Last week, yet another US Department of Justice (DOJ) official reportedly stated new corporate settlements “most likely” will include a requirement that the company’s chief compliance officer (CCO), as well as the chief executive officer, certify the compliance program is “reasonably designed” to prevent future violations. This requirement presents a problem if the CCO does not have the responsibility, ability, or authority from the company to ensure that the certification is accurate and can be implemented and enforced. Certain CCOs may not have such power.

On a panel during an event with the Women’s White Collar Defense Association, Lauren Kootman, the Assistant Chief of the Corporate Enforcement, Compliance & Policy Unit in the DOJ’s Fraud Section, emphasized the importance of ensuring the compliance function is “empowered” to effectively implement the program. Kootman’s statements follow Assistant Attorney General Kenneth A. Polite Jr.’s announcement of the forthcoming CCO certifications during his remarks in March 2022.1 Assistant AG Polite stressed these certifications are intended to “empower and punish” CCOs: companies should “empower” compliance professionals and ensure CCOs “have true independence, authority, and stature within the company.”

While CCO certification requirements in DOJ corporate settlements may be new, the necessity of “empowering” CCOs and providing them with adequate authority and resources to effectively implement the compliance program has been a longstanding, recurring theme from enforcement authorities and regulators. Prior DOJ guidance, as well as statements and guidance from the US Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA), have used extremely similar—if not the exact same—language that appeared in Kootman and Assistant AG Polite’s remarks.

  • The DOJ Evaluation of Corporate Compliance Programs2 emphasizes that supporting a capable, experienced CCO is an integral part of an effective compliance program. The Evaluation of Corporate Compliance Programs, which is intended to provide guidance to DOJ attorneys in evaluating the adequacy and effectiveness of a corporate compliance program, is structured around three key questions, one of which is whether the program is “being applied earnestly and in good faith.” DOJ attorneys are instructed to consider whether the compliance program is “adequately resourced and empowered to function effectively” when conducing this analysis.
  • The SEC also has focused on CCO “empowerment.” For example, a November 2020 speech given by Peter Driscoll, then-Director of the Office of Compliance Inspections and Examinations, was entitled “The Role of the CCO – Empowered, Senior and With Authority” and included a variation of the word “empowerment” ten times.3 Referencing the Compliance Rule Adopting Release,4 which also says that the CCO “should be empowered with full responsibility and authority to develop, implement, and enforce appropriate policies and procedures for the firm,” then-Director Driscoll noted certain firms’ problematic “check-the-box” approach, where a CCO existed but was not empowered.
  • FINRA expressly addressed CCO liability earlier this year in Regulatory Notice 22-10 entitled “FINRA Reminds Member Firms of the Scope of FINRA Rule 3110 as it Pertains to the Potential Liability of Chief Compliance Officers for Failure to Discharge Designated Supervisory Responsibilities.”5 The Regulatory Notice discusses factors for and against charging a CCO under Rule 3110 (Supervision). Certain factors that weigh against charging the CCO similarly consider whether the CCO has the ability and resources to fulfill his or her responsibilities, including whether “the CCO was given insufficient support in terms of staffing, budget, training, or otherwise to reasonably fulfill,” or “the CCO was unduly burdened in light of competing functions and responsibilities.”

As CCOs’ exposure to personal liability increases, CCOs and other compliance personnel are craving additional formal guidance on CCO liability. The National Society of Compliance Professionals recently published the Firm and CCO Liability Framework (Framework) to address broker-dealers, investment advisers, and investment companies’ compliance officers’ concerns about personal liability.6 The Framework notes securities regulators’ “expressed support for CCO empowerment,” and proposes nine questions that regulators should contemplate when determining whether a compliance failure occurred and CCOs may be held liable. These factors include whether the CCO had “nominal rather than actual responsibility, ability, or authority” and whether the CCO had insufficient resources.7

SEC Commissioner Hester Peirce also has noted the need for additional formal SEC guidance on CCO liability. In an October 2020 speech, Commissioner Peirce noted that “compliance officers’ responsibilities are growing, but the nature of the liability they face in executing those responsibilities remains unclear.”8

* * *

Requiring CCOs to certify the compliance program as part of corporate resolutions unfortunately may subject CCOs to significant additional liability because CCOs may not be able to ensure their certification. This approach could discourage qualified candidates from taking these important positions—especially for companies previously subject to enforcement actions which are most in need of strong CCOs.

At the same time, however, the emphasis on CCO empowerment could lead companies’ board of directors and/or senior management to devote more resources to making CCOs’ jobs easier and to the compliance function generally. Failure to do so may lead to CCO turnover, which—particularly for companies that have recently entered into a corporate resolution—could generate increased scrutiny from DOJ and other regulators, as well as bad publicity that could affect the company’s relationships with shareholders and business partners. Indeed, in his November 2020 speech, then-Director Driscoll explicitly warned firms about this exact issue: “If we see that an adviser has changed CCOs recently or frequently, we are very likely to ask about the circumstances of those actions on an exam.”

Given these risks, companies should take this opportunity to re-evaluate the adequacy of the resources they devote and authority they allocate to their CCOs and compliance functions—the DOJ and regulators’ focus on CCO empowerment isn’t going away.