NYC Seeks To Clarify Personal Liability Risks For CCOs
The threat of jail or fines is causing a drop in the number of active compliance officers policing financial services firms. A new framework designed to fix the issue has been proposed, underlining the case for enhanced monitoring and surveillance tools that will help compliance become better at their job and provide them a safety net for speaking out.
Career-ending enforcement actions are deterring a generation of compliance officers from taking up jobs in Wall Street, amid concerns that the personal liability risk is becoming too great.
The issue of dwindling, and in some cases reluctant talent, has prompted the New York City Bar Association to draw up a legal framework that adds some clarity to the “chilling” exposure that chief compliance officers (CCO) face.
The guidance gives regulators a checklist to follow when considering whether to charge an individual, and provides compliance officers with a comprehensive guide to the regulator’s thinking during enforcement actions.
Firms will increasingly be expected to provide compliance officers with better technology to do their jobs, as, previously, CCOs have been held liable for misconduct despite having poor tools that did not enable them to identify or prevent breaches.
The New York City Bar Association’s framework claims that the risk of facing an enforcement action has discouraged qualified individuals from accepting or sticking around in the crucial CCO role.
The framework is aimed at guiding the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) in considering whether to charge CCOs for conduct relating to their compliance-related duties.
It lists multiple factors required to bring charges and three mitigating factors that would weigh against such charges.
Under the plan, questions that regulators would weigh up include whether charging a compliance officer would achieve the SEC’s regulatory goals and whether a CCO made a good-faith effort to do their job. A defusing factor would be if a CCO voluntarily disclosed and actively cooperated with regulators.
Neither the SEC nor FINRA have publicly indicated their intention to follow the proposals.
Compliance Still At Risk
Some professionals feel the proposals, such as structural changes to financial firms’ reporting lines and the level of involvement in key business decisions, do not go far enough. There is still a feeling that CCOs bear too much responsibility for misconduct occurring under their watch, regardless of how much they know about an incident.
Industry experts said it was helpful that some of the concerns compliance officers have about their jobs have been aired, and it could help in clarifying expectations.
But, without changes at the corporate level, many compliance professionals remain susceptible to liability dilemmas in their day-to-day work.
Caution remains, given the number of compliance officials who have faced individual charges for institutional failures in recent years.
“It helps raise the concern, but doesn’t solve the problem,” said Eric Young, former compliance boss at the Americas unit of BNP Paribas SA who now runs a compliance advisory firm. While it is a step in the right direction, regulators still need to take action to address industry concerns and signal their backing for the plan, Young said.
“It’s a good thing to have it out there,” said Alma Angotti, regulatory risk expert and Partner at consultancy Guidehouse. Compliance officers often end up being blamed when companies focus on profit over risk management, lack a good compliance culture, or don’t have channels for chief compliance officers to raise concerns with senior management, Angotti said.
The framework would give compliance officers a measure of protection in knowing they won’t be in the firing line when minor mistakes or miscalculations occur, or if companies fail to provide them with the tools to do their job, she said.
Governance structures inside many firms, where a CCO may report to the head of legal or risk instead of the board may hinder the independence of the compliance team as a second line of defense. If something goes wrong, the CCO may be blamed for not speaking out, Young said.
Compliance officers also might face challenges in resolving breaches after raising red flags because of budget constraints, he added. “It’s a Catch-22,” he said. Budget or operational restrictions on compliance departments are among the mitigating factors listed.
In addition to the Bar Association’s proposal, Young suggested two further measures to support the independence of companies’ compliance departments. The first is for chief compliance officers to report directly to boards of independent directors, and the second is to extend insurance for personal liability to CCOs, who might not qualify at some companies.
Ball In Regulator’s Court
The proposal reflects a significant amount of work and careful consideration about how to continue to permit effective regulation of CCO conduct without singling them out for unfair targeting and treatment, according to James Lundy, lawyer at Faegre Drinker.
“As the current complement of SEC Commissioners and senior staff members begin to make their mark through enforcement priorities, amongst other regulatory initiatives to be prioritized, it will be interesting to see whether the framework, and other efforts like it, spur any action in the near term,” Lundy said.
The SEC has previously said deciding whether to prosecute a CCO for negligence is one of its greatest challenges, and in such cases, just because the rules say it can, doesn’t mean it should.
“While this does not necessarily suggest that the SEC will adopt the framework anytime soon, it perhaps suggests a recognition by the SEC that it must seriously consider the circumstances under which charging COOs is justified,” said Bryan Hogg, regulatory lawyer at Vinson & Elkins.
Having a robust and advanced compliance program is the best form of defence for any compliance officer in the first regard, industry experts said; preventing the problem removes any element of risk.
Other best practices include maintaining detailed documentation of compliance tasks, including demonstration of how problems are addressed promptly and appropriately; ensuring policies reflect practices; a clear line on supervisory responsibilities, including escalation policies;, and the use of attestations in certifying understanding of roles and expectations.