Chief compliance officers need a new operating model, not a new legal framework, to avoid being personally penalized unfairly by the US Securities and Exchange Commission for regulatory infractions, say some legal experts.
The New York City Bar Association’s recent framework suggesting that the SEC be more understanding of the challenges faced by chief compliance officers is a good start, but not the solution. The recommendations only protect CCOs rather than solve the core structural problem. A far better idea would be for CCOs to be given independent rein over a company’s compliance systems through a new governance structure. CCOs shouldn’t have to report to the chief risk officer, chief legal officer or even the chief executive officer, as many do.
“The current in-house compliance system is an outdated relic in which low-paid compliance staff are frequently asked to butt heads with top revenue producers or traders, and that tends to go badly,” explains Bill Singer, a New York attorney focused on securities laws for broker-dealers. “It would seem that a sounder, more prudent approach would be to separate compliance from the in-house payroll and create a corporation of professionals, akin to certified public accountants who would be hired by Wall Street firms to audit and oversee the firm’s compliance protocol.” As long as compliance officers are paid corporate animals, there will be powerful conflicts that will impede their making the right decisions, he believes. Small registered investment advisers already rely on outsourced CCOs and must report they do so on Form ADV, which some legal experts say puts them under greater regulatory scrutiny.
“I think there should be more emphasis on strengthening the role of CCOs so that CCOs are not put in a position where they are covering up wrongdoing, such as fraud, rather than halting it,” says Jason Zuckerman, an attorney with Zuckerman Law in Washington DC representing whistleblowers. “CCOs should report to the Audit Committee and have a degree of independence. If a CCO is reporting only to the legal department, the legal department can steer the CCO’s findings to a position that aligns with the company’s defense strategy. While the role of the CCO is to find weaknesses and prevent wrongdoing, the role of the chief legal officer is to protect and defend the firm. Hence, there is an inherent conflict of interest. By contrast, the Audit Committee’s interests align with the CCO in mitigating regulatory risk. Only broker-dealers typically have audit committees. Rule 206(4)-7 of the Investment Advisers Act of 1940 requires registered investment advisers to conduct an annual review of compliance, typically done by the CCO, who must report any material findings to senior management.
CCOs at Wall Street firms have become worried over the past few years about enforcement actions brought by the SEC for alleged dereliction of their duties under federal securities laws. A recent survey conducted by the National Society of Compliance Professionals (NSCP) shows that about 66 percent of 230 respondents were very worried about personal liability even when acting in good faith, while 63 percent were very worried they would be whammed by the SEC for wrongdoings of the company or another employee. The Regulation Advisory Committee of the NSCP will soon follow the NYCBA in releasing its own framework for when the SEC should hold CCOs personally liable.
In 2015, the NSCP requested that the SEC adopt the standard of aiding and abetting to determine when a CCO should be personally fined instead of the standard of negligence. Doing otherwise misses the practicalities of how CCOs work in notifying management of a regulatory violation. “The compliance manager may after the fact detect a violation,” writes Lisa Crossley, chief executive of the NSCP, in her organization’s letter to the SEC’s enforcement division. “However, he or she in doing so did not play a role in its execution.” Genna Garver, a partner in the investment management practice at the law firm of Troutman Pepper in New York and a member of the NSCP’s Regulatory Advisory Committee, cites the SEC’s new “marketing rule” for registered investment advisers as heightening the potential liability for CCOs. “The amendments to the rules on reporting advertisements and solicitations under the Investment Advisers Act replace prescriptive elements with a principles-based approach, leaving CCOs susceptible to a subjective and after the fact assessment by the SEC of whether their firms’ policies and procedures were reasonably designed for the new marketing rule,” she says. In the NSCP’s February 2020 comment letter to the SEC, Crossley called on the SEC to clarify that barring extreme circumstances the ultimate responsibility for complying with the new “marketing rule” rests with the investment adviser and not the CCO. In its final adoption of the rule the SEC did not make that clarification.
Financial penalties imposed on CCOs come with the effective end of a career. Anti-money laundering compliance directors appear to have the greatest cause for concern with more stringent AML regulations and more corporate resistance to spending additional money to add staff or new technology. “Chief compliance officers are spread thin trying to keep up with new regulations and increased AML risks in the wake of Congress enacting the Anti-Money Laundering Act of 2020,” says Zuckerman. “The Biden administration also issued an anti-corruption directive to federal agencies to prioritize efforts to combat corruption including money laundering.” The directive, he adds, spells a more aggressive approach to enforcement than under the Trump administration. The Anti-Money Laundering Act, comprised of 56 sections, represents one of the most significant changes to the cornerstone Bank Secrecy Act in codifying the risk-based approach to AML compliance, expanding the enforcement abilities of the US Department of Treasury’s Financial Crimes Enforcement Network and incentivizing AML whistleblowers.
The NYCBA’s new framework, created in conjunction with the Securities Industry and Financial Markets Association, the American Investment Council, and the Association for Corporate Growth, builds on its February 2020 analysis which says that CCOs face unnecessary risks that undermine their effectiveness. To support its recommendations the NYCBA points to public comments made by SEC officials, such as Commissioner Hester Peirce. In an October 2020 speech before the NSCP, she said that a framework detailing what circumstances should cause the SEC to determine personal liability would help both CCOs and the SEC. The new framework asks regulators to evaluate the actions of CCOs through the lens of twelve affirmative actions and three mitigating factors. The dozen affirmative factors include whether the CCO made a good faith effort to fulfill his or her responsibilities; whether the action or inaction of a CCO constituted a wholesale failure or active participation in fraud or obstruction and whether the wholesale failure persisted over time without being corrected by the CCO. The three mitigating factors include whether there were structural or resource challenges that hindered the CCO’s performance; whether the CCO voluntarily disclosed the violation and actively cooperated with regulators; and what policies and procedures were subsequently implemented.
The NYCBA’s position is that if one of the main goals of enforcement action is deterrence, laying a CCO conduct charge doesn’t accomplish that goal. The law makes CCOs personally responsible for their firm adhering to securities laws when whether a law is broken or not is often “determined by other human beings whom the CCO cannot control.” CCOs don’t have special anti-retaliation protections, have to make yes or no decisions in real time often with limited information, yet they can be held personally liable for illegal acts committed by others. Placing CCOs on the firing line makes it more likely they will leave in-house positions at financial service firms to become compliance consultants, which have less personal risk. Furthermore, CCOs could decide to withdraw from deep involvement in the firm. “Given the special role that CCOs play and the compliance community’s legitimate concerns, we believe that instituting a framework of nonbinding factors will provide the compliance community with the guidance it needs balanced against regulators’ need for ultimate discretion,” says the NYCBA’s framework written by its compliance committee. The committee is chaired by Patrick Campbell, a partner at the law firm of BakerHostetler in New York.
The SEC has not said whether it would follow the NYCBA’s framework, but regulatory compliance consultants say that CCOs should still be proactive in mitigating personal liability. Zuckerman suggests that CCOs develop a strong compliance program, which includes conducting a thorough investigation of any wrongdoing and documenting their remediation steps. “It is also important to create a culture that encourages employees to step forward,” he says. “I have often seen compliance programs that appear to include the bells and whistles on the surface, but are ineffective because employees fear reprisal if they speak up. When a senior manager has a history of intimidating or bullying employees that express any dissent, the CCO should take steps to fix the broken culture in that division or business unit.”
Regulators rarely personally fine CCOs unless they have egregiously missed the mark doing their jobs. “However, it is still a good idea for CCOs to follow through on the policies and procedures listed in their compliance manual and to fix any deficiencies the SEC or Financial Industry Regulatory Authority finds during exams,” says attorney Jane Shahmanesh, managing partner at Adherence LLC, a New York based regulatory compliance and operations consultancy which offers outsourced CCO services. Of course, that means that CCOs should verify their firms will give them the necessary resources to do the job. “They need to make sure senior management takes a holistic approach to a firm’s compliance setting the tone at the top and providing the compliance department with adequate resources to manage the firm’s risks,” says Garver. “CCOs also need adequate guidance from the SEC on interpreting its rules so they won’t have to worry about being second guessed when they do a good job.”
Shahmanesh recommends that CCOs be included in director and officer insurance. “Existing insurance policies may be insufficient to protect CCOs so they should consider extra insurance that sits above a directors and officers liability policy specifically for CCO liability,” says Garver, who also chairs the NSCP’s ad-hoc comment letter committee. D&O liability insurance protects the personal assets of directors and officers, and their spouses, in the event they are personally sued by employees, investors, customers, vendors and others. It can also cover legal fees and costs.
AML compliance directors, in particular, should do their best to convince senior management to pay for the necessary staff and technology to detect any violations of the Bank Secrecy Act and take steps to correct any shortcomings, says Zuckerman. If a firm decides not to file a suspicious activity report for fear of potentially losing a high revenue generating client, the CCO should continue to escalate the issue up the chain and document his or her findings. “It is important for the CCO to show what steps he or she took to rectify the situation,” he says. The Bank Secrecy Act requires financial firms to file SARs to FinCEN if they have any inkling of possible illegal business activity.
What should CCOs do if they can’t fix any regulatory deficiencies? “In my practice, I have seen effective CCOs suffer retaliation,” says Zuckerman. “Fortunately the whistleblower protection provisions in the recently enacted Anti-Money Laundering Act and the Sarbanes Oxley Act protect CCOs.” Still, if all else fails, it might be time to throw in the towel, say some legal experts. “The buck ultimately stops with the CCO and if the other C-level executives won’t listen it might be a good time for the CCO to look for another job,” says Shahmanesh.
While the NYCBA’s framework suggests that the SEC should give CCOs a break for mitigating circumstances, there is no guarantee it will do so and without complete independence CCOs will remain vulnerable to being the fall guys for corporate wrongdoing or not speak up at all. “Many firms seek out pliable and vulnerable individuals to take on the role of CCO,” says Singer. “Wall Street is too disposed to a John the Baptist approach to regulation whereby the head of a CCO is offered up as a trophy to regulators when all blame is placed on that individual. After professional decapitation is performed, everyone else winks, smiles and goes on.”