"An honest man's pillow is his peace of mind." John Mellencamp, "Minutes to Memories" (1985).

2019 has been a year of increased regulatory scrutiny of banks' and other financial institutions' whistleblower investigation protocols and codes of conduct. In January 2019, for example, the New York Department of Financial Services (DFS) identified 10 pillars for an effective whistleblower program in a newly released Guidance on Whistleblowing Programs.

More recently, in July 2019, the Office of the Comptroller of the Currency (OCC) published an updated Handbook on Corporate and Risk Governance. The Handbook provides, among other things: "Employees, officers, and directors should have a clear understanding of the consequences of unethical, illegal, or other behaviors that do not align with the bank's code of ethics (or code of conduct)."

Against this backdrop of regulatory reform, two recent enforcement actions present extraordinary cautionary tales. The first action involved a general counsel's allegedly improper concealment from the regulator of a consultant's report of Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance deficiencies. The second involved a CEO's determined efforts to unearth the identity of a whistleblower who made accusations of misconduct against an executive who was the CEO's friend.

Each of these matters involved individuals with high-level compliance responsibilities, who apparently made very bad decisions, which resulted in enormous monetary and reputational damage to their employers as well as themselves.


Concealment of Consultant's Report

In July 2019, coinciding with its release of the Handbook on Corporate and Risk Governance, the OCC entered into a Consent Order with the former general counsel of a major European bank doing business in the United States. The general counsel agreed to pay a $50,000 fine. He agreed that he would not, in the future, participate in the affairs of any insured depository institution, any insured bank, insured credit union, or other entity regulated by the OCC. He also agreed not to accept any indemnification from his former employer for the fine. In re Daniel Weiss, Office of the Comptroller of the Currency, Case No. AA-EC-2018-95 (Consent Order, July 17, 2019).

What did the general counsel do to warrant these extraordinary penalties? His alleged actions reveal an attorney who was trying, at all costs, to protect his client, but, at the very least, lost sight of his good judgment.

The magnitude of these errors in judgment is reflected by the fact that, as a result of his actions, the bank pleaded guilty to conspiracy to obstruct an OCC examination, forfeited over $368 million, and in addition paid a $50 million civil penalty. The OCC also found that the bank suffered "significant reputational harm as a result of Respondent's conduct that led to the Bank's guilty plea."

According to the OCC's Notice of Charges dated March 25, 2019, the general counsel had been hired in July 2009, at a time when the bank was subject to a formal agreement with the OCC addressing alleged BSA/AML compliance deficiencies. In 2012, the bank's chief compliance officer (CCO) had identified ongoing serious alleged BSA/AML deficiencies. Bank management disagreed with the CCO's findings, but in November 2012, the OCC commenced an on-site examination of the bank's BSA/AML compliance program, and found it to be ineffective and in violation of applicable law.

Thereafter, the bank retained an independent audit firm to assess its BSA/AML program. In January 2013, the bank and the general counsel received a first draft of the report (consultant's report) and distributed it to certain high-level bank executives, including members of its BSA Oversight Committee.

The consultant's report corroborated the findings of the CCO and the OCC, concluding, among other things, that the bank did not appear to maintain a strong 'Culture of Compliance' related to BSA/AML. Evidence of this included a lack of robust training and the lack of awareness of money laundering detection techniques.

In February 2013, the OCC informed the bank orally and by correspondence of its preliminary examination findings that the bank's BSA/AML compliance was ineffective (OCC Notice Letter). Following the bank's receipt of the OCC Notice Letter, the general counsel received several copies of updated versions of the consultant's report, which again corroborated the OCC's findings.

Nevertheless, in March 2013, in a letter that the general counsel helped prepare, the bank responded to the OCC Notice Letter by disputing the OCC's preliminary conclusion regarding the bank's BSA/AML compliance program, and claiming that the OCC's conclusion was based on incomplete and in some instances inaccurate information. The bank's response did not disclose the existence of the consultant's report or acknowledge its findings.

The whistleblower continued to elevate concerns about the bank's BSA/AML program, and the bank then placed her on forced leave. The whistleblower then alerted the OCC to the existence of the consultant's report. Upon learning of the existence of that report, on March 21, 2013, the OCC asked the acting CCO via email to "please provide us with a copy of the assessment report of the bank's BSA program that [the consultant] was engaged to perform in January 2013."

Rather than producing the consultant's report, the acting CCO and the general counsel allegedly conspired to conceal it. In an email to the general counsel, the acting CCO said: "I think the right answer is that [the consultant] did not perform an assessment. That while they were engaged to perform a market study/peer benchmark for management and the board, the project was shelved before any report could be issued."

The general counsel responded by stating his view, among other things, that the consultant "never provided a final report. … . They did produce a draft that was shared with management … . My guess is that copies of the draft are floating around although our intention was to not keep any draft documents. So I believe your statement is accurate, although should we say no 'final report was issued'? The obvious concern is they then ask for the draft from [the consultant]."

The acting CCO then responded to the OCC that the consultant "did not complete an assessment. While they were engaged to perform a market study/peer benchmark analysis for the benefit of management and the board, the project was suspended before any report was issued … ." She concluded that the bank had only recently asked the consultant to provide a BSA/AML risk assessment. She said: "We anticipate having a draft in time for the next board meeting in early May. I'd be happy to send you a copy of the draft report."

The OCC responded by stating its understanding that the consultant had indeed provided a report or documents to the bank, and requested a copy, "even if it was only preliminary or partial." The acting CCO replied to the OCC, again failing to acknowledge the existence of the consultant's report.

Finally, in April 2013, an Assistant Deputy Comptroller (ADC) for the OCC informed a senior executive officer of the bank that the OCC was aware the bank possessed a written report from consultants, and directed the officer to produce the materials in the bank's possession. Ten days later, the acting CCO emailed the consultant's report, which it had received in January, to the OCC.

The general counsel and the acting CCO attached a cover letter to the production, which sought to excuse the failure to provide the consultant's report by claiming that it had been distributed only to a limited few executives.

The OCC Notice of Charges against the general counsel alleged that he continuously participated in the concealment of the Auditors' Report from the OCC despite its "unambiguous, repeated, and direct requests," in violation of applicable law. It also asserted that the general counsel violated federal law "because he knowingly and willfully participated in the making of materially false statements regarding the bank's possession of the [consultant's report] to the OCC continuously and repeatedly … ." In re Daniel Weiss, Office of the Comptroller of the Currency, Case No. AA-EC-2018-95 (Notice of Charges for Order of Prohibition and Notice of Assessment of a Civil Money Penalty, March 25, 2019).

In September 2015, the bank terminated the general counsel's employment, and in February 2018, as noted above, it forfeited more than $368 million and paid a $50 million civil penalty.


CEO's Efforts To Identify Whistleblower

In December 2018, the DFS fined a different foreign bank $15 million for similarly egregious conduct allegedly carried out by its CEO, who sought to identify a whistleblower despite the bank's vigorous policies prohibiting the identification of anonymous whistleblowers.

In that case, in June 2016, the bank had received two anonymous letters against a recently hired executive whom the CEO had recommended for hire. The CEO regarded the executive as a good friend, and he allegedly viewed the letters as a personal attack on both the executive and himself.

The bank had strong policies protecting whistleblowers. It permitted individuals to file complaints via a hotline, email, or via third parties. It provided for monthly reports to senior management regarding the status of any whistleblower complaints.

Critically, the bank also prohibited trying to identify anonymous whistleblowers—and this is where the CEO went profoundly wrong. When the CEO received the letters, he instructed the bank's investigations and whistleblowing team to log the complaint but not share it with senior management.

The CEO then contacted the bank's chief information security officer (CISO) and asked him to try to identify the author of the letters. In turn, the CISO enlisted a cybersecurity intelligence analyst to help them do so.

When the CEO told the bank's general counsel and group chief compliance officer (GCCO) of his plans to identify the whistleblower, they told him not to. However, the record contained no notes of anyone instructing the CEO to cease these activities, and the CEO continued to press the CISO.

Meanwhile, in response to the CISO's request, the cybersecurity intelligence analyst contacted an individual he knew at the U.S. Postal Inspection Service. He told the individual that there had been a threat to the bank and potential criminal activity, and asked him to find out what he could about the origin of the whistleblower's letters. The USPIS employee went about identifying the post office and viewing videos to try to determine the whistleblower's identity.

In January 2017, a third anonymous letter revealed the CEO's efforts to identify the whistleblower. The upshot was DFS's imposition of the $15 million fine, and an order requiring training for all board members on whistleblower law, and requiring the bank to identify to DFS all whistleblower complaints for the prior two years and the following two years. See In re Barclays Bank PLC et al., Consent Order under New York Banking Law §30 and 44 (Dec. 18, 2018).


Conclusion

Compliance professionals are under tremendous pressure to respond effectively to very close regulatory scrutiny and to protect the institutions they serve. It is critically important for these individuals, and the businesses that employ them, to behave in a manner that reflects the ethical and legal standards that they are duty bound to uphold. Failing to do so can lead not only to a lack of sleep but also to significant monetary and reputational penalties.

Philip M. Berkowitz is a shareholder of Littler Mendelson and co-chair of the firm's U.S. international employment law and financial services practices.