Ten Steps Compliance Officer Can Take to Avoid Trouble

Being a compliance professional, especially in the financial services industry, is an increasingly stressful way to make a living.  New regulations continue to be issued by federal and state regulators.  New court decisions regularly interpret or re-interpret existing regulations.  Compliance budgets are continually squeezed, while compliance staff are asked to do more without corresponding increases in resources.  

Adding to this stress, as every financial services compliance officer is probably aware, over the past several years, federal regulators and self-regulatory organizations have brought a number of enforcement actions accusing compliance professionals of misconduct.  See In the Matter of Michael LaFontaine, Number 2020-01, Department of The Treasury Financial Crimes Enforcement Network, Eugene Terracciano, SEC Release No. 34—83604 and Meredith A. Simmons, Esq., SEC Release No. 34-90061 for recent examples of enforcement actions against compliance professionals.

These actions raise the stress level of an already taxing job to DEFCON 1.  Other than quitting their jobs to open a goat yoga business, what can compliance officers do to reduce the size of the target on their backs?  Here are a few suggestions.

1. Be Competent.  Some of the actions brought against compliance officers alleged failures to perform the basic functions of the job.  [insert example].  The lesson here is to learn your craft.  Knowing and understanding the regulations that apply to your business is just a start.  You must know how the business operates and how the regulations apply to it.  You need to comprehend the technology platforms on which the business runs.  And because you can’t rely on technology alone, you need to understand the limits of that technology.
2. Ask questions.  It is important to be curious and skeptical.  If something seems off, don’t ignore it.  Operate under the philosophy that there are no dumb questions but there are dumb mistakes, which can lead to disastrous consequences.  
3. Have adequate resources.  Does your company provide the compliance department with an adequate budget for personnel, technology and training?  If your staff is too small, isn’t properly trained, and is underpaid and over-worked, trouble is sure to follow. 
4. Have adequate authority.  Does the line of business follow your advice?  When you identify an issue is it adequately addressed?  If the answer to these questions is “no”, it is probably because management doesn’t sufficiently prioritize compliance.  If management doesn’t support your authority then your risks are much greater.
5. Manage expectations.  Make sure your understanding of the job’s functions and reach match your employer’s.  Resist taking on responsibilities beyond what a CCO should be reasonably expected to cover.  
6. Don’t ignore red flags.  For example, when your surveillance software starts kicking out exceptions, have procedures in place to ensure there is proper follow-up.  What if the surveillance system isn’t flagging anything?  That could be a sign it’s not properly calibrated, so follow-up on that too.
7. Know the lines of authority.  Make sure your position reports to someone who can and will act on the concerns you raise.  Depending on the size of the organization, this might be the chief risk officer, general counsel, CEO or the board of directors.  To whomever you report, you need to know that compliance issues are being put before the highest decision makers and being acted upon.  
8.  Develop a network.  There can be safety in numbers.  If you work in a small shop, you may benefit from a sounding board of people on the outside to ask for advice.  An easy way to do this is to join industry groups such as  Securities Industry and Financial Markets Association or the National Society of Compliance Professionals, which provide valuable content on industry best practices, join forums for asking questions and maintain relationships with regulators.  Several bar associations have compliance committees that serve the same function.  You can also create your own less formal group of advisors by establishing or joining an email group of people whose jobs are similar to yours.
9. Maintain regulatory relationships.  Regulators are people too.  Think of any interaction with your regulators as a chance to develop or strengthen a relationship.  When they are on sight or send you an information request treat them with courtesy and respect rather than acting as if they are an annoyance.  When appropriate, reach out and ask questions.  This will make the process go more smoothly when you need to report a problem, receive an examination findings letter or are subjected to an enforcement action, and may help insulate the compliance officer from bearing the brunt of the regulator’s wrath.
10. Remediate.  No business is perfectly run so issues that require remediation are inevitable.  When these issues arise make sure they are fixed expeditiously.  Few things anger regulators more than a firm that is aware of a problem but doesn’t take adequate steps to fix it.  

I admit that following some of these directives is easier than others.  But if you can manage your job around these ideas you, can reduce the risk of finding yourself (and your employer) in the regulatory crosshairs and sleep better at night.