Chief Compliance Officer Liability

December 19, 2023

An important topic that is a real concern for CCOs across our industry is CCO Liability. Ensuring CCOs are not held personally liable for compliance violations when the CCO did not engage in misconduct or obstruction is essential not only to the well-being of CCOs and their direct reports, but also to the overall well-being of advisers and funds that need more talented individuals in the compliance industry, not fewer.

The SEC currently does not have a formal framework for evaluating CCO liability when analyzing compliance-related issues or violations at a registrant. This has led to two organizations recently developing and offering their own frameworks for the regulators to consider. In June 2021 the New York City Bar Association released its Framework for CCO Liability in the Financial Sector. In January 2022, the National Society of Compliance Professionals published its Firm and CCO Liability Framework and then revised it in February 2023 after receiving feedback from regulators.

On October 24, 2023, Gurbir Grewal, the SEC’s Director of the Division of Enforcement, directly addressed this topic in his remarks to the New York City Bar Association Compliance Institute. In his remarks, Mr. Grewal stated that actions charging compliance officers are rare and Enforcement does not intend to second-guess good-faith judgements made by compliance personnel after reasonable inquiry and analysis. He also stated there are three situations where Enforcement typically recommends actions against compliance personnel:

1. Where compliance personnel affirmatively participated in the misconduct, unrelated to the compliance function.
2. Where compliance personnel misled regulators.
3. Where there was a wholesale failure by compliance personnel to carry out their compliance responsibilities.

While his remarks shed light on Mr. Grewal’s perspective on this important topic, his third scenario leaves a lot of room for interpretation.

We want to offer our perspective and a few tips on reducing CCO liability in your firm. Compliance is a firm-wide responsibility. While the CCO is responsible for implementing the compliance program, the CCO is not responsible for supervision solely because he or she is the CCO. The business functions are responsible for ensuring compliance with relevant policies and procedures and those supervising employees in that business function are responsible for supervision.

One of the simplest ways to reduce CCO liability is to ensure the firm has a strong culture of compliance. If every employee sees compliance as their responsibility, firms are less likely to experience employee indifference toward following policies and procedures, and therefore less likely to experience violations. Below are a few things to consider, which will enhance your firm’s compliance culture:

Assign oversight of policies to business functions whenever possible. There are only a handful of policies that should be overseen by Compliance. This does not mean Compliance doesn’t review those business practices or test the policies; it means the business function head is responsible for making sure the policy is followed by the appropriate staff.

Involve the business lines in regular review and update of key compliance documents. Circulate policies and procedures, the Form ADV 2A Brochure and other core compliance documents to relevant employees to get their feedback. This not only ensures you’ll end up with documents that better reflect the firm’s processes, but also ensures the business lines see these documents as a firm-wide responsibility.

Embed yourself within your firm’s committees or working groups. This helps ensure Compliance becomes aware of potential initiatives early in the process and allows the business lines to see Compliance as partners rather than a necessary evil.

Conduct regular training with employees that includes a fun, engaging quiz at the end with a small prize for winners. Share lessons learned from recent Enforcement actions with relevant employees. Regularly email reminders to staff of policies on key, high-risk areas such as Code of Ethics, cybersecurity or electronic business communications.

If your firm sets team and/or employee goals, ensure there are appropriate compliance goals included that can be measured and assessed.

Additionally, there are some proactive steps CCOs can take that will help reduce their personal liability in the event the SEC identifies an issue during an exam:

Ensure you have regular contact with executive leadership. Send your Annual Review Report to executive leadership and schedule time to discuss it. This is your opportunity to walk through compliance initiatives, express your view on adequacy of compliance resources, discuss violations that occurred and remediation efforts, and ensure executive leadership is aware of the current and upcoming regulatory environment.

Review policies and procedures and ensure they are not implying the CCO is responsible for supervision in his or her compliance capacity when such supervision is not appropriate. We often see compliance policies that directly state the CCO is responsible for overseeing a policy that should be overseen by the leaders of the Portfolio Management or Trading departments, as an example. If a CCO serves dual roles and is legitimately tasked with overseeing employees within a business function, ensure the policy utilizes the CCO’s non-compliance title when describing such supervision.

We view the Form ADV as a business document, not a compliance document. In order to promote more engagement by management related to the firm’s ADV, ask an officer to review the Form ADV and, if possible, have the officer sign the execution page when the filing is submitted, rather than having the CCO sign it.

Finally, the CCO should be a named officer within the firm’s D&O insurance policy.