Compliance Group Releases CCO Liability Framework

News January 19, 2022 at 05:33 PM
Share & Print

The National Society of Compliance Professionals has released a framework for chief compliance officer liability to help regulators evaluate whether a CCO should be held liable for a compliance failure.

An industry-wide survey of 2,000 NSCP members — which focused on "CCO Liability" and "CCO Empowerment" — found that compliance professionals remain concerned that personal liability will be imposed in cases where compliance:

  • acted negligently rather than recklessly (53%);
  • relied on inaccurate data from another employee (66%); and
  • did not participate in the violations caused by the company or other executives (63%).

To more effectively address the issue of CCO liability, NSCP said, it's necessary to focus on "the larger context of the compliance function within firms and to do so earlier in regulatory reviews, whether during examinations or enforcement investigations."

The New York City Bar's "Framework for Chief Compliance Officer Liability in the Financial Sector," released last June, focuses on "evaluating CCO liability based solely on of the responsibilities and expectations of the position,"  which is only a partial solution, NSCP maintains.

"Careful consideration must be given to the full context in which the CCO functioned," NSCP said. "As a result, the NSCP is advocating an additional framework."

Lisa Crossley, NSCP's executive director and CEO, told ThinkAdvisor Wednesday in an email that SEC Commissioner Hester Peirce's November 2020 keynote address at NSCP's national conference prompted the framework.

Peirce "addressed the increasing responsibilities of compliance officers and questioned the 'parameters of personal liability for compliance officers,'" Crossley explained.

Peirce further stated that Rule 206(4)-7, the investment advisor compliance rule, "exacerbates the problem. It supports a negligence-based charge against an adviser's CCO, whom the rule makes 'responsible for administering written policies and procedures that must be reasonable designed to prevent violations, by the CCO and supervised persons.'"

Peirce "went on to invite the compliance community to provide input on a framework she would like to develop 'detailing which circumstances will cause the Commission to see personal liability and what circumstances will mitigate again seeking personal liability…'" Crossley said.

Citing industry surveys, NSCP also stated that:

  • 72% of compliance professionals are concerned that regulators have expanded the role of compliance officers and the scope of their responsibilities in imposing personal liability;
  • 70% believe the overall compliance function at their firms is under resourced;
  • 35% reported insufficient resources to conduct compliance training;
  • 20% reported insufficient authority to develop and enforce compliance policies and procedures at their firms; and
  • 25% reported an inability to address compliance-related weaknesses and report concerns to senior management.

"Imposing personal liability on CCOs who have not engaged in misconduct or obstruction has the impact of shifting responsibility from business line personnel and management to the CCO," the framework states. "This could diminish the culture of compliance within firms and promote indifference from business line employees and management to follow the rules. It could ultimately lead to firm-wide deficiencies being attributed to compliance and benefit management who failed to empower compliance."

Brian Rubin, an NSCP's Regulatory Advisor Committee member and a partner at law firm Eversheds Sutherland who helped develop the framework, told ThinkAdvisor in an email that the framework "has been presented to the SEC and FINRA, and we have had some follow-up discussions with them."

Rubin added that "because of the importance of these issues, we surveyed our members who confirmed that they are concerned about whether they have targets on their backs and whether they have sufficient resources at their firms."

The NSCP framework "is more holistic than the NYC Bar Framework and than other suggested guidelines," Rubin said. "It is important not just to focus on what the CCO did or didn't do, but also to focus on issues such as whether the CCO had responsibility or authority to perform certain tasks."

Anecdotally, Rubin said, "we have heard that this framework is being used at firms to see how compliance fits within the firms' overall management structure."

Adequate Compliance Resources

In commenting on the framework, Cipperman Compliance Services notes in a recent blog post that the NSCP urges the Securities and Exchange Commission and the Financial Industry Regulatory Authority "to consider whether management allocated adequate compliance resources and whether management offered sufficient support and ensured the CCO had sufficient authority."

The NSCP framework, Cipperman said, "also asks whether the CCO escalated issues and whether management responded. The regulators should also give credit for seeking outside advice from counsel or consultants and attempting to mitigate identified issues."

Cipperman said that it agrees that regulators "should consider the broader context, and we also generally agree with the NYC Bar standard. However, we would like to see the NSCP go further and define 'sufficient resources' because most CCOs plead for more and many (most) managements feel they spent enough (too much) already."

Based on industry studies and Cipperman's empirical experience, "we believe that a good baseline is that firms should spend no less than 5% of revenue on compliance. Some firms should spend more, and some should spend less, but a baseline will at least get the CCO, the C-suite, and the regulators on the same page."

NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Related Stories

Resource Center