Compliance group introduces framework for tackling CCO liability

The National Society of Compliance Professionals (NSCP) has released a framework that it hopes chief compliance officers (CCOs), financial services firms and regulators can use to address the long-standing issue of CCO liability.

The NSCP framework is a response to concerns common among compliance professionals that they may find themselves held personally liable in circumstances they regard as unreasonable or unfair – such as when they have not been involved in misconduct or obstruction.

The results of recent NSCP surveys conducted among its membership of more than 2,000 CCOs and other compliance professionals highlight how widespread these concerns are. More than half (53 percent) fear facing personal liability where compliance ‘acted negligently rather than recklessly.’ Almost two thirds (66 percent) worry compliance professionals may face personal liability for having ‘relied on inaccurate data from another employee’ and 63 percent fear personal liability will be imposed where compliance ‘did not participate in the violations caused by the company or other executives.’

In addition, 72 percent are concerned that regulators have expanded the role of compliance officers and the scope of their responsibilities in imposing personal liability, 70 percent believe the compliance function at their firm is under-resourced and 25 percent report an inability to address compliance-related weaknesses and report concerns to senior management.

Brian Rubin, co-chair of Eversheds Sutherland’s litigation group in Washington, DC and a member of the committee that drafted the NSCP framework, tells Corporate Secretary that one danger arising from fear of personal liability might be that CCOs ignore problematic issues at their firm and hope nobody notices them. It may also be difficult to find good people who are willing to take on compliance jobs for fear of having a ‘target on their back,’ he adds.

SEC member Hester Peirce has also raised concerns about the potential regulatory liabilities facing CCOs and suggested the commission – and the profession – develop new guidance. In a speech to a 2020 NSCP conference, Peirce said she shared fears some observers have raised that a growing ‘specter of personal liability’ may lead to some talented individuals giving up a career in compliance.

‘While securities regulators have expressed support for CCO empowerment and the enhancement of compliance resources, NSCP’s surveys demonstrate that significant practical concerns still exist,’ the group states in outlining its framework. ‘Many compliance departments continue to be viewed as cost centers, not receiving the proper support, resources or authority from their firm to appropriately address compliance-related weaknesses.’

It adds: ‘By bringing these concerns to the forefront, the NSCP hopes to alleviate the uncertainty faced by compliance officers and provide a framework that more directly aligns with statements made by SEC and FINRA leadership and industry professionals, and promotes investor protection and market integrity.’

The NSCP supports the New York City Bar’s 2021 ‘Framework for [CCO] liability in the financial sector,’ but states that ‘a framework focused on evaluating CCO liability based solely on the responsibilities and expectations of the position is only a partial solution. Careful consideration must be given to the full context in which the CCO functions. As a result, the NSCP is advocating an additional framework.’

What Rubin describes as the more holistic approach taken by the NSCP covers individuals, firms and regulators. The NSCP urges companies of all sizes to empower their CCOs with ‘the full responsibility, ability and authority to develop, implement and enforce appropriate policies and procedures’ and to continually assess whether the compliance program has sufficient resources.

The group says CCOs should have clear direction and agreement from the leadership of the firm on its roles and authority to manage compliance programs ‘tailored to the firm and reasonably designed to prevent violations of federal securities laws.’

In addition, it says regulatory examination and enforcement teams should have an ‘appropriate foundation to evaluate compliance failures identified during the course of examinations or investigations and in particular, whether those failures rise to the level where formal charges should be referred to enforcement or brought against the CCO.’

Lisa Crossley, executive director and CEO of the NSCP, tells Corporate Secretary the framework is intended to be used across the board to look at and assess a firm’s compliance function, such as whether it has adequate resources. She hopes it will lead to a review of whether the SEC’s relevant compliance rules and the term ‘reasonably designed policies and procedures’ have kept pace with changes in the financial services industry. 

Crossley also hopes the framework will help lead to discussions between compliance professionals and regulatory exam officials. It would be valuable for industry members to explain to examiners the practicalities of their work and daily lives, and for examiners to share with compliance officers what they are seeing as best practices in the industry, she adds. 

THE FRAMEWORK
Specifically, the NSCP framework states that in evaluating CCO liability where a compliance failure may have occurred, regulators should consider the set of questions below. It adds that a ‘yes’ answer to any of the questions mitigates against CCO liability:

• Did the CCO have nominal rather than actual responsibility, ability or authority to affect the violative conduct?
• Was there insufficient support from company leadership to compliance – including, for example, insufficient resources – for the CCO to affect the violative conduct?
• Did the CCO escalate the issue or violative conduct to company management through a risk assessment, annual review, CEO certification meeting/report or otherwise?
• Did company management fail to respond appropriately after becoming aware of the issue (through the CCO or otherwise)?
• If the firm made misstatements or omitted material information, did the CCO have nominal rather than actual responsibility, ability or authority for reviewing or verifying that information?
• Was company leadership provided the opportunity to review and accept the policies and procedures?
• Did the CCO consult with legal counsel (in-house or external) and/or securities compliance consultants and adhere to the advice provided?
• Did the CCO otherwise act to prevent, mitigate and/or address the issue?
• Did the CCO reasonably rely on information from others in the company or company systems?

A request for comment from the SEC was not returned immediately. A FINRA spokesperson declined to comment on the NSCP project. A spokesperson for the New York City Bar did not have immediate comment.