The issue of chief compliance officer (CCO) liability has long been debated; it has become a grave concern for CCOs, CEOs, and other C-suite executives who put on “too many hats” within an organization and take on the firm’s compliance responsibilities. In fact, according to a survey completed by the Wall Street Journal in 2022 (Figure 1), the risk of regulatory scrutiny increased for compliance officers last year by 72%, with cybersecurity topping the charts for the greatest risk (86% increase in 2022) followed by privacy issues (73% increase).[1]
This comes at a time when regulatory bodies continue to crack down on these types of issues. According to the Financial Industry Regulatory Authority (FINRA), CCOs were charged “in 28 cases out of about 440 FINRA disciplinary actions between 2018 and 2021 that involved supervisory failures under Rule 3110. . . In 18 of the 28 cases, the compliance chief also was the chief executive officer or president of the firm, a role that held supervisory responsibilities, and in the remaining 10 cases, the compliance chiefs held specific supervisory responsibilities given by the firm that they failed to perform.”[3]
As regulators work to formalize guidance for CCOs on the scope of their responsibilities and limitations around personal liability, now might be a good time for firms to better understand the extent of individual liability for compliance officers when determining potential compliance failures.
Understanding and defining CCO liability
CCO liability refers to the legal and financial consequences CCOs may face if their firm fails to comply with applicable laws, regulations, or industry standards. CCOs can be held liable for compliance failures in several ways, including:
- Criminal liability: CCOs can be charged with criminal offenses if they are found to have participated in or facilitated unlawful activities within their organizations.
- Civil liability: CCOs can be sued by employees, investors, or other stakeholders if they suffer damages as a result of the firm’s noncompliance. CCOs can also face regulatory enforcement actions by government agencies, resulting in fines, penalties, and other sanctions.
- Reputation risk: Compliance failures can damage a firm’s reputation, which can also affect the CCO’s personal and professional reputation.
Looking at the regulatory landscape, CCOs operate in a complex and rapidly evolving environment, where laws and regulations can change quickly and without warning. It is essential for CCOs to stay informed of the latest regulatory developments and to understand how those developments affect their organization’s compliance obligations.
At the federal level, the U.S. Securities and Exchange Commission (SEC) issued guidance on CCO liability under Rule 206(4)-7 of the Investment Advisers Act of 1940, as amended (the Advisers Act), which requires investment advisers to adopt and implement “written policies and procedures that [are] reasonably designed to prevent violations of the Advisers Act.”[4] However, Rule 206(4)-7 does not specify which elements investment advisers must include in their policies and procedures to meet this requirement.[5] Therefore, CCOs must be empowered with the necessary resources and authority to carry out their responsibilities effectively. In addition, the SEC has stated that CCOs can be held liable for failing to supervise compliance personnel or for making false or misleading statements to regulators. Overall, Rule 206(4)-7 is a wide-ranging regulation that lacks practical guidance for CCOs regarding its application.
At the state level, CCOs must navigate a patchwork of laws and regulations that vary from jurisdiction to jurisdiction. For example, in California, CCOs can be held liable under the state’s Unfair Competition Law for participating in or approving unfair or fraudulent business practices.[6]
Beyond the regulatory landscape, CCOs must also be aware of the growing trend of shareholder activism, where investors use lawsuits and other legal actions to hold corporate officers and directors accountable for alleged breaches of fiduciary duty.[7] CCOs can be named as defendants in these lawsuits if they are deemed to have played a role in the alleged misconduct.