For many firms, chief compliance officers (CCOs) are often looked at as the “first and last line of defense.” They help design and implement compliance programs, educate and train firm personnel, and work in tandem with senior business management and legal departments. These roles and responsibilities have never really been called into question. However, what has been a topic of controversy for the past decade or so is the potential liability CCOs face regarding breakdowns in a firm’s supervisory responsibilities.

Well, it appears FINRA has heard the industry’s cry for more clarity. Just recently, FINRA issued Regulatory Notice 22-10, which discusses the circumstances under which a firm’s CCO might be subject to personal liability for “failure to supervise” under its Rule 3110. FINRA starts off by acknowledging that the responsibility of FINRA Rule 3110 rests with a firm’s business management, not its compliance officials. In fact, FINRA goes on to say that “the CCO’s role, in and of itself, is advisory, not supervisory.”

What Does FINRA Rule 3110 Require?

Rule 3110 sets out a comprehensive set of supervisory obligations for member firms and requires firms to designate individual supervisors and identify their responsibilities. The rule requires each member firm to establish and maintain a system, including written procedures, to supervise the activities of each associated person that is reasonably designed to achieve compliance with applicable securities laws and regulations.

A firm’s supervisory obligations under Rule 3110 rest with the firm and its president (or equivalent officer or individual, e.g., CEO) and flow down by delegation to the firm’s designated supervisors. The firm’s president (or equivalent officer or individual), not its CCO, “bears ultimate responsibility for compliance with all applicable requirements unless and until he [or she] reasonably delegates particular functions to another person in that firm, and neither knows nor has reason to know that such person’s performance is deficient.

What is the Role of the CCO?

FINRA recognizes that compliance and supervision are separate, if related, functions. Compliance is responsible for setting forth the applicable rules and policies that must be adhered to and describe specific practices that are prohibited. By contrast, the firm’s written supervisory procedures document the supervisory system to ensure that compliance guidelines are being followed.

To fulfill the compliance function, FINRA requires firms to designate one or more appropriately registered principals as a CCO. As set forth in FINRA Rule 3130, “A [CCO] is a primary advisor to the member on its overall compliance scheme and the particularized rules, policies and procedures that the member adopts.”

Is a CCO Inherently Liable under FINRA Rule 3110?

Just by its sheer nature, a CCO is not subject to liability under Rule 3110 simply because of the CCO’s title or because the CCO has a compliance function at a member firm. A CCO will be subject to liability under Rule 3110 only when—either through the firm’s written supervisory procedures or otherwise—the firm designates the CCO as having supervisory responsibility. This designation can occur in several ways. For example, the member’s written procedures might assign to the CCO the responsibility to establish, maintain and update written supervisory procedures, both generally as well as in specific areas (e.g., electronic communications).

Even when a CCO has been designated as having supervisory responsibilities, FINRA will only bring an action under Rule 3110 against the CCO if the CCO has failed to discharge those responsibilities in a reasonable manner—as it would with any individual who has supervisory responsibility.

When Would a CCO be Found Liable?

FINRA’s Regulatory Notice says that it will bring enforcement actions against compliance personnel only when: (1) They are expressly or impliedly delegated supervisory functions; and (2) They did not reasonably discharge those delegated duties; and (3) The balance of aggravating or mitigating factors favor a supervisory violation charge.

Once a “supervisory role” is established, aggravating factors include: (1) Actual awareness of red flags or violations without action to address them; (2) Failure to establish, maintain or enforce WSPs; (3) The failure resulted in the violation; and (4) The violative conduct, caused or created a high likelihood of customer harm.

Mitigating factors include: (1) Insufficient firm support or resources; (2) Having been unduly burdened by competing functions or responsibilities; (3) Supervisory delegation was poorly defined or shared in a confusing way; (4) New business changes without adequate time to adapt; or (5) A good-faith attempt to discharge the supervisory responsibilities, including escalation to management.

To read FINRA’s complete Regulatory Notice 22-10, click here.