Serving as a chief compliance officer (CCO) or other compliance professional is a particularly challenging position in the modern corporate hierarchy. Unlike general counsel, who, wrapped in the protective cloak of attorney-client privilege, simply defend and advise the corporation, the CCO acts as monitor and enforcer of good corporate behavior. Often with limited visibility into daily operations and a lean team, CCOs have come under increasingly intense scrutiny by regulators and prosecutors when misconduct is exposed.
Will a compliance officer be given the benefit of the doubt should the government come knocking? Where is the line drawn between a failed but good-faith effort and a simple failure to stop corporate misconduct?
Defining Parameters of Liability
Securities and Exchange Commission Commissioner Hester M. Peirce recently made remarks before the National Society of Compliance Professionals in which she focused on the question of how to define the parameters of personal liability for compliance officers.
She expressed renewed concerns that “the increasing specter of personal liability could cause talented individuals to forgo a career in compliance, among other negative effects.” Indeed, as Peirce noted, the responsibilities of compliance officers are growing, but the nature of the liability they face in executing those responsibilities remains unclear.
In her remarks, Peirce referred to an address given Nov. 4, 2015, by Andrew Ceresney, then-director of the SEC Division of Enforcement, in which he identified three broad categories of cases where the SEC has charged CCOs: “(1) cases where the compliance officer participated in the underlying misconduct unrelated to her compliance duties; (2) cases where compliance officers obstructed or misled Commission staff; and, (3) cases where, in the Enforcement Director’s words, ‘the CCO has exhibited a wholesale failure to carry out his or her responsibility.’”
The first two categories are not particularly controversial. Not surprisingly, the third category of cases is the one Peirce described as “the one that understandably generates the most controversy and is the most challenging area for [her].”
In such cases, the SEC charges the compliance officer with aiding and abetting the company’s violations, causing the company’s violations, or both. Aiding and abetting liability requires the SEC to show that the compliance officer engaged in reckless conduct, which Peirce confirmed is “not simply negligence on steroids.”
Causing liability, in contrast, involves a negligence standard. Accordingly, when a company commits a violation that does not require scienter, a compliance officer can be held to have caused the violation based on the officer’s own negligent conduct.
Second-Guessing CCOs on Compliance Failures?
Critically, Peirce stated that just “because the Commission can do something under [its] rules does not mean that [it] should do it.” (emphasis in original).
Peirce recognized that charging CCOs based on negligence could be harmful to efforts to foster compliance “because it dissuades people from taking jobs in compliance and can encourage dishonest efforts to ‘cover up’ failings rather than openly correcting them.”
Enforcement actions may send the message that CCOs are being second-guessed when there is a compliance failure. And while some might say that charges against CCOs for causing compliance failures are infrequent and the sanctions are light, Peirce would respond with the realities of the situation: SEC “enforcement actions can be career-ending and are always traumatic events for their subjects.”
Peirce therefore encouraged thinking and collaboration “about ways to provide guidance to compliance professionals about what a wholesale compliance failure means and how to avoid one.”
For the SEC’s part, Peirce suggested that guidance can be provided about when the SEC will bring enforcement actions against compliance officers. And for her part, she is considering developing a draft framework to share with her colleagues.
Steps Compliance Pros Can Take
CCOs must serve as gatekeepers for compliance efforts with the knowledge that regulators may be just around the corner, ready to point fingers and bring charges should compliance failures occur. While the parameters for personal liability are uncertain, there are certain steps compliance professionals can take to ensure they are in the best position to demonstrate good-faith and diligent efforts:
- Document processes. Compliance professionals should ensure that efforts to create a culture of compliance, conduct periodic reviews, and improve the entity’s compliance program are well documented.
- Stress test the compliance program. Stress-testing the compliance program identifies areas for improvement, focuses priorities, and helps build a culture of compliance within the organization.
- Seek advice of outside counsel. Seeking the advice of outside compliance counsel demonstrates independence and good faith, as it shows a commitment to compliance efforts and diligence in strengthening those efforts.
- Report to a board-level risk committee. Raising concerns to independent board members allows the CCO access to individuals above senior management in cases where the alleged misconduct has risen to the C-suite.
Serving as a compliance professional is not without its challenges, but there are tools and resources to mitigate the risk of personal liability. Peirce’s remarks signal that this may soon be an area of focus for the SEC, with additional guidance to come.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
John J. Carney is a partner at BakerHostetler and co-leader of the firm’s White Collar, Investigations and Securities Enforcement and Litigation team. He is also a former securities fraud chief, assistant U.S. attorney, SEC senior counsel, and certified public accountant at a “Big Four” accounting firm.
Bari R. Nadworny is an associate at BakerHostetler. She focuses her practice on white collar defense and corporate investigations, regulatory enforcement, securities and governance litigation, and other complex litigation.