
How to Define Your Domain as the Head of Compliance

Business Ethics Column

Art by F. P. Ardizzone.


This article is the first of a series discussing how to turn compliance into a growth opportunity for you and your organization.

Which appellation do in-house lawyers dread most?

  1. Ambulance chaser
  2. Land shark
  3. Son of a ____!
  4. Chief compliance officer

For the uninformed, it’s often chief compliance officer. As the head of compliance, you’re the sheriff of your company and occasionally the “bad cop.” Though sometimes reviled for enforcing pesky policies, your role as the regulatory compass helps to keep the company in check.

But what are the borders of your Nottingham? How do you define your domain so that you are ready to lay down the law effectively and fairly?

First, delve into your corporate compliance responsibilities to see where your jurisdiction begins and ends. This research also helps you to develop your management skills and learn more about the underlying business.

Before you can manage corporate compliance, you need to reach an agreement with other team members about what compliance means. For some organizations, the compliance team focuses solely on legal responsibilities to regulators. At others, compliance can encompass responsibilities to commercial partners and suppliers, such as a corporate lender.

You should begin by creating a master inventory of the industry-specific rules that apply to your business. For example, consumer lending rules include:

  • Fair lending laws,
  • Debt collection rules,
  • Credit reporting regulations, and
  • Consumer disclosure requirements.

If you are new to the industry and don’t know all the potentially applicable rules, start by searching for enforcement actions against companies in your field. For example, if your company has publicly traded securities in the United States, follow the Securities and Exchange Commission (SEC) enforcement actions, which are regularly published on the SEC website. In some industries, such as brokerage, you also need to be aware of enforcement actions by non-government industry self-regulatory organizations like the Financial Industry Regulatory Authority (FINRA).

Interview each department lead about which set of rules they believe they are obliged to follow. Your fact-finding tour should not be limited to the departments that create the products or services you sell. Even US companies in largely unregulated industries have employees and contractors, whose presence triggers a host of local, state, and federal requirements.


Similarly, companies sitting on large amounts of capital likely have securities and banking laws applicable to their treasury operations. For example, if your company fails to follow appropriate settlement rules before reselling a recently purchased stock from a cash account, its account could be restricted pursuant to the US Federal Reserve Board Regulations.

Your employees may be subject to professional responsibility and conduct requirements. Just as the rules of professional conduct apply to you as a lawyer, other professions — such as real estate agents and brokers, medical personnel, and investment advisors — have rules of conduct that could result in both legal liability and embarrassment for the company if violated.

A Minnesota hospital learned this the hard way when it was held liable for an individual doctor’s malpractice. In this case, the hospital credentialed a doctor who had been disciplined by the state Board of Medical Practice and failed his board certification examination three times before passing.  

Next, start examining what promises you have made to customers, lenders, and business partners. There might not be a legal requirement that you use only Fair Trade Certified coffee; however, you may have made that promise to your customers — and doing so triggers a compliance requirement.


Remember the maxim that you can delegate authority, but not responsibility. This means that you are responsible for compliance by the scores of third parties acting on your organization’s behalf.

In today’s interdependent world, much of the classic work of the enterprise is done by third parties. For example, Amazon Web Services may operate the web servers that once ran in-house; third-party call centers speak with customers on the company’s behalf; and separate third-party advertising networks and algorithms handle advertisement placement.

It’s time to review all your third-party contracts to study what compliance regimes you are enforcing.

So, who is supposed to ensure that all these obligations are properly fulfilled? In our next article, we will discuss the basics of setting up a compliance team.

About the Author

Neil Peretz has been general counsel of three companies in the financial services and technology industries. He was previously a trial attorney in the Civil Division of the US Department of Justice and co-founder of the Office of Enforcement at the Consumer Financial Protection Bureau.
