New York City Bar Association Releases Report on CCO Liability: Four Recommendations for Regulators

by Pat Campbell, Adam Felsenthal, Scott Gluck, Pat Nicholson, Marc Tobak, and Michael McMaster

At every financial firm subject to the relevant regulatory regimes, there is at least one person serving as Chief Compliance Officer (CCO) charged with creating and enforcing a compliance manual and ensuring that the firm complies with its legal and regulatory obligations.  The functions CCOs serve ultimately protect investors.  At large institutions, there can be hundreds or even thousands of people involved in compliance efforts.  However, in recent years, these essential gatekeepers have faced increased regulatory focus on holding them personally liable for institutional failures, often arising out of assessments made in hindsight regarding what compliance officers or programs ought to have detected or prevented. 

The Compliance Committee of the New York City Bar Association recently issued a report (the “Report”) detailing its concerns about compliance officer liability and calling on regulators to provide limitations and guidance on when a compliance officer should be charged.[1]  The concerns in the Report are summarized below.

Concerns Regarding CCO Liability

Over the past few years, agencies that regulate the financial sector, such as the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC), have chosen to bring enforcement actions against CCOs at financial firms, alleging that they personally violated securities laws or regulations or that they “caused” their firms to violate these laws or regulations.  While the Report expresses no sympathy for bad actors, including those that are involved in fraud or obstructing regulators, it expresses concern that certain of these cases appear to involve compliance officers who have in good faith attempted to ensure compliance and/or remediate noncompliance. [2]   

In the absence of more explanation of the facts of these cases or guidance about the circumstances that led to the enforcement decision, these cases appear to be classic “prosecution by hindsight.”  They also appear to fail to take into account the unique structural obstacles compliance officers face.  Compliance officers are required to make decisions with limited guidance in real time on how complex transactions should comply with complex regulatory regimes.  Recent regulatory directives have imposed greater duties and requirements on compliance officers, including having to police areas such as privacy and cybersecurity that have not traditionally been within the purview of a compliance officer.  Despite these greater requirements, compliance officers frequently do not have the ability to unilaterally effect change in their firms.  Rather, they depend on the firm’s businesspeople to implement initiatives designed to ensure that compliance directives are followed. 

Without greater guidance, compliance officers are increasingly hesitant and worried that, if regulators later disagree with their judgment, their careers may be ruined, or, at best, they will be financially harmed by having to defend themselves against costly government investigations.  In many cases, compliance officers are leaving the profession for less risky ones.   

For their part, regulators have attempted to make clear that they are not “targeting” compliance officers.  In a 2015 speech providing some guidance on the topic, then-Director of the Division of Enforcement of the SEC Andrew Ceresney stated that a compliance officer can be charged if, among other things, he or she has exhibited “wholesale failure” to carry out his or her responsibilities.[3]  In its approval of sanctions imposed on former CCO Thaddeus North, the SEC stated that “disciplinary action against individuals generally should not be based on an isolated circumstance where a COO, using good faith judgment makes a decision, after reasonable inquiry, that with hindsight, proves to be problematic.”[4]  However, this standard has not been clearly distinguished from operational failures or missteps that fall short of a “wholesale failure” to discharge duties.  The SEC and FINRA in recent years have, to their credit, attempted to comfort the compliance community in recent public statements, but prior enforcement actions remain a concern, SEC and FINRA leaders come and go, and enforcement priorities change.  More formal, longer-lasting steps must be taken to restore the compliance community’s confidence and trust.

Recommendations for Regulatory Agencies

As a result, the Report calls on regulatory agencies to implement several recommendations.  First, regulatory agencies should provide formal guidance on what factors would lead them to consider or reject a case of compliance officer liability, including factors such as whether the compliance officer acted in good faith, and whether structure or resource challenges hindered the compliance officer’s performance.  Second, agencies can use existing methods of communication, such as FAQs, other informal guidance documents, or settled prosecutions, to explain more fully the circumstances in which an enforcement action against a compliance officer is necessary.  Third, regulatory agencies and compliance officers should have an ongoing, meaningful and informal method of communicating before the fact, to help compliance officers more easily make decisions.  In this regard, we applaud OCIE for highlighting in its 2020 examination priorities the “Importance of Compliance” and need for C-level executives at registered firms to provide the compliance function at their firms with sufficient resources and to make clear to all employees of the firm via a “tone from the top” that compliance is important.  Fourth, the regulators should set up a formal advisory board with leaders in the compliance community to discuss issues of mutual concern.  In summary, compliance officer liability should be considered only with significant deliberation.

Conclusion

These reasonable recommendations do not require fundamental regulatory or legislative reform and would be meaningful to the compliance community.  With the adoption of some important steps, regulatory agencies, the compliance community, and the investing public can continue working together to achieve the mutual goals of regulatory compliance and fair and efficient capital markets.

Footnotes

[1] The report, titled “Chief Compliance Officer Liability in the Financial Sector,” was published in February 2020 by the New York City Bar Association (NYCBA), in partnership with American Investment Council (AIC), Association for Corporate Growth (ACG), and the Securities Industry and Financial Markets Association (SIFMA).  James H.R. Windels and Marc Tobak of Davis Polk & Wardwell participated in drafting the report.  The report is available at https://www.nycbar.org/member-and-career-services/committees/reports-listing/reports/detail/chief-compliance-officer-liability-in-the-financial-sector.

[2] See, e.g., Report at 10 (discussing how the SEC alleged in BlackRock Advisors LLC, Investment Advisers Act Release No. 4065 that the CCO did engage in a legal and compliance review of the conflict of interest at issue but was still found to have “caused” a violation of the Investment Company Act).

[3] 2015 National Society of Compliance Professionals, National Conference: Keynote Address Andrew Ceresney, Dir., Div. of Enforcement (Nov. 4, 2015), available at https://www.sec.gov/news/speech/keynote-address-2015-national-society-compliance-prof-cereseney.html.

[4] Thaddeus J. North, Exchange Act Release No. 84500, 2018 WL 5433114, at *9 (Oct. 29, 2018).

Pat Campbell is a partner at BakerHostetler and Chair of the New York City Bar Association’s Compliance Committee (the “Compliance Committee”). Adam Felsenthal is Deputy Chief Compliance Officer and Counsel at Great Point Partners, and Secretary of the Compliance Committee. Scott Gluck is a partner at Duane Morris and a Member of the Compliance Committee. Pat Nicholson is Chief Compliance Officer at S&P Global Ratings and a Member of the Compliance Committee. Marc Tobak is counsel at Davis Polk & Wardwell and a Member of the Compliance Committee. Michael McMaster is a Member of the Compliance Committee.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.