The issue of chief compliance officer (CCO) liability has long been debated; it has become a grave concern for CCOs, CEOs, and other C-suite executives who put on “too many hats” within an organization and take on the firm’s compliance responsibilities. In fact, according to a survey completed by the Wall Street Journal in 2022 (Figure 1), the risk of regulatory scrutiny increased for compliance officers last year by 72%, with cybersecurity topping the charts for the greatest risk (86% increase in 2022) followed by privacy issues (73% increase).
This comes at a time when regulatory bodies continue to crack down on these types of issues. According to the Financial Industry Regulatory Authority (FINRA), CCOs were charged “in 28 cases out of about 440 FINRA disciplinary actions between 2018 and 2021 that involved supervisory failures under Rule 3110. . . In 18 of the 28 cases, the compliance chief also was the chief executive officer or president of the firm, a role that held supervisory responsibilities, and in the remaining 10 cases, the compliance chiefs held specific supervisory responsibilities given by the firm that they failed to perform.”
As regulators work to formalize guidance for CCOs on the scope of their responsibilities and limitations around personal liability, now might be a good time for firms to better understand the extent of individual liability for compliance officers when determining potential compliance failures.
Understanding and defining CCO liability
CCO liability refers to the legal and financial consequences CCOs may face if their firm fails to comply with applicable laws, regulations, or industry standards. CCOs can be held liable for compliance failures in several ways, including:
Criminal liability: CCOs can be charged with criminal offenses if they are found to have participated in or facilitated unlawful activities within their organizations.
Civil liability: CCOs can be sued by employees, investors, or other stakeholders if they suffer damages as a result of the firm’s noncompliance. CCOs can also face regulatory enforcement actions by government agencies, resulting in fines, penalties, and other sanctions.
Reputation risk: Compliance failures can damage a firm’s reputation, which can also affect the CCO’s personal and professional reputation.
In looking at the regulatory landscape, CCOs operate in a complex and rapidly evolving regulatory environment, where laws and regulations can change quickly and without warning. It is essential for CCOs to stay informed of the latest regulatory developments and understand how they affect their organization’s compliance obligations.
At the federal level, the U.S. Securities and Exchange Commission (SEC) issued guidance on CCO liability under Rule 206(4)-7 of the Investment Advisers Act of 1940, as amended (the Advisers Act), which requires investment advisers to adopt and implement “written policies and procedures that [are] reasonably designed to prevent violations of the Advisers Act.” However, Rule 206(4)-7 does not specify which elements investment advisers must include in their policies and procedures to meet this requirement. Therefore, CCOs must be empowered with the necessary resources and authority to carry out their responsibilities effectively. In addition, the SEC has stated that CCOs can be held liable for failing to supervise compliance personnel or for making false or misleading statements to regulators. Overall, Rule 206(4)-7 is a wide-ranging regulation that lacks practical guidance for CCOs regarding its application.
At the state level, CCOs must navigate a patchwork of laws and regulations that vary from jurisdiction to jurisdiction. For example, in California, CCOs can be held liable under the state’s Unfair Competition Law for participating in or approving unfair or fraudulent business practices.
Beyond the regulatory landscape, CCOs must also be aware of the growing trend of shareholder activism, where investors use lawsuits and other legal actions to hold corporate officers and directors accountable for alleged breaches of fiduciary duty. CCOs can be named as defendants in these lawsuits if they are deemed to have played a role in the alleged misconduct.
Key cases that illustrate the potential dangers of CCO liability
All these heightened regulatory components further push the issue of liability to the forefront of concerns among CCOs, as well as other C-suite management, as they look for ways to avoid SEC-imposed enforcement actions. CCOs should be aware of the two most well-known issues, including the Kirkpatrick case and the Gilder Gagnon Howe & Co. (GGHC) matter.
In June 2022, the SEC filed charges against Jeffrey Kirkpatrick, CCO and principal of Hamilton Investment Counsel LLC, alleging he aided and abetted in violating the firm’s compliance rule violations, pursuant to Section 206(4) and Rule 206(4)-7 of the Advisers Act.
Opining on the matter, Commissioner Hester M. Pierce stated “the SEC’s determinations about whether to charge a compliance officer are consequential not only for the particular compliance officer, but more generally for the profession. CCOs play a vital role in ensuring that investment advisers, broker–dealers, and other registered entities comply with the securities laws. A good CCO expertly weaves compliance into all of the firm’s activities. Attracting well-qualified people to the profession is important, and fears of facing liability for someone else’s missteps can dissuade excellent candidates from seeking compliance jobs.”
While in this case, Commissioner Pierce came out in support of the settlement against Kirkpatrick, she reiterated her concerns about the need to impose “a properly calibrated CCO framework” such as that proposed by the Compliance Committee of the New York Bar Association in June 2022, as well as guidelines issued by the National Society of Compliance Professionals in January.
In the GGHC case, the SEC levied a $1.7 million fine against GGHC, a dually registered investment adviser and broker–dealer (also registered with FINRA), for violations of Section 206(4) and Rule 206(4)-7 of the Advisers Act and found that the CCO “willfully aided and abetted GGHC’s violations.”
GGHC failed to meet this requirement despite being previously warned by FINRA that they had not done enough “to establish and enforce an adequate supervisory system as it related to the supervision of trading activity and failed to evidence that it was actively monitoring turnover rate, cost-to-equity ratio, and in-and-out trading.”
This is a perfect example of a CCO being held personally liable for lack of supervision and engaging in fraudulent activities uncovered during a routine SEC examination. In announcing the decision, the SEC personally fined the CCO $45,000 and barred her from the securities industry.
Tips for protecting yourself against CCO liability
The Kirkpatrick and GGHC cases are examples of CCOs explicitly and blatantly not fulfilling their CCO responsibilities. However, most CCOs are conscious of their regulatory obligations and want to do right and respect their CCO roles. Understanding CCO liabilities, the regulatory landscape, and examples of “bad behavior” are the most vital steps in protecting CCOs against potential risks down the line. But with so much on the line for CCOs, particularly those who might be new to the position and lack the experience and knowledge of pitfalls that exist across an organization, there are some best practices that CCOs should follow.
Below are 10 tips to help protect CCOs and keep them out of the crosshairs of regulators:
Avoid too many cooks in the kitchen: Designate one person to be CCO and include that person in business planning and strategy discussions while bringing them in early on decision-making—not simply to “check the box,” but for thoughtful and strategic input and analysis.
Make sure to invest in insurance: CCOs should review their firm’s insurance policies to ensure there is sufficient coverage in the event of a claim and that the CCO is a covered officer of the firm. Errors and omissions (E&O) insurance and directors and officers (D&O) insurance are specialized liability insurance programs designed to protect against business losses not covered by traditional liability insurance. While the former provides protection for any firm representatives, the latter specifically protects D&Os against legal liability. A CCO, as both a firm representative and a senior officer, should be covered by both policies. CCOs should confirm that the firm provides indemnification. In the event the CCO is not a corporate officer, according to the bylaws, indemnification may not be provided, and the CCO would need to be specifically named on the D&O policy to obtain coverage. CCOs should build a relationship with a trusted insurance provider who can provide guidance on these E&O and D&O insurance policies, including assessing potential coverage gaps. Understanding these policies is crucial for the firm and protecting the CCO as an individual from personal liability. Additional dedicated D&O coverage for the CCO may also be available for protection not shared with the firm’s program.
Establish a fail-safe corporate compliance program: This one might seem obvious, but CCOs should create a comprehensive compliance program that outlines the firm’s policies, procedures, and controls for ensuring compliance with applicable laws, regulations, and industry standards. The program should also include a system for monitoring and reporting compliance-related issues. It is imperative to remember that third-party resources, such as regulatory compliance consultancies, are available to partner with CCOs, review compliance programs, and weigh in on areas that need to be tightened up in order to further protect them from CCO liability.
Build a team for scale: Ensure CCOs have the staff and resources available to help them manage and implement effective compliance policies while giving the CCO the authority to manage and supervise the compliance program. CCOs should draw a firm line in the sand in terms of responsibility and employee oversight to ensure the CCO is only responsible for overseeing employees and helping them manage their compliance program; if bad acts are committed by staff that falls outside of the CCOs direct line of supervision, this will help to limit the CCO’s liability.
Conduct periodic firm risk assessments: CCOs should regularly assess their firm’s compliance risks and prioritize their compliance efforts accordingly. This includes identifying areas of the business that are most vulnerable to compliance failures and implementing measures to mitigate those risks.
Ensure employees are well-trained: CCOs should provide regular training and education to employees on the firm’s compliance policies and procedures. This can help ensure that everyone in the organization is aware of their responsibilities and the consequences of noncompliance. Similarly, CCOs themselves should attend continuing education seminars to learn new regulatory updates and industry best practices.
Foster a culture of compliance: CCOs should work to create a culture of compliance within their firm in all aspects of the business. This includes promoting ethical behavior, encouraging employees to speak up about compliance concerns, and ensuring the firm’s leaders are committed to compliance—essentially, creating a culture of compliance by ensuring a “tone from the top.”
Monitor/audit compliance efforts: CCOs should regularly monitor and audit the firm’s compliance efforts to identify any potential issues before they become problems. This includes conducting internal investigations, reviewing compliance reports, and analyzing compliance-related data.
Establish an amicable relationship with regulators: CCOs should establish positive relationships with regulators, especially during routine and for-cause regulatory examinations. This includes cooperating with regulatory investigations and taking corrective actions as needed.
Stay informed on regulatory updates and rule changes: The SEC and other regulatory bodies update existing regulations frequently. These agencies often issue press releases or Risk Alerts to inform the public of proposed rule changes or impending updates to existing rules. CCOs should stay current on changes to laws, regulations, and industry standards that could affect their firm’s compliance efforts. This includes attending industry conferences, subscribing to compliance-related newsletters, and networking with other compliance professionals.
The critical role CCOs play in ensuring their firms comply with a wide range of federal and state laws, regulations, and industry standards simply cannot be overstated. However, with that responsibility comes a significant risk of violating those laws and regulations. CCOs can be held personally liable for any compliance failure, which can lead to significant legal and financial consequences and overall reputational harm for both the firm and the CCO. To manage these risks, CCOs should follow the above best practices to help protect not only their firms but also themselves.
As regulators work to formalize guidance for chief compliance officers (CCOs) on the scope of their responsibilities and limitations around personal liability, now is the time for firms to better understand the extent of individual liability for compliance officers when determining potential compliance failures.
CCO liability can be a complex yet nebulous concept to navigate. Therefore, it’s essential to understand how CCO liability is defined by regulating bodies.
Mitigating the risks of CCO liability hinges on understanding the types of cases out there that triggered regulatory enforcement actions. Therefore, certain top matters elucidating the potential dangers of CCO liability are highlighted.
Understanding CCO liabilities, the regulatory landscape, and examples of “bad behavior” are important steps in protecting CCOs against potential risks, especially with so much on the line for CCOs.
CCOs can be held personally liable for any compliance failure, which can lead to significant legal and financial consequences and overall reputational harm for both the firm and the CCO.