Concerned that an increasing number of Securities and Exchange Commission (SEC) enforcement actions could result in more chief compliance officers being held personally liable for misconduct that occurs on their watch, the New York City Bar Association has proposed a framework for regulators to use when considering charging CCOs.

The framework, issued Wednesday, is meant to provide a series of nonbinding factors for the SEC to consider as it weighs whether to lay charges against a CCO at the conclusion of an investigation into securities law violations. In particular, the framework homes in on charging decisions made for actions that do not result from fraud or obstruction on the part of the CCO. In many cases, charging CCOs for “wholesale failures” to carry out their responsibilities can be “career ending enforcement actions,” the bar said in its framework, which will “discourage individuals from becoming or remaining compliance officers.”

The bar said that while some parts of the framework likely already factor into the SEC’s decision-making process on whether to charge CCOs of a crime, formalizing the framework will “help provide clear guidance to CCOs and enable them to confidently engage in their necessary work” and would “provide enforcement clarity CCOs seek.”

The framework builds on a February 2020 report from the bar on CCO liability in the financial sector, which posited that CCOs face “unnecessary risks” that undermine their effectiveness, as well as regulatory goals.

It also builds on sentiment within the SEC itself that charging CCOs with negligence is counterproductive.

“Just because the Commission can do something under our rules does not mean that we should do it,” SEC Commissioner Hester Peirce said in an October 2020 speech. “Indeed, charging CCOs based on mere negligence could be harmful to our efforts to foster compliance because it dissuades people from taking jobs in compliance and can encourage dishonest efforts to ‘cover up’ failings rather than openly correcting them.”

When should a CCO face enforcement?

The bar’s framework lays out the affirmative factors that should be present in order to bring charges against a CCO and some of the mitigating factors that would weigh against bringing charges. It suggests creating a formal ongoing method of dialogue between the compliance industry and regulators through the formation of a compliance advisory committee.

Even though the SEC has the right to lay a CCO conduct charge, the agency should be reticent to do so, according to the bar. “In many circumstances, we believe that CCO Conduct Charges will fail to advance the interests of protecting the capital markets and investors,” the framework said.

The framework also says if one of the main goals of enforcement actions is deterrence, laying a CCO conduct charge doesn’t accomplish that goal. The law makes CCOs personally responsible for their firm adhering to securities laws when whether a law is broken or not is often “determined by other human beings whom the CCO cannot control.” CCOs don’t have any special anti-retaliation protections, have to make yes or no decisions in real time (often with limited information), and yet can be held personally liable for illegal acts committed by others.

Placing CCOs on the so-called “firing line” makes it more likely they will leave in-house positions at financial service firms to become compliance consultants, which have less personal risk. Further, CCOs could react to the current situation by withdrawing from the type of deep involvement in a firm’s activities that regulators prefer.

Some of the questions regulators should answer when weighing whether to lay a CCO conduct charge include:

  • Did the CCO make a good-faith effort to fulfill his or her responsibilities?
  • Did the wholesale failure relate to a fundamental or central aspect of a well-run compliance program at the registrant?
  • Did the wholesale failure persist over time, and/or did the CCO have multiple opportunities to cure the lapse?
  • Did the wholesale failure relate to a discrete, specified obligation under securities laws or the compliance program at the registrant?
  • Did the SEC issue rules or guidance on point to the substantive area of compliance to which the wholesale failure relates?
  • Did an aggravating factor add to the seriousness of the CCO’s conduct?
  • Was fraud or repeated obstruction involved in the CCO’s conduct and response to investigators?

Mitigating factors in the framework include:

  • Did structural or resource challenges hinder the CCO’s performance?
  • Did the CCO at issue voluntarily disclose and actively cooperate?
  • Were policies and procedures proposed, enacted, or implemented in good faith?

“Given the special role that CCOs play and the compliance community’s legitimate concerns, we believe that instituting a Framework of nonbinding factors will provide the compliance community with the guidance it needs balanced against regulators’ need for ultimate discretion,” the framework said.