Your Questions: The Role of the CCO

A Q&A session about the evolving role of the chief compliance officer

Last year we gathered Robert Chersi, Executive Director, Center for Global Governance, Reporting and Regulation at Pace University; Seth Rice, Assistant General Counsel – Compliance & Director of Global Ethics and Compliance for Kennametal; and Joe LeBas, Chief Strategy Officer of Convercent to discuss the quickly evolving role of the chief compliance officer. While the webinar is quickly coming up on its first birthday, their insights are still valuable as compliance professionals refine their craft and look for ideas and suggestions and topics to watch.

If you don’t feel like watching The Evolving Role of the Chief Compliance Officer in its entirety (it’s good though, so you should!), here’s the Q&A portion of the conversation to help you quickly digest some key takeaways. Now that we’re a few months down the road it’s interesting to see how some of these topics have played out!


Are there any examples of chief compliance officers being held personally liable?

Robert: I can give you an example that happened in the financial services industry in [2013] that really sent shutters through the industry. There’s a firm called Brown Brothers Harriman, it’s been around for over a century—a well respected, well established firm—and they got into an anti-money laundering violation issue with their regulators. They got a settlement as a firm. But in addition, the chief compliance officer of that firm A) was fined $25,000 that he had to pay personally and B) was suspended by the regulators.

This made it’s way to the newspapers and everything else. So it was a public show by the regulators that they’ll reach in and monetarily fine the chief compliance officer, but further, suspend him. This sent shutters through at least the financial services industry just because it’s a real world example of it happening,

I think what happens more often and out of the public eye is when a firm is negotiating a settlement with the regulators and the regulators are speaking to the board (and you’ll never now how many times this happens because it doesn’t show up in the newspapers and doesn’t show up in the minutes) but when the regulator says “Ok, you’ve got to clean house. You’ve got to get rid of the compliance officer.” And that’s one of the preconditions or requirements for the settlement. That happens often and doesn’t get overtly reported on. People can surmise, people speculate, but that’s happened for a long time.

I think the Brown Brothers case or the actual fine and suspension by the regulator, really sets a clear demarcation line that the world’s a different place and that the stakes of being a chief compliance officer are a lot more significant. The role’s evolved and it’s a high-risk, high-expose role for sure.

Note: I find this question particularly interesting now that there are several more examples of CCOs being personally held accountable. An article from the Wall Street Journal details the stir SEC actions have caused recently.

 

As ethics and compliance are co-mingled, lawyers have a tendency to take over. But law and compliance are not the same. How do you see the plus and minus of the intermingling of ethics and compliance?

Seth: I would agree with the premise of the question, which is that ethics and legal compliance are two separate things. The question [for me] is “can I,” which is the legal question, versus “should I?” When we get into the area of ethics, clearly there’s a compliance element but a lot of that is driven by Code of Conduct and a lot of other guidelines and positions the organization has taken of what is acceptable practice.

Within my organization I do report to the general counsel and there is always a challenge to maintain a separation between both the legal and ethics worlds. I don’t know that there’s necessarily on perfect solution for that.

The way in which we do it is to have very clear and define processes both on the ethics and the compliance side and have those cross-functional partners involved—with ethics clearly HR and other functions are very integral in that. So it’s not just the legal department’s show, nor should it be. I’ve seen a model done differently elsewhere where perhaps the ethics responsibility are situated entirely separately within another function outside the legal department.

In summary, I’d say I think it’s a very important question. I think every organization should be asking it and I’m not sure that there’s a clear right answer for everyone. It’s a question of what makes sense for your organization and the position you’re taking on both the ethics side and compliance.

Robert: I think that’s absolutely right. It depends on the firm, depends on the people, depends on the industry, and many different models can work. When I was CFO, compliance reported into me and that’s just one model.

It is very important that only one set of folks interpret the rules and what they mean to the company.

I will say, though, what is very important is that only one set of folks interpret the rules and what they mean to the company. What poses a risk or challenge to a company is when you have multiple interpretations of what a law or regulation might be. The reality is regulations today are complex and very subjective—the implementation is often subjective. So when you have many different interpretations floating around, that could give rise to risk. So the importance of knowing who makes the interpretations (and though there could be varying thoughts), the one person who makes the final call is a critical role.

Joe: It’s kind of like a charter. The reporting structure can be somewhat irrelevant if there’s an understood charter of defined compliance procedure and who makes that final call.

 

Given that virtually every line in regulations is a directive for something to be monitored and reported, how do you stay on top of ensuring that all needs are being met, especially in regards to new regulations?

Robert: It’s going to sound simple, but the best advice I can give you is read as much as you can, network as much as you can, read everything that’s published. Law firms, accounting firms, many different firms publish interpretations of what’s coming down the pike and how it might impact a particular industry. There’s a lot of information out there, you just have to make sure you’re in the flow and try and get as much as you can out of that flow. When I was practicing that’s what I found most effective, just read as much as you can, have as many contacts as you can. You’ll see different viewpoints and then you have to figure out what’s the right viewpoint for your firm and what makes sense for your firm.

Seth: To add to that, what I would suggest and what we do here at Kennemetal is try to do our best to leverage those cross-functional partners. There are different parts of the organization that are getting compliance input information—whether it’s finance, HR, IT or whatever it is. What I try to do in addition to the things that Bob is talking about, is to draw upon the resources within and have a dialog and an open communication channel with those other partners in the organization. That also feeds into the enterprise risk management process in terms of how we categorize and manage all the varying risks that are out there.

For any large organization, certainly a global organization, one of the challenges is to figure out what’s important and what’s not and what drives the risk and what doesn’t. That doesn’t mean you don’t look at the other things, but it helps focus the effort and not diminish your resources or focus looking at things that may not in the end be very relevant to the organization from a risk standpoint.

Joe: I’ve seen some companies really do a slick job leveraging technology. You can drown in the alerts that come out that are available on the web. And the best way to automate it, leveraging technology, is to get it in the hands of your subject matter experts to basically adjudicate whether this is germane and effects your risk threshold of your organization.

If compliance has to wear this burden on their shoulders of reading and making that determination, they’re not leveraging all their cross-functional partners. And if technology can help you route that in a smooth slick way, that really is using the whole largess of your organization to be more efficient.

 

Is there a trend toward direct reporting of functional compliance personnel to the chief compliance officer?

Robert: I saw a survey recently, I believe it was a Pricewaterhouse survey, that they really compared the various models that are in place—central accountability versus decentralized resources, who reports to the business line, who reports to the central compliance officer. Obviously the trade is, if you report to the central compliance officer arguably that’s an independent line whereas if you report to the business unit perhaps your independence can be a little challenged. On the other hand, reporting to the business units really gives you the touch and feel of the business and an understanding of what’s going on. Sometimes you can be a great compliance officer but if you’re sitting in headquarters and have no idea what’s going on in the field and the business line, you’re not going to be an effective compliance officer.

Based on that survey and some other surveys I’ve seen, I think the trend is more toward centralization. On the other hand, the dual line concept is becoming more and more prevalent—meaning two to hire, two to determine compensation. Meaning whether you report to the central compliance officer or you don’t, he or she has a say into the hiring process, into the firing process, in the performance, appraisal and compensation process.

It’s like many things in business, you’re trying to balance two outcomes of independence versus proximity to the business. Different companies go at it different ways, different models could work for different companies. But I think there’s more trend toward centralization.

Joe: I was in the UK last Fall and they really were going to centralization, especially the financial services industry. All their compliance units were very hardline direct reporting and the business units really had no say over regional compliance. I’m going back next month so we’ll see how that’s working out a year later!

I think the dual line, as Bob said, is becoming more prevalent where both stakeholders still feel some ownership over those teams. But the UK experiment will be interesting to see a year later with compliance having a very direct ownership and the business a little bit more detached.

 

Regulations and laws around anti-corruption really dominate the conversation right now. What’s the next topic on the horizon that compliance professionals, and particularly the chief compliance officer, need to be concerned about?

Joe: I don’t want to sound like a broken record, but just the complexity of regulations. Just regulatory management, regardless of what industry you’re in, just keeping up with it.

I was on a webinar, probably a year and a half ago, and there were about 600 participants and there was a poll question of “How do you handle regulatory management?” About 72% of the participants said by email with attachments. It’s still not a solved problem. How do we keep up with regulations? How do we get them into the hands of subject matter experts? I don’t think there’s a silver bullet for really predicating the next anti-corruption, but I do think there is the challenge of regulatory compliance and adjudicating how that effects a company’s risk threshold and being better armed on a forward looking basis.

Robert: It seems to me that this new regulatory agency created by the Dodd-Frank Act, the Consumer Financial Protection Bureau, if you look at their history, they’ve hit the ground running. The numbers and issues that they’ve gotten involved with span so many different areas.

Why do I think this is such a hot area? First, everyone’s a consumer. By its very name the agency deals with consumers and 300 million Americans are consumers, so there’s pretty much not a facet of American business life that it doesn’t touch. The second is, when you look at its history and its roots, as a regulator it was really framed and formed by Senator Warren with some strong feelings about the need for enhanced regulation.

And I would dare say over the past couple of years, as active as just about every regulator as been since 2008, this regulator has been especially active. And if you go to their website, the dollar amount of the fines and settlements that they’ve levied are just so so significant. That’s one I would advise just keep your eye on what’s hot with them. What are the topics that they’re writing about and focused on. They show all indications of being a very very active regulator for years to come. That’s not to say the others won’t be, but I think them especially so.

Seth: From my perspective, I think the whole area of data privacy and data management. I don’t think it matters what business you’re in, that’s a huge challenge not just from a regulatory prospect, but from a reputational perspective and managing your customers’ expectations. That’s a very challenging area and I think it will only become more and more complex. Some will obviously have bigger challenges than others, but as you see the flow of the news headlines and the continuing focus on data privacy internationally—the EU is very aggressive on this—I don’t know if it’s the next big thing or not but it’s certainly one that presents a lot of challenge and will be evolving for years to come.

Note: Seth hit the nail right on the head with this one! According to PwC’s 2015 State of Compliance Survey, the No. 1 area that compliance professionals see as a future risk is data security, a new risk area on this year’s survey. It was cited by 47% of respondents as one of their top three concerns. Privacy and confidentiality came in second with around 30%.

 

Speaking of the EU and data privacy, do you have any insights into what companies are doing to comply with those standards?

Seth: Within the EU our approach has been, and again I think this is evolving, is that whistleblower data and management of that information and how that all flows is all maintained within the EU. Even within the EU there’s not necessarily a consistent approach, to my knowledge, on how that should be handled, but I think it gets into needing to talk to your vendor about how they are managing that data and where that data is residing—is it residing on a sever in the UK or is it actually being routed to Boston? Those are all relevant questions. Additionally, depending where you operate, in France for example there are certain special rules around having processes in place for financial reporting. So that’s what we’ve done.