What factors should regulators weigh when considering whether to find a chief compliance officer (CCO) personally liable for misconduct that occurs on his or her watch?

Last June, the New York City Bar Association created a framework for regulators, namely the Securities and Exchange Commission (SEC), to consider when determining whether to charge a CCO for securities law violations that occur at his or her financial services firm. The framework homed in on charging decisions made for actions that do not result from fraud or obstruction on the part of the CCO.

The bar’s framework set a recklessness standard, under which a CCO could be found liable for a wholesale failure to carry out responsibilities that were clearly assigned to him or her. The framework posed a series of questions for regulators to answer when weighing whether to charge a CCO for his or her conduct. It also listed mitigating factors to consider.

What if, however, a lack of resources for a compliance function, or a lack of support for compliance within a company or from company leadership, rendered a firm’s compliance division ineffective? Should the SEC still consider a CCO liable under those circumstances?

The National Society of Compliance Professionals (NSCP), a nonprofit group representing more than 2,000 compliance professionals in the financial services industry, said many of its members are worried a firm’s lack of resources and weak compliance culture can undercut a CCO’s effectiveness. Those factors shouldn’t make a CCO liable for the wrongdoing of others, the NSCP members believe.

NSCP members voice their concerns

The NSCP said a recent survey of its members found 53 percent remain concerned liability will be imposed in cases where compliance acted negligently rather than recklessly. Other liability concerns include cases where compliance relied on inaccurate data from another employee (66 percent) or where compliance did not participate in violations committed by the company or other executives (63 percent).

In addition, 72 percent of respondents said they are “concerned that regulators have expanded the role of compliance officers and the scope of their responsibilities in imposing personal liability,” according to the NSCP. Another 70 percent believe the overall compliance function at their firm is under-resourced.

There were also concerns about insufficient resources to conduct compliance training; insufficient authority to develop and enforce compliance policies and procedures; and an inability to address compliance-related weaknesses and report concerns to senior management.

“CCOs are taking on more responsibility. Look at cybersecurity, look at cryptocurrency and blockchain. These are areas where compliance officers are being required to get involved,” said NSCP Executive Director and Chief Executive Officer Lisa Crossley, herself a former CCO.

Many CCOs, particularly at smaller firms, don’t have expertise in those areas, she said. “If a compliance violation occurs, the CCO could be on the hook for it,” she said. The rules and standards for CCO conduct in the financial services industry have not kept pace with that reality, she said.

The NSCP issued a framework of its own Monday that urges regulators to consider CCO liability more holistically, in the context of the compliance culture at the CCO’s firm. Is the compliance function adequately supported by management? Is it properly funded? Are the CCO and his or her team empowered to enforce policies and address violations within the firm? Where regulators conclude the answer is “no,” they should treat those conditions as mitigating circumstances, since they limit the CCO’s ability to do the job in that particular environment.

In addition, the NSCP argues regulators should ask such questions earlier in the process, during an examination, for example, so that issues can be addressed, rather than at the end of an enforcement action. The Department of Justice already takes that approach in its “Evaluation of Corporate Compliance Programs,” where a June 2020 update directed prosecutors to ask whether a company’s compliance program is “adequately resourced and empowered to function” effectively.

“If something goes wrong, there’s always a question about a CCO’s role,” said Brian Rubin, a partner at Eversheds Sutherland and member of NSCP’s board of directors and its regulatory advisory committee. “If there is a target on the back of compliance, that leads to all kinds of problems and issues.”

The NSCP framework poses a series of questions for regulators to consider regarding a CCO’s liability when a compliance failure has occurred. Answering “yes” to any of them would weigh against holding the CCO liable, the framework said.

  • Did the CCO have nominal rather than actual responsibility, ability, or authority to affect the violative conduct?
  • Was there insufficient support from firm leadership to compliance, including, for example, insufficient resources, for the CCO to affect the violative conduct?
  • Did the CCO escalate the issue or violative conduct to firm management through a risk assessment, annual review, CEO certification meeting/report, or otherwise?
  • Did firm management fail to respond appropriately after becoming aware of the issue (through the CCO or otherwise)?
  • If the firm made misstatements or omitted material information, did the CCO have nominal rather than actual responsibility, ability, or authority for reviewing or verifying that information?
  • Was firm leadership provided the opportunity to review and accept the policies and procedures?
  • Did the CCO consult with legal counsel (in-house or external) and/or securities compliance consultants and adhere to the advice provided?
  • Did the CCO otherwise act to prevent, mitigate, and/or address the issue?
  • Did the CCO reasonably rely on information from others in the firm or firm systems?

Regulators, particularly the SEC, have a long list of goals to pursue in 2022. “We are aware that CCO liability may fall far down the list,” Crossley said. SEC Commissioner Hester Peirce spoke in October 2020 of developing a draft framework to share with her fellow commissioners, but she has not publicly revisited the topic since.

The NSCP has had informal discussions with SEC regulators about the framework, Rubin said, and hopes to continue pressing home the point about the issues that arise when CCOs could be found liable for the misconduct of others.

“Imposing personal liability on CCOs who have not engaged in misconduct or obstruction has the impact of shifting responsibility from business line personnel and management to the CCO,” the framework said. “This could diminish the culture of compliance within firms and promote indifference from business line employees and management to follow the rules. It could ultimately lead to firmwide deficiencies being attributed to compliance and benefit management who failed to empower compliance.”