DOJ to place additional burdens on CCOs

Eversheds Sutherland (US) LLP

Eversheds Sutherland (US) LLPLast week, yet another US Department of Justice (DOJ) official reportedly stated new corporate settlements “most likely” will include a requirement that the company’s chief compliance officer (CCO), as well as the chief executive officer, certify the compliance program is “reasonably designed” to prevent future violations. This requirement presents a problem if the CCO does not have the responsibility, ability, or authority from the company to ensure that the certification is accurate and can be implemented and enforced. Certain CCOs may not have such power.

On a panel during an event with the Women’s White Collar Defense Association, Lauren Kootman, the Assistant Chief of the Corporate Enforcement, Compliance & Policy Unit in the DOJ’s Fraud Section, emphasized the importance of ensuring the compliance function is “empowered” to effectively implement the program. Kootman’s statements follow Assistant Attorney General Kenneth A. Polite Jr.’s announcement of the forthcoming CCO certifications during his remarks in March 2022.1 Assistant AG Polite stressed these certifications are intended to “empower and punish” CCOs: companies should “empower” compliance professionals and ensure CCOs “have true independence, authority, and stature within the company.”

While CCO certification requirements in DOJ corporate settlements may be new, the necessity of “empowering” CCOs and providing them with adequate authority and resources to effectively implement the compliance program has been a longstanding, recurring theme from enforcement authorities and regulators. Prior DOJ guidance, as well as statements and guidance from the US Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA), have used extremely similar—if not the exact same—language that appeared in Kootman and Assistant AG Polite’s remarks.

  • The DOJ Evaluation of Corporate Compliance Programs2 emphasizes that supporting a capable, experienced CCO is an integral part of an effective compliance program. The Evaluation of Corporate Compliance Programs, which is intended to provide guidance to DOJ attorneys in evaluating the adequacy and effectiveness of a corporate compliance program, is structured around three key questions, one of which is whether the program is “being applied earnestly and in good faith.” DOJ attorneys are instructed to consider whether the compliance program is “adequately resourced and empowered to function effectively” when conducing this analysis.
  • The SEC also has focused on CCO “empowerment.” For example, a November 2020 speech given by Peter Driscoll, then-Director of the Office of Compliance Inspections and Examinations, was entitled “The Role of the CCO – Empowered, Senior and With Authority” and included a variation of the word “empowerment” ten times.3 Referencing the Compliance Rule Adopting Release,4 which also says that the CCO “should be empowered with full responsibility and authority to develop, implement, and enforce appropriate policies and procedures for the firm,” then-Director Driscoll noted certain firms’ problematic “check-the-box” approach, where a CCO existed but was not empowered.
  • FINRA expressly addressed CCO liability earlier this year in Regulatory Notice 22-10 entitled “FINRA Reminds Member Firms of the Scope of FINRA Rule 3110 as it Pertains to the Potential Liability of Chief Compliance Officers for Failure to Discharge Designated Supervisory Responsibilities.”5 The Regulatory Notice discusses factors for and against charging a CCO under Rule 3110 (Supervision). Certain factors that weigh against charging the CCO similarly consider whether the CCO has the ability and resources to fulfill his or her responsibilities, including whether “the CCO was given insufficient support in terms of staffing, budget, training, or otherwise to reasonably fulfill,” or “the CCO was unduly burdened in light of competing functions and responsibilities.”

As CCOs’ exposure to personal liability increases, CCOs and other compliance personnel are craving additional formal guidance on CCO liability. The National Society of Compliance Professionals recently published the Firm and CCO Liability Framework (Framework) to address broker-dealers, investment advisers, and investment companies’ compliance officers’ concerns about personal liability.6 The Framework notes securities regulators’ “expressed support for CCO empowerment,” and proposes nine questions that regulators should contemplate when determining whether a compliance failure occurred and CCOs may be held liable. These factors include whether the CCO had “nominal rather than actual responsibility, ability, or authority” and whether the CCO had insufficient resources.7

SEC Commissioner Hester Peirce also has noted the need for additional formal SEC guidance on CCO liability. In an October 2020 speech, Commissioner Peirce noted that “compliance officers’ responsibilities are growing, but the nature of the liability they face in executing those responsibilities remains unclear.”8

* * *

Requiring CCOs to certify the compliance program as part of corporate resolutions unfortunately may subject CCOs to significant additional liability because CCOs may not be able to ensure their certification. This approach could discourage qualified candidates from taking these important positions—especially for companies previously subject to enforcement actions which are most in need of strong CCOs.

At the same time, however, the emphasis on CCO empowerment could lead companies’ board of directors and/or senior management to devote more resources to making CCOs’ jobs easier and to the compliance function generally. Failure to do so may lead to CCO turnover, which—particularly for companies that have recently entered into a corporate resolution—could generate increased scrutiny from DOJ and other regulators, as well as bad publicity that could affect the company’s relationships with shareholders and business partners. Indeed, in his November 2020 speech, then-Director Driscoll explicitly warned firms about this exact issue: “If we see that an adviser has changed CCOs recently or frequently, we are very likely to ask about the circumstances of those actions on an exam.”

Given these risks, companies should take this opportunity to re-evaluate the adequacy of the resources they devote and authority they allocate to their CCOs and compliance functions—the DOJ and regulators’ focus on CCO empowerment isn’t going away.


1 “Assistant Attorney General Kenneth A. Polite Delivers Remarks at ACAMS 2022 Hollywood Conference,” US Department of Justice (Mar. 22, 2022) available at

2 Evaluation of Corporate Compliance Programs, US Department of Justice Criminal Division (June 2020).

3 “The Role of the CCO – Empowered, Senior, and With Authority,” Peter Driscoll, Director, Office of Compliance Inspections and Examinations (Nov. 19, 2020) available at

4 See Release No. IA-2204, Compliance Programs of Investment Companies and Investment Advisers (Dec. 17, 2003).

5 “FINRA Reminds Member Firms of the Scope of FINRA Rule 3110 as it Pertains to the Potential Liability of Chief Compliance Officers for Failure to Discharge Designated Supervisory Responsibilities,” Regulatory Notice 22-10, available at

6 “Firm and CCO Liability Framework,” National Society of Compliance Professionals, (Jan. 10, 2022).

7 For an analysis of how this Framework would apply to SEC and FINRA enforcement cases, seeA Tale of Two Enforcement Actions Against Compliance Officers: An analysis applying the NSCP Firm and CCO Liability Framework.” See also the “Framework for Chief Compliance Officer Liability in the Financial Sector” issued by the New York bar on June 2, 2021.

8 “When the Nail Fails – Remarks before the National Society of Compliance Professionals,” SEC Commissioner Hester M. Peirce, US Securities and Exchange Commission (Oct. 19, 2020) available at

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising

Written by:

Eversheds Sutherland (US) LLP

Eversheds Sutherland (US) LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.