Navigating CCO liability risks: Tips for staying out of the SEC's crosshairs

Fizza Khan

Fizza Khan

Fizza Khan (fkhan@silverreg.com) is CEO of Silver Regulatory Associates in New York, New York, USA.
Jessica Thayer

Jessica Thayer

Jessica Thayer (jthayer@starshep.com) is Senior Vice President at Starkweather & Shepley Insurance in Westwood, Massachusetts, USA.
10 minute read

By Fizza Khan and Jessica Thayer

The issue of chief compliance officer (CCO) liability has long been debated; it has become a grave concern for CCOs, CEOs, and other C-suite executives who put on “too many hats” within an organization and take on the firm’s compliance responsibilities. In fact, according to a survey completed by the Wall Street Journal in 2022 (Figure 1), the risk of regulatory scrutiny increased for compliance officers last year by 72%, with cybersecurity topping the charts for the greatest risk (86% increase in 2022) followed by privacy issues (73% increase).[1]

Figure 1: Risk types according to a Wall Street Journey survey[2]

This comes at a time when regulatory bodies continue to crack down on these types of issues. According to the Financial Industry Regulatory Authority (FINRA), CCOs were charged “in 28 cases out of about 440 FINRA disciplinary actions between 2018 and 2021 that involved supervisory failures under Rule 3110. . . In 18 of the 28 cases, the compliance chief also was the chief executive officer or president of the firm, a role that held supervisory responsibilities, and in the remaining 10 cases, the compliance chiefs held specific supervisory responsibilities given by the firm that they failed to perform.”[3]

As regulators work to formalize guidance for CCOs on the scope of their responsibilities and limitations around personal liability, now might be a good time for firms to better understand the extent of individual liability for compliance officers when determining potential compliance failures.

Understanding and defining CCO liability

CCO liability refers to the legal and financial consequences CCOs may face if their firm fails to comply with applicable laws, regulations, or industry standards. CCOs can be held liable for compliance failures in several ways, including:

  • Criminal liability: CCOs can be charged with criminal offenses if they are found to have participated in or facilitated unlawful activities within their organizations.

  • Civil liability: CCOs can be sued by employees, investors, or other stakeholders if they suffer damages as a result of the firm’s noncompliance. CCOs can also face regulatory enforcement actions by government agencies, resulting in fines, penalties, and other sanctions.

  • Reputation risk: Compliance failures can damage a firm’s reputation, which can also affect the CCO’s personal and professional reputation.

In looking at the regulatory landscape, CCOs operate in a complex and rapidly evolving regulatory environment, where laws and regulations can change quickly and without warning. It is essential for CCOs to stay informed of the latest regulatory developments and understand how they affect their organization’s compliance obligations.

At the federal level, the U.S. Securities and Exchange Commission (SEC) issued guidance on CCO liability under Rule 206(4)-7 of the Investment Advisers Act of 1940, as amended (the Advisers Act), which requires investment advisers to adopt and implement “written policies and procedures that [are] reasonably designed to prevent violations of the Advisers Act.”[4] However, Rule 206(4)-7 does not specify which elements investment advisers must include in their policies and procedures to meet this requirement.[5] Therefore, CCOs must be empowered with the necessary resources and authority to carry out their responsibilities effectively. In addition, the SEC has stated that CCOs can be held liable for failing to supervise compliance personnel or for making false or misleading statements to regulators. Overall, Rule 206(4)-7 is a wide-ranging regulation that lacks practical guidance for CCOs regarding its application.

At the state level, CCOs must navigate a patchwork of laws and regulations that vary from jurisdiction to jurisdiction. For example, in California, CCOs can be held liable under the state’s Unfair Competition Law for participating in or approving unfair or fraudulent business practices.[6]

Beyond the regulatory landscape, CCOs must also be aware of the growing trend of shareholder activism, where investors use lawsuits and other legal actions to hold corporate officers and directors accountable for alleged breaches of fiduciary duty.[7] CCOs can be named as defendants in these lawsuits if they are deemed to have played a role in the alleged misconduct.

This document is only available to members. Please log in or become a member.
Become a Member Login
 

What to read next...

ESG and securities litigation: An increased focus on allegations of "greenwashing"


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings