CCO Liability: Do you have a target on your back?
When the SEC set out to require registered investment advisers to implement a compliance program and designate a chief compliance officer, did they hope to have a scape goat to target for a firm’s compliance failures? We don’t think that was the regulators’ intention, but that is how many CCOs feel these days. Some professionals have steered away from the titled CCO role out of fear of personal liability for a firm’s compliance failures.
The reality is that though there have been enforcement cases against CCOs, the SEC treads carefully when including a CCO on such an action. When the Compliance Program Rule was implemented over 17 years ago, the requirement was that the CCO needed to have sufficient knowledge and authority to administering written policies and procedures that are reasonably designed to prevent violation of the Act and the rules that the Commission has adopted under the Act.[1] Additionally, the SEC wanted the CCO to be empowered to enforce the firm’s policies. Thus, it is expected by regulators that the CCO be in a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.
When evaluating the three broad categories of cases where the SEC has charged Chief Compliance Officers, instances where the CCO exhibited negligent conduct by failing to carry out his or her responsibilities tend to be the trigger for anxiety amongst most compliance professionals. Compliance Departments often have limited resources to work with compared to other departments within a firm and, as a result, the CCO is left juggling a lot of balls. It can be a struggle to stay on top of everything when you are pulled in so many different directions, trying to balance regulatory requirements with business needs. In fact, in a November 2020 Division of Examination Risk Alert, the SEC specifically highlighted this as a deficiency. As noted in the Risk Alert, “OCIE staff observed CCOs who lacked sufficient authority within the adviser to develop and enforce appropriate policies and procedures for the adviser. For example: Advisers that restricted their CCOs from accessing critical compliance information, such as trading exception reports and investment advisory agreements with key clients; Advisers where senior management appeared to have limited interaction with their CCOs, which led to CCOs having limited knowledge about the firm’s leadership, strategy, transactions, and business operations, and Instances where CCOs were not consulted by senior management and employees of the adviser regarding matters that had potential compliance implications[2].”
But do not fret! There are a number of steps you can take to help mitigate the liability that comes along with the role of Chief Compliance Officer:
- Make sure you are covered under your firm’s D&O insurance policy.
Review your firm’s policy and ensure the role of Chief Compliance Officer qualifies as an officer of the company and that regulatory investigations and proceedings are covered under the policy. Also, assess whether the amount of coverage available to you is appropriate. Some insurance providers now offer supplemental policies for CCOs to address coverage gaps. The key is to make sure you have a thorough understanding of the coverage and have identified any potential gaps so you can determine whether you will need additional coverage.
- Be able to show regulators that you have sufficient knowledge and authority at the firm.
So how can you evidence your authority at the firm? Stay up-to-date on new rules, regulations and best practices. Have a forum for communicating regulatory updates with other members of senior management, such as a Compliance or Risk Committee. Join compliance organizations and have your firm join industry associations. Consider obtaining a compliance designation, such as the CSCP offered by the National Society of Compliance Professionals. These are all steps you can take to show regulators your personal commitment to compliance and that you have sufficient knowledge to be in the role of CCO.
When it comes to having sufficient authority at the firm, getting buy-in from the business leaders is going to be key. Many CCOs work at firms where executive management understands that a good Compliance Office can add value to the business; however, that is not the case at all firms. If you are in a situation where you find it to be a struggle to get that buy-in from the executives at your firm, try partnering with them. Take a business-friendly approach to the role and try to present solutions to compliance issues and new rules to show the leaders at your firm that you are there to help the business. Engaging executive management in the process can go really far with building trust and getting invited to important business meetings.
- Delegate compliance to other members of senior management and other departments.
It’s important for other business leaders and really everyone in your organization to understand that compliance is not just the CCO’s obligation, it’s the entire firm’s obligation. Do not take on all compliance responsibilities at the firm! Take a look at the firm’s policies and procedures and think about how you can delegate and get other departments more involved in compliance, so the burden doesn’t just fall on you.
- Get a fresh set of eyes on your compliance program.
Engage a firm to conduct an independent review of your compliance program to help find any gaps. Having someone, other than a regulator, with knowledge of the regulatory requirements review your compliance program allows you to be proactive rather than reactive. An independent review can also provide an additional layer of oversight and provide support for you to get buy-in from management to make necessary changes to the organization. Some insurance carriers also offer significant discounts to Advisers for getting a mock- SEC or risk assessment performed. Ask your insurance carrier if they offer such a discounted program!
- Promptly remediate issues detected at the firm.
When issues are detected, have a remediation action plan and track the progress the firm is making on addressing any issues or gaps. This can go far in showing regulators that the firm has a process in place to identify and mitigate risks and compliance violations at the firm. Also, consider tracking violations and identified deficiencies for patterns of non-compliance so you can evaluate whether any changes need to be made to the firm’s procedures or internal controls.
- Utilize technology to help evidence Compliance oversight and supervision and steps you take as a CCO to detect and correct issues.
Whether it is for trade surveillance, oversight of portfolio management, or supervising personal trading, there are a lot of tools available to help CCOs evidence that the firm has controls in place to mitigate violations.
- Implement a “CYA protocol” when needed.
It’s important that executive management understand the liability concerns that CCOs face because there’s going to be times when the CCO and business don’t see eye-to-eye. Have a direct conversation with upper management so they understand that if the business does not take your compliance recommendations and it results in an issue, it could create some liability for you as the CCO. Also, document your concerns and recommendations to the firm. You can do this confidentially, and in certain situations it may be appropriate to do so under attorney client privilege.
It’s encouraging that we’re seeing recognition by the SEC that CCOs are on the front lines and an understanding of the challenges they face. We hope to see more support on that front from the new Chair of the SEC.
[1] https://www.sec.gov/rules/final/ia-2204.htm#:~:text=Under%20rule%20206(4)%2D,any%20of%20its%20supervised%20persons.
[2] https://www.sec.gov/files/Risk%20Alert%20IA%20Compliance%20Programs_0.pdf