personal liability on ccos for regulated industries

Personal liability for CCOs? OS33’s Morley Ivers responds to this valid concern.

In response to the growing concern over the personal liability that falls on the shoulder of compliance professionals, the New York City Bar Association has unveiled a proposed framework to guide the decisions of the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) as to whether to press charges against compliance officers for job-related conduct.

Compliance officers have become increasingly concerned that as they work to fix potential violations, they may increase their own vulnerability to charges related to these same violations. And while the SEC has communicated on this topic through statements, the New York City Bar Association has gone a step farther with written guidance. The Bar’s goal is to provide more clarity around when and under what circumstances a compliance professional can face charges.

The framework provides guidance for regulators via the evaluation of twelve affirmative factors and three mitigating factors that take place when the actions (or inactions) of compliance officers in particular Chief Compliance Officers (CCOs) – are reviewed.

OS33 President, Morley Ivers, provided his thoughts on the implications of the threat of personal liability for professionals in regulated industries. “Currently, in the financial services sector, a CCO can be held personally liable for his or her compliance duties in the workplace. What makes most of us sit up and take notice is that these compliance officers are not only on the hook for decisions they make, but also for the decisions they do not make – meaning they can be held responsible if their firm does not implement the prescriptive protocols or technologies needed to protect the firm and client data.”

“It is interesting to think through what this assumed risk means to the way a CCO should operate. I’d go as far as to say that the head of compliance cannot afford to stand by idly if she is not empowered by the firm to make the needed regulatory and security control process or technology decisions. CCOs must take action; and CCOs must ensure they have access to the needed budget to ensure the firm is fully in compliance, especially in the arena of data security,” Ivers continued.

While the Bar’s framework does answer some questions, additional uncertainties remain:

  • How will regulators determine whether a CCO makes a “good-faith” effort?
  • In instances where obstruction or false statements are discovered, how is it determined whether those actions were repeated?
  • Is the CCO hindered by structural challenges and/or a lack of resources to get the needed work completed?

Ivers shared that the role of the CCO is rapidly evolving.  “For many years, the CCO has been regarded as simply a necessary title within a regulated firm. And until recently, that did not necessarily translate into an empowered CCO holding budget with the ability to invest as needed. But now, especially with personal liability and a cyber environment at an all-time high threat level, that’s all changing.”

Within the system created by the SEC, compliance officers are now – before all others within a firm – placed in a position where they face great risk and a potentially hefty price to pay for non-compliance actions. Whether these actions are by the CCO or anyone else in the organization, it is the compliance officer who will face the repercussions.

This means CCOs must think differently about how they will guide a firm, along with all its employees, toward a compliant future. “I do believe that CCOs will strategically and proactively determine how take needed actions to shore up compliance issues. They must do that to protect themselves at both a personal and professional level. Let’s be blunt: they will likely have a lot of work to do. Cybersecurity issues are on the rise, and this is just one example of what is top of mind for CCOs today. It’s going to take a lot of resources – both money and manpower – to do it correctly,” Ivers concluded.

Leave a Reply

Your email address will not be published. Required fields are marked *