Compliance Risk

Caught in the Middle

Even when innocent of wrongdoing, chief compliance officers face liability when their companies act unethically or illegally.
October 1, 2016 • 8 min read

In June 2015, SFX Financial Advisory and Management Enterprises, a subsidiary of Live Nation, fired Brian Ourand, the company’s president.

A few years earlier, Eugene Mason, chief compliance officer of SFX, suspected Ourand was stealing money from athletes who used the firm for investments and financial services. He promptly conducted an internal investigation and concluded that more than $650,000 was missing from three clients’ funds. Allegedly, one of them was former boxing champion Mike Tyson.

SFX reported the alleged theft to criminal authorities, and in December 2015, Ourand was arrested by the FBI. He is awaiting trial on the criminal charges.

In March 2016, Ourand was found guilty of embezzlement by an administrative law judge of the U.S. Securities and Exchange Commission, who fined him $671,000 and barred him from the securities industry.

Mason’s reward for his efforts? In June 2015, he was officially censured by the SEC.

“SFX’s compliance policies and procedures were not reasonably designed, and were not effectively implemented, to prevent the misappropriation of client funds,” the SEC concluded, fining Mason $25,000 and fining SFX $150,000.

That was not the first time — and it probably won’t be the last — that the SEC decided that a chief compliance officer’s inadequate policies and procedures were at least partly responsible for an organization’s unethical or criminal behavior — even though the CCO was not involved in the wrongdoing.

Many CCOs in the financial services industry are aware of the potential liability they face and are wary.

Compliance officers in other industries, however, may be unaware of this potential liability, and it may be only a matter of time for other federal regulators to consider targeting CCOs when misconduct occurs.

Some experts speculate that the Foreign Corrupt Practices Act and the False Claims Act are two laws that might ensnare compliance officers in their position between wrongdoing companies and aggressive enforcement agencies.

“There remains a high level of concern on the part of compliance officers,” said Richard D. Marshall, a partner at Katten Muchin Rosenman LLP. “I think this is spreading into other areas [than those in the SEC’s purview].

“Will this apply to a chief compliance officer at a cement company? It’s a different world. I think compliance there has a different meaning than in financial services,” he said.

But, health care may not be as far-fetched.

“If I would go out on a limb, I think health care [compliance officers have the potential to be targeted], mainly because of Medicare and Medicaid payments, and False Claims Act exposures,” said Jessica Flinn, senior vice president at Integro Insurance Brokers.

“Anything from a regulatory perspective where they can set their eyes on someone else, yes, I would be worried. … It’s a confluence of events that would make me nervous if I was a compliance officer,” she said.

As for the FCPA, Pat Harned, CEO of the nonprofit Ethics & Compliance Initiative, noted that the Department of Justice enacted a program to look at corporate ethics.

“I think there is every reason to think that the SEC won’t be the only agency to look at whether the ethics and compliance function is in place,” she said. “And if not, why not?”

The SEC’s action in the SFX Financial case and another involving BlackRock Advisors — where a CCO was fined $60,000 after a portfolio manager (who was not sanctioned) had a conflict of interest that the firm failed to disclose — prompted then-SEC Commissioner Daniel M. Gallagher to issue a statement criticizing the enforcement actions.

“Actions like these are undoubtedly sending a troubling message that CCOs should not take ownership of their firm’s compliance policies and procedures, lest they be held accountable for the conduct that … is the responsibility of the [financial] adviser itself,” he wrote in June 2015.

In the statement, Gallagher said the SEC was creating “perverse incentives … targeting compliance personnel who are willing to run into the fires that so often occur at regulated entities.”

“As it stands, the Commission seems to be cutting off the noses of CCOs to spite its face,” he said.

The National Society of Compliance Professionals is also troubled by the SEC’s second-guessing of compliance officers, “particularly where the obligation to execute those procedures rests with the business,” wrote Lisa D. Crossley, executive director of the society, to the SEC’s director of enforcement.

Compliance officers, she wrote, could be investigated and face “potentially career-altering liability for simple mistakes or errors of judgment which could somehow be connected to a primary violation committed by others.”

Mark Weintraub, vice president, insurance and claims counsel, Lockton, said, “I know a lot of CCOs in particular are really afraid of this, and that they are going to find themselves second-guessed.”

“I don’t think [the SEC is] truly looking to catch CCOs unaware or play gotcha with them,” he said. “They really only want them to do their jobs.

“Ideally, a compliance officer should have policies and procedures in place to prevent [theft or conflicts of interest] and that did not happen in those enforcement actions,” he said.

The SEC’s actions are based on its interpretation of a “failure to supervise,” which has been extended to include compliance officers, Marshall said.

“The theory is you weren’t trying hard enough to prevent [the wrongdoing],” he said. “It has created a lot of concern.

“Unfortunately,” said Marshall, “it seems every couple of years, there is some controversy about this.”

The disconnect occurs because CCOs usually do not have the authority to stop misconduct on their own. They rely on corporate leaders to enforce and fund compliance programs.

“It turns the whole system on its head,” Marshall said. “Compliance helps companies that are well-intentioned to do the right thing so we want to support them so they are more likely to do the right thing.

“If you just whack people when something doesn’t get prevented, what incentives are you creating? It’s discouraging good people from being compliance officers,” he said.

“The theory seems to be that compliance is some insurance policy guaranteeing that nothing ever goes wrong. Therefore, if something goes wrong, the compliance system is defective,” Marshall said.

“That’s ridiculous.”

“There’s no question,” said Harned of the Ethics & Compliance Initiative, “that it’s getting harder to recruit chief compliance officers. You see it more in some industries than in others. It’s true in financial services in particular … because of the personal liability.”

Putting protection in place can be challenging, Lockton’s Weintraub said.

“These aren’t classic D&O cases,” he said.

Wrongful acts are generally covered under D&O, but if the CCO was “taken to task for failure to write a policy [as opposed to an overt action], coverage would depend on the allegation. It can be tricky,” he said.

The other hurdle will be the investigatory phase. Typically, coverage is triggered when an individual is named as part of the allegations, and that tends to happen at the very end of the investigation, Weintraub said.

“You can be paying your own bills for a while until the insurance coverage is triggered and comes to bear,” he said.

If the compliance officer is not covered under the D&O policy, the E&O policy would generally cover them, said Michael Klaschka, managing principal, EPIC Brokers & Consultants.

“As to which policy would apply, it would really depend on the claim itself,” he said. “Is it a claim alleging a wrongful act arising from professional services or in an officer-type capacity such as a breach of fiduciary duty? Either way, you have to make sure the wording is drafted correctly.”

“I have definitely received phone calls from CCOs about this,” he said. “They want to know, ‘Am I covered? What should I be thinking about?’

“There are insurance products out there specifically for them but they usually require an underlying D&O or E&O contract. If the company has appropriate D&O or E&O cover, they should be fine. It’s just a question of whether the limits of liability are adequate.”

Even if a policy is triggered, fines and penalties are usually uninsurable. And criminal or fraudulent acts are generally excluded from coverage.

“If, in fact, they committed fraud, they will not be covered,” Klaschka said. “If someone else within the organization did, and the personal conduct exclusions in the D&O and E&O policy are crafted correctly, they will still have coverage.”

“If I were a CCO,” Weintraub said, “I would want more of a contract, an indemnity agreement, with the company to spell out what they would do for me to address this type of thing. If I am fined for whatever reason or there is a settlement, if possible I would want to make my employer pay it.

“Insurance is really the last line of defense. The first line is corporate indemnity. You want to drive things there,” he said.

Marshall said a compliance officer, who “was trying to do the right thing,” was sued last year after a person at his company committed wrongdoing, but there was no indemnification because the company went bankrupt and the individual possessed limited funds for his own defense.

“He ended up settling on very unfavorable terms. It was a very sad thing,” he said.

Best practices for policies and procedures are important, but consistent training and guidance are equally important, Klaschka said.

“You could have the best practice in the world; it’s making sure they are followed,” he said. “It’s like having a privacy policy on a website, everybody has access but are they following it? Are they reading it?”

CCOs should review the organizational reporting structure to better protect themselves, he said.

“The key is making sure there is a direct line to the board,” Klaschka said. “If the board is unwilling to make those decisions, they should leave the firm.”

“Unfortunately,” said Integro’s Flinn, “many organizations don’t become proactive until there is an incident. The barn has to be burning until they spend the money. That’s a problem for many CCOs.”

Anne Freedman is managing editor of Risk & Insurance.

More from Risk & Insurance

Risk Report: Hospitality

Bridging the Protection Gap

When travelers stay home, hospitality companies recoup lost income through customized, data-defined policies.
October 12, 2017 • 9 min read

In the wake of a hurricane, earthquake, pandemic, terror attack, or any event that causes carnage on a grand scale, affected areas usually are subject to a large “protection gap” – the difference between insured loss and total economic loss. Depending on the type of damage, the gap can be enormous, leaving companies and communities scrambling to obtain the funds needed for a quick recovery.

RMS estimates that Hurricane Harvey’s rampage through Texas could cause as much as $90 billion in total economic damage. The modeling firm also stated that “[National Flood Insurance Program] penetration rates are as low as 20 percent in the Houston area, and thus most of the losses will be uninsured.”

In addition to uninsured losses from physical damage, many businesses in unaffected surrounding areas will suffer non-physical contingent business interruption losses. The hospitality industry is particularly susceptible to this exposure, and its losses often fall into the protection gap.

Natural catastrophes and other major events that compromise travelers’ safety have prolonged impacts on tourism and hospitality. Even if they suffer no physical damage, any hotel or resort will lose business as travelers avoid the area.

“The hospitality industry is reliant on people moving freely. If people don’t feel safe, they won’t travel. And that cuts off the lifeblood of the industry,” said Christian Ryan, U.S. Hospitality and Gaming Practice Leader, Marsh.

“People are going away from the devastation, not toward it,” said Evan Glassman, president and CEO, New Paradigm Underwriters.

Drops in revenue resulting from decreased occupancy and average daily room rate can sometimes be difficult to trace back to a major event when a hotel suffered no physical harm. Traditional business interruption policies require physical damage as a coverage condition. Even contingent business interruption coverages might only kick in if a hotel’s direct suppliers were taken offline by physical damage.

If everyone remains untouched and intact, though, it’s near impossible to demonstrate how much of a business downturn was caused by the hurricane three states away.

“Hospitality companies are concerned that their traditional insurance policies only cover business interruption resulting from physical damage,” said Bob Nusslein, head of Innovative Risk Solutions for the Americas, Swiss Re Corporate Solutions.

“These companies have large uninsured exposure from events which do not cause physical damage to their assets, yet result in reduced income.”

Power of Parametrics

Parametric insurance is designed specifically to bridge the protection gap and address historically uninsured or underinsured risks.

Parametric coverage is defined and triggered by the characteristics of an event, rather than characteristics of the loss. Triggers are custom-built based on an insured’s unique location and exposures, as well as their budget and risk tolerance.

“Triggers typically include a combination of the occurrence of a given event and a reduction in occupancy rates or RevPAR for the specific hotel assets,” Nusslein said. Sometimes, though, the parameters of an event — like measures of storm intensity — are enough to trigger a payout on their own.

For hurricane coverage, for example, one policy trigger might be the designation of a Category 3-5 storm within a 100-mile radius of the location. Another trigger might be a 20 percent drop in RevPAR, or revenue per available room. If both parameters are met, a pre-determined payout amount would be administered. No investigations or claims adjustment necessary.

The same type of coverage could apply in less severe situations where traditional insurance just doesn’t respond. Event or entertainment companies, for example, often operate at the whim of Mother Nature. While they may not be forced to cancel a production due to inclement weather, they will nevertheless take a hit to the bottom line if fewer patrons show up.

Christian Phillips, focus group leader for Beazley’s Weatherguard parametric products, said that as little as a quarter- to a half-inch of rain over a four- to five-hour period is enough to prevent people from coming to an event, or to leave early.

“That’s a persistent rainfall that will wear down people’s patience,” he said.

“A rule of thumb for parametric weather coverage, if you’re looking to protect loss of revenue when your event has not actually been cancelled, you will probably lose up to 20 to 30 percent of your revenue in bad weather. That depends on the client and the type of event, but that’s the standard we’ve realized from historical claims data.”

The industry is now drawing on data to establish these rules of thumb for more serious losses sustained by hospitality companies after major events.

“Until recently the insurance industry has not created products to address these non-physical damage business interruption exposures. The industry is now collaborating with big data companies to access data, which in turn, allows us to structure new products,” Nusslein said.

Data-Driven Triggers

Insurers source data from weather organizations that track temperature, rainfall, wind speeds and snowfall, among other perils, by the hour and sometimes by the minute. Parametric triggers are determined based on historical storm data, which indicates how likely a given location is to be hit.

“We try to get a minimum of 30 years of hourly data for those perils for a given location,” Phillips said.

“Global weather is changing, though, so we focus particularly on the last five to 10 years. From that we can build a policy that fits the exposure that we see in the data, and we use the data to price it correctly.”

New Paradigm Underwriters collects its own wind speed data via a network of anemometers that stretches from Corpus Christi, Texas, all the way to Massachusetts, and works with modeling firms like RMS to gather additional underwriting information.

While severe weather is the most common event of concern, parametric cover can also apply to terrorism and pandemic risks.

“We offer a terror attack quote on every one of our event policies because everyone asks for it,” said Beazley’s Phillips.

“We didn’t do it 10 years ago, but that’s the world we live in today.”

An attack could lead to civil unrest, fire or any number of things outside an insured’s control. It would likely disrupt travel over a wide geographic region.

“A terrorist event could cause wide area devastation and loss of attraction, which results in lost income for hospitality companies,” Nusslein said.

Disease outbreaks also dampen travel and tourism. Zika, which was most common in South America and the Caribbean, still prevented people from traveling to south Florida.

“Occupancy went down significantly in that region,” Marsh’s Ryan said.

“If there is a pandemic across the U.S., a parametric coverage would make sense. All travel within and inbound to the U.S. would go down, and parametric policies could protect hotel revenues in non-impacted areas. Official statements from the CDC such as evacuation orders or warnings could qualify as a trigger.”

Less data exists around terror attacks and pandemics than for weather, though hotels are taking steps to collect information around their exposure.

“It’s hard to quantify how an infectious disease outbreak will impact business, but we and clients are using big data to track travel patterns,” Ryan said.

Hospitality Metrics

Any data collected has to be verified, or “cleaned.”

“We only deal with entities that will clean the data so we know the historical data we’re getting is accurate,” Phillips said.

“There are mountains of data out there, but it’s unusable if it’s not clean.”

Parametric underwriters also tap into the insured’s historical data around occupancy and room rates to estimate the losses it may suffer from decreased revenue.

“The hospitality industry uses two key metrics to measure loss of business income. These include occupancy rate and revenue per available room, or RevPAR. These are the traditional measurements of business health,” Swiss Re’s Nusslein said. RevPAR is calculated by multiplying a hotel’s average daily room rate (ADR) by its occupancy rate.

“The hotel industry has been contributing its data on occupancy, RevPAR, room supply and demand, and historical data on geographical and seasonal trends to independent data aggregators for many years. It has done an exceptional job of aggregating business data to measure performance downturns from routine economic fluctuations and from major ‘Black Swan’ events, like the 9/11 terrorist attacks, the 2008 financial crisis or the 2009 SARS epidemic.”

Claims history can also provide an understanding of how much revenue a hotel or an event company has lost in the past due to any type of business interruption. Business performance metrics combined with claims data determine an appropriate payout amount.

Like coverage triggers, payouts from parametric policies are specifically defined and pre-determined based on data and statistical evidence.

This is the key benefit of parametric coverage: triggers are hit, payment is made. With minimal or no adjustment process, claims are paid quickly, enabling insureds to begin recovery immediately.

Applying Parametric Payments

For hotels with no physical damage, but significant drops in occupancy and revenue, funds from a parametric policy can help bridge the income gap until business picks up again, covering expenses related to regular maintenance, utilities and marketing.

Because payment is not tied to a specific type or level of loss, it can be applied wherever insureds need it, so long as it doesn’t advance them to a better financial position than they enjoyed prior to the loss.

Parametric policies can be designed to fill in where an insured has not yet met their deductible on a separate traditional policy. Or it could function as excess coverage. Or it could cover exposures excluded by other policies, or for which there is no insurance option at all. Completely bespoke, parametric coverages are a function of each client’s individual exposures, risk tolerance and budget.

“Parametric insurance enables underwriting of risks that are outside tolerance levels from a traditional standpoint,” NPU’s Glassman said.

The non-physical business interruption risks faced by the hospitality industry match that description pretty closely.

“Hotels are a good fit for parametric insurance because they have a guaranteed loss from a business income standpoint when there is a major storm coming,” Glassman said.

While only a handful of carriers currently offer a form of parametric coverage, the abundance of available data and advancement in data collection and analytical tools will likely fuel its popularity.

Companies can maximize the benefits of parametric coverages by building them as supplements to traditional business interruption or event cancellation policies. Both New Paradigm Underwriters and Beazley either work with other property insurers or create hybrid products in-house to combine the best of both worlds and assemble a comprehensive risk transfer solution.

Katie Siegel is an associate editor at Risk & Insurance®.