Who’s to Blame?

Chief compliance officers (CCOs), charged with ensuring regulatory compliance on behalf of their employers, have always faced some risk of being held liable in regulatory actions and lawsuits based on their obligation to stop organizational negligence and reckless or illegal behavior.

The number of cases resulting in findings of personal liability or settlements against CCOs is comparatively small. But public statements by regulators, such as the U.S. Securities and Exchange Commission and the Financial Industry Regulatory Authority (Finra), regarding expectations for chief compliance officers and heightened regulatory actions in certain areas are raising concerns in some quarters, particularly in the financial services sector.

In March, Finra, a not-for-profit organization that self-regulates financial brokerage firms doing business with the U.S. public, issued a regulatory notice reminding member firms about when a chief compliance officer is—and is not—subject to potential liability under Finra’s supervision rule.

Exposure for chief compliance officers based upon SEC actions may be expanding. The SEC is taking increasing enforcement actions with respect to environmental, social and governance (ESG) compliance, says Nirali Shah, a partner in financial lines at McGill and Partners.

“Regulators are becoming more active, certainly in the U.S. but also globally, and we’ve seen the global trend for longer than we’ve just seen in the U.S.,” Shah says. “In the U.S., in the last two years, you’re seeing the SEC trying to come out with certain rules and regulations around topics that they weren’t previously really keyed in on. That presents a very different exposure than what companies may have been used to. Because there’s so much ambiguity on exactly what those rules may look like, it’s hard to understand how the company should operate, what decisions they should be making, and who should be part of that decision-making process really, which could increase the risk of exposure for CCOs.”

Chief compliance officers’ personal liability exposure concerns may be diminished in Europe, says Francis Kean, a London-based partner at McGill and Partners serving U.K. and other European clients. “CCO liability is a theme that crops up every now and then, but I wouldn’t describe it as a growing area of concern and would describe it as simply part of the greater general focus on senior management accountability since the [2008] financial crash,” Kean says.

A High-Pressure Job That Many Avoid

Chief compliance officer is a high-pressure position with some inherent liability risks, notes Kevin LaCroix, executive vice president at RT ProExec, a division of RT Specialty.

“If the company has violated some legal requirement as a result of guidance they got from the chief compliance officer,” LaCroix says, “the possibility of liability for the compliance officer, as well as the company, is there if they are found to have breached some legal duty they owed to the company.”

Many CCOs are spooked by the possibility of being held personally liable. A recent survey by the National Society of Compliance Professionals (NSCP), a financial services industry organization, found 72% of compliance professionals are concerned that regulators have expanded the role of compliance officers and the scope of their responsibilities in imposing personal liability.

In January 2022, to help ensure investor protection and market integrity through effective compliance functions at broker-dealers, investment advisors and investment companies, the NSCP released guidelines for firms and chief compliance officers. The society’s CCO Liability Framework was designed to provide guidance to regulators, chief compliance officers and firms regarding perceived or actual CCO liability and prevent unwarranted enforcement actions against CCOs.

Chief compliance officers are particularly vulnerable to enforcement actions involving personal liability. While generally very well compensated, CEOs and CFOs can often rebound to a new company despite an adverse enforcement or a major adverse legal decision. For CCOs, whose stock in trade is compliance acumen and who usually do not command the same salaries as a company’s top executives, being held personally liable or even being named publicly in an enforcement action can taint or end a career. While no one knows the exact number of qualified professionals who demure from becoming compliance professionals due to the exposure risk, some interviewed estimate the number is high.

“We hear people talking all the time who say, ‘Oh, I don’t want to go on the compliance side. I want to stay on the legal side, because if I go on the compliance side, there’s potential liability there,’” says Brian Rubin, a partner and co-head of litigation at the Washington, D.C., office of Eversheds Sutherland law firm and co-head of securities enforcement nationally. Rubin, a former deputy chief counsel at NASD/Finra, had earlier served as senior counsel at the SEC’s Division of Enforcement. He is on the board of the NSCP and co-wrote the NSCP’s CCO Liability Framework.

“Your professional and personal liability are always on the line,” says Patrick Hayes, an attorney at law firm Calfee who serves on the board of the NSCP. With Rubin, Hayes wrote the CCO Liability Framework and serves as a CCO for some of his clients. “It is particularly stressful because as CCO you are on the line for ensuring compliance for areas of the company at which you are not necessarily an expert,” Hayes says, “and the compliance function is not a revenue center and is typically under-resourced.”

The consequences of that, of course, ultimately fall back on the insurance industry, which ends up insuring clients who are less able to address or mitigate compliance risks because of less competently staffed compliance units.

There is, however, often good news that insurance brokers who address the needs of CCOs can bring to clients. In many cases, LaCroix says, brokers can help clients protect CCOs from liability claim risk by adding CCOs as covered parties to existing D&O policies at little additional cost and with little effect upon terms and conditions.

A Framework for CCO Protection

Optimizing tools to protect chief compliance officers from personal liability requires understanding a framework that includes organizational indemnification, D&O coverage, sometimes exculpation, and, finally, defensible conduct. It is also worth noting that CCOs are not the only employees who might be in this bucket. “A lot of times general counsel who are not CCOs or risk managers are also people who are not explicitly covered by indemnification and D&O policies,” Shah says. “So there’s a question of, do we need to add them to the policy; is there something else that we can do to ensure that they are going to have coverage?”

Indemnification

There is some misconception that D&O insurance policies are the dominant form of protection for officers and directors. Instead, indemnification, the willingness of the organization to protect and hold harmless a director or officer from personal legal liability, is described by many as the key layer, with D&O insurance often contingent upon it and supporting it. Indemnification, LaCroix notes, covers the cost of defending suits brought against directors and officers and payment of any judgments or settlements resulting from those suits.

D&O insurance is subject to limits of liability, whereas indemnification is theoretically unlimited (although, of course, practically limited by the indemnifying company’s financial resources). Indemnification is often very broad, frequently extending “to the maximum extent permitted by law,” LaCroix says, whereas D&O insurance policies contain numerous exclusions and conditions. In addition, D&O insurance must be renewed each year, with possible changes in terms and conditions. Indemnification rights are much less likely to be changed, he says, particularly for corporate officials who negotiate their own indemnification contracts.

Who is and is not indemnified is a critical question that depends upon an organization’s key documents, such as articles of incorporation and bylaws, which can define officers who will potentially qualify for protection, as well as the organization’s willingness to identify them.

“A lot of it will tie back to how the company treats certain individuals in terms of indemnification and protection from the company,” Shah says. “When I say a designated officer, that is something that the company actually will define.”

It is important for brokers and clients to examine indemnification issues early, LaCroix says, including whether chief compliance officers are covered. A separate written indemnification provision can offer much greater procedural specificity, as well as protections against wrongful withholding of indemnification, by providing presumptions in favor of indemnification. LaCroix says the separate provision can also provide for “fees on fees”—that is, fees incurred in order to enforce rights to advancement or indemnification.

Key indemnification provisions can be negotiated in such agreements, LaCroix says. “One is that indemnification is mandatory rather than merely permissive,” he says. “Another is that you’re entitled to indemnification, whether or not you’re a party to the proceeding. So if you’re merely a witness, you’re still entitled to indemnification.”

D&O Coverage

Given that D&O policies are manuscript policies with widely varying provisions, LaCroix says, often there is much to be negotiated. LaCroix’s website (dandodiary.com) contains a thorough primer on the basics of D&O insurance coverage. The coverage provision in which the D&O policy provides individuals with insurance protection when indemnification is not available is commonly referred to as Side A coverage.

It is important to understand the relationship between D&O coverage and indemnification. Many carriers want to see good indemnification in place and D&O supplementing that, LaCroix says. Many policies protect insurers from poor indemnification arrangements by specifying that, for purposes of the policy, indemnification is presumed to the maximum extent permitted by law.

“When we have the discussion with companies about who is covered and who is not under the policy,” Shah says, “one of the considerations is always what level of indemnification are you providing. The expectation from the insurance carrier is that you are going to indemnify these individuals just like you would any other director or officer. We’ve sometimes seen instances in which an insured company says, ‘Well, that is not a role or an individual that we intend to actually provide indemnification to.’ Then the conversation becomes, ‘OK, well, if you’re not going to do that, unfortunately, the insurance company may not extend coverage to that individual.’ We have to have that conversation up front, and we’ve also got to be very clear with the insurance carriers on how that process works for a company, because whether or not they want to extend coverage will hinge on that conversation.”

It is particularly important, Shah says, to determine carrier expectations as to indemnification whenever a policy is not explicit on its face.

Typically, says Amy Klitzke, senior vice president of management liability at Marsh McLennan Agency, D&O insurance will reimburse the insured company for its indemnification of the individual insured persons, subject to the policy retention amount and its full terms and conditions. In some cases, Klitzke says, such as when fines and penalties are not covered by the D&O policy or when another policy exclusion comes into play, the D&O policy will not apply, and thus corporate indemnification is of utmost importance to the individuals. The company is covered under typical D&O insurance for its indemnification obligations of insured persons. Given this, Klitzke says, if the policy is not structured properly to respond to the exposures of a non-officer, the company could be left without the insurance coverage to reimburse for indemnification amounts in excess of the applicable policy retention.

Relevant policy provisions, Klitzke says, include the insuring agreements, definitions of “insured person” and “loss,” and, if applicable, the presumptive indemnification clause. Dedicated Side A DIC (difference in conditions) policies are also a critical consideration for chief compliance officer exposure. “These policies are a backstop to corporate indemnification, as they are designed to respond only in the event of a non-indemnifiable loss of an individual insured person,” says Klitzke. “The Side A DIC contract is typically broader than traditional D&O insurance in that it contains fewer exclusions, will generally respond in the event of failed or refused indemnification by the company, and may respond more broadly to certain types of loss such as fines and penalties.”

A component of a dedicated Side A DIC limit has become an integral part of a best-in-class public company D&O program, Klitzke says, and this would especially be true when assessing coverage for chief compliance officers.

Aside from the relationship to indemnification, the other key question is whether the D&O policy covers the chief compliance officer. “It’s about reviewing who is and is not covered explicitly within the policy and whether that chief compliance officer fits the definition of what we call an ‘insured person,’” Shah says, and, to the degree that the CCO isn’t covered, “how you get them onto the policy, how you add their cover.”

Much depends on the definition of what an officer is. “It depends on what the D&O policy says,” LaCroix notes. “It depends on what the articles of incorporation and bylaws of this specific company say. It also depends on what the specific individual responsibilities are. The policies typically say an officer is any duly elected or appointed officer, which means you have to then go back to the foundational documents of the company, like the articles of incorporation and bylaws, to see what the company says about who is an officer. And that may wind up being a factor of the applicable law of the state in which the company was incorporated and so on.” Many times, Shah says, D&O brokers must take a further step and map out the actions and responsibilities of chief compliance officers to make sure they are covered. “Some policies will very explicitly include general counsel, and some don’t,” she says. “This is where D&O really comes down to customization and making sure that you have a broker who’s keyed in on what the terms and conditions are in the policy. How do I explain to my client who is or is not covered? Why might that be good or bad? How do we expand this to really be a customized fit for the client that we’re working with? The broker has to step in and say, ‘Here’s actually what the definition says. Does this person fit that definition? If they don’t, how do we make sure that they do?’ For example, oftentimes there can be questions of, ‘I’ve got a general counsel here who’s not necessarily a designated officer of the company. Does that preclude them from coverage?’ There are things that we have to sift through to really explain how the coverage would operate and then explain the changes that we could potentially make to ensure that we are covering the right people, that the coverage is extending the way that the client wants, and walking the clients and the underwriters through that so they really understand who is making these decisions and how those decisions are going to impact the company and their business.”

Pinning carriers down on such issues can sometimes be challenging, says Michael McLaughlin, management liability practice leader at Insurance Office of America. “Carriers may be reserved when it comes to responding to whether coverage exists, given that they want to account for all factors at the time a claim is reported instead of making broad statements saying that a CCO would or would not find coverage under the policy,” McLaughlin says.

Lawyers have a particularly high standard of conduct due to their obligations as officers of the court. Lawyers can also face disciplinary proceedings that could cripple their ability to serve the corporation as an officer of the court. Thus, McLaughlin says, legal officers may want to ensure appropriate protection is afforded through their company’s insurance package.

Sometimes carriers offer multiple options to address a chief compliance officer’s personal liability. As an example, CCOs are considered insureds under Chubb’s D&O policy if they are considered officers and indemnified as such by their firm’s bylaws, says Stephen Troiano, executive vice president for Chubb’s Financial Institutions Group.

As part of its Asset Management Protector policy, Chubb also offers an endorsement tailored to chief compliance officers, says Erika Critchley, vice president and asset management product manager at Chubb’s Financial Institutions Group.

“This chief compliance officer coverage endorsement provides a separate, dedicated Side A limit for CCOs,” Critchley says. “The CCO endorsement is non-indemnifiable coverage for CCOs and is not shared with other parties under the policy. This dedicated Side A coverage gives CCOs confidence in knowing they will have coverage even if they are not indemnified by their organization. The Chubb Asset Management Protector form is a modular insurance policy comprised of coverages including, but not limited to, private company directors and officers, professional liability, investment company liability and private fund liability.”

Parsing out this coverage may be outside the wheelhouse of many brokers, who turn to specialty wholesale brokers such as Shah’s McGill and Partners and LaCroix’s RT ProExec for support.

Negotiating More Coverage

When a broker determines coverage will not be extended for a chief compliance officer or is unlikely under an existing D&O policy, the conversation turns to obtaining coverage. “How we deal with this, from a D&O standpoint, is probably just to amend the policy as specified, such as, ‘Anyone with a title of compliance officer or chief compliance officer shall be an insured under the policy,’” LaCroix says. “I don’t think there would be much pushback on that. It is frequently the case that there is a need to clarify that persons with, for example, a title of chief legal officer are endorsed on the policy just to make sure there is no ambiguity about whether the person is an officer within the meaning of the D&O insurance policy. That’s something that can easily be done and probably for companies in the financial services industry is routinely done. That’s the remedy, and I wouldn’t expect any change in terms and conditions if that amendment is made, given that the things that affect the scope of liability are so much bigger and so much more important and this is a relatively small thing.”

On the other hand, IOA’s McLaughlin says he has seen pricing impacts for such coverage. “The increase in SEC involvement is definitely taken into consideration with the pricing and the scrutiny that we’ll see from underwriters,” he says. “Oftentimes, we’ll see employed lawyers liability added on as an enhancement endorsement for an additional premium to mitigate any coverage concerns.”

Exculpation

In some states, exculpation provides a third layer of protection for some corporate officers. Exculpation laws shield chief compliance officers from liability by recognizing enhanced indemnification that seeks to remove liability for a breach of a duty of care that would otherwise be actionable.

Delaware is one of the leading locations for corporate organization and has acted to limit director and officer liability through exculpation. Effective last August, the Delaware General Assembly amended the Delaware General Corporation Law, Section 102(b)(7), to permit the exculpation of corporate officers. Exculpation of directors was already allowed and is provided for as a standard provision in many Delaware documents of organization.

“If it’s a Delaware corporation, the availability of that exculpation is something that all of the senior executives might want to consult their outside counsel about,” LaCroix says, “and check for its availability in other jurisdictions.”

This also may require adjustments to a company’s incorporation documents, LaCroix notes.

Defensible Conduct

Company and chief compliance officer conduct and organization design are also relevant factors here.

“Communications with the public is probably the single most litigation-sensitive thing that companies do,” LaCroix says. “They should really dial it down to a very small circle of people who are authorized to make public statements on behalf of the company. And those people should be very intensively trained. I wouldn’t have my compliance officer making statements. For me, a compliance officer is advisory and not supervisory. And in that role, they should be speaking to the other senior executives. They shouldn’t be speaking to the investment public.”

Companies should also double down on compliance efforts. In its compliance framework, the National Society of Compliance Professionals said firms of all sizes and structures should empower their CCOs with the full responsibility, ability and authority to develop, implement and enforce appropriate policies and procedures. In addition, company leadership needs to continually assess whether the compliance program has adequate resources to support a robust compliance function. The society also said CCOs should have clear direction from company leadership on their roles and their authority to manage compliance programs specifically tailored to their organization and designed to prevent violations of federal securities laws. Hayes, the Calfee attorney, says it is important that organizational policies and procedures clearly set forth who is responsible for what functions, which could help chief compliance officers by limiting their direct responsibilities.