The New York City Bar Association released a report on Tuesday warning that compliance officer liability continues to be a worrisome part of regulatory enforcement, and called for more guidance about when a compliance officer’s conduct can leave him or her in regulators’ crosshairs.
The report focused on compliance officers working in financial services firms, although compliance officers from any industry will appreciate the points raised. Its chief complaint is that compliance officers fear growing personal liability for failures of their firm’s compliance program, when those failures might be more due to insufficient budgets, weakly structured compliance roles, or management that just doesn’t care much about the importance of a strong compliance function.
The report also complained that enforcement actions against compliance officers suffer from hindsight bias. That is, compliance officers are supposed to implement programs “reasonably designed” to prevent violations, but you can’t really assess the quality of that effort until a violation has actually happened — which creates the risk that what seemed reasonable at the time will look unreasonable after something has gone wrong.
So how should regulators ease those liability fears? The report urged four steps:
- Draft formal guidance to explain the circumstances when a compliance officer might be subject to personal liability;
- Offer greater detail in enforcement actions, risk alerts, speeches, or other informal guidance about why regulators did or didn’t bring enforcement actions against compliance officers in certain cases;
- Create new channels of communication between compliance officers and regulators, such as industry roundtables or dedicated contacts within agencies where a compliance officer could call with questions;
- Establish a standing advisory committee to meet with regulators and talk about compliance issues, including liability.
Will any of these recommendations see real action? I don’t know, but they’re all good ideas that should resonate with regulatory leaders — who repeatedly stress that they see compliance officers as valuable allies. The report has the feel of something that might get submitted as a formal petition for rulemaking or picked up as a pet cause by an SEC commissioner.
The report also has the support of several private equity and financial industry lobbyists, such as the Association for Corporate Growth and SIFMA, the Securities Industry and Financial Markets Association. Those groups do know how to push a policy agenda. So stay tuned.
Boundaries of Compliance Officer Liability
Compliance officer liability is a tricky thing. First, for ethics and compliance officers who don’t work in financial services, the enforcement threat is minuscule — like, I can’t recall a single instance of a compliance officer suffering an enforcement action unless he or she was implicated in the wrongdoing. For example, the former CCO of Alstom, Jean-Daniel Lainé, was among several executives charged with corruption by British authorities in the mid-2010s. He was acquitted at trial in 2018.
For compliance officers at hedge funds, registered investment advisers, banks, and other financial services firms, things are more complicated. They can theoretically face liability under the Investment Companies Act or the Bank Secrecy Act for failing to implement an effective compliance program; and continued pressure from regulators for those firms to “do better” at compliance is translating into fears of personal risk for compliance officers.
For example, in the state of New York, compliance officers need to certify the effectiveness of their anti-money laundering, cybersecurity, or cryptocurrency programs. As the NYC Bar Association report said:
“Regulators increasingly dictate the responsibilities of compliance personnel, increasing risks to those that serve in these roles in the event of compliance failures. These heightened regulatory requirements not only stretch limited compliance resources, but focus enforcement attention onto particular individuals, often those serving in the compliance function.”
That’s a fair point. Regulators keep raising their expectations for good compliance, and keep stressing the desire to hold individuals accountable for corporate misconduct — but they aren’t providing more guidance about what creates personal liability for compliance officers. So even if the true risk of liability remains low (and I’m not sure that it is), the perception of that risk is going up.
The report also explored structural obstacles that compliance officers might face. For example, you might be the “chief compliance officer” in title, but have actual authority over only one part of the enterprise. Or you might be excluded from the senior management team, and not know about new business projects that will affect your program. Or you might not get the budget you need for the risks your firm has.
The real question here is how much liability compliance officers should face when they lack the ability to build the compliance program that they want and that regulators expect.
That’s a point even compliance officers outside financial services can appreciate, because they face it too: the company won’t dedicate the resources necessary for a good compliance program, and then everyone gives you the side eye when the compliance program fails.
Don’t Go Overboard
My one beef about this report is that it doesn’t provide many examples of compliance officers who got a raw deal from regulators. It does have numerous examples that demonstrate the potential for personal liability gone wild — but in many of those cases, the actual facts don’t paint a picture of injustice.
For example, the report cites an SEC enforcement action against the chief compliance officer of BlackRock Advisers, except that CCO didn’t act upon a clear conflict of interest with one of the firm’s portfolio managers. In another instance, the report cites an enforcement action against the compliance officer of a broker-dealer firm who had failed to file suspicious activity reports, when others had brought red flags about the firm specifically to his attention.
“Despite such facts regarding the alleged misconduct being expressed in the settlement orders,” the report said, “these actions nonetheless raise important questions regarding the principle of holding individual compliance officers liable for the firm’s failure to meet regulatory requirements.”
Well, yes they do raise important questions about the principle. It would just be nice to find examples that weren’t so factually uncomfortable. Sometimes compliance officers actually do, ya know, screw up and deserve punishment.
Likewise, the report also said this:
“In annual surveys conducted over the last three years, DLA Piper found that 74 percent of CCOs surveyed were ‘at least somewhat concerned’ regarding their personal liability. Respondents from another survey contend that this risk is expected to increase in the coming years. In DLA Piper’s 2016 survey, two-thirds of respondent CCOs indicated they would think more carefully about future roles they might consider given the risk of personal liability.”
That’s not necessarily a bad thing. People should feel at least some personal liability for doing their job well; otherwise they’ll have no incentive to pay attention. They also should think about future roles, and strive to work only for firms that give them the resources to succeed.