FINRA Clarifies CCO Supervisory Liability

In the securities industry, regulators like to say that the compliance professionals are their “partners.” But every so often, those regulators charge one of their compliance partners with rule violations. The compliance community understandably gets unsettled, expresses concern, and regulators respond with a “don’t worry” clarification explaining those charges were driven by unusual “facts and circumstances.” That cycle just completed again.

On March 17, the Financial Institution Regulatory Authority (“FINRA”) issued Regulatory Notice 22-10 to clarify the circumstances under which firms’ Chief Compliance Officers (“CCO”) might be subject to personal liability for “failure to supervise” under its Rule 3110.

Rule 3110 imposes a series of supervisory obligations on firms and their management, including (1) maintaining written supervisory procedures (“WSPs”) reasonably designed to ensure compliance with law and regulation; (2) designating registered principals to supervise each of the firm’s lines of business and each registered representative of the firm; and (3) investigating “red flags” suggesting wrongdoing and following up on that investigation. That responsibility lies with the firm’s chief executive officer and flows to every person who delegated any of those functions.

By contrast, the firm’s compliance function (headed by the CCO) is an advisory staff (not line) function to ensure compliance with those supervisory obligations. See FINRA Rule 3130. FINRA’s Regulatory Notice says that it will bring enforcement actions against compliance personnel only when: (1) They are expressly or impliedly delegated supervisory functions; and (2) They did not reasonably discharge those delegated duties; and (3) The balance of aggravating or mitigating factors favors a supervisory violation charge.

Once a “supervisory role” is established, aggravating factors include: (1) Actual awareness of red flags or violations without action to address them; (2) Failure to establish, maintain or enforce WSPs; (3) The failure resulted in the violation; and (4) The violative conduct caused or created a high likelihood of customer harm.

Mitigating factors include: (1) Insufficient firm support or resources; (2) Having been unduly burdened by competing functions or responsibilities; (3) Supervisory delegation was poorly defined or shared in a confusing way; (4) New business changes without adequate time to adapt; or (5) A good-faith attempt to discharge the supervisory responsibilities, including escalation to management.

The topic of CCO liability is a perennial issue for the compliance community, in part due to some lack of role definition within firms, especially small ones, and because the slightest violation by a compliance officer can torpedo a career. In June 2021, the NY City Bar Association released a report calling for a more comprehensive framework for CCO liability. See New York Bar Ass’n, Framework for Chief Compliance Officer Liability in the Financial Sector 1 (2021). This January, the National Society of Compliance Professionals (“NSCP”) released its own Framework for CCO Liability. FINRA’s recent release responds to those concerns, but in its typical “don’t worry” fashion. That’s the usual cycle of concern and clarification.

FINRA Reg. Notice 22-10 may be found here.

Thomas K. Potter, III is a partner in the Securities Litigation Practice Group at Burr & Forman LLP. Tom is licensed in Tennessee, Texas, and Louisiana. He has over 35 years of experience representing financial institutions in litigation, regulatory, and compliance matters.
