CCO liability framework: what could it look like in practice?

On 30 June 2022, the Securities and Exchange Commission published administrative proceedings against an investment firm, as well as the Chief Compliance Officer of that firm.

In brief, the CCO, Jeffrey Kirkpatrick, had been made aware of potentially non-compliant action within the firm but failed to take sufficient action for over a year. In settled proceedings, the SEC banned Kirkpatrick from acting in a supervisory or compliance capacity for at least five years, as well as issuing a $15,000 fine.

This action is not the first of its kind against senior members of the compliance team, but it inevitably raises questions against the extent to which employees can – and should – be held individually accountable for compliance failures.

Picking up on this point, SEC Commissioner Hester Pierce has issued a statement looking to explore the consequences of the proceedings. While the SEC does not have current plans to set out an individual liability for CCO, the Compliance Committee of the New York City Bar Association has recently published a “Framework for Chief Compliance Officer Liability in the Financial Sector”. Within her statement, Pierce explores what CCO liability could look like in practice.

The dangers of a CCO liability framework

It is no secret that the role of the Chief Compliance Officer is both vital and highly demanding. CCOs are responsible for ensuring that they are abreast of all relevant regulations, and that the organisation is adhering to those regulations across all lines of business. There is a concern, Pierce acknowledges, that “fears of facing liability for someone else’s missteps can dissuade excellent candidates from seeking compliance jobs”. As such, it is important that regulators approach individual liability with caution.

Pierce adds that ultimately “the compliance obligation belongs to the firm” and that it is their responsibility to ensure they have provided adequate resources to the compliance function – and “appropriately defer to the judgement” of the compliance department.  

What could a CCO liability framework look like?

However, while ultimate responsibility may subsist within the firm that is not to say that the CCO is devolved of accountability. The overriding question when determining the extent to which a CCO should be held accountable, says Pierce, is to distinguish whether “wildly inappropriate” or “a wholesale failure” has occurred. The New York Bar’s liability framework sets out a series of component questions, which can determine overall responsibility:

1. Did the CCO not make good faith efforts to fulfil their responsibilities?
   
   
2. Did the Wholesale Failure relate to a fundamental or central aspect of a well-run compliance program at the registrant?
   
   
3. Did the Wholesale Failure persist over time and/or did the CCO have multiple opportunities to cure the lapse?
   
   
4. Did the Wholesale Failure relate to a discrete specified obligation under the securities law or the compliance program at the registrant?
   
   
5. Did the SEC issues rules or guidance on point to the substantive area of compliance to which the Wholesale Failure relates?
   
   
6. Did an aggravating factor add to the seriousness of the CCO’s conduct?

When considering these questions against the facts of Kirkpatrick, Commissioner Pierce agreed that Kirkpatrick should indeed be held liable for the compliance failings. Following the 6 steps, she said:

1. The CCO had awareness of the inadequacy of the firm’s compliance program since December 2019, as well as the authority to address those inadequacies.
   
   
2. The failures related to outside business activities of an investment adviser which was not an area of uncertainty for the firm who had clear rules for such activities.
   
   
3. The CCO failed to “address known weaknesses in their compliance program” which persisted for over a year. The CCO was made aware of the potential non-compliant activity and had “multiple opportunities to cure” it.
   
   
4. This was a “fundamental failure to deploy the compliance program effectively”.
   
   
5. The CCO’s lapse could not be attributed to a lack of clear guidance from the SEC.
   
   
6. The aggravating factors was that many of the activities that were outside of business activities were flagged to the CCO by the associated broker dealer.

The importance of the whole picture

In her statement, Pierce notes the importance of taking a holistic view of the facts to avoid “unjustified liability for CCOs”. In this particular instance, given all the information, the CCO “had the opportunity to improve the compliance program, but did not do so”. As such, the action against the CCO was not unjustified – his conduct “fell materially short”.

CUBE comment

The accountability of Chief Compliance Officers and other functions in the event of non-compliance is not a new concept, but the prominence of regulatory focus in this area is undoubtedly on the rise. Last month, we saw the European Banking Authority (EBA) set out its expectations for the AML compliance officer, and individual enforcement action has been steadily increasing.

As ex-compliance head, Sylvia Yarbough, noted in her recent compliance confessional – she frequently receives recruitment opportunities in this space. In part, this is owing to a lack of talent in the space.  No doubt, as the individual burden tightens, the appeal of compliance may well reduce. In an industry that is in dire need of increasingly committed and inquisitive compliance officers, this would be a shame.

That being said, if individual liability frameworks are to be introduced, compliance teams should be proactively anticipating such changes and tightening any known gaps. Proactively modernising compliance systems is a cause CUBE has long advocated for, and could be essential for Chief Compliance Officers who want to ensure they’ve properly carried out their responsibilities. As the case of Kirkpatrick clearly shows, burying heads in the sand is no longer a viable option.

If you’re looking to close the gaps in your compliance system, speak to CUBE.