Everything old is new again eventually. So perhaps it should come as no surprise that compliance officer liability is back in the news.
The New York City Bar Association recently released a report warning that compliance officers face an increasing risk of personal liability for the failures of their compliance programs — and that risk, the report said, scares good compliance professionals away from the job.
We last saw compliance officer liability in the headlines circa 2016, amid several enforcement actions against compliance officers in the financial sector. That’s usually where sanctions against compliance officers happen, as they work under a higher standard set by the Investment Companies Act.
Even for compliance officers outside the financial sector, however, the NYC Bar Association report raises a thought-provoking question: To what extent should a compliance officer be personally responsible for a compliance program that’s floundering because the company just doesn’t care enough about compliance?
Regulatory guidance about the difference between “wholesale failure” (that is, gross negligence) and failure to implement something meaningful is hard to find.
Even if those program failures don’t lead to regulatory action against the compliance officer, they can still face difficult professional repercussions. Compliance officers can be set up to fail, or marginalized, or scapegoated after an embarrassing lapse.
That’s a real career risk for compliance professionals. So, what can be gleaned from the NYC Bar Association’s report to insulate yourself from that threat?
The Boundaries of Liability
Let’s start by defining compliance officer liability more clearly, since personal liability does make sense in some instances.
If a compliance officer directly participates in wrongdoing, most agree that of course they should face personal liability. Compliance officers can also face liability if they’re grossly incompetent or negligent. We see that from time to time when compliance officers neglect to file required reports with regulators, keep records, test internal controls, and so forth. If you aren’t doing your job at all — again, few people would dispute the potential for personal liability there.
There is, however, a third category: “failure to meaningfully implement” a compliance program. That’s the legal rationale FINRA and the Securities and Exchange Commission have used to hold compliance officers liable under the Investment Companies Act. It’s also the line of thinking that has the NYC Bar Association most concerned. We don’t have much clarity from regulators on what “meaningfully” actually means.
If, for instance, your firm gives you inadequate resources and you can’t get certain policies and procedures written in a timely manner, is that your fault, or the firm’s? If you are diligently keeping records or investigating internal reports, does that qualify as a “meaningful” compliance program? Is it half-meaningful? Does it count for anything?
We don’t know. Regulatory guidance about the difference between “wholesale failure” (that is, gross negligence) and failure to implement something meaningful is hard to find. Indeed, the NYC Bar Association report’s first call to action is for regulators to adopt formal guidance on that point.
Things are further complicated by regulators’ broad push for more individual accountability, including attestations or certifications from compliance officers. If, for example, a compliance officer certifies their firm’s compliance with the state of New York’s cybersecurity regulation, and a major failure happens anyway — who’s to blame?
Likewise, as regulators continue to talk up the importance of written policies and procedures “reasonably designed” to prevent a compliance failure, who should be held responsible when something fails anyway — The company, or the person responsible for writing the policy?
That’s a lot of ambiguity. So how can compliance officers prune it back?
Assessing Your Own Personal Risk
One point raised in the NYC Bar Association’s report was that compliance officer roles can be structurally weak. So, start by considering how much authority you truly have within your organization.
For example, the role might have “chief compliance officer” as the title, but you only have authority to implement a compliance program over one part of the enterprise. Conversely, you may have a low-level title (“senior manager for compliance”) and no power to set budgets or impose new procedures, but the management team still expects you to bear all responsibility for the compliance program.
Neither scenario is good, and persuading management to give you suitable authority and resources is rarely easy. Still, this is where you start — because if there’s ambiguity within management about your role, imagine how unclear the picture might look to regulators, business operating units, or others.
Second, consider how effectively you can raise compliance concerns to senior management, even if they then take no action. If you can document that you faithfully tried to raise concerns, but those warnings fell on deaf ears, that goes a long way to avoiding personal liability. Enforcement actions have hinged on that detail, spelling the difference between holding a CCO or their firm liable.
And as corny as it sounds, perhaps the most practical step is simply to take the job, and the mission of corporate compliance, seriously. Regulators do understand that compliance officers have limited resources; what they want to see is a compliance officer advocating for the cause of good corporate conduct: documenting concerns, pushing for sufficient budgets, advocating for voluntary self-disclosure, and so forth.
At least that shifts scrutiny away from your own performance and toward the attitudes and decisions of senior executives. And once senior executives understand that effective compliance is their responsibility too, they might take those compliance program failures more seriously.