Research Assistant Newsletter, sponsored by Provana

Welcome to the Research Assistant Weekly Newsletter - a subscriber-only resource for insight into emerging compliance challenges, details on peer calls, and links to new Research Assistant reports, documents, tools, and more.


Sponsored by TCN


Last week, at the RMAi Executive Summit, I had the pleasure of speaking on a panel where we discussed executive liability and the potential risks for those in leadership positions. The research I did to prepare for the panel left me concerned that those in leadership positions underestimate the potential personal risks and how to proactively protect themselves. Here are a few of the high-level takeaways along with some supporting resources.

Federal Regulators are Doubling Down on Personal Liability 

You don’t have to look far to see that the CFPB, FTC, and DOJ have been heavy-handed on this issue over the past few years. Here’s a round-up of recent actions:

  • Federal Trade Commission (FTC) 

    • FTC Drizly Consent Order – The order named both the company and its CEO personally for insufficient information security practices and inadequate corrective action after a breach, and its obligations on the CEO follow him to future roles.

    • GLBA Safeguards Rule – The Qualified Individual requirement places accountability for the information security program with one named person. The rule intentionally assigns that accountability to a single individual rather than to a committee.

  • Department of Justice (DOJ)

    • In the March 2023 update to its “Evaluation of Corporate Compliance Programs” memo, the DOJ raised the stakes on corporate compliance by stating that prosecutors will evaluate compliance programs and will specifically look at whether financial incentives (compensation, bonuses, clawbacks) are tied to compliance initiatives.

State Level Actions

Personal liability has also popped up at the state level. For example: 

  • California recently tried to pass a bill that would hold compliance management personally liable.

  • Both Massachusetts and New York have personal liability language related to information security.

    • 201 CMR 17.03 in Massachusetts requires any company, regardless of where it is domiciled, that stores personal information of Massachusetts residents to maintain a set of minimum security requirements, including designating an individual to “maintain the comprehensive information security program” (in effect, a CISO).

    • 23 NYCRR 500.4 in New York requires each covered entity to designate a chief information security officer responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy.

  • Nevada recently replaced its Qualified Manager licensing requirement with a Compliance Manager requirement, with specific language describing the responsibilities of the role.

How Can You Protect Yourself?

  1. Ensure you have a structure in place that supports separation of duties and drives accountability.

  2. Make sure your Compliance Department has the resources it needs to report on risks regularly to the board of directors or highest governing body, and ensure that all risk remediation is documented.

  3. Review your Directors and Officers (D&O) insurance coverage. Make sure claims arising from federal regulatory actions are covered and that everyone who needs to be on the policy is named. An example of what one of these policies may include is here.

Understandably, this is a tough subject to broach with your executive team, especially when it comes to compensation. However, I would personally rather know this information before a regulatory exam than after, when it’s too late.


Upcoming Webinars/ Other Announcements:

  • Upcoming Webinar: Work Smarter, Not Harder – Compliance Sells! The Intersection Between Compliance and Sales, August 22nd at 2:00 ET. Register here.

  • Reminder: Send any topics or questions that you want to discuss to sara@insidearm.com by Thursday to ensure they make it onto our agenda!