Last month, the Securities and Exchange Commission brought a settled enforcement case against a chief compliance officer (CCO) and a registered investment advisor, causing many in the securities industry to scratch their heads and others to quake in their boots.
Regulators have said they would not "second guess" CCOs and would charge CCOs only if there were "wholesale failures." Here, there was no material failure, but the CCO was booted from the industry, with a five-year bar as supervisor or compliance officer and a $15,000 penalty.
Because of the importance of CCO liability to the financial services industry, various organizations, including the New York City Bar Association (NYCBA) and the National Society of Compliance Professionals (NSCP), have proposed frameworks to assist regulators in the difficult task of assessing the conduct of CCOs.
Indeed, in a separate statement supporting the settlement, Commissioner Hester Peirce addressed some of these issues and attempted to apply the NYCBA's framework. Unfortunately, applying such standards is difficult because the order omits many facts, raising questions about the role of CCOs and what liability standards the SEC applies.
Had the SEC applied these frameworks, and in particular the NSCP's framework, it would have addressed issues such as the responsibility, ability and authority of the CCO, as well as viewed this conduct holistically, examining the conduct of the RIA's management and other parties.
The SEC's Allegations
The SEC charged the RIA with failing to adopt and implement reasonable written policies and procedures and charged the CCO with aiding and abetting and causing those violations.
The CCO was a firm "principal" and a registered representative with a broker-dealer used by the RIA in its advisory business. The case revolved around an investment adviser representative (IAR) who allegedly failed to disclose his outside business activities (OBAs) to the RIA and failed to comply with the policies of the unaffiliated BD. (The SEC's order does not state that the IAR has been charged separately.)
Regarding the CCO, the order alleged that he failed to:
- Make sufficient changes to the design and implementation of the RIA's compliance program.
- Require the IAR to complete and submit the RIA's OBA form.
- Conduct sufficient review to determine whether the OBA presented conflicts of interest and was adequately disclosed to clients.
- Conduct sufficient review of the IAR's transactions involving the OBA, which had been flagged by the BD.
- Take sufficient steps to monitor the IAR's compliance with the BD's policies after becoming aware that the IAR took some steps to avoid the BD's compliance program.
- Take sufficient steps to ensure that a second OBA was being properly reported.
For each issue, the order alleged that the CCO took steps or other action deemed not "sufficient," without providing detail of what he actually did. In addition, the order failed to state what the CCO could have done differently.
Questions About the Order's Failures
The order's bare-bones factual findings raise many questions demonstrating that the order omitted material facts relevant for establishing liability. Those facts would have also assisted other CCOs in knowing what conduct is expected and what to do to avoid liability. Had the SEC focused more on the questions presented in the NSCP's and the NYCBA's frameworks, answers to those questions would have provided the industry with much-needed guidance.
1. Inadequate implementation of compliance program
Does the failure by one individual to take certain (unspecified) steps constitute an inadequate implementation of a program, or is that simply evidence that one person (allegedly) failed to perform one aspect of the job adequately?
Did the CCO have sufficient support from firm leadership to affect the violative conduct? (The fact that the SEC chose to charge both RIA and the CCO suggests that that SEC considered the failures to go beyond the CCO's conduct.)
Did the CCO reasonably believe that others at the RIA or the BD were addressing the issues?
What authority did the CCO have as a "principal"? (In trying to apply the NYCBA Framework, Commissioner Peirce stated that "As a principal of the firm, he had adequate authority to address the compliance inadequacies," however, the Order never stated that he had "authority," and public records indicate that he was a minority owner of the RIA.)
2. Failure to control the IAR
Did the CCO supervise the IAR and have actual responsibility, ability, or authority to affect his conduct by requiring the IAR to complete and submit the OBA form? (The Order does not state who supervised the IAR.)
3. Failure to disclose the OBA to clients and review conflicts