If you want to charge CCOs in ‘wholesale’ compliance failures, parse out level of resources, participation, cooperation, obstruction: NYC Bar Association says in proposed enforcement framework

The Skinny:

  • A powerful legal body in the heart of Gotham has calibrated the elements of individual liability for top compliance leaders in high-profile program failures, a move done to temper the rising fears of a community of professionals responsible for decisions and actions largely out of their control.
  • The New York City Bar Association (NYCBA) Wednesday released a proposed “Framework for Chief Compliance Officer Liability in the Financial Sector,” in a bid to add more transparency, clarity and potentially even leniency when federal regulators deem a compliance breakdown, or “wholesale failure” of a program, should be laid primarily at the feet of the chief compliance officer (CCO).
  • The non-binding framework pushes regulatory watchdogs to weigh 12 affirmative factors – the degree of knowledge and participation for instance – and three mitigating factors, including being hamstrung by a lack of authority or senior management support, the enemy of a “good faith” effort to comply.

By Brian Monroe
bmonroe@acfcs.org
June 4, 2021

A powerful legal body in the heart of Gotham has weighed in on the debate over individual liability for top compliance leaders in high-profile program failures, a move made to temper the rising fears of a community of professionals responsible for decisions and actions largely out of their control.

The New York City Bar Association (NYCBA) Wednesday released a proposed “Framework for Chief Compliance Officer Liability in the Financial Sector,” in a bid to add more transparency, clarity and potentially even leniency when federal regulators deem a compliance breakdown, or “wholesale failure” of a program, should be laid primarily at the feet of the chief compliance officer (CCO).

The non-binding framework pushes regulatory watchdogs to analyze, scrutinize and weigh 12 affirmative factors – the degree of knowledge, participation and extensiveness of failings, for instance – and three mitigating factors, including whether the CCO was hamstrung by a lack of authority or resources, or was blown off by senior management, thwarting a “good faith” effort to comply.

The issue of individual personal liability for CCOs – or even in recent years, anti-money laundering (AML) leaders, general counsels and similar upper echelon risk management and corporate governance bigwigs – while rare, is an incendiary one.

Why?

Those involved, even if later found guilty of a lesser offense, face permanent or lifetime bans, hundreds of thousands of dollars or even millions of dollars in penalties, and the effective end of a career.  

The 13-page missive is a bit of an irony as it is not trying to give more ammunition to the regulators it is trying to influence – chiefly the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (Finra) – by charting out these amorphous gray areas of compliance enforcement.

Conversely, the goal of the association is actually the opposite.

CCOs should be viewed as examiner allies, not regulatory targets

The NYCBA created the framework out of frustration as a potential shield to defend individuals who sit at the nexus of legal, compliance and investigations disciplines.

The tacit argument: CCOs should be viewed as an erstwhile regulatory ally that extends examiner capabilities.

But instead, they can face harsh judgement for a compliance program where the quality, success and eventual conclusions, reports and outputs are mostly out of their hands, crafted, executed and decided on by teams in and out of compliance many levels below – yet they still shoulder the bulk of the blame and liability for egregious missteps.

As potential solutions in the interim before a framework is adopted – regulators have no requirement to do so – the bar association is asking regulators to put more details in CCO enforcement orders and create a regulator-regulated advisory committee to foster and improve ongoing dialogue, a model that could be similar to the Bank Secrecy Act Advisory Group (BSAAG).

The bar association stated that the first, and most important, question in any of these cases is: “Does the CCO Conduct Charge help fulfill the SEC’s regulatory goals?”

The answer, more often than not, will be no, according to the NYCBA.

“One primary goal of enforcement is deterrence, but we believe that CCO Conduct Charges do not meaningfully deter CCOs from future inappropriate conduct,” the report stated, adding that such a sentiment was highlighted by SEC Commissioner Hester Peirce at a conference in October.

“Prosecutorial discretion is fundamental to a regulatory mission, and as Commissioner Peirce noted in her speech on CCO liability, ‘[j]ust because the Commission can do something under our rules does not mean that we should do it.’”

“In many circumstances, we believe that CCO Conduct Charges will fail to advance the interests of protecting the capital markets and investors,” the group said in the report.

“Individual liability will not have the intended effect when imposed on CCOs who reasonably carried out their duties,” a critical caveat as the regulatory standard isn’t perfection, it is one of being “reasonable,” a dangerous, vague and subjective term.

Individual penalties could harm compliance, cause mass CCO exodus

Rather than shocking other CCOs into compliance, the group argues that penalties against these compliance champions could cause a mass exodus of people who truly care about the company, compliance directives and the field.

The result: Leaving only those with less skill, less understanding and less commitment to having skin in the game.

In the same vein, such a crackdown on CCOs honestly trying to do their best – a “reasonable” or “good faith effort” – would irrevocably crack the passion and purpose needed for success in such a stressful and evolving station, prompting professionals to be less involved so examiners would not be able to tie more decisions directly back to them.

The logic: How can I be liable for what I didn’t know, didn’t get involved in directly and didn’t decide on personally?

The report also notes regulators need to have a sense of context when CCOs come on board to a company and be cognizant they can’t know it all, see it all and be responsible for the unknown – even though a person is essentially doing exactly that by becoming the CCO. 

CCOs on the hotseat: How should a company’s top compliance backstop be graded when a failure becomes ‘wholesale?’  

I. AFFIRMATIVE FACTORS

A. General Factor

i. Does the CCO Conduct Charge help fulfill the SEC’s regulatory goals?

B. “Wholesale Failure” Factors

i. Did the CCO not make a good faith effort to fulfill his or her responsibilities?

ii. Did the Wholesale Failure relate to a fundamental or central aspect of a well-run compliance program at the registrant?

iii. Did the Wholesale Failure persist over time and/or did the CCO have multiple opportunities to cure the lapse?

iv. Did the Wholesale Failure relate to a discrete, specified obligation under the securities laws or the compliance program at the registrant?

v. Did the SEC issue rules or guidance on point to the substantive area of compliance to which the Wholesale Failure relates?

vi. Did an aggravating factor add to the seriousness of the CCO’s conduct?

C. Active Participation in Fraud

i. The SEC should demonstrate that the CCO’s conduct “added value” in some way to the fraud committed by the firm or the other individuals charged

D. Obstruction Factors

i. Were the acts of obstruction or false statements repeated?

ii. Was the obstruction denied when confronted or did the CCO not immediately reverse course and cooperate?

iii. Did the obstruction relate to a necessary or highly relevant part of the examination or investigation?

iv. Did evidence show other indicia of intent to deceive or disregard for cooperation with the SEC’s regulatory mission?

II. MITIGATING FACTORS

A. Did structural or resource challenges hinder the CCO’s performance?

B. Did the CCO at issue voluntarily disclose and actively cooperate?

C. Were policies and procedures proposed, enacted or implemented in good faith?

III. OTHER PROPOSALS

A. Increased detail regarding enforcement actions

B. Creation of a Compliance Advisory Committee or other formal ongoing communication mechanism

A look at balancing compliance effectiveness with individual liability, accountability

The CCO enforcement framework builds on a prior NYCBA analysis of individual liability at that lofty level from Feb. 2020, previewing some of the issues that would later be fleshed out and given more sharpness, depth and dimension in the latest framework.

In the earlier report, the bar’s compliance committee concluded compliance liability is not likely to achieve regulatory goals unless certain prerequisites are certified:

  • Did the Compliance Officer Act Willfully or Recklessly?
  • Did the Compliance Officer Fail to Use Good Faith Efforts to Fulfill Duties?
  • Did the Compliance Officer Fail to Carry Out Duties and Responsibilities Clearly Delineated by Relevant Law and Guidance?

But those could be mitigated by:

  • Whether Structural or Resource Challenges Have Hindered the Compliance Officer’s Performance.
  • Whether the Compliance Officer at Issue Voluntarily Disclosed and Cooperated.
  • Whether Effective Policies and Procedures Were in Place.

The group also offered recommendations to lay the groundwork of the incoming foundation of the framework, including:  

  • Formal guidance on exercise of enforcement discretion: What combination of elements, participation, willingness, knowledge and timing put the bullseye on the CCO?
  • Use existing regulatory communications to provide additional guidance: Regulators can use industry alerts, guidance and direct messages to firms to help them understand their individual risks and exposure points.
  • Create new platforms for internal communication: Can regulators coach, or help, securities firms not just to better communicate and share information on potential suspicious activities, a safe harbor under Patriot Act Section 314(b), but also to open the door to talking about compliance program best practices in a safe space?
  • Create compliance advisory groups: As we mentioned above, this is already occurring for banks subject to AML rules with the BSAAG. Can something similar be replicated in the securities field, where SEC and Finra examiners can talk trends, gaps and regulatory focal points – without being at a particular operation’s doorstep, clipboard in hand?

Put the blame where it belongs: from the CCO to the C-suite

While the SEC and Finra adopting a more formalized framework for the elements of a charge against a CCO would be a welcome change, some believe the NYCBA could have gone even further.

In fact, the liability in some cases should be redirected from the CCO to the C-suite and board that overruled the person or disregarded their pleas for change or protestations of potential impropriety – a novel approach that would share blame, rather than making top compliance leaders perennial sacrificial lambs.

How? Here are some thoughts by Eric Young, the former CCO for BNP Paribas:

I propose the following ADDED factors to the NYC Bar’s proposed “factors” of six “wholesale failures” and three “mitigating” ones (helpful for CCO):

  • 1. These factors should not be considered mutually exclusive.
  • For example, a major mitigating factor is “structural” (see Mitigating Factor IIA – “Did structural or resource challenges hinder the CCO’s performance?”). If the CCO was found structurally restricted / suppressed, then fault should directly rest with the CEO, CFO and / or GC boss of the CCO (and the parent bank’s CEO, CFO, GC (if applicable)).
  • 2. Indeed, if the CCO is structurally restricted / suppressed, then those factors should also REDUCE the aggravating “wholesale failure” factors against the CCO under Section 1B.i.-iii. (good faith, well-run, sustainable compliance program).
  • 3. Sadly, the wrong structure contributes mightily to a CCO’s “failure” because little CCO authority reflects a lack of authority generally with both hands tied to achieve / sustain the right skills, headcount, and automated surveillance tools.
  • 4. This leads as well to poor KYC processes, no “veto” authority over powerful business heads insisting on overriding new account concerns / red flags (e.g., Epstein, WireCard, 1MDB, Archegos, many other examples), and a major backlog of surveillance alerts – particularly for SAR reporting.
  • 6. As cause and effect, the CCO should not be charged if structurally challenged – but instead the CEO, CFO and potentially the chief legal officer restricting CCO structure and suppressing the right compliance culture which in turn, drives the overall control culture of the first line business supervisors and representatives.

“THEY should be charged, for preventing the CCO and Compliance from doing their job,” he said.