Although regulators often seek to empower compliance officers within their institutions, a troubling question lingers as to whether regulators are undercutting this important message by simultaneously sending mixed or unrefined signals about when a Chief Compliance Officer should be held personally liable for the compliance failings of his or her firm.
The director of the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations recently urged investment firms to empower Chief Compliance Officers (CCOs), saying, “The CCO is not there to fill out irrelevant paperwork or serve as a scapegoat for the firms’ failings. A firm’s compliance department should be fully integrated into the business of the [regulated entity] for it to be effective.”
This will not be the last time that a regulator seeks to use a bully pulpit to empower the role of compliance officers, and that is a good thing. But a troubling question lingers as to whether regulators are undercutting this important message by simultaneously sending mixed or unrefined signals about when a Chief Compliance Officer should be held personally liable for the compliance failings of his or her firm. It is rarely the case that a CCO will have an oversized influence on the structuring, resourcing or staffing of the company’s compliance function. Typically, it is the opposite. As with all other important functions of a firm, responsibility for the performance of a company’s compliance staff, and the effectiveness of the compliance function overall, lies at the feet of top decision makers – the most senior management and Board of Directors.
The lack of consistency in messaging was highlighted this year by two important voices on the topic. First, in February 2020 the New York City Bar Association Compliance Committee issued its Report on Chief Compliance Officer Liability in the Financial Sector (the “NYCBA Report”). This well-received report thoroughly analyzed the issue of personal liability for CCOs and offered a number of sensible recommendations to address regulatory uncertainty. The report also noted that, despite the efforts of regulators to soothe CCO concerns, “compliance officers remain concerned that their good faith efforts and well-intentioned conduct may be punished.”
That concern is eminently justified. A widely noted “standard” for consideration of CCO personal liability has grown out of 2015 remarks by a former Director of Enforcement for the SEC. That standard can be summarized as follows: compliance officers could face liability where (1) the compliance officer participated in the underlying misconduct unrelated to the compliance duties; (2) the compliance officer obstructed or misled Commission staff; and (3) the compliance officer “has exhibited a wholesale failure to carry out his or her responsibility.”
The first two categories of course make sense, as they apply equally to all employees at a firm. A compliance employee who engages in misconduct subject to civil or criminal liability and unconnected to compliance duties should be dealt with like any other employee. The same goes for a compliance employee who interferes with a regulatory or criminal investigation; indeed, this may make the employee’s conduct even more culpable given his/her/their expected knowledge of a firm’s responsibilities to respond to examinations and investigations.
The third category, however, is concerning. For example, it is the view of both the SEC and certain courts that the securities laws allow for a compliance officer to be liable for causing a violation by a firm based merely on negligence: “[W]here a company has committed a violation [of the securities laws] that does not require scienter – such as failing to have sufficient policies and procedures – a compliance officer can be held to have caused their violation based on her own negligent conduct.”
Once that idea sets in, one very well might be inclined to blurt out, “Yikes!”
It arguably gets worse. As pointed out in the NYCBA Report, in 2018 the SEC upheld a FINRA disciplinary ruling that suspended and fined a CCO for a number of alleged serious deficiencies in his firm’s compliance program. See In the Matter of the Application of Thaddeus J. North, Exchange Act Release No. 84500 (Oct. 29, 2018). While the SEC determined that FINRA’s findings established that the CCO’s failures were “egregious,” in so doing the agency described a standard for CCO liability apparently broader than that noted in the 2015 Enforcement director’s remarks: “[A]bsent unusual mitigating circumstances, when a CCO engages in wrongdoing, attempts to cover up wrongdoing, crosses a clearly established line, or fails to meaningfully implement compliance programs, policies, and procedures for which he or she has direct responsibility, we would expect liability to attach.”
The standard of “meaningfulness” described in the Commission’s opinion does not immediately lend itself to critical analysis. This supposed measure of civil liability appears substantially less severe and less concrete than the “wholesale failure” standard articulated in the SEC Enforcement Director’s 2015 remarks. While the facts of the North case arguably show a considerable compliance lapse, even an “egregious” one, the general guidance issued in this opinion seems at best not thoroughly thought through. Just as a compliance officer has a duty of care to investors and their firm, so does a regulator have the obligation to carefully consider each phrase of guidance provided. This obligation is even more acute where there is a paucity of guidance in the field — as there is concerning personal liability of compliance officers under regulatory prescriptions.
This is where a second, important voice on this topic recently chimed in. In remarks given in October 2020 to the National Society of Compliance Professionals, SEC Commissioner Hester M. Peirce turned to this issue generally and the North case specifically. Although unable to say much about North because the case is on appeal, Commissioner Peirce nevertheless dropped a clue, at least about her own views: “[S]tatements in the Commission’s orders reviewing FINRA disciplinary actions do not necessarily reflect the Commission’s view of how it should exercise its own enforcement discretion when enforcing its own statutes and rules.”
Let us hope so. Recognizing that this is not an easy area for a regulator or prosecutor to navigate under any circumstances, the consequences of overzealous enforcement against compliance officers individually will likely undermine effective compliance programs — not foster them. As Commissioner Peirce noted, “[a] firm that has reasonably designed policies and procedures nevertheless can experience a securities violation.” As further pointed out by the NYCBA Report, the consequences of brutish or irregular enforcement against compliance officers may “discourage appropriate activity by compliance officers, isolate compliance officers far from other business processes, or, at the extreme, lead individuals to leave compliance roles for fear of bearing liability for the misconduct of others. . . . The risk of liability threatens to reduce the ranks of effective, qualified candidates seeking and remaining in compliance positions.”
Maintaining a robust community of capable compliance officers is essential for firms and government agencies alike. And our experience is that almost all compliance officers are diligent, committed to compliance with the law, and ethical, doing the hard and often thankless work of protecting an institution against wrongdoing. Compliance officers undertake these efforts through the existing internal systems and controls in a company. Sometimes, with the help of outside compliance consultants and technology vendors who bring particular expertise to the relevant industry or systems employed by the company, compliance officers are able to further enhance their compliance programs. These efforts typically benefit the firm and avoid any unwelcome situation for the compliance function.
Fortunately, Commissioner Peirce has taken on this cause. In her recent remarks the Commissioner embraced the suggestion of the NYCBA Report that regulators strive to provide additional guidance on when to bring enforcement actions against compliance officers. Commissioner Peirce suggested that she herself is considering developing a “draft framework” to share with SEC colleagues and has sought input on “what factors are relevant to the decision about whether to charge compliance personnel.”
This is a worthy endeavor. Regulators and prosecutors have provided guidance in other areas of enforcement, and this is clearly one that will benefit from thoughtful consideration. This type of exercise will help to keep focus on the signal purposes of regulatory enforcement: penalizing serious misconduct engaged in by firms; encouraging other firms to stay within the guardrails; and articulating standards for all firms and the decision makers who guide them. Turning the screw tighter against individual compliance officers, without further guidance about the standards for enforcement, risks undoing years or even decades of the hard work of building effective compliance programs that has so far been achieved.