With an average package of close to Rs 45 lakh per annum and additional incentives, this should ideally be the dream job in the technology sector for seasoned professionals in India.
That, however, is far from the case. The liability risks involved with the job position of the Chief Compliance Officer or CCO has led to these roles either taking longer to get filled or staying vacant.
The advertisement for the Chief Compliance Officer India at Twitter reads: “We seek a seasoned professional to advise on a wide range of matters in India and to play a role in relation to compliance with legal and regulatory obligations.”
The job description sounds a lot better than the role itself. It involves protecting Twitter Inc’s interests in meetings with the government, responding to requests from the law enforcement agencies related to the platform, identifying potential risks for the platform as well as advising Twitter on corrective and preventive measures.
No surprises then that the vacancy is still open on the Twitter website.
The same goes for Facebook, which is also hiring a Chief Compliance Officer for India. This role has similar responsibilities, including ensuring compliance to local laws, developing effective relationships with government agencies as well as staying abreast with current and anticipated regulations.
Under the new IT Rules 2021, these technology platforms are required to appoint three key officers - Chief Compliance Officer, a Nodal Contact Person, and a Resident Grievance Officer.
Responding to a query by Moneycontrol, a Google spokesperson said that as applicable to them under the new IT rules, the company has appointed three officers in India.
WhatsApp, Facebook and Twitter did not respond to Moneycontrol's query about appointment of three key officers.
Who is qualified for these roles?
Individuals with more than 15 years of work experience with special focus on coordinating with the government and law enforcement agencies are eligible for the CCO post.
Those with some background in law would be preferable because the job role entails reviewing, processing and summarising court orders and search warrants.
Allied language skills with proficiency in English and Hindi is a must. Since these technology platforms operate across the country, knowledge of the languages that figure in the Eighth Schedule of the Constitution of India would be ideal.
The candidate also needs to be well-versed with the local laws, including the IT Rules 2021. He/she also needs to have prior work experience related to laws on takedown of online content (Section 69A of IT Act, 2000) and the disclosure of user data by online platforms (Section 91 of CrPC), among others.
The annual compensation for these roles would be Rs 45 lakh and upwards. Hiring consultants told Moneycontrol that global platforms would be ready to pay as high as Rs 65 lakh for qualified candidates.
Gaurav Chattur, Managing Director APAC at global technology-led executive search firm Catenon, said that CCO also ensures that the organisation is fulfilling all its legal obligations and communicating actively with government agencies to stay in the clear.
Monitoring external review processes regularly is an integral element of this role, he added.
When it comes to the time, Chattur noted that on an average, it can take anywhere between three to six months to hire a Chief Compliance Officer.
What do the IT Rules 2021 state?
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 were notified on February 25, 2021. The rules have been notified under the Information Technology Act, 2000.
Rishi Agrawal, CEO, Avantis Regtech, a TeamLease Group company involved in regulatory solutions, said that the Act provides for the regulation of electronic transactions and cybercrime.
The 2021 Rules replace the Information Technology (Intermediaries Guidelines) Rules, 2011. Here, intermediaries include social media intermediaries like Twitter, Instagram, Facebook as well as publishers of news and current affairs like The Times of India, The Indian Express and The Hindu, among others.
The IT Rules 2021 also include publishers of online curated content or over-the-top (OTT) platforms like Netflix, Hotstar and Amazon Prime.
Agrawal explained that a CCO is part of the key management personnel and must be an Indian resident, as per the rules.
“The implications of non-compliance is a jail term. According to Rule 7, non observance of Rules may be punishable under any law, including IPC (Indian Penal Code) where criminal charges can be determined and sentence for jail is also possible,” he added.
Considering these factors, Agrawal said, it is a challenging role.
“Deep knowledge of the law is necessary but not a sufficient condition for success in the role. The big tech platforms have hundreds of millions of subscribers generating upwards of 500 million posts per day. The subscribers cut across ideologies and beliefs and create vastly diverse content. To ensure compliance, the role requires deep knowledge of the law across the land,” he explained.
What is the compliance risk?
On paper, the CCO in a large technology company reports to the global team and is purely there to handle specific requests on the compliance front. But the liabilities attached are far higher.
Prasad Nakashe, Partner, Deloitte India, said that a CCO is responsible for establishing internal procedures and controls that enable all functions of an organisation to ensure compliance with all applicable laws and underlying compliance requirements.
“Thus, the impact of any non-compliance may be considered a directly attached risk to the role of CCO. Apart from that, any reputational damages, sanctions, etc. caused by non-compliances, also fall under the risk bucket of a CCO. Failure of internal controls, procedures, SOPs (standard operating procedures) and the associated damage also can be a result of inefficient functioning of compliance functions and CCOs,” he added.
Twitter was among the list of platforms that were asked to comply with the new IT rules framed by the Indian government.
On May 27, Twitter issued a statement stating that it would work on complying with the new rules in India but is concerned by the recent incidents regarding its employees in the country.
The IT Rules 2021, constituted in February this year, state that technological platforms should comply with the requirements by May 25. This included appointing key officers, removing obscene content within 24 hours of notice, as also making users aware about not posting content that is defamatory, which threatens the unity and integrity of India or is misleading in nature.
Nakashe said while there is a demand for such talent in India, well experienced and qualified CCOs are not very groomed in Indian compliance since a very low percentage of Indian companies have set up compliance functions and programmes.
A public policy expert from a large social media firm said that in theory, it should not be too difficult to appoint a Chief Compliance Officer under new IT rules.
But, in reality, he points out that it is the elephant in the room and the liabilities people don’t want to talk about.
This expert explained that the CCO is taking the liability of anything that goes wrong in the platform and that is too much of a responsibility.
“It is a huge process and there is a government mandated deadline, which is hardly enough,” he added.
Harsh Walia, Partner, Khaitan & Co. said that prior to the new IT Rules, the concept of a Chief Compliance Officer was a relatively unchartered territory.
“The CCOs have been tasked with crucial responsibilities and corresponding risks and liability. This can be a challenging role indeed, especially as the new rules have been met with significant criticism and several challenges before courts,” he added.
Is the CCO at a higher risk?
In a typical work setting, the Managing Director (MD) or Chief Executive Officer (CEO) and Chairman of the company are ultimately responsible for all the wrongdoing and the biggest liability lies with them.
However, when it comes to the IT Rules 2021, compliance obligations are higher for the CCO.
Walia explained that even the members of a company are protected (from liability for acts of the company) by the ‘corporate veil’, which can only be pierced in limited circumstances.
“The IT rules present a peculiar situation where the Chief Compliance Officer would be responsible for the non-compliance of IT laws by the platform, regardless of whether the negligence was attributable to the Chief Compliance Officer or not,” he added.
Since any non-compliance is a punishable offence, the CCO is at the risk of being prosecuted by law enforcement agencies. This means that if any user makes an inflammatory post and the social media platform does not act, the CCO will be liable even though he/she was not responsible for making a hateful or objectionable statement.
This could be one of the crucial reasons why there is a longer time being taken to fill these posts.
Walia of Khaitan & Co. said that in case of multinational companies (MNCs), there is a demand that the CCO should be an employee of the parent entity, i.e. the entity that has control over social media functions.
Given that technology laws are relatively nascent in India, he added that it is certainly difficult to find the right fit to entrust such vital responsibilities with.
Are there specific risks for Twitter?
The Centre told the Delhi High Court on July 5 that social media giant Twitter Inc has failed to comply with India's new IT Rules, which is law of the land and is mandatorily required to be complied with.
The Centre, in an affidavit filed in the high court, said any non-compliance amounts to breach of provisions of IT Rules, leading to Twitter losing its immunity conferred under the IT Act.
Over the last few weeks, multiple cases have been filed against Twitter India MD, Manish Maheshwari. Starting with the Ghaziabad video assault case, where he was sent a legal notice over a viral video of an elderly man in Loni being assaulted with the intent of "provoking communal unrest", to the more recent case filed with the Delhi Police Cyber Cell for child porn content shared on Twitter.
“Would you take the job if it came with a threat too, if it came with this caveat that you could be put in jail, for someone's random tweet,” asked an executive, who has experience working with social media companies.
“So then why do you think anyone else would want to, no matter how much money you give people. Who signs up for a job that comes with the threat of incarceration?”
Hence, will the responsibility fall from India MD to chief compliance officer now?
“The thing is there's no saying who is going to be made the scapegoat for what. This is not being done as per the rules. You see, there's no logic that underpins any of these actions. They don't necessarily follow logical arcs,” said the expert quoted above.
For example, in one of the FIRs filed against Twitter related to the company misrepresenting India by not showing Jammu & Kashmir and Ladakh as outside India, Twitter India’s head of News Partnerships Amrita Tripathi was also named.
This, even though Tripathi wasn’t directly involved in the process of making the maps, per se.
To comply with the laws, appointment of the CCO is a must to operate in India without any legal liabilities.
Hiring experts are of the view that additional sops and buying liability insurance covers for these professionals could go a long way in attracting qualified talent for these roles.
This is also because there is no Plan B available, other than to hire a CCO.
“The risk is inversely correlated to an organisation’s keenness to comply with the country’s laws. The risk involved can be high if the company does not follow the law of the land. However, if the company plans to comply, these roles are as simple as finance, HR, or other functions,” said Chattur.The only difficulty is to convince potential candidates of this logic.