November 9, 2022 | Amanda Khatri
Estimated reading time: 7 minutes
So, you want to be a Chief Compliance Officer (CCO)
Compliance expert and former Head of Compliance, Sylvia Yarbough, shares secrets and insights from the heart of the compliance team.
If you have a compliance confession or are worried about emerging regulations, visit our Compliance Confession Booth.
You’ve been dreaming of this for years as you’ve grown your compliance career – working your way up from an analyst to a manager to a senior manager to a senior director. Now, the perfect opportunity is in front of you for a CCO role.
We all have been there whether it is the CCO role or some other executive leadership role, and we all believe we can do it just as good, if not better if we were given the chance.
The younger me used to dream big dreams such as wanting to be the CCO. As l grew my career, I had the opportunity to work directly with, and be the right-hand/occasionally confidante, of some incredible CCOs, so I got first-hand knowledge (sometimes, too much information) of what the role really entailed.
The Department of Justice on individual criminal liability
In March 2022, the Assistant Attorney General, Kenneth A. Polite Jr, in his remarks at NYU Law’s program on Corporate Compliance and Enforcement (PCCE) said “I have been fortunate in my career to have served as a prosecutor, as a defense attorney, and to work as a chief compliance officer of a Fortune 500 company. The detection and prevention of criminal conduct has been a constant across these three roles. Perhaps the most challenging of the three roles has been serving in compliance. I know the resource challenges. The challenges you have accessing data. The relationship challenges. The silo-ing of your function. You are called upon to be a resource for information, an enforcer of law and policy, and somehow the primary architect of your company’s ethical culture…”
We have all read about the new Department of Justice’s (DoJ) policy that may require an organization, subject to enforcement actions, to have the CCO certification as part of the settlement agreement.
The CCO would need to certify that the organization’s compliance program is reasonably designed and implemented to detect and prevent violations of the law. The policy goes on to state that the CCO may be subject to individual criminal liability if found to have made false statements when certifying.
Does Mr Polite’s statement contradict the DoJ’s CCO certification?
Well for those of you still pursuing the dreams of being a CCO and for those already in that role, you may be rethinking your career choices. I personally found this “doubling down” on CCOs by DoJ contradictory to Mr Polite’s statement at the NYU Law program.
I can’t speak to CCO roles in other industries but within Financial Services, Mr Polite’s statement on the challenges of being a CCO was spot on. So how do certifications and possible personal liability on top of dealing with the enforcement action help the CCO? I can’t speak to the mindset of other CCOs but the ones I have been able to work with took their roles very seriously and personally felt the weight of every regulatory action taken against their organization.
I remember reviewing some statistics on CCOs that included the average tenor of 5-7 years. That doesn’t sound too bad for an executive-level position. Except, for some, that 5–7 years can be torturous based on how well-respected compliance programs are in their organization. Some regulatory matters, like consent orders and enforcement actions, are a matter of public record. When that CCO decides to find the next gig, they sometimes find themselves having to sell themselves harder because the new organization may see these regulatory actions as a reflection of their abilities.
Yes, other executives may have a hard time landing the next – let’s say – Sales role. However, they don’t have a 10+ page document published by some Federal Agency about your last organization’s compliance’s bad behavior and the associated large fines in Google’s search results when discussing the next role at an interview.
Mr Polite goes on to state that the expectations around a good compliance program include:
(1) are well designed
(2) are adequately resourced and empowered to function effectively and,
(3) work in practice
For those of us in compliance at larger financial services organizations, this is not a new statement the details of expectations are well outlined by the FRB in SR8-08 “Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles” published on October 16, 2008, and Revised February 26, 2021.
Similar expectations are also covered in 12 CFR 30, appendix D, “OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches,” which applies to organizations $50 billion or greater in asset size.
What challenges do CCOs face?
I have yet to work with a CCO who is not well versed and serious about their responsibilities and is making a concerted effort to carry out Mr Polite’s three points daily. What continues to persist, in many organizations, are the points made in his opening statement at NYU.
The issues I have seen repeatedly and heard from my peers include:
- Resource challenges – As with all corporate support functions, compliance is often viewed as over-staffed and constantly pressured to cut resources. Even with advancing technology, well-trained compliance officers are still needed.
- Access to data – The type of data needed for compliance is not often straightforward and requires a level of subject matter expertise between the business, compliance and technical experts to develop good analytics.
- Relationship challenges – Business partners still see compliance as something to tolerate not a part of their responsibilities. Compliance Officers are not always respected and their opinions are not always valued.
- Compliance function Silo – Compliance is viewed as a separate responsibility owned by a handful of people who are not well integrated into the business lines measure of performance.
- Enforcer of policy – Compliance is often viewed as the enforcer, not as a business partner. When necessary, they must act as enforcers.
- Ethical conduct – Compliance teams are cast as the judge and jury of ethical conduct. Even though policies are in place, the expectation of “doing the right thing” sometimes gets lost in the quest for sales and growth.
When you look at these challenges, you would think that a CCO at any organization would be well supported by the CEO and members of the executive team as well as the Board of Directors. Some are – to a point.
In my observations, CCOs seem to have the best operating environment to have proper authority when they are under enforcement actions, consent orders or multiple MOUs/ MRAs. When things settle down compliance is once again put on the back burner.
Some CCOs, depending on the size or structure of the organization, don’t even have necessary direct access to their Board of Directors. With all these ongoing challenges well-known by the DoJ, why double down with certifications on top of the enforcement action? Can you imagine how impossibly hard it is for a CCO, regardless of governance routines, to know if the certification is accurate? Who would want that job?
What is the ideal scenario?
In an ideal world scenario, Mr Polite’s statement “…Chief Compliance Officers and their functions should have true independence, authority, and stature within the company…” would be accurate. From my observations, Compliance Functions still have a long way to go to achieve that lofty goal. If the regulators and the DoJ want to help the compliance function, they should consider:
- A certification process for all executive management and board members as part of a routine process (before the violations occur).
- Mandatory requirements on performance language for all executive management around compliance management.
- Mandatory compensation “claw-backs” around compliance issues (big and small).
- All executive management and board of directors have personal liability including fines and possible criminal prosecution – not just the CCOs.
In the meantime, CCOs keep up the good fight and for those of you who continue to pursue the dreams of being a CCO, best of luck to you. Hopefully, you will get your reward in the next life because you may not find it in this one.
In the meantime ask your organization to provide you with personal liability insurance to cover fines and a good defense attorney.
CUBE can help you keep abreast of every regulatory change and make sense of it for your business, from the DoJ to compliance worries.