Another CCO Liability Proposal

The National Society of Compliance Professionals, which represents compliance officers specifically in the financial services world, has released a proposed framework to help regulators understand the threat of chief compliance officer liability and when such liability is or isn’t warranted for a compliance failure.

The NSCP released its framework on Monday: a series of nine questions that regulators could ask themselves about a specific case, where every “yes” answer would lean more and more toward not holding the CCO personally liable for the compliance failure at issue. 

The framework also called for financial firms to empower their CCOs “with the full responsibility, ability and authority” to develop, implement, and enforce compliance policies; and it included some survey statistics to show that as much as regulators say holding compliance officers personally responsible for larger firm compliance failures isn’t a thing, compliance officers themselves don’t believe those promises. 

“While securities regulators have expressed support for CCO empowerment and the enhancement of compliance resources, NSCP surveys demonstrate that significant practical concerns still exist,” the group said in its framework. To address the issue of CCO liability more effectively, the NSCP went on to say, “it is necessary to focus on the larger context of the compliance function within firms and to do so earlier in regulatory reviews, whether during examinations or enforcement investigations.”

If all this talk about CCO liability sounds familiar, that’s because the New York City Bar Association proposed its own framework for CCO liability last summer, and others have talked about the issue for more than a decade.

The usual line of argument is that even the mere threat of CCO liability drives good compliance officers away from the profession (why take the risk?), and those who remain are even less likely to be involved with business operations, when regulators should want the opposite: CCOs deeply involved in business operations, so they’re in a better position to drive an ethical corporate culture.

The usual rebuttal is that even with the higher standards of liability that compliance officers at financial firms face under the Investment Companies Act, enforcement against compliance officers is still a rare thing. In almost all instances, the compliance officer was either (a) involved in the misconduct; or (b) grossly negligent in his or her duties. 

NSCP’s CCO Liability Questions

Anyway, we have nine questions from the NSCP that it wants regulators to consider when a compliance failure has occurred. They are:

  • Did the CCO have nominal rather than actual responsibility, ability, or authority to affect the violative conduct?
  • Was there insufficient support from firm leadership to compliance, including, for example, insufficient resources, for the CCO to affect the violative conduct?
  • Did the CCO escalate the issue or violative conduct to firm management through a risk assessment, annual review, CEO certification meeting/report, or otherwise?
  • Did firm management fail to respond appropriately after becoming aware of the issue (through the CCO or otherwise)?
  • If the firm made misstatements or omitted material information, did the CCO have nominal rather than actual responsibility, ability, or authority for reviewing or verifying that information?
  • Was firm leadership provided the opportunity to review and accept the policies and procedures?
  • Did the CCO consult with legal counsel (in-house or external) and/or securities compliance consultants and adhere to the advice provided?
  • Did the CCO otherwise act to prevent, mitigate, and/or address the issue?
  • Did the CCO reasonably rely on information from others in the firm or firm systems? 

You can see the major themes here. If the CCO had limited ability (or none at all) to intercept the misconduct; or if the CCO relied on the advice of others when responding to a compliance failure — then the presumption should be not to bring charges against the CCO personally.

The NSCP did stress that its proposed framework should be seen as a complement to, rather than a rival of, the NYC Bar Association framework. The NYC Bar framework dwells more on a compliance officer’s personal actions and whether they qualify as reckless, the NSCP said, while its own framework focuses on the overall strength of a firm’s compliance function. 

“The NSCP believes that a framework focused on evaluating CCO liability based solely on the responsibilities and expectations of the position is only a partial solution,” the group said. “Careful consideration must be given to the full context in which the CCO functioned.” Hence the need for an additional framework.

Sounds reasonable enough to me. I just don’t believe the Securities and Exchange Commission or FINRA will ever act on these proposed frameworks — at least, not in any public, recognized way; although perhaps the agencies might incorporate some of the frameworks’ suggestions in individual regulatory examinations or enforcement actions.

Compliance officers and corporate defense lawyers, however, could use either of these frameworks as the basis of fighting back against pending charges. Like I said, they’re reasonable questions and they might resonate with the right prosecutor or judge.

What CCOs Believe

The NSCP also included several findings from a survey the group conducted of its 2,000+ members. The results of the survey demonstrate that compliance professionals still worry that personal liability will be imposed in cases where:

  • Compliance acted negligently rather than recklessly (53 percent)
  • Compliance relied on inaccurate data from another employee (66 percent)
  • Compliance did not participate in the violations caused by the company or other executives (63 percent)

Even better, lots of compliance officers also have dour views about the expectations and burdens placed upon them, by regulators and senior management alike:

  • 72 percent say regulators have expanded the role of compliance officers and the scope of their responsibilities in imposing personal liability; 
  • 70 percent believe the overall compliance function at their firms is under-resourced; 
  • 35 percent reported insufficient resources to conduct compliance training; 
  • 20 percent reported insufficient authority to develop and enforce compliance policies and procedures at their firms.

To be clear, these numbers are all from compliance officers working at broker-dealers, hedge funds, asset management firms, and other financial services firms; not compliance officers working across all industries. (Although somehow I suspect lots of you at non-financial firms know exactly how the NSCP members feel.)

These numbers might be the most believable and true part of this whole drama. I don’t believe CCO liability in regulatory enforcement is a pressing worry. But financial firms still keeping compliance in the margins, while CCOs stress out and investors take the risk? 

That part I believe without a doubt.
