The lack of specific guidance regarding failure to supervise liability for chief compliance officers (“CCOs”) has been a controversial and opaque topic that both FINRA and the SEC have struggled with for well over a decade. Back on September 30, 2013, the SEC’s Division of Trading and Markets issued guidance with “FAQs” entitled “Frequently Asked Questions about Liability of Compliance and Legal Personnel at Broker-Dealers under Sections 15(b)(4) and 15(b)(6) of the Exchange Act.” These FAQs focused on the potential supervisory liability of compliance personnel. Just over two years later, on November 4, 2015, the then Director of the Division of Enforcement gave the keynote address at the 2015 National Society of Compliance Professionals, National Conference,   in which he described a limited number of categories regarding the infrequent circumstances in which the SEC would consider charging a CCO. Despite these and other historical attempts at clarifying guidance, just this past year we have seen additional attempts to seek and obtain more regulatory clarity for this high-risk area. On June 2, 2021, the New York City Bar issued a Committee Report entitled “Framework for Chief Compliance Officer Liability in the Financial Sector.” Most recently and earlier this year, the National Society of Compliance Professionals (“NSCP”) offered a “Firm and CCO Liability Framework.” (More information on this can be found on NSCP’s website.) In this “Framework,” NSCP proposed that regulators consider CCO liability contextually in reference to resources made available to CCOs in the first instance.

Notably, NSCP’s Framework was driven by surveys issued by NSCP to its compliance-based membership, many of whom indicated that firms needed to do more to support the compliance function with additional budgeting for compliance. Taken in context, therefore, circumstances in which a firm has a systemic problem leading to potential allegations of supervisory failures among other potential violations, the Framework asks regulators to consider nine questions in cases where a compliance failure may have occurred, and proposes that a “yes” answer to any of the questions should reduce a CCO’s individual liability. These include:

• Did the CCO have nominal rather than actual responsibility, ability, or authority to affect the violative conduct?
• Was there insufficient support from firm leadership with regard to compliance, including, for example, insufficient resources, for the CCO to affect the violative conduct?
• Did the CCO escalate the issue or violative conduct to firm management through a risk assessment, annual review, CEO certification meeting/report, or otherwise?
• Did firm management fail to respond appropriately after becoming aware of the issue (through the CCO or otherwise)?
• If the firm made misstatements or omitted material information, did the CCO have nominal rather than actual responsibility, ability, or authority for reviewing or verifying that information?
• Was firm leadership provided the opportunity to review and accept the policies and procedures?
• Did the CCO consult with legal counsel (in-house or external) and/or securities compliance consultants and adhere to the advice provided?
• Did the CCO otherwise act to prevent, mitigate, and/or address the issue?
• Did the CCO reasonably rely on information from others in the firm or firm systems?

NSCP believes these questions should be asked at the earliest opportunity in evaluating a firm-level regulatory failure, such as during the examination phase, to properly evaluate the issue and head off issues as to potential CCO liability. Equally as important is for a firm (and CCO) to use the Framework internally in analyzing and externally in responding to potential systemic failures raised during an examination or an enforcement investigation. Notably, NSCP provided its Framework to and communicated with FINRA (and separately the SEC) prior to this recent regulatory notice release.

FINRA Regulatory Notice 22-10 (“FINRA CCO Reg. Notice”) advances upon the industry’s efforts by demonstrating FINRA’s understanding of the issues raised. While limited to FINRA member brokerage firms and linked to FINRA’s Supervision Rule 3110, this notice should be given appropriate weight and credit.

The FINRA CCO Reg. Notice provides several important parameters that can be used as a framework and as future guidance for firms which are aligned with the NSCP Framework. First and foremost, it states that a CCO will be subject to liability under Rule 3110 only when the firm designates the CCO as having supervisory responsibility. More specifically, only in circumstances when a firm has expressly or impliedly designated its CCO as having supervisory responsibility will FINRA bring an enforcement action against a CCO for supervisory deficiencies. The FINRA CCO Reg. Notice then provides that this may occur in several ways:

• the member’s written procedures might assign to the CCO the responsibility to establish, maintain and update written supervisory procedures, both generally as well as in specific areas (e.g., electronic communications);
• the written procedures might assign to the CCO responsibility for enforcing the member’s written supervisory procedures or other specific oversight duties usually reserved for line supervisors;
• apart from the written procedures, a member firm, through its president or some other senior business manager, might also expressly or impliedly designate the CCO as having specific supervisory responsibilities on an ad hoc basis; or
• the CCO may be asked to take on specific supervisory responsibilities as exigencies demand, such as the review of trading activity in customer accounts or oversight of associated persons.

In assessing CCO liability, FINRA will apply a reasonableness standard and will consider whether charging a CCO under Rule 3110 is the appropriate regulatory response to address the violation(s). As part of these assessments, FINRA will consider the following factors that may weigh in favor of charges:

• the CCO was aware of multiple red flags or actual misconduct and failed to take steps to address them;
• the CCO failed to establish, maintain, or enforce a firm’s written procedures as they related to the firm’s line of business;
• the CCO’s supervisory failure resulted in violative conduct (e.g., a CCO who was designated with responsibility for conducting due diligence failed to do so reasonably on a private offering, resulting in the firm lacking a reasonable basis to recommend the offering to its customers); and
• whether that violative conduct caused or created a high likelihood of customer harm.

On the other side of the scale, factors that might weigh against charging the CCO include, but are not limited to, the following:

• the CCO was given insufficient support in terms of staffing, budget, training, or otherwise to reasonably fulfill his or her designated supervisory responsibilities;
• the CCO was unduly burdened in light of competing functions and responsibilities;
• the CCO’s supervisory responsibilities, once designated, were poorly defined, or shared by others in a confusing or overlapping way;
• the firm joined with a new company, adopted a new business line, or made new hires, such that it would be appropriate to allow the CCO reasonable time to update the firm’s systems and procedures; and
• the CCO attempted in good faith to reasonably discharge his or her designated supervisory responsibilities by, among other things, escalating to firm leadership when any of the above issues were occurring.

In evaluating the above factors, the FINRA CCO Reg. Notice provided that FINRA will assess charging the firm, its president, or other individuals with more direct, line supervisory responsibility. This all seems consistent with NSCP’s Framework.

This effort by FINRA through the FINRA CCO Reg. Notice, like many previous efforts in this controversial area, may not satisfy all industry participants, but it appears to commendably provide guidance for how firms and CCOs can delineate in policies and procedures what specific role the CCO will play, including as red flags may arise. It further provides guidance regarding the factors that FINRA will consider for and against charging CCOs with Rule 3110 violations and practical alternatives that FINRA will take into account in its charging decisions.