Regulatory issues can have a major impact on a Compliance professional’s career. In this episode of the Oyster Stew podcast, Oyster’s experts, who are former CCOs, talk about the issues they faced, from liability and escalation to managing the relationship between Business and Compliance.


Transcript provided by TEMI

Libby Hall:  Hi, and welcome to the Oyster Stew podcast. I’m Libby Hall, Director of Communications at Oyster Consulting. Compliance is a profession and like other professions, regulatory issues can have a major impact on a compliance professional’s career.  In today’s podcast, Oyster experts Ed Wegener, Brent Nicks, Glenn Schwalje, and Heather Vitek, who all have real-world experience as compliance and regulatory officers, talk about the issues they faced, from liability and escalation to managing the relationship between business and compliance.  Navigating these issues can be tricky. Ed, let’s start with you.

Ed Wegener:  Well, thanks Libby, and hello everyone. I’m Ed Wegener. I am the head of Governance, Risk and Compliance with Oyster. One of the things we like to cover in these podcasts are current challenges that compliance professionals face and some thoughts around how to address those challenges. And I’m really fortunate to have three of our newest consultants joining us today, all of whom were recently working in compliance roles at broker dealers and investment advisors. With me, I have Heather Vitek, Brent Nicks and Glenn Schwalje. Thanks for joining us, really excited to have all of you with Oyster. Now, I’m really excited to work with you going forward and talking to you on the podcast today. One of the things that has been at the forefront for compliance is the issue of compliance officer liability. Compliance is a profession like any other profession. If you have regulatory issues that come up, it can have a major impact on the compliance professional’s career.

I know that the New York Bar Association and the SEC each put out frameworks recently related to CCO liability and FINRA recently issued regulatory notice 2210, where they reiterated that while CCOs aren’t immune from liability, supervisor responsibility really rests with the firm’s business and management and not with compliance officials.  That being said, navigating this can be really tricky for compliance professionals and the challenges can be different depending on whether you’re with a small firm or a large firm. And so I thought maybe we would start there as just talking about those challenges and how to navigate those challenges. And maybe Glenn, we’ll start with you. You’ve worked with a number of smaller broker dealers. What are some of the challenges that you see with respect to managing liability and exposure as a compliance officer at a smaller firm?

Glenn Schwalje:  I think Ed, I’d say the first thing you need to do is get a picture of your overall liability exposure.  Not necessarily the firm’s liability exposure, but you as a compliance officer or a CCO.  One thing I found was depending on how small your small firm is, you may well wind up being the compliance department. And if that’s the case, more often than not, you’re also wearing many other hats at the same time. So you’re not going to be as easily able to separate yourself from a supervisory, as well as also a compliance, role. So if that’s the case for you, where you’re wearing all the hats, there’s your risk picture.  It’s all on you. If you’re lucky enough to also have a COO and/or a sales manager or two, there’s still likely the chance at a small firm that you’re going to find yourself sharing some supervision. And in that case, that means you’re also sharing and taking on at least some liability. But in either case, you have to know where, and what, are your biggest risks and problems.  Where they come from, then to obviously tighten up your WSPs accordingly to address those risks. And that’ll help you not only manage your supervisory liability, but it should also help you stay on path to doing your main job of keeping the firm compliant.

Ed Wegener:  That’s a great point because you know, when you look at these different frameworks for CCO liability and you read the guidance from the regulators, both FINRA and the SEC, they talk about the liability, the responsibility for supervision rests with the person to whom it’s designated. And usually that’s designated with somebody with the business who’s a supervisor.  But at smaller firms, you’re right, you don’t have the resources to be able to split those up amongst people. And so you can get named as somebody who does have supervisory responsibility. So it’s important to know what you’re responsible for.  But what are some of the other ways that you think you can manage liability in a situation where you’re required to wear multiple hats?

Glenn Schwalje:  First and foremost CEO/CCO has to know to what extent they’re also going to be required to be a supervisor. If it’s the I wear all the hats case, then, like I said earlier, that’s it.  It’s all on you. You’re a compliance officer and you’re a supervisor. If it’s somewhat more of a shared supervision situation where you’ve got sales managers, or maybe the firm president is acting in a supervisory capacity to some extent.  Maybe you’re lucky enough to have a COO.  Each supervisor needs to know exactly what they are responsible for supervising.  Each supervisor should also, at the same time, know what the other supervisors are responsible for. You know, people do get sick, they have a car wreck. You may have to pick up the slack one day and you’ll need to know where to pick it up. Once you’ve got those supervisory responsibilities clearly delineated, you need to spell them out just as clearly and precisely in your WSPs.

I also have found in the past, you want to give each supervisor an opportunity to look at the WSPs and make sure they say exactly what that supervisor is doing to review that specific activity.  Because you don’t want to find yourself in a case where your procedures say you’re doing one thing and you’re doing something else.  Because not only are you setting yourself up for an exam finding of firm failed to follow its own WSPs, but if you are doing something in the way of supervisory review, but your procedures say you’re doing something different, you may unwillingly be expanding your supervisory responsibility and thereby increasing your overall level of risk.

Ed Wegener:  That’s a great point.  I think back when I was at FINRA and this is one of the issues that we had when we would do exams of smaller firms. And I think you are spot on when you talk about making sure that it’s clear, who’s responsible for what in those situations and that not only it’s clear in your procedures, that everybody who is responsible for those items understands what specifically they’re responsible for.  Because where I would really see problems happen was when something doesn’t get done that was supposed to, and it’s not clear in the procedures.  And fingers start pointing all over the place. That’s where you really start having some issues and situations like that. And if you’re the compliance officer, they’ll look at the procedures and say, were those procedures reasonably effective, were they drafted in such a way that people understood what they were responsible for?

And so you’re absolutely right. In order to really limit your responsibility, make sure all of that’s clear in the procedures and make sure everybody understands what they’re responsible for. Great points with respect to small firms. But Heather is somebody who’s worked for larger firms where there might be more clarity in terms of the lines between supervision and compliance. That helps because, in compliance, you can focus on compliance and understand where your liability is and where supervision’s responsibilities and liabilities lay.  But I’m sure there’s challenges there as well. What challenges would you be faced with in that scenario?

Heather Vitek:  Thanks, Ed. Yes. Coming from a larger firm, we had a clear division between compliance and supervision. We did not get into any supervising. Our branch managers were the ultimate supervisor responsible for their employees that they had at their location. We also had a separate review desk that was delegated some of the branch manager responsibilities, and that was all well and good. There was often confusion between the two on who was ultimately responsible for issues that arose.  The review desk would escalate issues to the manager. And some things would just kind of get lost. They didn’t understand who was ultimately responsible for following up. That became an issue. And also in this larger firm, the branch managers, their responsibility was also to bring in revenue for their branch and for hiring new people. So they tended to focus more on that than the supervision.  That became an issue, especially for branch managers who had multiple branches to supervise.  The best way to handle those challenges for us was just constant communication, trying to get with your upper management, get them to buy into how important supervision is to protect the firm, having clear communication with the review desk and understanding what they’re supposed to be reviewing and understanding what they’re responsible for.  And with the main branch managers, what they’re responsible for following up on also.

A good recommendation would be to have a separate set of supervisory procedures, just for those in supervision, that maybe spell out directly what they’re supposed to be doing daily.  A branch manager checklist would be a good idea. We did have those and that listed what the manager was responsible for each month. That was helpful as well.

Ed Wegener:  So, it sounds like in both of these cases, it really comes down to making sure that there’s clarity and communication with respect to responsibility and ownership of particular responsibilities.   And then making sure that those responsibilities are being carried through. And it sounds like with that communication and making sure that you’re able to do that effectively, it really takes a strong partnership between compliance and the business. The one point that you made that I think is spot on is that on the business side, the people who are ultimately responsible for the supervision piece, when they have multiple goals and priorities and things that they have to work through, and you need to make sure that they’re focusing on revenue generation and bringing in new advisors and making sure that the business is productive and profitable.  But they can’t. They need to make sure that they’re also prioritizing their supervisory responsibilities. And that really comes down to making sure that compliance has a strong partnership with the business and can get the business to understand that they need to prioritize compliance.  And Brent having worked for large firms as well, can you discuss maybe some of the best practices that you’ve found regarding building a strong working relationship between compliance and the business?

Brent Nicks:  Certainly, Ed, and thank you. I’ve had as a matter of fact, an opportunity to do this a few times in my career. And one thing I will tell you is anytime I’ve really started as the CCO with a new organization, really the first piece of advice that I would give anyone is honestly, just be a bit patient. Is it 60 days? Is it 90 days?  But take time to observe and understand the firm. And, honestly, you could even do this as a reboot with your existing firm, especially if the business is changing direction, adding new products, new programs, to really get an idea of what you’re looking at. And during that time, where you are kind of assessing and observing, you really need to be thoughtful about the program.  And honestly think about things such as reviewing the duties of the senior personnel, the others that are going to support you on the business line that you’re on.  Meet with them, ask about their concerns, think about ways that you can help address those concerns.  And take the time to recognize any misconceptions on what each individual’s duties might truly be and what they are really responsible for in the organization.

So you can begin to identify gaps and provide some solutions, make sure that you’re connected to, or a part of, any of the committees, the proper committees in the organization, or identify committees or groups that may need to be created. That can be helpful in communicating and discussing key objectives of the firm as far as mitigating risk.  And openly discuss these needs and those committees with all the appropriate decision makers.  And probably most important, is to be really thoughtful about gauging the risk appetite and the business model of the firm for which you are providing your services and understand what your role is going to be in meeting those needs.  And that sometimes decisions and directions are not a regulatory no go, but are simply things that we are going to have to work to build the mitigation tools around for different levels of risk.

So in short – position yourself as a partner.  Try not to be perceived as that necessary hire to cover what they believe they need to have, but don’t necessarily want to have. And how do you do that? So, a few ways that I’ve tried to integrate the job on the C-suite compliance officer as a partner over the years is first demanding an expectation with the CEO or the other senior officer, whatever it’s designated at your firm, so you have an opportunity on a regular basis to have substantive one on one or small group conversations with that person.  Because ultimately they’re going to be the one who’s reviewing the work in your 3120, or your 2067 reports. So you want to be able to keep them up to date along the way. And to give an example, I used to do something called five things you need to know once a quarter.  I would sit down with my CEO, and I would have packaged up what I think were the biggest concerns going on with the firm right of the moment.  And have a very constructive and just plain language conversation about why it’s important and what the risk we’re really looking at is.  Then documenting that effort throughout the year.

And if you feel like you need to extend that to your peers in the other C-suite positions or the heads of other departments, to make sure that you’re continuing to hear their concerns to be able to figure out how best to interact with those department heads.  And use a sales approach when you’re doing it.  So many times when we are presented with an opportunity to provide advice or an opinion or a rationale for what’s going on, it’s perceived as either yes or no and most commonly, no. The approach, honestly, that I really like to take is kind of T-bar the situation and take the same approach they would; it’s a sales approach.  Rather than saying yes or no to the outcome or to the thing that was laid out in front of you, take some considerations for a couple of approaches and say, hey, if you want to do it this way, here’s the things we need to consider here.  Here’s how we can build that.

If we want to try to go another route, here’s the things we want to consider. And here’s how we can build some risk walls around this approach. And it sounds a bit squishy, but it, that’s a way that you can present yourself as being a champion for the firm and trying to find ways to not only do your job, but to meet the needs of the firm that’s employing you. So identify the issues, have solutions, suggestions to problems when they come up, particularly if things are coming to you from the state or federal regulators.  Have a thoughtful discussion and thought process around them first and come with here’s what’s going on, but here’s how I think we can address it, and here’s what I think our communication could look like.  And get an opportunity by doing these things, to provide some wins to management. Think about areas where you can compromise; think about areas that are not regulatory black and white, but again are back to this risk appetite of the firm where you can again, be perceived as a partner and not a barrier.  

It’s going to give you some latitude and some equity when it comes to those items, those black and white items where you’ve got to dig your heels in and start to give the hard no.  Or, hey guys, this just isn’t something we can do. When you’re collaborative, in most all instances, that’s going to help management see you in that capacity and hopefully see the difference. And when you do dig your heels in, they’re going to take it seriously.  For getting the heads of the departments, but also have an expectation to have an avenue of communication to the field, to the advisors you support.  Be engaged in preparing and excited to deliver content to the reps or the advisor reps from time to time.  Help build things that speak to them in a way that they understand. And rather than citing rule notes, and we can do this, or we can’t do that, try to get into the crux of whys and how it’s protecting them. Because in the end, if you’re loved by the advisor, if you’re loved by the masses, then you’re going to be loved and respected by the management because the reps run the show and how they feel about things.  The revenue producers are going to go a long way towards your perception with management. So just be a good communicator and sell what is expected and what is needed for you to be able to be their advocate and support their business model.

Ed Wegener:  Those are all really excellent suggestions. And you’re right. It’s building that partnership. And, I think, one of the first things that you said, really sets that tone is understanding the business and being seen as understanding the business so that when you do have to provide that type of advice, it’s based on your understanding of the business.  When we’ve talked about how compliance is advisory and the business owns the liability and responsibilities, the advisory piece is an important role. So show your value, provide that information to the business so that they can make well informed decisions and understand the risks of those decisions that they make from a regulatory standpoint. So that’s terrific. And so, whether we’re talking about CCO liability, which can be mitigated through building those strong relationships with the business, it’s a great start to the relationship that you have between compliance, the business and making sure that the organization is managing its regulatory risks effectively. In terms of other challenges, do you guys have other challenges that you’ve seen that you thought you might want to raise or some best practices that you’ve taken in your roles in compliance?

Brent Nicks:  Yeah, this is Brent. I’ve probably got one more thing that I think is super important and it’s less rule based the crux of the job, but it’s being the heart of an engaged business, and that’s communicating.  All of these things that we’ve just talked about are only effective when there’s an adequate level of resource dedicated to the function. So being engaged in understanding of the hiring and budgeting practices, understand the business, try to break down metrics that you can use to quantify when and how you need additional resources.  Whether that’s additional account levels, or number of reps per individual supporting them, or however best it fits the needs of your firm.  Because you don’t want to get caught in a situation where you’re provided that notice through either regulatory action or a letter or some other things. Although those can be helpful to get you employees, by that time, that may be a bit too late.

So you want to set the expectations of what’s needed and you can bring this back to the business model or the practice simply by talking frankly about the tasks and the risks that are involved with the business model.  And all you’re really expressing to them are the tools that you need, whether that be through personnel or educational resources, to make sure that individuals are up to speed on the business and its practices and bring that back to the success of their future growth plans, their business model.  These all work together.  If you’ve built those early relationships, kind of continuing to educate on what is needed so they can continue to be successful. We’re successful when obviously the firm stays in a very good middle of a row compliant place, but we also have to work within the bounds of where the firm’s trying to go. And we need to be able to advocate for that, be educated to what they’re trying to do, but then be comfortable enough to explain to them what we need to make them successful, not us, but them. And that’s a challenge in a lot of firms and it goes with building that rapport early on.

Ed Wegener:  Absolutely. And the regulators are going to be looking to make sure that you have the adequate resources necessary to be effective.  Glenn and Heather, other items?

Glenn Schwalje:  I don’t know, a couple things, maybe.  Over the years, I found as many ways as you can find to make your job more efficient, identify those means and then take action and work them in your favor. One of the easiest I found over the years was in regard to email review, take a look at your keyword lexicon. It is probably, if you’ve never looked at it, it’s probably too big and it’s capturing too many potential problem words.  Where if your volume of daily flagged emails is through the roof, there’s something wrong with your lexicon. A lot of people try to approach it if they have the option to, if it’s not a packaged deal that comes with a prepopulated set of keywords. If you’ve got an option to add your own, a lot of people try to approach that from the standpoint of what might a customer say in an angry email, that’s either giving me a heads up about a complaint.

Either it is a complaint or is identifying another potential problem I’ve got in the firm. Maybe there’s a rep saying something they shouldn’t say.  That’s misleading or promissory in an email conversation with clients. So try to get ahead of that. I’ve seen firms where they have FINRA or SEC as a keyword thinking that a customer’s going to say, I am very, very mad. If you don’t resolve this problem immediately, I’m going to go straight to FINRA. Well, just about every firm has in their email disclosures at the bottom, XYZ Corp is a member of FINRA.  Congratulations. You’re flagging every single email sent and received by your firm. You’re giving me tons of false positives and it’s not doing you any good. So to the extent you can clean those up, make them more efficient, bring your total number of flagged emails down.

You’re actually going to be identifying problem areas that you can look into and fix. And it’s something you can easily do on an ongoing basis. If certain areas in the industry pop up as potential problems, you can go in and add relevant keywords. If other things have fallen out of a risk potential, you can take those words out.  Something else I’ve found over the years too, and it’s almost just as easy as staying on top of your email lexicons.  It is make a point to stay in touch with your assigned district coordinator or whatever FINRA’s calling them these days. It doesn’t need to be anything too frequent. You don’t want to come off as the student, brown-nosing the teacher kind of approach, but reach out, touch base with them. Maybe once a quarter, at least just let them know that you view them as a resource and want to be able to take any advice they can give you to help make your job more efficient.  You will gladly take whatever they can give you. For example, hey coordinator Bob, this is Glenn at XYZ Co. I took a look at the list of FINRA exam priorities when it came out in the early part of the year but here we are halfway through the year. I was just curious, are any of your examiners maybe coming back with additional issues that weren’t on that list? Can you give me a heads-up? Maybe there’s some areas of my WSPs I need to look at and tighten up a little bit.  As long as they know you are worried and know what you need to be worried about and you’re trying to make an effort to stay on top of it. That’s likely to help move you a little bit, make you a smaller blip on their regulatory radar and anything you can do to be as blipless as possible, for lack of a better phrase, you want to do it.  It’s in your interest.

Ed Wegener:  Well, and that’s definitely true. And as the regulators have moved to become what they call more risk based, I think one of the things that they’re really looking to understand are not just what are the risks with a particular firm, but what types of controls do they have in place to mitigate those risks? So being open with the regulators in terms of, hey, these are the controls that we have in place.  Being open to get that sort of input like you were talking about.  What are the things we should have on our radar?  But you want to give them the sense that regardless of your overall risk profile, from the type of business that you’re engaged in, show them that you have those areas well controlled. Talk to them about the controls that you have in place, because when they’re doing the risk assessments, which drive how often they come out and how frequently and what areas they review, it’s going to be based on how they perceive the risk at your firm. And if you can give them the impression that you have strong controls in place, it might go a long way to making them feel more comfortable about how often they need to come out and visit you, which I’m sure everybody is interested in. Heather, what do you think in terms of other challenges or think of best practices that people can employ?

Heather Vitek:  One thing I was going to mention is – I know these days, a lot of firms are short staffed and have limited resources. And we’ve had so many regulations in the past two or three years come out that we have to get new procedures and processes for, you might want to think about outsourcing some of those items or branch audits.  Anything that you can do to stay up with the current regulations and not get behind in your compliance duties. I know that’s been an issue for our firms in the past, just trying to stay up with everything, but outsourcing might be a good fit for some of the firms to help you out.

Ed Wegener:  Absolutely. And it’s just one of the challenges I think I keep saying while we’re in a very regulation heavy period right now, but I don’t know when I’ve ever not said that. Right. You know, so the more you can really focus in on making sure you’re on top of things and that you’re adapting to all these changes in the regulations, changes within the environment, the better off you are.  And whether that’s through outsourcing or to your point earlier, Glenn, trying to find efficiencies in how you do these things, you’ll be better positioned to be able to withstand these periods where there’s a lot of new regulations. Right now, between Reg Best Interest being just a couple years old and the regulators really starting to do more substantive exams in that area, and the DOL rule coming out, and the new SEC marketing rule, that’s a lot to absorb in a short amount of time. And so you need to make sure that you have the resources available to be able to address those. And that’s either getting new resources or being more efficient with the resources that you have. So terrific points and terrific points all around. I really appreciate your input. I’m sure they’ll be very valuable for our clients and really appreciate you joining us today and look forward to working with you in the future.

Libby Hall:  Thanks everyone for listening. If you’d like to learn more about our experts and how Oyster can help your firm, visit our And if you like what you heard today, follow us on whatever platform you listen to and give us a review.  Reviews make it easier for people to find us.  Have a great day.

About The Podcast Speakers
Ed Wegener

Ed Wegener is an innovative compliance, risk management and supervisory controls expert with deep understanding of Federal Securities Laws and the rules of self-regulatory organizations, as well as technology optimization and risk mitigation. Prior to joining Oyster, Ed held several posts in FINRA, most recently as Senior VP and Midwest Regional Director.

Heather Vitek

Heather Vitek is a Financial Services professional with over 25 years of industry experience. Heather has extensive expertise in investment advisor Operations and Compliance.

Glenn Schwalje

Glenn has extensive expertise in broker-dealer and RIA risk management and compliance, including creating and implementing Written Supervisory Procedures, AML Compliance Programs, as well as conducting branch exams and email review.

Brent Nicks

Brent brings a wealth of experience and expertise in the Chief Compliance Officer (CCO) and Supervision roles, as well as developing sales in wealth management products.
