This article was featured in Issue 3 of Orbit TRC Magazine, Global Relay’s exclusive publication focusing on Technology, Risk, and Compliance.
In the US, chief compliance officers can be held liable for their financial services firms’ failures to comply with regulations – whether they’re involved or not. In this article, we look at a framework proposed by the New York City Bar Association to help to reduce the burden on CCOs.
“These career-ending enforcement actions discourage individuals from becoming or remaining compliance officers and performing vital functions that regulators stretched too thin would otherwise be unable to perform, particularly when other options, such as providing legal advice or becoming an outside compliance service provider or businessperson, involve less personal risk.”
Framework for Chief Compliance Officer Liability in the Financial Sector, Prepared by the New York City Bar Association Compliance Committee, summer 2021
In the US, chief compliance officers (CCOs) in the financial sector are deemed wholly responsible for compliance. They have voiced a “sustained tide of concern,” according to the New York City Bar Association (NYCBA), about the increasing number of enforcement actions that have seen them being held personally liable for actions that did not result from fraud or obstruction on their part.
In response to CCOs’ concern, the NYCBA’s Compliance Committee, in partnership with the Securities Industry and Financial Markets Association, the American Investment Council, and the Association for Corporate Growth, has proposed the creation of a formalized regulatory framework of non-binding factors for the US Securities and Exchange Commission (SEC) to consider in determining whether to hold a CCO primarily accountable for a compliance breakdown or wholesale failure of an organization’s compliance program.
Such a formalization should help to provide clarity and guidance to CCOs and “enable them to confidently engage in their necessary work,” says the NYCBA. The proposed framework has a mixture of affirmative and mitigating factors.
The recent fining of Credit Suisse by US and UK regulators for defrauding investors in the financing of an $850m loan for a tuna fishing project in Mozambique is a case in point. The SEC has fined the Swiss banking group nearly $100m and requires its CCO to submit annual certifications attesting to its adherence to its plea and deferred prosecution agreements with the Justice Department, as well as the terms of the SEC’s order.
In a statement about the SEC’s decision, Commissioner Hester M Peirce said, “I have spoken publicly of my concern that we may be placing undue pressures on CCOs. Mandating certifications of the sort found in this order can only increase CCO anxiety over heightened personal liability. If the Commission has concerns that the applicants are not meeting their obligations, then the proper response is a visit from an exam team, not the approach we have taken here.”
General factor – does the CCO (mis)conduct charge help to fulfil the SEC’s regulatory goals?
- ‘Wholesale failure’ factors include whether the CCO acted in good faith, the length of time a failure persisted, and whether the SEC had issued specific rules or guidance related to the area of failure.
- Active participation in fraud – the SEC should demonstrate that the CCO’s conduct ‘added value’ in some way to the fraud committed by the firm or other individuals charged.
- Obstruction factors include whether the acts of obstruction or false statements were repeated and whether the obstruction was denied when confronted.
In mitigation, the factors to be taken into account are:
- Did structural or resource challenges hinder the CCO’s performance?
- Did the CCO voluntarily disclose and actively cooperate?
- Were policies and procedures proposed, enacted, or implemented in good faith?
Accountability Around the World
The US is one of a small number of jurisdictions without a specific personal accountability regime. Regimes have been implemented in the UK, Hong Kong, and Australia. Singapore’s Guidelines on Individual Accountability and Conduct were due to take effect at the end of 2021, and Ireland has introduced draft legislation for its Senior Executive Accountability Regime.
Enforcement action taken under these new rules to date has been limited, although activity has also been affected by regulators’ supervisory forbearance and resource constraints during the Covid-19 pandemic.
The UK’s Senior Managers and Certification Regime (SMCR) is one of the most prescriptive frameworks. It was first introduced in 2016 and is made up of three parts:
- The Senior Managers Regime requires senior decision makers to be approved, have defined responsibilities, be assessed as fit and proper, and meet enhanced conduct requirements.
- The Certification Regime requires firms to certify that significant risk-taking individuals are fit and proper.
- Conduct rules set minimum standards of behavior that apply to all financial services employees.
Utilizing the SMCR, the UK regulators can take enforcement action against senior managers for not taking “reasonable steps” to avoid compliance breaches. The level of enforcement activity has, so far, been limited – the only case being the CEO of Barclays, who was fined £642,430 in 2018 for violating conduct rules. Separately, the imprisonment of a UBS compliance officer in 2019 is a stark reminder of the criminal action that can be taken for market abuse.
Australia implemented the Banking Executive and Accountability Regime (BEAR) in 2018, and there are government proposals to extend the accountability and responsibility frameworks to all entities regulated by the Australian Prudential Regulation Authority (APRA). A breach of obligations can lead to an ‘accountable person’ being disqualified, but there has not yet been significant enforcement action under the BEAR.
In 2021, APRA closed its first formal investigation into a large bank and its senior officials relating to breaches of anti-money laundering and counter-terrorism financing rules, following separate action taken by the financial crime regulator AUSTRAC.
Hong Kong implemented the Manager-in-Charge Regime in 2017, which requires every licensed corporation to nominate and disclose to the Securities and Futures Commission at least one ‘manager-in-charge’ for core functions such as key business lines, operational controls, risk management, and compliance.
Although each regime is different, there’s clear consensus among global regulators on the need to hold senior individuals to account. But there are real risks of unintended consequences for CCOs. At one end of the scale is the cost of higher compensation packages to attract candidates for CCO positions that have greater exposure. At the other is both the challenge to fill senior positions and the loss of skills and knowledge as people leave roles for contract or advisory positions. The proposals by the NYCBA specifically note the risk of CCOs “leaving the profession for adjacent positions such as compliance consulting, providing legal advice, or deal-making.”
The recruitment and retention challenges are unsurprising given the considerable concern that compliance officers will take the blame for breaches that have arisen on their watch. As the NYCBA explains in its proposals, “CCOs remain concerned because the system that the SEC has created, with individual accountability for compliance, has uniquely placed CCOs in the ‘firing line’ of being charged, above and beyond all other employees and partners of a financial firm.”
Regardless of the rules or regime in place, it’s critical that compliance is recognized as a collective responsibility. The mitigating factors outlined in the proposal are intended to provide that certainty and comfort for CCOs.
Future of Personal Liability
Undue CCO liability is an increasingly critical issue as the world of financial services continues to evolve. In addition to the proposed framework, the NYCBA has recommended increasing transparency and communication between regulators and compliance officers, together with additional, granular detail to be included in enforcement actions.
While the framework’s adoption would constitute progress, there are other avenues that firms, and their CCOs, may consider exploring. First, the US is somewhat out of step globally in holding CCOs solely to account for compliance breaches – elsewhere, senior managers are responsible for compliance in the area under their management. That doesn’t mean a CCO won’t be held personally liable, but it is a strikingly different cultural and risk management approach that has many benefits.
One key benefit which US financial services may wish to consider as a hybrid step is the concept of ‘responsibility maps,’ which make clear who is responsible for what and, by association, ascribe the relevant compliance obligations to senior managers rather than solely to the CCO.
Much of the focus of the proposed framework is on seeking clarity and consistency of supervisory approach for CCOs and on avoiding the uncertainty that arises from regulation by enforcement. The introduction of responsibility maps, particularly if adopted by all US financial services regulators, may be a welcome step towards preventing talented CCOs from leaving the profession. However, any move towards responsibility maps would take time, and in the interim it behooves the SEC to respond, and respond positively, to the proposed framework.