It’s largely impossible to effectively assess an organization’s culture of compliance prior to taking a chief compliance officer job. And yet, regulators’ growing interest in holding CCOs responsible for company misconduct has understandably raised anxiety for would-be compliance chiefs.
They might be asking themselves questions like:
- What if liability is imposed when compliance acts negligently, rather than recklessly?
- What happens when compliance relies on inaccurate data from another employee?
- Are compliance officers still liable if they haven’t participated in the violations caused by the company or other executives?
A study by the National Society of Compliance Professionals (NSCP) published in January 2022 found 70 percent of compliance professionals surveyed believed their function was under resourced. One quarter (25 percent) reported “an inability to address compliance-related weaknesses and report concerns to senior management.”
Despite these significant issues outside the control of most CCOs, some regulators have signaled more individual liability cases are to be expected. Will accepting the wrong job, in hindsight, make it your last?
It’s important to know what you’re getting yourself into as you navigate the chief role in our profession. Nonbinding protocols, regulatory guidance, and recent cases, all in the financial services industry, provide insight into how to protect yourself from prosecution.
In 2021, the New York City Bar Association’s compliance committee took the lead in recommending the creation of a formalized regulatory framework (nonbinding) for CCO liability in the financial sector. It provided factors for regulators to consider when deciding whether to charge a CCO for “conduct relating to their compliance-related duties.”
The NYC Bar asked regulators—namely, the Securities and Exchange Commission (SEC)—to reflect, as a threshold issue, on whether bringing a charge against a CCO would help fulfill agency regulatory goals. It went on to articulate a good-faith standard, with obstruction or active fraud participation by the CCO as aggravating factors.
The following year, the NSCP published its own liability framework, which was more focused on the overall strength of a financial firm’s compliance function and stressed the need for consideration of “the full context in which the CCO functioned.” Updated in February 2023 after SEC and Financial Industry Regulatory Authority (FINRA) input, it is intended to be a “living document.”
In March 2022, then-Assistant Attorney General Kenneth Polite Jr. announced the Department of Justice (DOJ) would consider requiring chief executive officers and CCOs to certify all corporate resolutions, including guilty pleas, non-prosecution agreements, and deferred prosecution agreements.
They would “certify at the end of the term of the agreement that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law (based on the nature of the legal violation that gave rise to the resolution, as relevant) and is functioning effectively,” he said.
While Polite—a former CCO himself—said the intent of the certification was to empower CCOs and ensure they had “the data, access, and voice” they need, many were concerned the certifications increased the risk they would be criminally prosecuted for corporate wrongdoing.
The certification requirement was applied for the first time in the DOJ’s settlement agreement with commodities trader Glencore in May 2022. And yet, questions remain (e.g., what if a CCO signs a certification only to later discover violations?).
Case studies
Although no unified standard has been adopted, a review of recent cases provides some indication of how personal charges against CCOs and others in gatekeeper functions might be handled:
- Sterling Bank (2024): Cease-and-desist order issued against general counsel by the Treasury Department’s Office of the Comptroller of the Currency (OCC). The OCC acknowledged the general counsel was hindered in her ability to investigate suspicious activity and lacked sufficient authority to act but ultimately found she failed to ensure the bank conduct—or suggest to the board that the bank conduct—an investigation into concerns, failed to ensure an adequate system of internal controls, and failed to timely report suspicious activity.
- Binance (2023): CCO individually prosecuted and fined $1.5 million by the Commodity Futures Trading Commission, which determined he was “willfully aiding and abetting Binance’s numerous violations” of the Commodity Exchange Act.
- Southridge/Ocean Cross (2020): FINRA disciplinary action against CCO upheld by the SEC. CCO “failed to make reasonable efforts” to fulfill the responsibilities of his position. Upheld on appeal. Sanctions and fines imposed against the CCO, who was also statutorily disqualified.
- Pennant (2018): SEC declined to bring charges against CCO appointed to the role with no prior experience. CCO was found to have done his best by repeatedly requesting program resources and warning of his inability to effectively assess risk without that support. CEO held liable for contributing to compliance failures.
- Southwind (2017): SEC found former CCO liable for wholesale failure of compliance program. Firm repeatedly failed to follow the recommendations of its own retained compliance consultant and repeatedly failed to take any remedial action in light of clear systemic failures. Cease-and-desist order entered against CCO, along with a limitation on industry supervisory and compliance activity.
These cases fail to establish a consistent standard that would confidently reassure most compliance professionals. It is unclear whether such a standard is forthcoming, so a pragmatic, interim approach is to draw on the proposed frameworks, DOJ pronouncements, and cases described above to emphasize the following protective measures CCOs can employ:
- Ensure you are empowered in title, compensation, and authority in alignment with other risk functions;
- Ask for the resources you need and keep executive management and the board informed of gaps in compliance coverage and events that must be remediated;
- Conduct program/risk assessments;
- Act on recommendations provided by outside counsel or program/risk assessments;
- Document all the above, especially any program gaps; and
- Personally (informally) assess your company’s demonstrated progress and commitment to improvement. If you are not feeling confident about your organization’s level of support for and action on compliance, it might be time to get your résumé together.
This list is not exhaustive and might need additional items depending on your circumstances.
Knowing your limits
Another useful exercise is to think about what your “red line” would be before you find yourself in a challenging situation. What would it take to make you walk away?
For example, what would you do if you learned one of your company executives impersonated an executive of another company on an investor call and the board declined to conduct a formal, independent investigation?
How long is reasonable to repeatedly ask for resources from the CEO and board and continue to get little traction on important compliance program initiatives? Three months? Six months? A year?
In the Pennant case, the CCO allegedly tried for more than two years. He wasn’t charged, with the SEC noting his repeated good-faith efforts to get resources and expertise. How long would you stick around in a situation like that?
The professional and reputational harm of staying too long cannot be overstated (e.g., the general counsel from Sterling Bank is required to show that consent decree to future employers—quite a professional albatross).
If your company finds itself under investigation, consider the following additional actions:
- Adopt business-level compliance sub-certifications. As with Sarbanes-Oxley-specific compliance controls, organizational business units are accountable for maintaining an effective compliance program. Consider having compliance certifications for all departments: finance, human resources, sales, etc. Compliance can rely on these sub-certifications as part of the compliance program, before being subject to a possible DOJ certification requirement.
- Require board members to sign off on the minutes of compliance committee meetings.
- Keep mirror documentation of high-risk transactions.
- Determine whether you are covered under the company’s directors and officers liability insurance policy.
- If you do not have an indemnification agreement with your employer, consider negotiating for one.
- Ensure you are effectively represented and advised. You might want to privately engage and consult with your own counsel.
While prosecutions against CCOs are rare, it is wise to be aware of the current liability landscape and the options you can pursue to protect yourself. As most cases demonstrate, to be held personally liable a CCO must generally have been found willfully negligent—or to have been directly involved in the misconduct.
Until a universal liability standard is adopted and consistently applied in enforcement actions, CCOs are right to be concerned. It’s wise to be proactive and alert to your actions—or inaction—and how they might be viewed in hindsight.