There are good reasons why compliance is treated as a specialized skill in most established financial firms of all sizes and why Chief Compliance Officers (CCOs) typically have years of professional experience in their field.
It takes a significant amount of expertise, knowledge, and professional judgment to be a CCO. In fact, the lack of such credentials can exacerbate the outcomes of a regulatory inquiry or enforcement action. Lacking qualifications can lead courts to find that a CCO aided and abetted their firm’s regulatory violations.
This concept is often specifically codified in rules or regulations. For example, Rule 206(4)-7 under the Investment Advisers Act of 1940 states, “An adviser’s chief compliance officer should be competent and knowledgeable regarding the Advisers Act and should be empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the firm.” Failing to meet the criteria of competence and knowledge in the compliance field can open up liability for both firms and individuals.
A recent report from the New York City Bar Association Compliance Committee (published in February 2020) highlights what is at stake. Many financial innovators may feel tempted to take the same approach to compliance as they do to product development, given the startup world’s acceptance of fast failure and learning on the fly. In a word, our advice is simple: don’t.
Here’s a summary of the NYC Bar report.
- Because of their role, compliance officers are inherently at risk of becoming subject to regulatory investigations and personal liability.
- CCOs face a growing risk of personal liability and individual accountability from the day-to-day performance of the compliance function. In the case of complaints or investigations, examiners scrutinize what a compliance officer or program ought to have detected and prevented.
- Good faith efforts and well-intentioned conduct may be punished with fines or even jail time. In other words, compliance is not a discipline that should be taken on by willing but inexpert resources, which runs counter to the prevailing mindset of many startup cultures.
- In November 2019, a FINRA opinion reaffirmed that “when a CCO engages in wrongdoing, attempts to cover up wrongdoing, crosses a clearly established line, or fails meaningfully to implement compliance programs, policies, and procedures for which he or she has direct responsibility, we would expect liability to attach.”
- State and federal regulators are increasingly imposing additional attestation and certification requirements on compliance officers. Such regulatory requirements exist with respect to anti-money laundering (“AML”) programs at financial institutions and compliance programs in the virtual currency industry.
- The role of the compliance function can put it at odds with the rest of the C-suite, who naturally focus on business growth and profitability. This may raise structural barriers to important information reaching CCOs, thereby impeding their ability to discover and prevent misconduct. Despite this, the CCO remains responsible for working to reasonably ensure that their employer remains in compliance even when regulatory compliance could conflict with profitability.
- CCOs must make decisions in real-time against the backdrop of heightened individual enforcement, increased regulatory responsibilities, limited resources, and little guidance.
- In annual surveys conducted over the last three years, DLA Piper found that 74% of CCOs surveyed were “at least somewhat concerned” regarding their personal liability.
- Compliance officers face an information gap when existing guidance does not cover a novel circumstance or close question. They can also face considerable uncertainty when well-intentioned regulations are cryptic and overly complex.
Very simply, personal liability has become an increasing concern among in-house compliance professionals. The risks are real.
At InnReg, we work with our clients to help mitigate those risks by rigorously designing, planning, implementing, and running compliance programs. We bring decades’ worth of focused compliance experience to every client relationship. We are able to provide resources who take on the role of a firm’s Chief Compliance Officer.
If you have questions about liability and mitigating liability risks for your firm, please don’t hesitate to be in touch.
Frequently Asked Questions About Compliance Liability
What is the regulatory definition of the role of a CCO?
Each adviser registered with the SEC is required to designate a chief compliance officer to administer its compliance policies and procedures. An adviser's chief compliance officer should be competent and knowledgeable regarding the Advisers Act and should be empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the firm. Thus, the compliance officer should have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.
How can a CCO meet their responsibility and avoid conflicts of interest?
A CCO who is an employee of a fund's investment adviser might be conflicted in her duties because the investment adviser's business interests might discourage the adviser from making forthright disclosure to fund directors of its compliance failures. Therefore, a fund's CCO is required to report directly to the board. The board, and the board alone, can discharge the officer.
Under what circumstances would a CCO take on personal liability?
In principle, a CCO can be held personally liable as the outcome of any regulatory examination. While regulations are not designed to expose CCOs to undue personal risk, they do hold CCOs to high standards of competence and knowledge. If a determination is made that gaps in a compliance program opened the door to violations and that a competent professional ought to have identified and closed such gaps, the risk of personal liability is significant.
Can a CCO plead ignorance?
No. CCO liability is determined by examining the conduct of the CCO as well as of the firm. Lack of knowledge or ambiguous interpretations of how regulations apply to new technologies or business models will not necessarily impact the disciplinary actions taken by regulators.
What about “bad faith” infractions?
A determination of willful negligence is entirely possible and can entail individual liability as well. At the beginning of March, the Financial Crimes Enforcement Network (FinCEN) assessed a $450,000 penalty against an attorney and former Chief Compliance Officer (CCO) at a major financial institution for failures in AML compliance. The severity of this penalty stemmed in part from a finding that they recklessly disregarded their obligations to report suspicious activity and willfully participated in violations of AML regulations.
What are some recent case examples?
Relevant cases include:
- David Osunkwo, a consulting advisor contracted to provide outsourced CCO services who overstated the assets under management of the investment firms he represented by nearly $120 million.
- In BlackRock Advisors LLC, the SEC charged BlackRock’s CCO with having “caused” BlackRock to willfully violate even though the statutes and rules impose requirements on the investment adviser generally, not specifically on an adviser’s CCO.
- In Windsor Street Capital, L.P., the SEC found the CCO personally liable for aiding, abetting, and causing the firm’s failure to file suspicious activity reports under the Bank Secrecy Act.
- In U.S. Dep’t of Treasury v. Haider, FinCEN and the U.S. Attorney’s Office for the Southern District of New York partnered to take action against Haider, the former CCO of MoneyGram, for his alleged failure to implement and maintain an effective AML program and report suspicious activity.
- In the case of Thaddeus North, the SEC upheld sanctions imposed on the CCO of Southridge Investment Group LLC by FINRA for, among other things, failing to establish and maintain a supervisory system reasonably designed to achieve compliance with applicable securities laws.
The NYC Bar report contains numerous other examples.
What should we do if we feel exposed to CCO liability risks?
If you believe there are gaps in your compliance processes, if your CCO has flagged potential risks to you, or if you are merely uncertain of your risk exposure, the best thing to do is consult with legal and compliance professionals. Letting problems fester is never an appropriate solution.