
Protecting Your Chief Compliance Officer From Undue Liability

CCOs are increasingly worried their responsibilities could find them facing career-ending securities charges. Here’s how a new framework for determining liability, along with modern compliance software, could help.

Compliance helps set the tone for an enterprise financial firm. Where there’s a positive culture of compliance—a culture where employees by and large follow the rules, and risk is therefore kept at a minimum—you can be sure there’s a CCO at the top of the org chart helping set that tone. Conversely, where there’s a poor culture of compliance—a culture where employees give lip service, at best, to following the rules, and risk is always bubbling just beneath the firm’s operational surface—you can be sure there’s a CCO helping set that tone, or maybe helping set no tone for the organization at all.

But with great power comes great potential liability. CCOs are increasingly worried their responsibilities for catching securities violations could mean being held personally at fault for misses over which they might have little, if any, control. A new framework being proposed by the New York City Bar Association (NYCBA) seeks to guide regulators in bringing enforcement actions against financial sector CCOs, and in the process ease these concerns. Today we cover this framework, and explain how modern compliance software and the automation it brings can go a long way toward keeping risk at bay and keeping CCOs feeling taken care of in an increasingly perilous and complex role.

This proposed framework was released to the public in 2021 and was written by the New York City Bar Association Compliance Committee in partnership with the Securities Industry and Financial Markets Association (SIFMA), the American Investment Council, and the Association for Corporate Growth. The opening paragraph of the report neatly summarizes the thinking behind it:

For several years now, CCOs in the financial sector have voiced a sustained tide of concern … [around] increased enforcement actions holding [them] personally liable, in particular for actions that do not result from fraud or obstruction on their part. These career-ending … actions discourage individuals from becoming or remaining compliance officers and performing vital functions that regulators stretched too thin would otherwise be unable to perform, particularly when other options, such as providing legal advice or becoming an outside compliance service provider or businessperson, involve less personal risk.

The framework offers a total of 15 factors for the SEC to consider in its evaluation of whether to bring charges against CCOs for conduct arising out of their compliance-related duties. The 12 affirmative factors are factors that should be present to bring a CCO Conduct Charge. The three mitigating factors are factors that, if present, should weigh against bringing a CCO Conduct Charge. Each of these factors is explored in detail in the report itself. Here’s an overview:


General Factor:

1. Does the CCO Conduct Charge help fulfill the SEC’s regulatory goals?

Wholesale Failure Factors:

2. Did the CCO not make a good faith effort to fulfill his or her responsibilities?

3. Did the Wholesale Failure relate to a fundamental or central aspect of a well-run compliance program at the registrant?

4. Did the Wholesale Failure persist over time and/or did the CCO have multiple opportunities to cure the lapse?

5. Did the Wholesale Failure relate to a discrete, specified obligation under the securities laws or the compliance program at the registrant?

6. Did the SEC issue rules or guidance on point to the substantive area of compliance to which the Wholesale Failure relates?

7. Did an aggravating factor add to the seriousness of the CCO’s conduct?

Active Participation In Fraud:

8. The SEC should demonstrate that the CCO’s conduct “added value” in some way to the fraud committed by the firm or the other individuals charged.

Obstruction Factors:

9. Were the acts of obstruction or false statements repeated?

10. Was the obstruction denied when confronted or did the CCO not immediately reverse course and cooperate?

11. Did the obstruction relate to a necessary or highly relevant part of the examination or investigation?

12. Did evidence show other indicia of intent to deceive or disregard for cooperation with the SEC’s regulatory mission?


Mitigating Factors:

1. Did structural or resource challenges hinder the CCO’s performance?

2. Did the CCO at issue voluntarily disclose and actively cooperate?

3. Were policies and procedures proposed, enacted, or implemented in good faith?

The introduction to the NYCBA framework notes that “numerous U.S. Securities and Exchange Commission Commissioners and Staff members, including Commissioner Hester Peirce in multiple speeches … have repeatedly discussed the issue [of CCO liability] in public speeches and conference appearances and attempted to offer comfort and guidance.” The NYCBA is obviously trying to make it very clear that it is not off on its own trying to protect CCOs who aren’t good at their jobs, are indifferent to firm culture, or are outright malevolent in their intentions, and that it even has the explicit backing of the SEC in this attempt to bring clarity to the issue of CCO liability.

The SEC hasn’t formally commented on the proposed framework. Presuming a typically slow government response in reviewing and adopting the framework—particularly with everything else the new US administration has on its plate—what can firms do right now to make sure their CCOs feel protected from undue legal liability for doing a job essential to firm profitability, firm reputation, and fair markets?

People aren’t machines. People miss things. Most people can’t muster the kind of unwavering attention to tasks that a machine can, especially tasks that are repetitive and devoid of intellectual stimulation. This describes much of the work that needs to be done on a day-to-day basis by compliance. Responding to pre-clearance trade requests. Cataloguing gift and entertainment spends. Monitoring the increasingly complex flow of MNPI. But these kinds of mundane tasks—fundamental to a compliance program that doesn’t let anything slip through the cracks—are exactly what modern compliance platforms excel at.

It’s automation in the compliance space. The kind of automation that frees up a department’s line officers to do the work that suits their human brains best: investigative work. As anomalies are automatically surfaced by the software—constantly combing through massive amounts of data with said unwavering attention—compliance officers follow up on the software’s insights and determine if some potentially serious regulatory infraction is looming. With data and analytics capabilities that are only becoming more powerful, working as part of a platform that consolidates all employee activities into a single system, you now have a compliance program far less prone to error: the kind of error that can prick a regulator’s ear and become a major issue for the CCO.

The proposed NYCBA framework is good news for CCOs. But until it’s adopted, there’s action your firm can take sooner rather than later to keep your CCOs feeling protected in their roles: prioritize the implementation of a comprehensive, modern compliance platform. It’s possible such a system could be the differentiator for a great CCO looking for a new firm, or the deciding factor in whether or not your current CCO wants to stay at yours. The best CCOs keep firms profitable by keeping them on the right side of regulators, keeping their reputations intact, and helping set a positive overall tone: plenty of reason to keep them around any way you can.