The National Society of Compliance Professionals has released a framework for chief compliance officer liability to help regulators evaluate whether a CCO should be held liable for a compliance failure.
An industry-wide survey of 2,000 NSCP members — which focused on "CCO Liability" and "CCO Empowerment" — found that compliance professionals remain concerned that personal liability will be imposed in cases where compliance:
- acted negligently rather than recklessly (53%);
- relied on inaccurate data from another employee (66%); and
- did not participate in the violations caused by the company or other executives (63%).
To more effectively address the issue of CCO liability, NSCP said, it's necessary to focus on "the larger context of the compliance function within firms and to do so earlier in regulatory reviews, whether during examinations or enforcement investigations."
The New York City Bar's "Framework for Chief Compliance Officer Liability in the Financial Sector," released last June, focuses on "evaluating CCO liability based solely on of the responsibilities and expectations of the position," which is only a partial solution, NSCP maintains.
"Careful consideration must be given to the full context in which the CCO functioned," NSCP said. "As a result, the NSCP is advocating an additional framework."
Lisa Crossley, NSCP's executive director and CEO, told ThinkAdvisor Wednesday in an email that SEC Commissioner Hester Peirce's November 2020 keynote address at NSCP's national conference prompted the framework.
Peirce "addressed the increasing responsibilities of compliance officers and questioned the 'parameters of personal liability for compliance officers,'" Crossley explained.
Peirce further stated that Rule 206(4)-7, the investment advisor compliance rule, "exacerbates the problem. It supports a negligence-based charge against an adviser's CCO, whom the rule makes 'responsible for administering written policies and procedures that must be reasonable designed to prevent violations, by the CCO and supervised persons.'"
Peirce "went on to invite the compliance community to provide input on a framework she would like to develop 'detailing which circumstances will cause the Commission to see personal liability and what circumstances will mitigate again seeking personal liability…'" Crossley said.
Citing industry surveys, NSCP also stated that:
- 72% of compliance professionals are concerned that regulators have expanded the role of compliance officers and the scope of their responsibilities in imposing personal liability;
- 70% believe the overall compliance function at their firms is under resourced;
- 35% reported insufficient resources to conduct compliance training;
- 20% reported insufficient authority to develop and enforce compliance policies and procedures at their firms; and
- 25% reported an inability to address compliance-related weaknesses and report concerns to senior management.
"Imposing personal liability on CCOs who have not engaged in misconduct or obstruction has the impact of shifting responsibility from business line personnel and management to the CCO," the framework states. "This could diminish the culture of compliance within firms and promote indifference from business line employees and management to follow the rules. It could ultimately lead to firm-wide deficiencies being attributed to compliance and benefit management who failed to empower compliance."