Board Members and Compliance: What They’re Actually Responsible For

SPEAKER_02 (0:00): Welcome to the Nonprofit Compliance Brief, where we explain charitable solicitation and multi-state fundraising requirements in clear, practical terms for nonprofit leaders and finance teams. This podcast is produced by Ironwood Registrations.

SPEAKER_00 (0:15): It is really great to be here for this deep dive today.

SPEAKER_02 (0:19): Yeah, we’re glad to have you. So I want you to picture this for a second. You are really passionate about a cause. Maybe it’s literacy, maybe it’s saving the wetlands, whatever it is.

SPEAKER_01 (0:29): Right. You’re deeply invested.

SPEAKER_02 (0:30): Exactly. You’ve been volunteering, you’ve been, you know, donating a bit, and finally, someone taps you on the shoulder and says, “Hey, we want you on the board.”

SPEAKER_01 (0:37): Oh, that’s a moment of pride for a lot of people. You really feel like, “Wow, I’m gonna make a difference.”

SPEAKER_02 (0:43): Yeah, you say yes, you show up to that very first meeting, and then the binder lands on the table.

SPEAKER_01 (0:47): The dreaded binder.

SPEAKER_02 (0:49): Or you know, these days, the massive Dropbox link arrives. And suddenly it is not just about saving the wetlands anymore. It’s about fiduciary duties, liability insurance, multi-state compliance. I mean, I’ve had friends tell me they actually wanted to quit after their first meeting because they were just terrified.

SPEAKER_01 (1:07): They’re gonna break a law they didn’t even know existed. Exactly. Yeah. That’s what I call the Sunday night panic. It is incredibly common. Because that shift from being a supporter to being a governor, it’s a massive psychological leap. You go from basically cheering for the team to suddenly realizing you are technically responsible for the entire stadium.

SPEAKER_02 (1:28): And that is exactly the murky water I want to clear up for everyone in our deep dive today. Because there is just this massive gap between what people think a board member is responsible for—which is usually, you know, everything—and what they are actually responsible for. So to set our roadmap today, we need to answer the central question: If I’m on a board, do I need to be the one filing the tax returns? Do I need to, like, memorize the charitable solicitation statutes of all 41 states?

SPEAKER_01 (1:57): The short answer is a very hard no. But the long answer is that you do need to know enough to know if those things are actually happening. We really need to separate oversight from operations today. I mean, if you are doing the actual filing, you aren’t governing. You’re just volunteering as unpaid staff.

SPEAKER_02 (2:16): Which happens a lot.

SPEAKER_01 (2:17): It does. But those are two very different lanes.

SPEAKER_02 (2:19): Okay. Let’s establish those lanes right now because I think they get blurred constantly, especially in smaller organizations where everyone is just pitching in. If the board’s lane is oversight, what does that actually look like in practice? Because “oversight” is kind of just a vague corporate buzzword.

SPEAKER_01 (2:33): It is vague, yeah, until you break it down into the actual legal framework. In the nonprofit world, we generally talk about the three primary fiduciary duties. And honestly, if you take nothing else away from this discussion today, memorize these three: Duty of Care, Duty of Loyalty, and Duty of Obedience.

SPEAKER_02 (2:51): Okay, those sound a little bit like wedding vows. To love, honor, and obey.

SPEAKER_01 (2:57): They kind of are.

SPEAKER_02 (2:58): Let’s unpack them a bit. So Duty of Care. That sounds like I just, you know, need to be nice to people.

SPEAKER_01 (3:05): It sounds soft, sure, but it is actually about competence. Duty of care means you are simply paying attention. You are reading the board packet before the meeting. You’re asking questions. Like, if the building is actively burning down, you aren’t ignoring the smoke. It essentially means acting with the level of care that a “prudent person” would use in a similar situation.

SPEAKER_02 (3:27): So if I skip, say, five meetings in a row and I don’t bother to read the financial report that clearly says we’re going bankrupt, I’ve breached the duty of care.

SPEAKER_01 (3:35): Precisely. You were completely asleep at the wheel. That’s a breach.

SPEAKER_02 (3:38): Got it. Okay, number two is Duty of Loyalty.

SPEAKER_01 (3:40): Yeah. This one is about putting the organization’s interests way above your own. This is basically where conflicts of interest live. So let’s say you’re on the board and your brother owns a printing company. The nonprofit needs some new brochures. If you push the organization to hire your brother without disclosing that relationship to anyone, or if the price is way higher than the standard market rate, that is a breach of the duty of loyalty. You are serving your brother, not the nonprofit.

SPEAKER_02 (4:11): That feels pretty straightforward, though. I bet it gets really messy in, like, small towns where everyone knows everyone.

SPEAKER_01 (4:17): Oh, absolutely. It happens all the time.

SPEAKER_02 (4:18): What about the third one? Duty of Obedience. That one sounds the most strict. Who exactly are we obeying? The board chair?

SPEAKER_01 (4:25): No, no. You are obeying the mission and the law. And this is really where compliance comes in. You have a strict duty to ensure the organization stays true to its tax-exempt purpose.

SPEAKER_02 (4:35): So, no mission drift.

SPEAKER_01 (4:36): Exactly. If you’re an animal shelter, you can’t suddenly start using funds to, I don’t know, fix potholes in the city streets. But you also have to obey external laws. That includes IRS filings, basic employment laws, and crucially for our listeners today, charitable solicitation registration.

SPEAKER_02 (4:54): Right. And this is exactly where the anxiety spikes for people. Because “obeying the law” sounds very binary. You either did it or you didn’t. And if the organization missed a filing in, say, Mississippi, has the board breached its duty of obedience? Are they in trouble?

SPEAKER_01 (5:11): This is where the nuance really matters. The board is not expected to know the exact deadline for the Mississippi renewal form. They are expected to ensure a system exists that knows the deadline.

SPEAKER_02 (5:21): Ah, okay. A system.

SPEAKER_01 (5:23): If the board says, “Hey, we don’t care about state laws, we’re just going to fundraise illegally anyway,” that is a massive breach. But if the board says, “Executive Director, do we have a process for our state registrations?” and the ED says yes, and then the ED just makes a clerical error and misses one…

SPEAKER_02 (5:37): That’s not on the board.

SPEAKER_01 (5:38): Exactly. That is not a board failure. That’s an operational error.

SPEAKER_02 (5:41): Wow. Okay. That is a huge distinction. So my job isn’t to actually, you know, lick the stamp. My job is to ask, “Do we have a budget for stamps? And is someone assigned to mail these letters?”

SPEAKER_01 (5:54): Exactly. But the key is you have to actually ask. You can’t just assume it’s happening. The whole day-to-day misconception is that the board needs to micromanage those filings. They really don’t. In fact, if a board member is, like, rewriting the grant application or double-checking the math on the state registration forms, they are probably getting in the way.

SPEAKER_02 (6:14): There’s that old phrase, right? “Nose in, fingers out.”

SPEAKER_01 (6:17): That is the classic mantra. Stick your nose in to smell if anything is burning, but keep your fingers completely out of the pie.

SPEAKER_02 (6:24): I love that. Let’s talk about the money, though, because duty of care implies I really need to understand the financials. And frankly, a lot of board members are not accountants. They see a massive spreadsheet, their eyes totally glaze over, and they just vote “yes” to approve the budget because they don’t want to look stupid in front of everyone else.

SPEAKER_01 (6:41): And that is an incredibly dangerous dynamic. Look, you do not need to be a CPA, but you absolutely need to understand the narrative of the numbers. Financial oversight is the bedrock of compliance.

SPEAKER_02 (6:54): Because it all comes back to the money.

SPEAKER_01 (6:56): Always. Almost every single compliance failure eventually shows up somewhere in the bank account.

SPEAKER_02 (7:01): So give us the cheat sheet then. If I’m a non-financial person looking at a big balance sheet, what are the red flags I should be hunting for?

SPEAKER_01 (7:08): I always tell people to look for three specific things.

1. Solvency: Do we actually have enough cash to pay the bills for the next three months? If the cash flow is razor-thin, you need to be asking really hard questions about sustainability right then and there.
2. Restricted Funds: This is a huge trap for nonprofits.

SPEAKER_02 (7:28): Explain that one a bit more. The difference between restricted and unrestricted.

SPEAKER_01 (7:32): Sure. Let’s say you got a $50,000 grant specifically to build a new playground. But payroll is coming up on Friday, and the general checking account is totally empty. So the Executive Director decides to just “borrow” from the playground money to pay the staff, fully intending to put it back later when donations come in.

SPEAKER_02 (7:51): I mean, that sounds logical, but I’m guessing it’s highly illegal.

SPEAKER_01 (7:55): It is a massive compliance violation. That is restricted money, period. If a board member sees that the “playground fund” is empty, but they look outside and no playground has been built, they need to stop the meeting immediately. That is a duty of obedience issue. You cannot use restricted funds for basic operating expenses.

SPEAKER_02 (8:14): That is a really great specific example. What’s the third thing on your cheat sheet?

SPEAKER_01 (8:18): The connection to the audit. If you are a big enough organization to actually have an independent audit, the auditor will give you something called a “management letter.” It’s usually separate from all the big number crunching. It lists your internal control deficiencies.

SPEAKER_02 (8:32): That sounds incredibly boring, but I’m guessing it’s where all the skeletons are buried.

SPEAKER_01 (8:36): It is arguably the most important document the board will ever see. It tells you if, for example, the exact same person writing the checks is also the person balancing the checkbook. If an auditor says, “Hey, you have a major lack of segregation of duties here,” and the board just ignores it for three years, and then someone eventually embezzles 100 grand—now the board is absolutely on the hook because they were officially warned and they did nothing about it.

SPEAKER_02 (9:03): Okay, you just said the scary phrase, “on the hook.” Let’s pivot to personal liability. Because this is the nightmare scenario for everyone, right? I’m volunteering my free time, I’m trying to help my community, and suddenly I’m being personally sued or fined because the nonprofit messed up. How real is that fear, really?

SPEAKER_01 (9:22): The fear is often much larger than the reality, but I have to be honest, it’s not zero. The legal standard for personal liability usually involves gross negligence or willful misconduct.

SPEAKER_02 (9:32): Define gross negligence for us. Is that just making a really, really big mistake?

SPEAKER_01 (9:37): No, no. Making a normal mistake is just negligence. Gross negligence is a reckless disregard for the truth. It’s basically seeing the cliff approaching and hitting the gas pedal anyway. So if a board member actually steals money: liability. If the board knows the organization is actively running a fraudulent fundraising scheme and just sits back and does nothing: liability. But if the organization simply forgets to file a 990 extension and gets hit with a penalty fee, that just comes out of the organization’s budget. It does not come out of the board members’ personal pockets.

SPEAKER_02 (10:11): So regulators aren’t, like, hunting for board members’ houses because of a typo on the state form.

SPEAKER_01 (10:16): Exactly. Regulators just want compliance. They don’t want your house. They want to see what we call active governance.

SPEAKER_02 (10:22): What does active governance actually look like to an outsider? If an Attorney General from, say, California or New York looks at a charity, how do they know if the board is doing its job?

SPEAKER_01 (10:32): They look at the minutes.

SPEAKER_02 (10:33): The minutes. The boring notes that literally nobody wants to take.

SPEAKER_01 (10:37): I know, but if it isn’t written down legally, it didn’t happen. If the board made a major decision—like entering a contract with that brother’s printing company we talked about earlier—and the minutes don’t show a discussion, a formal vote, and a recusal by the brother, then it looks like corruption to an investigator. But if the minutes show a robust debate, a review of three competitive bids, and note that the conflicted member physically stepped out of the room, it looks like perfect governance. Documentation is your shield.

SPEAKER_02 (11:07): That is so important. So we’ve covered the duties, we’ve covered the liability, but organizations change over time. A startup board is going to act very differently from the board of a $20 million organization. As the nonprofit grows, the compliance footprint gets way bigger, doesn’t it?

SPEAKER_01 (11:22): It does. And this brings us to a really critical realization, which is that compliance tends to expand alongside fundraising growth. And organizations that review requirements periodically avoid most problems.

SPEAKER_02 (11:34): It almost sounds like a law of physics. As the money grows, the paperwork grows.

SPEAKER_01 (11:38): It’s undeniable. Think about it. When you start out, you’re usually just asking friends and family for money. You’re likely only registered in your home state. But then you add a “Donate Now” button to your website…

SPEAKER_02 (11:50): And suddenly anyone can give.

SPEAKER_01 (11:52): Exactly. Suddenly you might be soliciting in all 50 states. Then you start mass email campaigns. Then you hire a professional fundraiser. Every step adds a new layer of rules.

SPEAKER_02 (12:05): And I assume the states don’t all use the exact same form, right? That would be too easy.

SPEAKER_01 (12:09): I wish they did. There is something called the Unified Registration Statement, or URS, which was a noble attempt to standardize things years ago. But honestly, many states have moved away from it entirely to their own custom online portals. So now you have different deadlines, different fee structures, entirely different audit thresholds for every state.

SPEAKER_02 (12:28): So a board member of a rapidly growing organization just needs to pause and ask, “Hey, we just launched a national campaign. Did we actually update our state registrations?”

SPEAKER_01 (12:36): Exactly. The board does not go fill out those state forms, but they must ensure the annual budget includes the filing fees and the staff or external partners to manage that sheer volume of work. You cannot run a national fundraising program on a local compliance budget.

SPEAKER_02 (12:53): That makes perfect sense. And this brings us right to policies. Earlier we talked about duty of loyalty, and you mentioned conflicts of interest. Is that usually just a handshake agreement among friends?

SPEAKER_01 (13:04): No, it needs to be a written policy formally signed annually by every member. This is really where the board protects itself. A conflict of interest policy is your first line of defense, but there are a few others you absolutely need.

SPEAKER_02 (13:17): Which ones are completely non-negotiable?

SPEAKER_01 (13:19): A whistleblower policy is essential.

SPEAKER_02 (13:21): See, that always sounds so dramatic to me. Like we’re expecting a corporate spy in the ranks. Why does a tiny literacy nonprofit need a full whistleblower policy?

SPEAKER_01 (13:30): Because intimidation happens everywhere, regardless of size. If a junior accountant notices the Executive Director is using the company credit card for personal vacations, they need a legally safe way to report that directly to the board without getting fired by that same ED. If that policy doesn’t exist, the fraud just continues until the money is completely gone. The policy creates a safe pathway for the truth to reach the board.

SPEAKER_02 (13:56): That totally makes sense. It’s a safety valve. What about document retention?

SPEAKER_01 (14:00): That’s the third big one: Document Retention and Destruction Policy. It sounds incredibly dry, but you need to know exactly how long to keep donor records, employment records, and board minutes. And equally important, when to actually destroy them so you aren’t paying ridiculous storage fees for paper from 1990 that you have zero legal requirement to keep.

SPEAKER_02 (14:20): So true. All right, so we have the three duties, the growth curve, the policies. But let’s get real for a second. Most board members are busy professionals, they have full-time day jobs, they’re quickly reading the board packet on the train on the way to the meeting. How do they actually do all of this oversight without it becoming a second full-time job? We need some practical habits here.

SPEAKER_01 (14:40): It really comes down to the dashboard concept. You do not need to read every single email the staff writes. You just need a simple one-page dashboard presented at every meeting.

SPEAKER_02 (14:49): What’s on a dashboard?

SPEAKER_01 (14:50): Compliance status: Green, Yellow, Red. Are our state filings up to date? Yes or no? Are our 990 and our audit on schedule? Yes or no?

SPEAKER_02 (14:58): So I don’t need to see the actual receipt for the filing fee. I just need to see the green light.

SPEAKER_01 (15:03): Correct. And then you need a section for risk. What is keeping the Executive Director up at night right now? Is it a cash flow issue? Is it a potential lawsuit? A new state regulation? The board meeting should focus on the future and the big risks, not just reviewing what happened three months ago.

SPEAKER_02 (15:19): That is a great pivot for a board to make. Move from history class to a strategy session.

SPEAKER_01 (15:24): And part of that is asking the right questions. Instead of asking, “Hey, why did we spend $50 on coffee for the office?” ask, “Do we have sufficient reserves to cover next month’s payroll if this big grant is delayed?” That is a governance question. The coffee is a management question.

SPEAKER_02 (15:42): That distinction right there—governance versus management—that seems to be the hardest thing for people to learn, especially if the board member used to be a hands-on volunteer who literally was the one making the coffee.

SPEAKER_01 (15:54): Oh, it is the hardest transition by far. We often call it “founder syndrome” when the original board just can’t let go of the daily tasks. But for an organization to scale, the board has to mentally move up to the balcony. You simply can’t see the whole dance floor if you’re down there in the mosh pit.

SPEAKER_02 (16:09): I love the idea of the balcony. But sometimes, you know, the view from the balcony is a bit foggy. What if the staff just isn’t being transparent? What if the dashboard is showing all green lights, but the reality on the ground is red?

SPEAKER_01 (16:21): That is exactly where the relationship comes in. Ronald Reagan used to say, “Trust, but verify.” This is why you have an external audit. This is why you occasionally hold executive sessions where the board meets without any staff present, just to check in honestly with each other. And honestly, it’s why you have to cultivate a culture where bringing bad news is okay.

SPEAKER_02 (16:42): Say more about that culture piece.

SPEAKER_01 (16:43): Well, if a board screams and points fingers every time there is a tiny mistake, the staff will naturally start hiding their mistakes. But if the board says, “Thank you so much for bringing this compliance gap to our attention, let’s figure out how to fix it,” then you get real transparency. You want a culture where the Executive Director feels completely safe saying, “Hey, we messed up and missed a deadline in Florida.”

SPEAKER_02 (17:06): Because if they are too scared to tell you about Florida, they definitely won’t tell you about a massive financial crisis.

SPEAKER_01 (17:12): Exactly. Fear always drives compliance underground. Support and resources bring it into the light.

SPEAKER_02 (17:18): We’ve covered a ton of ground here today. We’ve gone from the big three duties (care, loyalty, obedience) all the way to the specifics of financial red flags and the absolute necessity of good policies. If we had to boil this down for the listener who is, let’s say, walking into a board meeting tonight, what is the one single thing they should change about their approach?

SPEAKER_01 (17:39): Stop trying to do the work yourself and start ensuring the work can actually be done by the organization.

SPEAKER_02 (17:45): “Ensure the work can be done,” meaning giving them resources.

SPEAKER_01 (17:48): Yes. A board absolutely cannot demand gold-standard compliance and then turn around and refuse to approve the budget for a compliance officer or an external firm or good software. You can’t ask for a mansion on a tent budget. The most compliant thing a board can ever do is ensure the staff has the time, the money, and the expertise to handle the regulations.

SPEAKER_02 (18:08): It’s basically putting your money where your mission is.

SPEAKER_01 (18:10): It is. And it’s realizing that your true value as a board member is your judgment. You are there to ask: “Does this make sense? Is this legal? Is this ethical?” You are the conscience of the organization, not the administrative assistant.

SPEAKER_02 (18:22): I think that’s going to be a huge relief for a lot of people listening. You don’t have to be the expert in every single thing. You just have to be the expert in asking “why” and “how.”

SPEAKER_01 (18:31): And “who”? Who is actually responsible for this task? If you know who is responsible and they have the resources, you’re halfway there.

SPEAKER_02 (18:38): I want to leave our listeners with a bit of a provocative challenge today to think about on their own. We talked earlier about “nose in, fingers out,” but I want you to think about your specific organization right now. If the entire board disappeared tomorrow—just completely vanished—would the organization’s compliance system keep running smoothly? Or would it completely collapse because you are the one holding it together with tape and string?

SPEAKER_01 (19:04): Man, that is the ultimate test right there.

SPEAKER_02 (19:07): It really is. Because if the answer is “it would collapse,” then you haven’t actually built a system. You’ve just built a dependency. And true governance is about building something that lasts way longer than your personal term limit.

SPEAKER_01 (19:20): That is the very definition of stewardship.

SPEAKER_02 (19:22): Helping versus hovering. Building versus patching. That has to be the goal.

SPEAKER_01 (19:27): Absolutely. Couldn’t agree more.

SPEAKER_02 (19:29): If you found this discussion helpful, you can find additional compliance guides and visual resources at ironwoodregistrations.com. Thanks for listening.