The SEC’s recent aggressive enforcement posture against chief compliance officers has raised many concerns, including whether the SEC’s actions are actually chilling robust compliance efforts. To protect themselves against SEC scrutiny and regulatory enforcement actions, CCOs and their firms should assess their current policies and practices, incorporate the SEC’s expectations in their planning, and take steps to reduce their risk.
When Doing the Right Thing Is Not Enough (for the SEC)
Can you guess what happened to a chief compliance officer who took the following steps relating to compliance with a new SEC rule?
- Provided guidance, training, and conducted testing with respect to the rule
- Held multiple meetings to discuss compliance with the rule
- Had sufficient written supervisory procedures that were consistent with appropriate industry standards
- Relied on clear written representations from others that the rule was being followed
- Took prompt and substantial remediation efforts after an audit revealed issues with compliance
- Had no knowledge of rule violations and upon learning of the violations disclosed the violations to FINRA (violations that consisted of only 1,500 transactions out of 1 billion handled by the firm and that accounted for only $59,000 in revenue)
Would you believe an SEC administrative law judge found the chief compliance officer negligent and liable for causing his firm’s violation of the securities laws? And it could have been worse. The SEC’s enforcement staff actually sought to impose more serious liability on the officer, including a fraud-based violation and a bar from the securities industry.
The SEC’s pursuit of Thomas R. Delaney II, a former chief compliance officer (CCO) of a broker-dealer, is part of a controversial enforcement trend by the SEC relating to chief compliance officers at broker-dealers, investment advisers, and registered funds. Compliance officers at these regulated entities should be alarmed by the trend, which includes mixed messages from the SEC Enforcement Division, conflicting cases, and a public debate among two recent SEC Commissioners about the SEC’s pursuit of compliance officers.
SEC’s Enforcement Policy Relating to CCOs
In a pair of speeches in 2015 and 2014, SEC Enforcement Director Andrew Ceresney set forth the factors the SEC will consider in assessing the conduct of CCOs. Ceresney stated that CCOs should not fear enforcement action if they perform their responsibilities diligently, in good faith, and in compliance with the law. He claimed cases against CCOs fall into three categories:
1. CCOs who are directly involved in fraudulent activity or other conduct that harms investors, often in other roles unrelated to their compliance function,
2. CCOs who engage in efforts to obstruct or mislead the SEC staff; and
3. Where the CCO has exhibited a wholesale failure to carry out his or her responsibilities.
Is the SEC Following Its Policy?
Despite Ceresney’s statements, the SEC’s cases against CCOs raise questions about whether the SEC is following its own policy. For example, in his 2014 speech, Ceresney said the Delaney case fit all three categories, yet an administrative law judge found the CCO did not have actual knowledge of the violations, did not affirmatively participate in the violations, and did not conceal violations from regulators. Delaney, and two other cases brought by the SEC in 2015, have raised concerns about the liability standard for CCOs where their liability is based on an alleged failure to prevent a violation by another. In the Matter of SFX Financial Advisory Management Enterprises, Inc., AP File No. 3-16591 (June 15, 2015); In the Matter of Blackrock Advisors, LLC, AP File No. 3-16501 (April 20, 2015).
Critics contend the liability standard being applied by the SEC is one of simple negligence, where a compliance officer is alleged to have “caused” a primary violation committed by another. Letter from National Society of Compliance Professionals to Ceresney, August 18, 2015; “The Most Thankless Job on Wall Street Gets a New Worry,” Wall Street Journal, Feb. 3, 2016. According to the NSCP, the SEC should pursue CCOs when they act intentionally or recklessly, and a negligence standard is liability by hindsight and second-guessing. Further, CCOs should not be charged when someone commits a violation despite the policies and procedures that are in place. Such policies and procedures are rarely perfect and may not prevent violations.
SEC Commissioners Spar on CCO Enforcement
The SFX and Blackrock cases, where the SEC charged CCOs with causing the violations of others based on a negligence theory, prompted a public dissent by then SEC Commissioner Daniel Gallagher. Commissioner Gallagher stated that both cases illustrate a trend toward strict liability for CCOs and will disincentivize a vigorous compliance function at investment advisers. According to Gallagher, the SEC’s actions are “sending a troubling message that CCOs should not take ownership of their firm’s compliance policies and procedures, lest they be held accountable” for the conduct of others. Id. “Or worse, that CCOs should opt for less comprehensive policies and procedures with fewer specified compliance duties and responsibilities to avoid liability when the government plays Monday morning quarterback,” Commissioner Gallagher added. Id.
Gallagher’s comments drew a sharp response from SEC Commissioner Luis Aguilar, who stated that cases against “pure” CCOs are rare and that CCOs charged by the SEC are usually engaged in “egregious misconduct.” Id. However, Commissioner Aguilar’s claim about “egregious misconduct” cannot be reconciled with the SEC’s recent cases against CCOs.
Judges Push Back on the SEC
Despite the SEC’s aggressive posture toward CCOs, in litigated cases the SEC has met with resistance from administrative law judges (ALJs). In three cases brought by the SEC against compliance officers in 2015, the ALJs rejected all or a part of the SEC’s claims. In Delaney, the ALJ, while finding the CCO negligent, rejected the SEC’s more serious charge of aiding and abetting and declined to impose a bar from the securities industry. In another case, the ALJ declined to impose any sanctions on a compliance officer of Wells Fargo. In the Matter of Judy K. Wolf, AP File No. 3-16195, Initial Decision, August 5, 2015. The ALJ stated, “[t]here is a real risk that excessive focus on violations by compliance personnel will discourage competent persons from going into compliance, and thereby undermine the purpose of compliance programs in general.” Id. at 22.
Another ALJ in a different matter ruled against the SEC and dismissed fraud charges against an investment adviser and its CCO. In the Matter of The Robare Group, et al., AP File No. 3-16047, Initial Decision, June 4, 2015. The case involved the same alleged compliance failures as Blackrock, an alleged failure to disclose a conflict of interest. The difference in result is due to a number of factors, including: (1) the SEC had to prove its allegations to a judge, a task more difficult than extracting a settlement from a regulated entity; (2) the ALJ found the CCO to be honest and committed to meeting disclosure requirements; and (3) the adviser and CCO relied in good faith on the advice of two compliance firms. It also helped that the ALJ found that “investment advisers operate in an uncertain regulatory environment in respect to disclosing potential conflicts of interest” and the SEC does not provide clear and consistent guidance. Id. at 30.
Interestingly, the two cases where the SEC’s most serious claims were rejected were decided by the SEC’s two newest ALJs. While CCOs and their firms can take some comfort in these apparent checks and balances on SEC enforcement, it is not enough to avoid the pain and expense of an SEC investigation and a public and career-damaging enforcement action.
What to Do Now to Reduce Risk
The SEC’s recent activity against CCOs should serve as a warning to all investment advisers, broker-dealers, and compliance professionals that it would be wise to review their policies, procedures, and practices to ensure they are adequate in today’s regulatory environment.
In a speech in late 2015, Andrew Donahue, Chief of Staff to SEC Chair Mary Jo White, outlined what he believes are the responsibilities of a CCO, and while some steps seem obvious, the list puts firms and compliance professionals on notice of the SEC’s expectations:
- Firsthand knowledge of the applicable laws and regulations
- Deep understanding of the firm, its structure, and internal operations
- Significant attention to conflicts of interest, including how they are identified, frequency of review, how conflicts are resolved, and effective disclosure of conflicts
- Detailed understanding of the firm’s clients/customers and the products and services provided to them
- Understanding of the firm’s compliance and technology platforms and whether they can accommodate implementation of the firm’s compliance procedures
- Knowledge of policies and procedures and how they are applied and monitored
- Understanding of the various markets in which the firm operates, including any specific practices in those markets that may raise concerns
- Grasping the culture of the firm and if necessary changing it to promote robust compliance
In addition, based on cases where the SEC has found firms to be remiss in the compliance area, firms and CCOs should consider these factors to reduce risk:
- CCOs should be wary of taking on roles unrelated to their compliance function, and firms should avoid having CCOs take on such roles; similarly, persons who already perform other services at a firm should be wary of assuming the role of CCO.
- CCOs should raise unresolved compliance issues with management and document such steps (in a recent action the SEC charged the firm and two principals but not the CCO, who raised several compliance issues with management but was ignored).
- CCOs should take steps to make sure they are adequately protected in the event of regulatory scrutiny of their actions. Where practical, CCOs should seek indemnification provisions in their employment contracts and officer status within the firm to get coverage under the firm’s directors and officers liability insurance, coverage that often extends to defense costs arising out of regulatory investigations. Ideally, CCOs should seek protection that includes advancement of costs, as defending an action can prove very costly.
- CCOs should pay significant attention to identification of conflict of interest issues, an area of increasing activity by the SEC’s enforcement division; CCOs should create and maintain a robust conflicts inventory addressing conflicts, mitigating controls and disclosure.
- CCOs should actively review, monitor, and enforce the firm’s policies and procedures, and document all of these steps, including exceptions. For fund CCOs, it is important to ensure that the annual report identifies each material compliance matter.
- Firm leadership should make clear how important compliance is and empower CCOs to have the last word on compliance issues; under no circumstances should management seek to exercise undue influence over the CCO.
- Firms should devote sufficient resources to compliance and employ experienced and knowledgeable people in the compliance area.
- Where compliance issues result in potential violations, take immediate remedial steps, document such steps, review disclosure obligations and in the case of registered investment companies, ensure that the matters are properly reported to the board.
Given the SEC’s recent activity against chief compliance officers, CCOs and their firms should assess their current policies and practices, incorporate the SEC’s expectations in their planning, and take steps to reduce their risk.
© 2016 Perkins Coie LLP