This sounds well lined up with what I was saying? The CRO doesn't manage risks. Having him in with the executives is a signal that the company is putting resources into communicating with the regulators rather than that they are committed to managing risks in any way. That isn't what these regulatory-heavy roles are for. Their job is to make sure the regulators don't investigate. That is in no way a signal that the company has any ability at risk management, and is a slight signal that they might think "risk" just means that the government will sue them or shut them down.

If a company were actually serious about managing the risks it'd be some relatively quiet role reporting to someone responsible for operations like a CTO, COO or head of product. Maybe part of the CEOs personal staff but not an exec.