If you’re in Compliance, you know the crucial role that the Chief Compliance Officer plays in helping to maintain integrity in the securities industry and preventing violations. CCOs’ jobs are challenging enough given the wide range of obstacles they face day to day without having to routinely worry about whether simply carrying out their responsibilities will subject them to personal liability.
It’s to the benefit of everyone – compliance professionals, their firms, the investing public, and the regulators – to minimize concerns and clarify expectations around CCO liability.
Personal liability is a rising concern for compliance officers
Regulators recognize that CCOs and other compliance professionals play a key role in advancing their goal of facilitating best practices throughout the industry that emphasize following the rules and serving investors’ interests, and have acknowledged that the historic ambiguity surrounding CCO liability is troublesome. For example, SEC Commissioner Hester Peirce has been vocal in her concerns about the ambiguity, calling for frameworks “detailing which circumstances will cause the Commission to seek personal liability and which circumstances will militate against seeking personal liability”. She has noted that such frameworks would help the compliance community by eliminating uncertainty and inspiring good practices. And many throughout the industry have noted that ongoing concerns about potential CCO liability can undermine the very goal that strong compliance programs overseen by highly qualified professionals are meant to achieve: fear of personal liability can discourage qualified individuals from pursuing careers in compliance, or lead those already in compliance roles to seek a career change rather than living with ongoing worry about whether their efforts will put them at professional, financial, and/or reputational risk. Indeed, a report by the National Society of Compliance Professionals (NSCP) notes that 72% of compliance professionals are concerned that regulators have expanded the role of compliance officers and the scope of their responsibilities in imposing personal liability, and further opines that this concern can lead to unintended consequences, including more regulatory violations if qualified professionals choose to leave the profession.
During the webinar Minimizing the Risk of CCO Liability, I polled a group of compliance professionals to see how many felt that they could potentially be deemed a supervisor. 76% of respondents expressed concern that they could.
FINRA Regulatory Notice 22-10
Regulatory Notice 22-10, recently issued by the Financial Industry Regulatory Authority (FINRA), should help ease CCOs’ minds to some extent. Referring to the specific supervisory obligations that FINRA Rule 3110 (Supervision) imposes on member firms, the Notice emphasizes that responsibility for satisfying these obligations belongs to the firm’s business management and not its CCO or other compliance staff. The Notice acknowledges that a CCO’s role is advisory in nature and is not in itself viewed as a supervisory function. FINRA unequivocally states that an action for failure to supervise will not be brought against a CCO unless the CCO has failed to reasonably carry out supervisory responsibilities conferred upon them by the firm. Indeed, FINRA’s perspective in this regard is supported by the small number of cases historically brought against CCOs for supervisory failures. As cited in the Notice, during the period 2018-2021, just 28 of the 440 enforcement actions involving failure to supervise under Rule 3110 included charges against a CCO, and of those only 10 involved charges against a CCO who was not also the CEO or president of the firm.
None of the above is meant to imply that CCOs can let their guard down or pursue their roles on the assumption that they are free from potential exposure. Rather, it underscores the need to ensure that the CCO’s role and the supervisory framework within their firms are clearly constructed to distinguish between compliance and supervision and facilitate the CCO’s ability to carry out the role without letting fear of potential liability get in the way.
To this end, various professional organizations have developed frameworks that address these concerns by providing guidance on determining if a CCO can be held personally liable for misconduct that their firm’s compliance program should have detected and remediated.
CCO Frameworks to Assess Liability
The New York Bar Association (NYBA) released a broad framework that assesses CCO liability by evaluating 12 mitigating factors and three affirmative factors. Mitigating factors include asking questions about the scope, timing, intent and impact of the violation along with the CCO’s willingness to cooperate with regulators. Affirmative factors ask if the charge helps to fulfill the SEC’s regulatory goals, if the CCO made a good faith effort to fulfill responsibilities and if there was a wholesale failure that relates to a fundamental aspect of the firm’s compliance program.
The National Society of Compliance Professionals’ (NSCP) framework builds on the NYBA’s by focusing on the context of how a firm’s compliance program fits into the overall governance structure of the firm. The framework asks questions considering the extent of the CCO’s responsibility, ability, or authority, senior management support and involvement, firm policies and procedures, and data and resources available to the CCO. The framework was updated in February of 2023 to incorporate feedback from both industry leaders and regulators, with a particular emphasis on the following points:
- Compliance is ultimately the responsibility of the firm.
- CCOs working in the compliance capacity are not supervisors of business functions within the firm.
- It may be appropriate not to charge a CCO with a violation if the CCO acted reasonably in spite of the infraction.
The concept of the Empowered CCO is also something that you’re all familiar with, and a crucial factor in managing the risk of CCO liability. Chief Compliance Officers need to be considered senior management, with appropriate independence and the authority to report directly to the CEO and, as applicable, the Compliance Committee. They need to have a seat at the table from the very beginning, and be part of business strategy discussions and product and services considerations throughout the entire process. I’ve been asked by CCOs if lacking authority in their role will help mitigate personal exposure, but actually the opposite is true. Regulators expect that as Chief Compliance Officer you have the power to monitor activity and call out the consequences. You should have the ability to influence the “tone at the top,” with a relationship with senior management sufficient to drive the compliance culture.
Don’t cross the supervisory line
While it’s critical that as a CCO you’re empowered and a member of the firm’s executive team, it’s equally critical that you don’t cross the line into supervision. The role of compliance should be to monitor and advise—and never to make business, operational or hiring decisions in areas outside of compliance.
Where is the line between compliance and supervision? To start understanding where that line lies in your firm, think about your day-to-day activities. Do the firm’s written supervisory procedures identify you as the individual responsible for overseeing any business, persons or activities (other than compliance staff)? Do you have the ability to hire, reward or punish any of those persons? Do you have authority and responsibility such that you could directly have prevented a violation from continuing? If you can answer yes to any of these questions, then you are at risk of being deemed a supervisor by regulators.
How can a CCO minimize exposure?
As a compliance officer, stick to monitoring, reviewing and advising, and do not take any employment action—or any direct action—with respect to non-compliance roles. Make sure that your firm has clear and well-written policies and procedures that clearly assign supervisory responsibilities to the lines of business. A well-documented escalation process should be in place as well. Keep management informed by holding meetings at least quarterly and providing regular and ad hoc reporting for review. If you’re participating on internal committees, make sure that your role is advisory and non-voting in nature.
What if you’re in a dual role?
In smaller firms, many Chief Compliance Officers are also responsible for duties across multiple functions throughout the organization. It can be a challenge to keep compliance responsibilities distinct from other responsibilities. If you’re wearing multiple hats, you need to have documented processes in place that help effectively distinguish your compliance role from your non-compliance role. Clear and defined policies and procedures can go a long way in reducing your risk of exposure. There will be times when there is a conflict between your duties as the firm’s CCO and your other responsibilities. In those situations you should try your best to recuse yourself from the situation. Given the size and nature of your firm, this may not always be possible. But keeping the potential conflicts in mind and doing your best to mitigate them will go a long way in minimizing your personal exposure.
For more insight on reducing exposure in the Chief Compliance Officer Role, watch the on-demand webinar Minimizing the Risk of CCO Liability.
Scott Noah has more than 35 years’ experience serving in senior legal and compliance roles in the financial services industry. He is currently Of Counsel at Stevens & Lee, a full-service law firm representing clients across the country. In this role, Mr. Noah provides legal and compliance advice to a broad range of financial institutions, with an emphasis on the investment advisory and broker-dealer arenas. Mr. Noah also serves as Chief Compliance Officer of Griffin Financial Group, Stevens & Lee’s broker-dealer affiliate.
Want to see firsthand how MyComplianceOffice can help you ensure and prove compliance? Contact us today for a demo.