It’s all about context. That’s one key factor a group of financial service compliance professionals wants the US Securities and Exchange Commission and Financial Industry Regulatory Authority to consider when holding a chief compliance officer personally liable for the wrongdoing of his or her company’s employees.
The recommendation of the National Society of Compliance Professionals (NSCP), the largest group of buy-side compliance managers, goes a step further than the New York Bar Association’s framework issued in June 2021. As a rule of thumb, the SEC looks at whether compliance officers were negligent in their responsibilities when deciding to fine them, but that litmus test leaves too many CCOs vulnerable to regulatory penalties. A committee of the New York Bar Association suggested that the standard for personal liability be raised to reckless. While agreeing with the New York Bar Association, the NSCP also wants regulators to consider the resources of the CCO. A framework based solely on the personal actions of the CCO isn’t enough, says the NSCP, citing its recent survey showing that seventy percent of respondents are worried about being “underresourced” and that 35 percent are concerned they don’t have the resources to conduct compliance training. Hence, there is a need for an additional factor to complement the NYBA’s recommendations: the compliance department’s overall strength.
The issue of sufficient resources is one of several the NSCP proposes that the SEC and FINRA consider before holding a CCO personally liable. A yes response to the questions posed in the framework suggested by the group of compliance professionals could help the CCO mitigate the potential for regulatory penalties. “Resources include staff and technology,” Genna Garver, a partner at the law firm of Troutman Pepper in New York, tells FinOps Report. “We want to make sure the regulator’s exam team understands the challenges faced by the CCO.” The SEC and FINRA, say compliance managers, need to know whether the CCO’s hands were constrained by the chief executive officer and other C-level officials who wanted to cut corners financially or wanted to overlook the potential wrongdoing of rogue employees because they bolstered the firm’s bottom line.
The NSCP’s recommendations are timely. Faced with growing expenses due to remote working, financial firms are starting to cut back on compliance budgets or keeping them flat, according to Wall Street compliance managers. Six of the ten compliance officers who spoke with FinOps Report say that they have been asked to reduce their budgets, while four were told they will not receive any increase. CEOs reason that if their firms have not been penalized by the SEC, FINRA, or other regulatory agency, there is no need to add staff or technology. Their reluctance to support their CCOs often leaves CCOs with two alternatives: either quit, or remain with the firm and document the refusal to adjust the compliance budget.
With proof in hand, one would think that the CCO couldn’t possibly be penalized by the SEC. Not exactly, according to the NSCP. “CCOs do not have any comfort to know whether their best efforts have been good enough,” says Garver, who specializes in investment management regulations. “There have been instances where CCOs were still fined even though they documented their circumstances. Compliance policies can be reasonably designed but the current standard of negligence is rather low.” “Rather than face personal liability, the CCO might decide to protect himself or herself and work for another firm where he or she will have the necessary resources,” says Jane Shahmanesh, managing director of Adherence LLC, a New York-based regulatory compliance firm focused on the financial services industry. She approves of the NSCP’s recommendations as helping to ensure that Wall Street attracts the most qualified candidates as CCOs.
Resigning isn’t a decision to be made lightly. “The very tension between asking a compliance officer to do the right thing or be held personally liable seems sensible, but the cost of doing the right thing may be personally and professionally devastating,” says Bill Singer, a New York attorney specializing in broker-dealer regulations. “Being asked to fall on the sword comes at the expense of income, supporting families, or being blacklisted.” The fact that personal liability for CCOs even exists, says Singer, indicates that regulators aren’t doing their jobs correctly. “In-house compliance departments will never, ever prove competent to discharge their supervisory mandate if they are understaffed, underpaid and subject to oversight by C-suiters whose income may depend on loose regulatory standards and easygoing compliance oversight,” he says. “There is no political will at the SEC to force Wall Street to develop truly independent, empowered compliance departments.” Singer is just as critical about FINRA, whose board of governors, he believes, is too lackluster to clean up its own house and its member firms.
Given there is unlikely to be any change in the status quo any time soon, compliance managers could try to use the NSCP’s guidelines as leverage in bargaining with the C-level suite and hope for the best in winning approval for a reasonable compliance budget. Todd Cipperman, managing principal for Wayne, Pennsylvania-based Cipperman Compliance Services, a regulatory compliance consultancy specializing in investment management firms, suggests that CCOs should ask for a budget representing no more than five percent of a firm’s total revenues. “Some firms should spend more and some should spend less, but a baseline will at least get the CCO, the C-suite and regulators on the same page,” he writes, citing recent industry studies and his firm’s empirical evidence to bolster his stance.
However, the consensus among compliance managers and other experts contacted by FinOps Report is that relying on any random figure to set a compliance budget is ineffective. “Financial firms should hire qualified CCOs to do a needs analysis based on the risk of the business units involved,” says Christopher DiTata, vice president and general counsel for RIA in a Box, a New York-based technology and consulting firm specializing in compliance services for registered investment advisers. “Firms which have compliance managers with lengthy tenures will also likely need lower budgets than those who have a higher turnover of managers.” The reason: outside consultants may need to be brought to the table and additional technology purchased. Recently purchased by compliance technology and employee monitoring software giant ComplySci, RIA in a Box offers guidance on how to structure compliance departments and software to implement policies and procedures, archive firm communications and run an overall compliance program.
Hiring an outsourced CCO might reduce the compliance budget, but the financial firm will still be on the hook for any violations of securities laws and the outsourced CCO could be indemnified. The firm’s regulatory risk could grow exponentially depending on how much oversight the CCO is given. “The outsourced CEO is typically detached from a firm and might not have the proper authority to do his or her job,” cautions DiTata. Out of sight, out of mind will be the mantra of company employees.
The number of cases where regulators have found CCOs personally liable remains limited, but CCOs are worried nonetheless. If regulators don’t find a way to ease the concerns of CCOs, investors will ultimately face the risk that more qualified CCOs will exit the market in favor of less qualified ones. For now, the NSCP is hopeful that at least its framework will give CEOs and CCOs a meaningful platform from which to build an effective compliance department that will give the C-suite and investors some peace of mind.