Personal Liability for Compliance: Documentation – the Double-Edged Sword?

There’s an old saying that goes “if you don’t look back on life and grimace, you haven’t learned anything.”

I was reminded of it while sitting through a conference and listening to several experts discussing liability issues for compliance officers. “The more you write, the more there is to chew on,” said one as he described subpoenas that reach deep into your electronic communications.

It’s not just memos and emails either. Texts and IMs of compliance officers and others and even services such as Slack (often used by businesses’ internal teams) can be included in a subpoena.

And so yes, I grimaced.

I had been schooled that I should never write any letter that I would not want read in a courtroom in front of a judge and jury. But this session on personal liability of a compliance officer made me reflect on other forms of documentation too. How many times had I written up policy and training materials in a rush to meet a deadline? How often did I dash off an internal email? How often did I clarify issues verbally instead of in writing? How many long email conversations did I have with a group of colleagues that may have resulted in no one taking action on a matter?

Additionally, how many of my short, “funny” (to me) texts to colleagues, often heavy with irony and sarcasm, could be read out of context in court or by a regulator or inspector? As we all know, electronic communications live on forever. They never disappear, even years after you have moved on from an employer.

As compliance professionals, we’ve all heard the mantra “document, document, document” and we’ve all repeatedly been assured that it’s best policy. When I was a compliance professional I agreed with that – in fact I still do – and did my best to write clear memos to record my analyses of higher-risk clients or my findings in an internal suspicious activity review. But that’s where my scrupulousness in documenting ended.

Times have changed, however, and now our liability for compliance issues will depend on EVERYTHING we write and EVERYTHING that pertains to our job. And with so many investigations under way – and fines and penalties that are unimaginable at times – all forms of documentation can be double-edged swords when it comes to our personal liability as professionals. Very sharp swords, too.

Consider these:

Does your job description accurately reflect what you do? Your job description in your employment contract could be a lot more important than you think. If your responsibilities are too widely drafted, you could find yourself liable for the mistakes of others that you personally may never have known anything about. For example, does your job description contain wording such as “responsible for all aspects of compliance”? If so, and a colleague responsible for sanctions review and screening misses a name on their list, then you could be held personally liable if your organisation provides services to that sanctioned individual or approves transfers of funds. So make certain that your job description is up to date and relevant to you. It should limit the scope of your responsibilities to what you actually do and should specify the tools you use to do your job and your authority. And if you are a compliance manager, you should ensure accurate job descriptions for every member of your team.

Are your compliance procedures clear? Your customer due diligence onboarding and periodic monitoring procedures need to be both comprehensive and clearly written. Procedures should address every situation you have come across for your clients and for the type of products and services you provide. For new situations that fall outside those policies, ensure an adequate approval method signed off by senior management – and, if repeatable, include that situation in future revisions of procedures. However, there should not be too many “waivers” if a new customer falls outside written procedure. Too many waivers for compliance matters being approved could be viewed as skirting the rules.

Do you have clear disciplinary measures in place for policy breaches? Should any staff member fail to follow compliance procedures, you need to set out the disciplinary measures in place for non-compliance – and impose them. You also need to catalogue breaches and notify senior management and your Board of all breaches. This is a tough one to put in writing. Your best revenue earner could be your biggest culprit for non-compliance, so you need to know for certain that the disciplinary measures you set out will be supported by the Board.

When you request additional resources in order to do your job, are you often denied or ignored? Compliance is often regarded as one of those human-resource- and capital-consuming functions that few organizations want to keep throwing money at. It’s often easier for those having to write the checks to ignore the request for a new system or additional staff. But when you MUST have a resource in order to do your job effectively, follow a formalized process for requesting it in order to reduce your personal liability. Track when you requested the resource, to whom the request was made and the reason for requesting it. If promised, ensure timely delivery. If denied, press for a reason and document it. If there is delay or denial and no clear reason given, there is a danger that investigators might conclude that there is a reluctance to support compliance. That will be viewed unfavorably.

Do you have clear escalation procedures? If you’re not comfortable with a compliance-related situation, do you know whether escalation can reach the Board? Who has responsibility for the matter once you notify your manager? Do you know whether you’ll be told if an issue you escalated is being handled?

As more compliance professionals are held liable for non-compliance matters within their organisation, it is important that you protect yourself. But remember, your job is also to protect your colleagues and your organisation. Don’t use documentation as a way of passing blame. Use documentation responsibly and professionally.

Documentation, properly done, can help you quickly and effectively address compliance issues. Documentation, properly done, will ensure adequate Board/Senior Management oversight. Documentation, properly done, can protect your organisation from inadvertently facilitating criminal activity, breaching sanctions and from incurring large fines or penalties in the future. All of these objectives are a top priority for every compliance professional.


Kimberly Smith is co-founder of SILO Compliance System, an easy-to-use due diligence management and anti-money laundering solution used by corporate service providers, credit unions, banks, trust companies and other regulated businesses. She can be reached at