Is Compliance Failure A Crime? Lessons From The Efcc's Prosecution Of Orbby Vanessa Agwuncha

INTRODUCTION

The arraignment of Orbby Vanessa Agwuncha before the Federal High Court by the Economic and Financial Crimes Commission (EFCC) has triggered a wave of questions within Nigeria's compliance, regulatory, and legal communities. According to public statements, the defendant was charged with allegedly failing to appoint a “compliance desk officer” and failing to develop programmes to prevent money laundering and other unlawful financial activities. The EFCC described her as the “Compliance Officer” of the business, trading as Bill Interserve Global, which it classified as a Designated Non Financial Business and Profession (DNFBP).

A compliance officer is a professional appointed within an organization to ensure that business operations comply with applicable laws, regulations, and internal policies. A compliance Desk officer on the other hand is a terminology introduced by theEFCC's allegation which does not appear in either the Act or the Regulations. It is possible that the term refers to a junior-level compliance employee supporting the Compliance Officer, as sometimes occurs in larger organisations.

However, this interpretation remains speculative and is ultimately for the court to determine. For legal analysis, the statutory obligation remains the appointment of a management-level Compliance Officer. The introduction of a non-statutory job title, therefore, raises important questions about how the court will interpret what the law actually requires and whether the alleged omission corresponds to any actionable statutory or regulatory duty.

This situation raises several doctrinally significant questions. The case is now before a court, and no assumptions can be made about what facts will ultimately be proven. However, even without reaching conclusions on the merits, the arraignment provides an important opportunity to examine the statutory framework governing DNFBPs, the nature of preventive Anti-Money Laundering (AML) obligations, and the legal principles that determine when individual liability may arise from organisational non-compliance. The central issues illuminated by this case include:

1. how DNFBP status is established under Nigerian law;
2. what preventive AML obligations arise from that status; and
3. under what circumstances individual liability (particularly that of a compliance officer) may be appropriate for organisational non-compliance.

The compliance obligations in issue arise under the Money Laundering (Prevention and Prohibition) Act 2022 (“MLPPA”) and the EFCC/SCUML AML/CFT/CPF Regulations 2024 (“the Regulations”), which establish the statutory and regulatory standards applicable to Designated Non-Financial Businesses and Professions, subject to judicial determination of the facts.

DNFBP STATUS: THE STATUTORY PREREQUISITE FOR AML OBLIGATIONS

Under Section 30 of the Act, a DNFBP includes specific businesses and professions such as dealers in luxury goods, real estate agents, consultants, legal practitioners, accountants, and other high-risk sectors. This statutory classification matters because DNFBP status is what triggers the preventive AML/CFT obligations imposed by Sections 9, 10, 11 and 14 of the Act. These obligations do not arise automatically for every business operating in Nigeria; they arise only when a business falls within one of the categories expressly listed in the Act or when it has been lawfully designated under the Act's expansionary provisions. Thus, a core legal prerequisite for any prosecution based on DNFBP non-compliance is demonstrating that the business in question was, in fact, a DNFBP at the material time.

UNDERSTANDING DNFBP AML OBLIGATIONS UNDERTHE LAW

AML Obligations under the Act:

Once DNFBP status is established, the Act imposes certain mandatory organisational duties. Two of which are directly relevant to the charges reported by the EFCC:

1. Development of AML/CFT/CPF Programmes: Section 10(1) of the Act requires DNFBPs to establish internal policies, controls, procedures, customer due diligence measures, record-keeping systems, and internal audit and risk-management structures. These are organisational responsibilities that must be implemented at the institutional level. They form the backbone of the preventive framework and cannot be executed by an individual employee without the appropriate corporate authorisation, resources, and governance structures to support them.
2. Appointment of a Management-Level Compliance Officer: Section 10(1)(a) also requires DNFBPs to designate “compliance officers at management level at its headquarters and at every branch or local office.” This statutory language means that a single management-level Compliance Officer(CO) is sufficient where the DNFBP operates only from its headquarters without branches. The Act does not define or require any position titled “compliance desk officer,” and there is presently no statutory or regulatory text that uses this terminology.

How the Regulations Complement the Act:

The Regulations build on the Act by providing structural and operational expectations for DNFBPs. Regulation 9(2)(d) requires DNFBPs to establish compliance management arrangements, including the appointment of a management-level Compliance Officer. Regulation 9(4) then provides that DNFBPs must put in place a structure that ensures the operational independence of the Chief Compliance Officer (CCO) and other Compliance Officers(COs).

These Regulations do not expand the statutory obligation to appoint personnel beyond what the Act already requires. Rather, they elaborate on the structural and independence requirements necessary to ensure that the Compliance Officer performs effectively. As subsidiary legislation, the Regulations cannot impose obligations that exceed the scope of the parent Act. Harmonising the Act and the Regulations, therefore, requires interpreting the Regulations as reinforcing the governance structure around the statutory role, not multiplying the number of statutorily required compliance personnel.

THE CORE LEGAL CHALLENGE: CAN ORGANISATIONAL NON-COMPLIANCE CREATE INDIVIDUAL CRIMINAL LIABILITY?

The duties alleged in the charge, failure to develop AML programmes and failure to appoint a designated officer, are foundational organisational duties. They rest primarily with the company as a legal person, its board of directors, and senior management. Compliance Officers are appointed to implement systems that must already exist at the organisational level. The question, therefore, arises: under what circumstances can an individual officer or employee become criminally liable for organisational omissions of this kind?

Liability of Officers, Directors, Managers and Employees

Section 19 of the Act provides that where a body corporate violates a requirement under the Act, its directors, officers, or employees may be liable where they have acted negligently, in bad faith, or have participated in, connived at, or facilitated the breach. Importantly, Section 22 of the Act complements this by establishing that where an offence committed by a body corporate is attributable to the instigation, connivance, or neglect of a director, manager, secretary, or similar officer or anyone purporting to act in such a capacity that individual may also be guilty of the offence. These provisions signal that individual liability is possible, but only where there is a demonstrable causal connection between the individual's conduct and the corporate breach.

Neither Section 19 nor Section 22 automatically transfers liability from the company to an employee simply because the employee holds a particular job title, including that of Compliance Officer. Instead, the prosecution must show that the individual's acts or omissions contributed to the breach in a manner contemplated by the statute. In the present case, this means the court will need to determine whether the defendant was actually a management-level Compliance Officer, a junior employee, or someone whose responsibilities included establishing or facilitating AML compliance structures. It must also consider whether any necessary factual link exists between her role and the alleged organisational omissions.

Administrative Versus Criminal Enforcement

The Regulations create an extensive administrative enforcement framework for DNFBPs, including warning letters, corrective directives, monetary penalties, enhanced monitoring, and ultimately suspension or revocation of licences. The Third Schedule explicitly sets out penalties for failures such as not implementing Section 10 obligations. These penalties range from ₦1,000,000 to ₦2,000,000 depending on the type of entity, and the Schedule further provides that criminal prosecution applies only in “aggravated circumstances”.

This distinction is crucial. It raises the question whether the EFCC sought to utilise the administrative penalty regime before resorting to criminal prosecution or whether it interpreted the situation as constituting “aggravated circumstances.” As the full facts surrounding the case are not publicly available, these questions are left for judicial interpretation.

IMPLICATIONS AND LESSONS FOR COMPLIANCE OFFICERS

Whatever the court ultimately decides, this case highlights several important considerations for organisations and compliance officers:

1. First, it underscores the need for clarity regarding statutory obligations. Organisations must fully understand the difference between the minimum obligations created by the Act, the structural expectations articulated by the Regulations, and internal governance arrangements adopted voluntarily. A failure to appreciate these distinctions may expose the organisation to unintended regulatory consequences.
2. Second, it highlights the importance of properly documenting the appointment of a Compliance Officer. Appointments should be formal, clearly communicated within the organisation, and accompanied by the necessary governance structures to enable the Compliance Officer to perform effectively. Informal or poorly documented appointments create ambiguity that may complicate legal accountability.
3. Third, the case emphasises the need to ensure that the Compliance Officer's independence, access to senior management, and authority are not merely theoretical but supported by the organisation's governance framework. Compliance is not a nominal function; it requires resources, authority, and institutional backing.
4. Finally, the case serves as a reminder that personal liability is a real possibility where individuals knowingly ignore statutory obligations, fail to escalate issues, or participate in or facilitate breaches of the Act. Compliance Officers should therefore ensure they maintain clear documentation of their advice, escalations, and efforts to secure organisational compliance.

CONCLUSION

The prosecution of Orbby Vanessa Agwuncha has surfaced significant questions regarding the classification of DNFBPs, the scope of preventive obligations under the Act, and the circumstances under which individual criminal liability may arise. Without anticipating the court's findings, the case highlights the need for a balanced approach that distinguishes organisational responsibility from individual accountability, and administrative lapses from criminal conduct.

At its core, the unresolved question is fundamental: When does compliance failure stop being an administrative lapse and become a crime? The court's eventual answer will have far-reaching implications for DNFBPs, compliance officers, regulators, and the evolution of AML enforcement in Nigeria.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.