NSCP Firm and CCO Liability Framework Can Ease CCOs’ Liability Concerns

Chief Compliance Officers (“CCOs”) who are concerned about being held liable for compliance mistakes are not alone. According to the National Society of Compliance Professionals (“NSCP”), many of their colleagues in the compliance field share those concerns. These CCO liability concerns are magnified in a regulatory environment that has become increasingly complex. The risk of personal liability is real and of grave concern to compliance professionals.

To address these concerns, the NSCP recently proposed a Firm and CCO Liability Framework (“NSCP Framework”) to provide guidance to regulators, CCOs, and firms. The organization conducted surveys to evaluate members’ views on CCO liability, as well as CCO empowerment and resources. The NSCP’s Regulatory Advisory Committee used the results from those surveys as the foundation for its NSCP Framework.

The NSCP Framework is a practical approach to CCO liability that promotes investor protection and market integrity. The framework can be used to construct an effective compliance function at Registered Investment Advisors, broker-dealers, and investment companies. It is intended to reduce uncertainty among compliance professionals who are fearful that they will be held personally liable in situations they view as unreasonable.

Survey results show why CCOs may not sleep well at night

The NSCP found that 72 percent of compliance professionals are concerned that regulators have expanded the role of compliance officers and the scope of their responsibilities in order to impose personal liability. 70 percent of them believe that the overall compliance function at their firms is under-resourced.

The NSCP found that CCOs are concerned that personal liability might be imposed in the following situations:

• Compliance acted negligently rather than recklessly (53 percent);
• Compliance relied on inaccurate data from another employee (66 percent); and
• Compliance did not participate in the violations caused by the firm or other executives (63 percent).

According to the NSCP, 35 percent of CCOs reported that they were given insufficient resources to conduct compliance training. Twenty percent responded that they had insufficient authority to develop and enforce compliance policies and procedures at their firms. NSCP learned that 25 percent of those surveyed were unable to address compliance-related weaknesses and could not report their concerns to senior management.

How the NSCP Framework would protect CCOs

To evaluate the issue of CCO liability, the NSCP proposed that regulators should consider the following nine questions when a compliance failure appears to have occurred. Answering “yes” to any of those nine questions mitigates against CCO liability:

1. Did the CCO have nominal rather than actual responsibility, ability, or authority to impact the violative conduct?
2. Was there insufficient support for compliance from the firm’s leadership, such as insufficient resources, for the CCO to impact the violative conduct?
3. Did the CCO escalate the issue or violative conduct to the firm’s management through a risk assessment, annual review, CEO certification meeting/report, or some other means?
4. Did the firm’s management fail to respond appropriately after becoming aware of the issue from the CCO or in some other fashion?
5. If the firm made misstatements or omitted material information, did the CCO have nominal rather than actual responsibility, ability, or authority for reviewing or verifying that information?
6. Was the firm’s leadership given the opportunity to review and accept the policies and procedures?
7. Did the CCO consult with in-house or outside counsel and/or securities compliance consultants and did he or she adhere to the advice provided?
8. Did the CCO otherwise act to prevent, mitigate, and/or address the issue?
9. Did the CCO reasonably rely on information from others in the firm or firm systems?

The NSCP’s position is that CCOs’ responses to these questions provide a framework for examination and enforcement teams to use to properly evaluate CCO liability.

The NSCP Framework proposes the following:

• Firms of all sizes and structures should empower their CCOs with full responsibility, ability, and authority to develop, implement, and enforce appropriate policies and procedures. In addition, the leaders of firms should continually evaluate whether their compliance program has been provided with sufficient resources to support a robust compliance function.
• Regulatory examination and enforcement teams should have an appropriate foundation to evaluate compliance failures identified during their exams or investigations. Their evaluations should determine whether those failures rise to the level where an enforcement action against the CCO is necessary.
• CCOs should be given clear direction on their role and authority to manage compliance programs.

The firm’s leadership should agree to the CCO’s role and authority.

Imposing personal liability on CCOs impacts the culture of compliance

The NSCP Framework will not totally eliminate the risk of personal liability. Furthermore, the framework is not intended to protect legal and compliance personnel who have affirmatively participated in the misconduct or misled regulators. There will still be consequences for CCOs who clearly owe a duty to implement compliance programs or policies and fail entirely to carry out that responsibility. Clearly, the NSCP Framework is unlikely to help CCOs who have obstructed a compliance investigation.

Imposing personal liability on CCOs who have not engaged in misconduct or obstruction shifts responsibility from business line personnel and management to the CCO. The NSCP concluded that this shifting of responsibility could erode a firm’s culture of compliance and promote indifference among business line employees and management who will be less likely to follow the rules.

If CCOs are held responsible for compliance failures, they will ultimately take the blame for deficiencies instead of the firm’s leadership who failed to empower them. Many compliance departments are still viewed as cost centers and do not receive adequate support, resources, or authority from their firm to address compliance-related weaknesses in the appropriate manner.

Conclusion

The NSCP Framework can help to ensure that compliance personnel are given the tools and resources they need to do their job effectively without fear of unwarranted repercussions. If dedicated, competent, and conscientious CCOs face the prospect of being held liable for compliance failures, they are likely to forego a career in compliance. The loss of these talented CCOs may ultimately lead to a reduction in investor protection.

In addition to utilizing the NSCP Framework, most CCOs will have less anxiety about being held personally liable for compliance mistakes if they are assisted by an outside compliance consulting firm like ACA. If CCOs consult with and follow the advice of an outside securities compliance consultant, regulators are less likely to find material violations in their compliance programs. In addition, engaging a well-regarded consulting firm can enable CCOs to strengthen their own skillset, improve training, and draw from a deep bench of compliance professionals without adding to their company’s headcount. Furthermore, CCOs will not have to worry about hiring personnel with years of compliance experience, nor will they need to be concerned about turnover risk. CCOs have enough on their plate to worry about without dealing with those issues.