
Understanding the Evolving Role of Compliance Officers & the Liability Risks

CCOs play a critical role in developing strong systems of controls to prevent violations of federal securities laws. However, understanding how CCO liability is defined by regulatory bodies is complicated. It’s important for those in leadership positions to understand the increasing scope of CCO responsibilities, the global requirements they must adhere to, and the common liability risks associated with their role. Here, we discuss the risks associated with the CCO role and offer some mitigation strategies. 

The Increasing Scope of CCO Responsibilities

A chief compliance officer’s responsibilities are multifaceted, but all are aimed at ensuring and enforcing regulatory compliance within their organizations. They are tasked with, among other duties:

  • Interpreting how industry rules and regulations apply to the specific firm and its business model
  • Developing and implementing effective compliance programs
  • Understanding firm operations and team structures
  • Fostering a culture of compliance within the organization

CCOs often need to delegate and collaborate across departments to implement company-wide changes. For example, they may work with Human Resources to update policies and conduct annual compliance trainings in line with changing regulations. This collaborative approach is essential to fostering a holistic and integrated compliance culture throughout the organization.

However, due to the nature of the CCO’s role, the blame for any breach of compliance naturally falls on their shoulders. Ideally, the firm’s leadership team should take ultimate responsibility for oversight and support the CCO by responding appropriately to any conduct violation within the organization. Rather than allowing their CCOs to take the fall for any and all compliance breaches, leadership teams must adopt a top-down approach to compliance, embodying an attitude of compliance themselves so that it becomes integral to the organization’s operations.

Global Requirements For Compliance Officers

Many CCOs operate in a multinational landscape, where adherence to global regulatory frameworks is non-negotiable. Naturally, different countries have different regulations that CCOs must comply with, adding layers of complexity to their roles. For example, notable global regulations for the financial sector include:

  • Financial Conduct Authority (FCA) – UK
  • Senior Manager & Certification Regime (SMCR) – UK
  • Individual Accountability Framework (IAF) – Ireland
  • Individual Accountability and Conduct (IAC) – Singapore
  • Financial Accountability Regime (FAR) – Australia
  • Banking Executive Accountability Regime (BEAR) – Australia
  • Financial Industry Regulatory Authority (FINRA) – U.S.

U.S. Federal Requirements For Compliance Officers

In the U.S., the Securities and Exchange Commission (SEC) provides guidance on CCO liability under Rule 206(4)-7 of the Investment Advisers Act of 1940. This rule requires investment advisers to adopt and implement written policies and procedures designed to prevent violations of the Advisers Act, to be reviewed annually.

However, the rule lacks specific guidance on the elements that must be included in these policies and procedures, leaving room for interpretation. If their own understanding of the rule differs from that of the regulatory body, CCOs can be held liable for failing to supervise compliance personnel or for making false or misleading statements to regulators.

At The State Level

U.S.-based CCOs must also navigate a complicated web of laws and regulations at the state level, with significant variation between jurisdictions. For example, under California’s Unfair Competition Law, CCOs can be held liable for participating in or approving unfair or fraudulent business practices, but the definition of “unfair” may be unique to California.

In The Industry

CCOs must also be aware of the growing trend of shareholder activism, in which investors use lawsuits and legal actions to hold corporate officers and directors accountable for alleged failure to act in the best interest of their clients. CCOs can be named as defendants in these lawsuits if they are deemed to have played a role in the alleged misconduct.

It’s a pervasive problem that C-suite executives, including chief compliance officers, wear too many hats in their organizations—over half of CCOs polled by the Wall Street Journal in 2022 experienced an over 50% increase in influence within their organizations. Unfortunately, too many responsibilities can lead to a dilution of vigilance and a (not necessarily intentional) negligent approach to compliance. Executives need to take warning—the WSJ also found that the risk of regulatory scrutiny for CCOs rose by 72%.

Common Situations That Warrant Regulatory Action Against CCOs

CCOs can be held personally liable for any and all compliance failures, leading to significant legal consequences, financial penalties, and reputational damage to themselves or their organization. Understanding the types of cases that trigger regulatory enforcement actions is critical.

In October 2023 remarks to the New York City Bar Association Compliance Institute, SEC Division of Enforcement Director Gurbir S. Grewal (echoing former Director Andrew Ceresney’s remarks in 2015) outlined three scenarios that would trigger regulatory action against a CCO or compliance personnel:

  1. When the CCO or employees knowingly participate in misconduct related to compliance;
  2. When the CCO or employees deliberately mislead regulators;
  3. When there is a complete failure on the CCO’s or employees’ parts to carry out compliance responsibilities.

The key here is whether the firm specifically confers supervisory responsibilities upon the CCO; if the CCO does not have specific supervisory duties, they may not be held liable for any of these breaches. It is because of this loophole that disciplinary action against CCOs accounts for a relatively small portion of enforcement actions by FINRA. Recent data from 2018–2021 shows that out of approximately 440 FINRA disciplinary actions involving supervisory failures under Rule 3110:

  • Only 28 included charges against a CCO;
  • Of those, 18 CCOs were also the CEO or president of their firms;
  • Only 10 held specific supervisory responsibilities that they failed to perform.

Whether this is good or bad news depends on the perspective. For example, the UK’s Financial Conduct Authority (FCA) is penalizing individuals for compliance breaches in increasing numbers each year; in 2021, they fined only two individuals, whereas in 2022–2023 they fined a total of nine. This may be indicative of a rising trend in singling out individuals (likely CCOs or other multi-role executives) for compliance errors, in addition to the entire firm.

Presumably, far fewer disciplinary actions would be taken against CCOs if their role and liability were more explicitly defined by regulatory bodies.

Empowering CCOs: More Than a Box-Ticking Exercise

The description of the chief compliance officer’s role should be written so as to:

  • Clearly distinguish between compliance responsibilities and supervisory responsibilities
  • Enable the CCO to perform their role without fearing liability

Unfortunately, the fear of personal liability can discourage qualified individuals from pursuing careers in compliance or lead those holding compliance roles to seek a career change. This reticence can also have unintended consequences, including more regulatory violations if qualified professionals choose to leave the profession. The first step in mitigating this fear is understanding exactly how regulatory bodies currently define the CCO’s role.

Regulatory bodies in many countries are mitigating the risk of disciplinary gray areas by requiring a Statement of Responsibilities from all regulated organizations that details the specific responsibilities of all executive officers and assigns appropriate accountability.

In the UK, the Senior Manager & Certification Regime (SMCR) was introduced in 2016 to enhance accountability and governance within financial services firms. It aims to ensure that individuals in key positions within these firms—including the CCO—are held responsible for their actions and decisions. Consequences for not clearly defining the CCO’s role include:

  • Inability to perform effective oversight of compliance functions
  • Unnoticed or unaddressed compliance issues
  • Increased scrutiny from regulatory authorities, such as the FCA
  • Difficulty in assessing the CCO’s fitness for the role

Similar frameworks to SMCR include Ireland’s Individual Accountability Framework (IAF), Singapore’s Individual Accountability and Conduct (IAC), and Australia’s Financial Accountability Regime (FAR). These frameworks all ensure clarity in roles and responsibilities, empowering CCOs to carry out their duties without fear of unwarranted liability.

No such accountability regime exists for U.S. firms—and therein lies the challenge.

SEC Commissioner Hester Peirce expressed her frustration with this lack of clarity in a 2020 address to the National Society of Compliance Professionals, as well as the habit of using CCOs as automatic scapegoats when something goes wrong. “I am concerned that we appear to assume that every securities violation we find indicates a problem with the firm’s compliance program,” she said. “A firm that has reasonably designed policies and procedures nevertheless can experience a securities violation.”

In another 2020 speech at the National Investment Adviser/Investment Company Compliance Outreach program, Peter B. Driscoll, SEC Director of the Office of Compliance Inspections and Examinations, emphasized the importance of instilling empowerment, seniority, and authority in CCOs within their organizations. He highlighted common deficiencies observed in compliance, including:

  • Inadequate resources for CCOs to hire personnel, provide compliance training, or implement new policies
  • Lack of authority or unclear reporting chains for CCOs
  • CCOs’ inability to demonstrate that they had adequately performed annual reviews

Driscoll advocated for transparency around these deficiencies to assist CCOs in promoting compliance within their firms. “Compliance must be integral to an adviser’s business and part of its senior leadership,” he stressed. “Compliance regarding conflicts of interest, disclosures to clients, calculation of fees and protection of client assets should not be done from the sidelines. The CCO needs a meaningful seat at the table.” He also identified management support, adequate compensation, and job security as crucial elements in supporting effective CCO performance.

The Necessity of Adequate Resources for Compliance

Around the world, regulatory expectations for compliance oversight are high, illustrating the need to allocate adequate resources to CCOs and compliance departments.

First and foremost, it’s important to acknowledge that supervisory duties should belong to a firm’s business management team, not to the CCO or other compliance staff (as outlined in FINRA Regulatory Notice 22-10). The CCO’s role should be primarily advisory in nature, so any failures of supervisory duties should not be attributed to the CCO (unless those duties have been specifically conferred upon them).

Firms should regularly assess whether their compliance programs have sufficient resources to address the evolving regulatory landscape and the specific needs of the organization. Even if there is no sign of malfeasance, simply having weak systems for securing sensitive data is enough for firms and CCOs to be penalized.

The following are among the most critical resources CCOs need to perform effectively.

  • Access to regulatory updates: Keeping abreast of changes in regulations enables CCOs to make informed decisions, avoid liability in a changing landscape, and make adjustments to compliance programs.
  • Financial resources: An adequate budget is necessary for investing in compliance infrastructure and technology.
  • Ongoing employee training: This ensures that compliance staff and relevant stakeholders are well-informed about regulatory changes.
  • Automated systems: Compliance software can enhance efficiency in monitoring and managing compliance tasks, as well as free up team members to perform more high-value tasks.
  • Staffing: Even if the team structure is optimized and the work is spread equitably, it is still critical to have enough personnel to feasibly manage the workload associated with compliance functions.

Providing CCOs with adequate resources is not only essential for meeting regulatory expectations but also for the effective functioning of compliance programs, minimizing potential exposure, and contributing to the overall success and reputation of the organization.

Practical Steps to Empower Firms and CCOs

Even if regulatory bodies leave room for interpretation when outlining C-suite roles, there are a number of practical steps your firm can take to mitigate risk and empower CCOs to successfully lead their teams.

  1. Limit the CCO role to one person. Too often, C-suite executives will assume multiple roles; the president will also be the chief compliance officer, or the CCO will be tasked with human resources duties outside the scope of their original role. On the other hand, multiple executives may own different parts of compliance, which muddies the waters and can create inefficiencies and miscommunication. Clearly define the CCO’s role as one person who acts as a monitor and advisor, not a supervisor or decision-maker outside of compliance. Document the processes that effectively distinguish the compliance role from non-compliance roles within the organization.
  2. Develop clear policies and procedures.
    Leave no room for ambiguity when developing the policies that guide the compliance program. Clarity helps streamline decision-making and ensures consistency in compliance efforts. Ensure these policies are available and accessible to all employees.
  3. Invest in insurance.
    Consider purchasing insurance coverage to protect against potential legal and financial consequences. Insurance coverage can serve as a financial safeguard for both the CCO and the firm in the event of legal challenges arising from compliance-related issues.
  4. Establish a corporate compliance program.
    A fail-safe compliance program anticipates potential risks and includes mechanisms to address and rectify compliance failures promptly.
  5. Build a team for scale.
    As compliance responsibilities grow across industries, build a capable team to ensure that the organization can scale its compliance efforts effectively. Invest in upskilling as necessary so individual employees can handle more high-level tasks.
  6. Monitor compliance efforts and conduct periodic firm risk assessments.
    Regularly assess the firm’s risk exposure and update compliance measures accordingly. Risk assessments can help identify evolving compliance risks as regulations inevitably change.
  7. Ensure employees are well-trained.
    Ongoing training ensures that employees are well-informed about compliance requirements, reducing the likelihood of inadvertent violations (it happens!).
  8. Foster a culture of compliance.
    Cultivate a culture of compliance throughout the organization. Go beyond emphasizing the practical importance of adherence to regulations and encourage employees to adopt a mindset of responsibility to your industry and its consumers.
  9. Establish a positive relationship with regulators.
    Transparent communication and cooperation go much further with regulators than mere lip service. Demonstrate your firm’s commitment to compliance by keeping comprehensive documentation and being proactive about possible compliance issues.
  10. Stay informed of regulatory updates.
    Keep up with regulatory updates and rule changes that may impact your organization’s compliance obligations. Follow applicable regulators’ newsletters and attend info sessions when available.
  11. Invest in automated software.
    Automated compliance software can streamline processes, mitigate risks, and enhance the overall effectiveness of your compliance efforts. Reducing manual tasks can lessen the chance of careless mistakes and free up more personnel for other tasks.

Of course, simply ticking off all of these items one by one does not automatically equal a strong compliance program; it requires a holistic approach that encompasses organizational culture, clear delineation of roles, and continuous support from senior management.

For more resources on empowering chief compliance officers with technology, explore StarCompliance’s suite of solutions for maintaining regulatory and employee compliance.