Proposed: Framework for CCO Liability
The New York City Bar Association has proposed a framework that the Securities & Exchange Commission should follow when deciding whether to charge a chief compliance officer for compliance failures at his or her firm.
The framework, announced to the world on Wednesday, addresses points such as when a CCO should be charged for “wholesale failures” of the compliance program, how to evaluate potential obstruction or complicity of a CCO in wrongful acts, and whether charging a CCO even helps the SEC to further its mission and regulatory goals. (Spoiler: the NYC Bar Association generally believes not.)
The framework also includes several mitigating factors that regulators should consider, such as whether structural or resource challenges hinder the CCO’s job performance, or whether the CCO voluntarily disclosed the misconduct in question and cooperated with investigations.
The proposal is most relevant to compliance officers working at financial services firms, although compliance officers from any industry will appreciate the points raised. And this framework is only a proposal — the SEC (and to a lesser extent FINRA, the regulator for broker-dealer firms) can do whatever it likes with these ideas, including nothing at all.
The NYC Bar Association has long been a critic of the SEC charging compliance officers. It published a report in February 2020 saying that CCO liability continues to be a concern in the profession, and called for more guidance about when a compliance officer’s conduct might place him or her in the regulatory crosshairs. That guidance hasn’t been forthcoming, so now the NYC Bar Association has followed up with its own proposal for a charging policy.
CCO Liability Factors
The proposed framework urges the SEC to start with a “general factor” — whether charging a CCO for compliance failures furthers the mission of the SEC at all.
“In many circumstances, we believe that CCO conduct charges will fail to advance the interests of protecting the capital markets and investors,” the NYC Bar Association says, which should surprise nobody. “One primary goal of enforcement is deterrence, but we believe that CCO conduct charges do not meaningfully deter CCOs from future inappropriate conduct… If anything, we believe that CCO conduct charges may potentially increase future securities law violations.”
How so? The NYC Bar Association offers two reasons. First, the mere threat of CCO liability will drive compliance officers out of the profession, because they don’t want that risk. Second, the threat of liability might also tempt CCOs to be less involved in business operations, when regulators want the opposite: CCOs deeply involved in business operations, so they’re in a better position to drive an ethical corporate culture.
Beyond that general factor, the framework lists numerous other questions that regulators should consider before charging a CCO.
For example, when considering whether to charge a compliance officer for “wholesale failures” of the compliance program (which generally means the compliance officer was negligent), prosecutors should ask themselves:
- Did the CCO not make a good faith effort to fulfill his or her responsibilities?
- Did the Wholesale Failure persist over time and/or did the CCO have multiple opportunities to cure the lapse?
- Did the Wholesale Failure relate to a discrete, specified obligation under the securities laws or the compliance program at the registrant?
- Did the SEC issue rules or guidance on point to the substantive area of compliance to which the Wholesale Failure relates?
The framework also proposed several more factors that regulators should consider when the accusation is that the compliance officer obstructed an SEC examination or investigation:
- Were the acts of obstruction or false statements repeated?
- Was the obstruction denied when confronted, or did the CCO not immediately reverse course and cooperate?
- Did the obstruction relate to a necessary or highly relevant part of the examination or investigation?
- Did evidence show other indicia of intent to deceive or disregard for cooperation with the SEC’s regulatory mission?
What About CCO Complicity in Fraud?
This one is more interesting. The NYC Bar was quick to give a resounding “CCOs who engage in securities fraud or other violations of the securities laws deserve to be punished, like any other violator” — but then hedged that statement just a bit.
Yes, the bar association said, if a compliance officer is specifically charged with committing fraud, then no further considerations are necessary. But…
If a CCO is charged in the context of performance of compliance duties, some may wonder whether the CCO simply joined the wrong firm and was too scared about his or her financial future to leave without another job lined up. While it is imperative for CCOs to evaluate a firm’s compliance culture before joining, and CCOs should try to leave firms that do not have strong compliance cultures, there are only so many jobs available at any one time; and it is largely impossible to accurately and comprehensively evaluate a compliance culture before joining a company.
Therefore, the bar association said, the SEC should demonstrate that the CCO’s conduct somehow “added value” to the fraud committed by the firm or the other persons charged.
I’m not quite sure how valid this point is. It reads more like the NYC Bar Association glossing over the rare but legitimate instances of compliance officers deliberately committing misconduct, to get back to the bar association’s main thesis that compliance officers shouldn’t be held liable for larger failures of conduct at their firms.
Mitigating Factors
And should regulators ever consider mitigating factors that might absolve a CCO of liability? Sure, the bar association said; and then it proposed three such factors:
- Did structural or resource challenges hinder the CCO’s performance?
- Did the CCO at issue voluntarily disclose and actively cooperate?
- Were policies and procedures proposed, enacted or implemented in good faith?
For example, if the CCO did draft strong policies and procedures, but senior management then ignored those policies or didn’t give the CCO adequate resources to put them into effect, the compliance officer shouldn’t be left holding the bag for that neglect since it’s not his or her fault. “Individual liability will not have the intended effect when imposed on CCOs who reasonably carried out their duties,” the framework says.
Of course, “reasonably” is the key word in that last sentence. Which does bring up an important point:
As a result, whether appropriate procedures existed and whether compliance with those procedures was monitored are highly relevant factors to be evaluated when attempting to distinguish between an unfortunate but good faith compliance failure and a failure resulting from culpable conduct.
That’s something to contemplate if you’re a compliance officer who’s over-worked, under-resourced, and wondering whether your struggling compliance efforts will ever explode into regulatory trouble for your firm. The above passage is the argument your defense lawyer would make to the SEC — so be sure that you have the “appropriate procedures existed” and “compliance with those procedures was monitored” parts locked down. If not, that’s on you.
So What Happens Next?
That remains unclear. The NYC Bar Association does have friends for the cause, including Republican SEC commissioner Hester Peirce and numerous other current or former SEC staffers. Plenty of people in the building do want compliance officers to understand that the commission views them as valuable allies, not potential enforcement targets.
Still, there’s also the reality that enforcement against compliance officers is a rare thing, and in the few cases we do see, the conduct of the compliance officers usually doesn’t do them any favors. So I wonder whether CCO liability will crack the SEC’s priority list, when the agency has so many other pressing issues that need attention right now.