Rethinking RIA Compliance: Seeing CCO Liability Through a New Lens
The New York City Bar Association Compliance Committee—in partnership with the Association for Corporate Growth, the American Investment Council, and the Securities Industry and Financial Markets Association—recently suggested a Framework for Chief Compliance Officer Liability in the Financial Sector. Collectively, these organizations want the SEC to adopt a framework for determining when enforcement actions should be brought against individual chief compliance officers (CCOs). The framework presents a list of affirmative and mitigating factors that the group believes the SEC should consider when evaluating whether to hold CCOs personally liable for compliance violations.
The report also highlights some unfortunate facts regarding the challenges faced by CCOs at financial services firms. Here are some salient points from the report.
Lack of Control
Being a CCO means getting the firm to adopt and follow certain policies and procedures. The CCO is then tasked with verifying that all firm employees are doing what they are supposed to—and agreed to—do. In some ways, it’s like being a parent. You set house rules and expect your children to follow them, while recognizing that there is a 100% chance someone is going to break one or more rules. As the CCO, you’re then expected to use both sticks and carrots to address the misconduct and encourage the offending employee to do better.
Too Much Gray
Most noncompliance professionals underestimate the complexity of compliance. They assume you simply adopt a policy that represents industry best practices, tell everyone what it is, and monitor adherence. They see compliance as black and white. Unfortunately, compliance is mostly gray and almost entirely based on facts and circumstances. There is no one-size-fits-all approach to compliance. Nor are there one-size-fits-all policies. A firm’s policies should be tailored to its business goals, structure, and resources.
Even after a firm has adopted customized policies, the application of those policies is gray. CCOs are constantly faced with questions about how a policy applies to a given situation. Sometimes the answer is clear. Other times, it requires judgement and the assumption of some risk. And for many small firms, there is no precedent upon which to make that determination.
The framework lists four structural or resource challenges that CCOs face and that the SEC should consider when determining CCO liability, including whether the CCO
- maintains a position in the organization that is inferior to that of other similar control functions, such as chief executive officer (CEO), chief financial officer (CFO), chief operating officer (COO), chief information officer (CIO), chief human capital officer (CHCO), and chief legal officer (CLO);
- is directly involved with or provided the opportunity for meaningful input into material strategy and operational decisions;
- has sufficient authority to make decisions that could have prevented the alleged misconduct; or
- maintains adequate resources.
Perhaps the most frequent issue we see at financial services firms is the undervaluation of compliance. Too many firms view compliance as administrative or operational baggage that must be handled to conduct business. At many firms, the CCO is not on the same level as the CEO, CFO, and COO. CCOs may have a “C” in their title, but they’re left out of the suite. In fact, most CCOs are not allocated part of the operating budget. They must ask management for resources, hat in hand, and are frequently dismissed because there isn’t a “business” case for spending on compliance. (After all, isn’t that what the CCO is paid to do?)
At Joot, we encourage firms to think differently about compliance. Compliance isn’t operational baggage; it’s operational freedom. A well-run compliance program protects the integrity of the business and frees employees to focus on doing their best work. For owners, a compliance program helps to protect the business you’ve built and ensure its ongoing success.