We have frequently blogged here about the degree of attention that regulators pay to Chief Compliance Officers, and whether it is proper that they sometimes are named individually in Enforcement actions. And we are hardly the only ones who see this issue. The New York City Bar back in February – I know, that seems like a lifetime ago, as it was before COVID-19 really impacted us all – published a Report On Chief Compliance Officer Liability In The Financial Sector that explored the subject in great detail. It concluded that “Compliance officers can function as effective gatekeepers only if they are given the information and tools necessary to carefully police the boundary between culpable and permissible conduct—and do so without bearing a disproportionate risk of liability for others’ misconduct.”
Interestingly, that Report noted at the time that there was some reason for hope, citing remarks made by Peter Driscoll, the Director of the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), at a spring 2019 conference. There, he announced that OCIE was embarking on a “pilot initiative to hold regional roundtables with CCOs in select locations” designed “to encourage productive dialogue with the compliance community and ‘search for ways to strengthen the role of the CCO, improve the culture of compliance, and deliver on the shared goal of investor protection.’”
Well, last week, Mr. Driscoll again offered remarks relating to CCOs that, once again, not only reveal that he feels their pain but also provide some solid guidance as to what the CCO job should look like and how CCOs should be treated by firm management. And while he was discussing CCOs of RIAs, not BDs, I think both should pay heed to his words, as they apply equally to both.
He started with this summary observation: A CCO “should be empowered with full responsibility and authority to develop, implement, and enforce appropriate policies and procedures for the firm. And a CCO should have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.” He then went on, very helpfully, to illustrate what that general description means by detailing what the SEC does NOT like to see during an exam:
- CCOs who are hired merely so the firm can “check the box,” but who are not supported or empowered by management;
- CCOs who hold one or more roles in a firm and are, as a result, inattentive to their compliance responsibilities;
- CCOs who are “too low in the organization to make meaningful change and have a substantive impact, such as a mid-level officer or placed under the CFO function”;
- CCOs who “are expected to create policies and procedures, but are not given the resources to hire personnel or engage vendors to provide systems to implement those policies and procedures”;
- When “a CCO is replaced because they challenge questionable activities or behavior”;
- When “a CCO is trotted out for an examination or sits silently in the corner in compliance discussions, overshadowed by firm senior officers”;
- When “a firm puts responsibility on the CCO for a failure of an employee or an officer to follow a firm policy or procedure.”
Then, he listed what the SEC LIKES to see in a CCO:
- CCOs who “are routinely included in business planning and strategy discussions and brought into decision-making early-on, not for appearances, but for their meaningful input”;
- CCOs with “access [to] and interaction with senior management, prominence in the firm, and when they are valued by senior management”;
- Senior management who evidence “demonstrable actions, not just words, supporting the CCO and compliance.”
He concluded his remarks with some very powerful statements on what makes not just a good CCO, but a good firm, a firm that is truly interested in achieving – and demonstrating to its regulators – effective compliance. If I were a CCO, I would print these things out and hand-deliver them to firm management, and if all I got in return was a hearty laugh, I’d find somewhere else to work:
- The CCO is not there to fill out irrelevant paperwork or serve as a scapegoat for the firm’s failings.
- A firm’s compliance department should be fully integrated into the business of the adviser for it to be effective.
- Compliance regarding conflicts of interest, disclosures to clients, calculation of fees and protection of client assets should not be done from the sidelines. The CCO needs a meaningful seat at the table.
- Although the responsibilities and challenges are significant, the critical function of compliance should not all fall on the shoulders of CCOs.
- Without the support of management, no CCO, no matter how diligent and capable, can be effective.
- An effective CCO should have confidence that they can stand up for compliance and be supported.
- Compensation and job security for CCOs should be commensurate with their significant responsibilities.
- CCOs should not be made to feel that they are one “no” away from termination.
- CCOs should not be made the target of every problem. The cause or blame for a compliance issue or failure typically does not sit only with the CCO and may not sit at all with the CCO. In fact, we appreciate that often the CCO is the one responsible for identifying the problem and for fixing it.
So, let’s hear it for CCOs, as well as firms who rightfully value their CCOs. Let’s not look at them merely as a line – and a big one, at that – on the expense side of the ledger. Let’s no longer brand them the “anti-sales department.” And let’s agree that Ari Spyros on Billions is not a realistic portrayal.