malfeasance.”

Upon investigating the current enforcement landscape, Monaco found that:

  1. Corporate crime has an increasing national security dimension — from the new role of sanctions and export control cases to cyber vulnerabilities that open companies up to foreign attacks.

  2. Data analytics plays a larger and larger role in corporate criminal investigations, whether that be in healthcare fraud or insider trading or market manipulation.

  3. Criminals are taking advantage of emerging technological and financial industries to develop new schemes that exploit the investing public.

As a result, regulation must keep up with this constantly changing landscape to “protect investors, consumers and employees.” 

Monaco has set out the following actions that will evolve the DoJ’s policies on corporate and individual accountability:

Following actions from the DoJ

1. Disclosing information about all individuals in misconduct, regardless of position

Companies must provide the department with all non-privileged information about those responsible for misconduct. This is regardless of position, status or seniority level and can no longer be limited to those “substantially involved.” 

2. Reconsider how prior misconduct affects decisions about corporate resolution

All previous misconduct of a company will be assessed when making decisions about corporate resolutions – even if prior occurrences are entirely different to the issue under investigation. 

3. Use of corporate monitors will no longer be an exception

If non-compliance does occur, regulators believe corporations will commit to improvement – often through self-policing. If that trust is called into question, the department will call on independent monitors. Independent monitors should be appointed “wherever it is appropriate to do so.”

4. Formation of the Corporate Crime Advisory Group

Monaco took this keynote speech as an opportunity to launch a new advisory group, the Corporate Crime Advisory Group, which will be formed of representatives from every area of the DoJ involved in corporate criminal enforcement.


Actions for firms on White Collar Crime

To achieve a stringent level of compliance, Monaco suggests that corporations should do the following: 

  1. Actively review their compliance programs to ensure they adequately monitor for and remediate misconduct.

  2. For those currently under investigation, the DoJ will be reviewing the entirety of their criminal, civil and regulatory records from here on in.

  3. Those that are currently cooperating with the government on cases of misconduct will now need to identify every individual involved in that misconduct – and produce all non-privileged information about the involvement of these individuals.

  4. For those currently negotiating results, it should not be assumed that a corporate monitor will not be appointed.

  5. Looking ahead, firms should understand that this is just the start of the DoJ’s actions to combat corporate crime.

New York City Bar’s Framework for Chief Compliance Officer Liability

In the latest push towards individual accountability, particularly within financial services, the New York City Bar has published a Framework for Chief Compliance Officer Liability within Financial Services. The Framework, which would serve to hold CCOs liable for malfeasance within financial services, was picked up by SEC Commissioner Hester Peirce, who recently outlined what the framework could look like in practice.


According to Commissioner Peirce, the overriding question when determining the extent to which a CCO should be held accountable is whether “wildly inappropriate” behaviour or “a wholesale failure” has occurred. The New York Bar’s liability framework sets out a series of component questions, which can determine overall responsibility:

  • Did the CCO not make good faith efforts to fulfil their responsibilities?
  • Did the Wholesale Failure relate to a fundamental or central aspect of a well-run compliance program at the registrant?
  • Did the Wholesale Failure persist over time and/or did the CCO have multiple opportunities to cure the lapse?
  • Did the Wholesale Failure relate to a discrete specified obligation under the securities law or the compliance program at the registrant?
  • Did the SEC issue rules or guidance on point to the substantive area of compliance to which the Wholesale Failure relates?
  • Did an aggravating factor add to the seriousness of the CCO’s conduct?

While the Framework remains in its nascent stages, Commissioner Peirce has warned of the dangers of such liability – noting that “fears of facing liability for someone else’s missteps can dissuade excellent candidates from seeking compliance jobs.” Such a framework might scare potential compliance officers away.


European Union


EBA expectations for AML COs

In June 2022, the European Banking Authority (EBA) published new policies for the role and responsibilities of the AML/CFT Compliance Officer. This is to ensure that there is no confusion around the anti-money laundering (AML) and countering the financing of terrorism (CFT) arrangements and actions that are expected by companies. It aimed to establish a “common understanding” and ensure “common interpretation” as well as “adequate implementation of AML/CFT internal governance arrangements across the EU.” 

The 2019 Report from the Commission to the European Parliament and the Council on the assessment of recent alleged money laundering cases involving EU credit institutions found that many credit institutions in the Commission’s sample had not established adequate risk management systems and controls. The analysis revealed deficiencies in credit institutions’ AML/CFT-related governance arrangements (including the ‘three lines of defence’), their internal reporting, group policies and senior management’s responsibilities and accountability.

A common understanding of the role and responsibilities of AML/CFT compliance officers and the management body or senior manager, which is applied and enforced consistently, is important to ensure that credit or financial institutions in all Member States implement sound and effective AML/CFT systems and controls and to protect the EU’s financial sector from financial crime.

Under the EBA’s new guidelines, the compliance officer should follow these responsibilities across seven key areas:

  1. The development of a risk assessment framework – the CO is expected to develop and maintain an AML/CFT risk assessment framework in line with Article 8(1) of Directive (EU) 2015/849.

  2. The development of policies and procedures – the CO should ensure that adequate policies and procedures are put in place, kept up to date, and implemented effectively on an ongoing basis.

  3. Managing high-risk customers – the CO should be consulted before a final decision is taken by senior managers to onboard new, high-risk customers.

  4. Compliance monitoring – the CO should, as a second line of defence, be responsible for monitoring whether measures, policies, controls and procedures comply with AML/CFT obligations.

  5. Reporting to the management body – the CO should advise the management body on measures taken to ensure compliance with applicable rules, regulations, laws and standards.

  6. Reporting of suspicious transactions – the CO, under Article 33(2) of Directive (EU) 2015/849, should ensure that other members of staff responsible for aspects of compliance have the skills, knowledge and suitability to assist.

  7. Training and awareness – the CO should inform relevant staff about the risks to which the organisation is exposed, including methods, trends and typologies – as well as the approach being used to mitigate those risks.

Firms should integrate these guidelines into their business frameworks by the 1st of December 2022. 


CUBE comment


The UK, US and EU are all taking steps to enhance laws around individual accountability. The seriousness of these changes is evident in the surge of enforcement action against senior management members at corporations.

For the UK, the Options Paper is a step towards enhancing the current UK laws around accountability. It has laid out certain rules that should be reformed to establish a ‘culture of compliance’ through individual responsibility. It is now up to the Government to decide what to implement going forward, ensuring that companies are effectively and successfully held accountable for any crimes committed.

organisation where decision-making can be fragmented. The options paper suggests that the “failure to prevent” offences should be extended to spot economic crimes such as the “failure to prevent fraud.” This would include instances where the corporation has failed to put any measures in place to stop its employees from committing fraud. It also covers new financial penalties and reporting requirements – by dotting all the i’s and crossing all the t’s, we cover all aspects to ensure effective individual accountability. 


The regulatory landscape is changing for the better. Across the world, regulators are operating with consumer protection and individual accountability at the top of the agenda. After all, it does begin with one person’s actions that impact the rest of the company. 

The future of individual accountability is shifting towards punishing those who are unfit to do their jobs and have been involved in wrongdoings. The wave of changes across the board aims to achieve sound and effective financial regulations as well as thriving industries that operate to the highest standards. 

Since the financial crash, regulators have been working hard to achieve a ‘culture of compliance.’ This has birthed a new type of service – a regulator’s best friend – automated regulatory intelligence. CUBE takes regulatory content, makes sense of it and maps it automatically to existing company policies. We’re here to make your lives easier. 

With many regulations on the horizon, especially around accountability, choose to implement regulatory technology to ensure your company is staying ahead of changes and incorporating these before any deadlines. 



