Recent SEC Charges Suggest CCOs Have Target on Their Backs

CCOs have long felt under siege. In fact, according to industry-wide surveys conducted by the National Society of Compliance Professional (NSCP), 72 percent of compliance professionals are concerned that regulators have expanded the role of compliance officers and the scope of their responsibilities in imposing personal liability.[1]

As such, various SEC commissioners and staff have given speeches over the years about the importance of trying to “get it right,” by charging CCOs in only limited circumstances. As former Commissioner Daniel M. Gallagher stated, the commission should “tread carefully when bringing enforcement actions against compliance personnel”[2]; and as current Commissioner Hester Peirce stated, “We should not bring enforcement actions simply because we disagree, in hindsight, with [CCOs’] judgment.”[3]

Because of the importance of this issue to compliance professionals and others in the financial services industry, various organizations, including the New York City Bar Association (NYCBA) and the NSCP, have proposed frameworks to assist regulators in the difficult task of assessing the conduct of CCOs.[4]

Indeed, in a separate statement supporting the settlement against the registered investment adviser and the CCO, Peirce addressed some of these issues as well as attempted to apply the NYCBA’s framework.[5]

“I have spoken in the past of the importance of thinking carefully about when to impose liability against a CCO. I have underscored that the compliance obligation belongs to the firm, not to the CCO,” she said. “Reminding firms that compliance is their responsibility helps to ensure that they dedicate adequate resources to, and appropriately defer to the judgment of, their compliance departments.”

Given the dearth of facts alleged in the order, it was difficult for Peirce to apply the NYCBA’s framework. For example, one question from the NYCBA’s framework is whether the CCO made a good faith effort to fulfill his or her responsibilities. Peirce responded to this question by concluding that, “As a principal of the firm, he had adequate authority to address the compliance inadequacies.”

While the order did state that the CCO was a principal, the order did not explain what that term meant in this context. Additional research (outside of the order) shows that the CCO was a minority owner of the RIA.[6] Moreover, although Peirce used the word “authority,” the order never used that word.

Instead, the order stated that the CCO was “responsible” for “administering” the compliance program and “implementing” the firm’s compliance policies and procedures. However, the order did not state that he had the authority (or responsibility or ability) to affect the conduct of investment advisory representatives (IARs). And that issue is relevant because a primary allegation in the order is that the CCO did not require one specific IAR to complete and submit an outside business activities (OBA) form.

In determining whether to charge the CCO here, the commissioners could also have applied the NSCP’s “Firm and CCO Liability Framework,” which focuses on “the larger context of the compliance function within firms,” evaluating real-world issues, such as whether the compliance officer had actual ability to affect conduct and the resources to do the job.

As such, the framework presented nine questions to be “considered by regulators where a compliance failure may have occurred.” According to the framework, a “yes” answer to any of the questions “mitigates against CCO liability.”

Although the order did not address several of the factors outlined below, it appears that the following questions could have been relevant to the case:

• Did the CCO have nominal rather than actual responsibility, ability or authority to affect the violative conduct?
• Was there insufficient support from firm leadership to compliance, including, for example, insufficient resources, for the CCO to affect the violative conduct?
• Did the CCO escalate the issue or violative conduct to firm management through a risk assessment, annual review, CEO certification meeting/report or otherwise?
• Did firm management fail to respond appropriately after becoming aware of the issue (through the CCO or otherwise)?
• Did the CCO consult with legal counsel (in-house or external) and/or securities compliance consultants and adhere to the advice provided?
• Did the CCO otherwise act to prevent, mitigate and/or address the issue?
• Did the CCO reasonably rely on information from others in the firm or firm systems?

While we will not address each of these factors because of the lack of information provided in the order, some factors are relevant and appear to have been ignored in the order. Had these issues been addressed, firms and CCOs would have a better understanding of the basis for the charges against the CCO — and what is expected of them going forward.

The SEC’s order — and unanswered questions

As explained above, the SEC’s settled administrative action was against an RIA and its CCO, who was a “principal.” The CCO was also a registered representative with a broker-dealer (BD) used by the RIA in its advisory business. The order stated that, pursuant to the RIA’s compliance program, IARs were required to disclose OBAs to the firm and were “required to comply” with the compliance policies of the unaffiliated BD. Presumably, the unaffiliated BD also had OBA requirements and required its registered representatives to report them, but the order did not address that.

Below is a recitation of the SEC’s findings, along with several questions regarding those findings. These questions reveal that the order omitted several material facts, which appear to be relevant for establishing liability.

In addition, those facts would have assisted other CCOs in knowing what conduct is expected of them and what steps to take to avoid liability. Had the SEC focused more on the questions presented in the NSCP’s and the NYC Bar’s frameworks, answers to those questions would have provided the industry with much-needed guidance.

The SEC’s findings

Paragraph 4. “From at least December 2019, [the CCO] knew or should have known that [the RIA’s] compliance program was inadequately implemented. Despite this, he did not make sufficient changes to the design and implementation of [the RIA]’s compliance program.”

Unanswered questions:

1. What is the basis for allegations that the compliance program was inadequately implemented? The only facts presented in the order’s subsequent paragraphs address the CCO’s knowledge about the IAR’s conduct and the “insufficient” steps taken by the CCO (without a detailed recitation of what the CCO actually did and what the CCO could have done differently). Does the failure by one individual to take certain (unspecified) steps constitute an inadequate implementation of a program, or is that simply evidence that one person (allegedly) failed to perform one aspect of the job adequately?
2. What changes to the design and implementation of the compliance program could the CCO have made? Did he have the actual responsibility, ability, or authority to take the undefined steps that, according to the order, he failed to do?
3. Did the CCO have sufficient support from firm leadership, including, for example, sufficient resources, to affect the violative conduct?
4. Did the CCO escalate the issue to RIA firm management, particularly since the CCO was not the majority owner of the firm? If firm management was, in fact, aware of the issue, how did management respond?
5. Did the CCO reasonably rely on information from others in the RIA or at the BD (which is discussed in more detail below) that, for example, the OBA was not reportable or that someone else was addressing the issue?

Paragraph 5. “From at least February 2020, [the CCO] received communications from [an IAR] regarding an OBA being conducted by the IAR but did not require the IAR to complete and submit the formal reporting form required for OBAs by [the RIA’s] compliance manual, although [the CCO] instructed the IAR to do so, and did not conduct sufficient review to determine whether the OBA presented any conflicts of interest, as he was required to under the compliance manual. Furthermore, [the CCO] did not take sufficient steps to verify that [the RIA] or the IAR had adequately disclosed to clients the IAR’s relationship to the OBA or any associated conflicts of interest.”

Unanswered questions:

Regarding the IAR’s completion and submission of forms

1. What communications did he receive, and from whom? (Hypothetically, he could have heard that someone else was handling the issue.)
2. Did the CCO supervise the IAR? In other words, did the CCO have actual responsibility, ability, or authority to affect the conduct of the IAR to complete and submit the forms?
3. Who supervised the IAR? Was that person aware of these issues? And if so, what did that supervisor do?
4. What did the order mean by using the words “require” and “instruct”? Did the CCO have the actual responsibility, ability, or authority to require the IAR to complete and submit the form? What does “instruct” mean? For example, does it mean that he said, “Please complete the form”?
5. Did the CCO communicate about this issue to RIA firm management or to the BD?

Regarding the adequacy of disclosures

1. Why did the order fault the CCO for not taking sufficient steps regarding adequacy of disclosure to clients about the OBA or any associated conflicts? The order did not allege that those were the CCO’s responsibilities. (In contrast, in the prior sentence, the Order did state that, under the compliance manual, it was the CCO’s responsibility to determine whether the OBA presented conflicts of interest.) Did the CCO have the actual responsibility, ability, or authority to verify the adequacy of the disclosures?
2. Who had actual responsibility, ability, or authority to verify the adequacy of the disclosures?
3. Did the CCO communicate about this issue to RIA firm management, to anyone else at the RIA, or to the BD?

Paragraph 6. “In June 2020, [the CCO] received further communications related to the OBA that indicated the IAR had failed to meet the requirements of [the IAR’s] compliance program. Despite this notice, [the CCO] did not sufficiently ensure the OBA was being adequately and accurately reported pursuant to [the RIA’s] compliance program.”

Unanswered questions:

1. What further communications did he receive, and from whom? (Hypothetically, he could have heard that someone else was handling the issue.)
2. Does the failure to “meet the requirements” relate to the IAR’s failure to complete and submit a reporting form referenced in Paragraph 5, or were there other requirements that the IAR allegedly failed to meet?
3. How could the CCO have sufficiently ensured that the OBA was being adequately and accurately reported? Did the CCO have actual responsibility, ability or authority to accomplish this reporting?
4. Did the CCO have reporting obligations, as suggested in this paragraph, that are different from the IAR’s reporting obligations, as alleged in Paragraph 5?
5. Did the CCO communicate about this issue to RIA firm management or to the BD?

Paragraph 7. “In August 2020, [the CCO] received notice that certain transactions conducted by the IAR involving transfers of [the RIA] client assets to the IAR’s OBA had been flagged by the broker-dealer for review, but [the CCO] did not conduct sufficient review to determine the legitimacy of the transactions.” 

Unanswered questions:

1. Why were the transactions flagged?
2. Why did the BD report this issue to the RIA?
3. Did the CCO understand that the BD had taken additional actions regarding the transactions other than flagging them? Does flagging the transactions mean that the BD had constructive notice of the OBA?
4. What does “legitimacy” mean? Were they, in fact, not “legitimate”?
5. What was the CCO’s actual responsibility, ability, or authority regarding transaction review? Nowhere else did the order suggest that the CCO’s function included transaction review.
6. Who had actual responsibility, ability, or authority to verify the legitimacy of transactions?
7. Did the CCO communicate about this issue to RIA firm management or to anyone else at the RIA?

Paragraph 8. “In September 2020, [the CCO] received information that the same IAR took steps to avoid the broker-dealer’s compliance program. Despite receiving the information, [the CCO] did not take sufficient steps to monitor the IAR’s compliance with the broker-dealer’s policies as required by [the RIA]’s compliance manual.”

Unanswered questions:

1. What parts of the BD’s compliance program did the IAR “take steps to avoid”? Did these steps have anything to do with the OBA?
2. What was the CCO’s understanding of any actions taken by the BD regarding this conduct? Did the steps taken by the CCO relate to any action that the BD took in response?
3. If the IAR only “took steps,” but did not actually “avoid” the BD’s compliance program (whatever that means), what is the significance of this conduct? (Presumably, it would have been significant if the IAR actually avoided the compliance program, but the order did not allege that.)
4. What steps did the CCO take that were not “sufficient”? What else could the CCO have done? Did the CCO have the actual responsibility, ability, or authority to take sufficient steps?
5. Did the CCO communicate about this issue to RIA firm management, anyone else at the RIA, or anyone at the BD?

Paragraph 9. “In November 2020, [the CCO] became aware that the same IAR had been using [the RIA]’s office address for another OBA. Despite his awareness and concerns, he did not take sufficient steps to ensure that the OBA was being adequately and accurately reported pursuant to [the RIA]’s compliance program.”

Unanswered questions:

1. What is the connection between this other OBA and the rest of the order? (The subsequent paragraphs in the order ambiguously refer to an “OBA,” but it is not clear which OBA is being referenced.)
2. What steps did the CCO take that were not “sufficient”? What else could the CCO have done? Did the CCO have the actual responsibility, ability or authority to take sufficient steps?
3. Did the CCO communicate about this issue to RIA firm management, anyone else at the RIA or anyone at the BD?

Paragraph 10. “In January 2021, [the CCO] received additional communications concerning the OBA and did not take sufficient steps to ensure that the OBA was being adequately and accurately reported pursuant to [the RIA]’s compliance program.”

Unanswered questions:

1. Which OBA is being referenced (the initial one or the one referenced in Paragraph 9)?
2. What additional communications did he receive and from whom? (Hypothetically, he could have heard that someone else was handling the issue.)
3. What steps did the CCO take that were not “sufficient”? What else could the CCO have done? Did the CCO have the actual responsibility, ability or authority to take sufficient steps?
4. Did the CCO communicate about this issue to RIA firm management, anyone else at the RIA or anyone at the BD?

Paragraph 11. “In June 2021, [the CCO] received additional information regarding the extent of the investment advisory representative’s involvement with the OBA and, thereafter, reported the OBA to the broker-dealer. [The CCO]’s reporting of the OBA ultimately resulted in the broker-dealer terminating its relationship with [the RIA].”

Unanswered questions:

1. Which OBA is being referenced (the initial one or the one referenced in Paragraph 9)?
2. What additional information did he receive? (Hypothetically, he could have heard that someone else was handling the issue.)
3. Why did the CCO determine at that time to report?
4. What, if anything, is the connection between Paragraph 5’s allegations regarding the IAR’s failure to complete and submit an OBA form and the CCO’s report alleged in this paragraph? (The order did not allege that the CCO could have or should have taken this step when he first received communications about the OBA.)
5. What did the BD know about the OBA prior to this communication? (Based on Paragraph 7, it appears that the BD already had some knowledge.) If the BD had prior knowledge, what steps did it take and did that impact the CCO’s conduct?
6. If this paragraph means that the CCO ultimately “did the right thing,” was that fact taken into account with regard to the violations or the sanctions? And if so, how?

Conclusion

The SEC’s order is problematic in several respects. First, with regard to the RIA’s conduct, to the extent the case is premised on the RIA’s failure to adequately monitor compliance with the BD’s policies, how did such conduct violate the Advisers Act?

The RIA appears to have voluntarily taken on that monitoring, which was not required under the Advisers Act. Thus, the SEC did not need to bring an action. The SEC certainly does not charge IAs with violating the Advisers Act every time they violate their own policies and procedures.

Moreover, to the extent that this case involves investor protection considerations, presumably, the BD was responsible for enforcing its own policies. Second, who is the “bad guy” in this fact pattern, without whom this saga never would have been written? It is the IAR who engaged in an OBA that he did not formally report to the RIA.

The SEC’s order did not mention an enforcement action against him. Does that mean that the SEC will not charge him or that the investigation regarding his conduct is ongoing? We don’t know. Third, going up the “food chain,” who supervised the IAR, and what was his or her knowledge and responsibility, ability or authority to affect the violative conduct of the IAR? Again, we don’t know.

Fourth, who supervised the CCO, and who actually ran the RIA? We have the same questions, and the order provided the same answers. Why did the SEC bring an action against the CCO, who is considered to be an “ally” of the SEC,[7] but no one else? Again, we don’t know.

Finally, with regard to the CCO’s conduct and the allegations in the order, many other questions are unanswered. The order stated, without more, that the CCO took steps or other action deemed to be not “sufficient” (a term used eight times in the order.) But, unfortunately, the order failed to state what steps or other action he actually took, and it failed to allege that he had the actual responsibility, ability or authority to take “sufficient” steps.

And, unfortunately, the order didn’t state why he didn’t take additional steps. Was it because of communications he had with others at the RIA or at the BD? Was it because of legal ambiguity regarding his knowledge, or was it based on something the IAR communicated to him? We don’t know. Finally, we don’t know what the CCO could have done differently. Enforcement actions are to provide “guidance” to market participants,[8] so that other firms and individuals will “do the right thing” in the future, protecting other clients and the marketplace. But the order did not do that. What it does, instead, is to create the appearance that CCOs have targets on their backs and that the SEC will continue to second-guess CCOs’ conduct.

References

[1] https://static1.squarespace.com/static/61a9074028e505179c284c97/t/61e19a0f1d3d656f1cfbbf3c/1642174991168/NSCP+Firm+and+CCO+Liability+Framework+Jan+2022.pdf

[2] https://www.sec.gov/news/statement/sec-cco-settlements-iaa-rule-206-4-7.html

[3] https://www.sec.gov/news/speech/speech-peirce-103018

[4]  See, e.g., New York City Bar Association Compliance Committee, “Framework for Chief Compliance Officer Liability in the Financial Sector,” https://s3.amazonaws.com/documents.nycbar.org/files/NYC_Bar_CCO_Framework.pdf; NSCP’s “Firm and CCO Liability Framework,” https://static1.squarespace.com/static/61a9074028e505179c284c97/t/61e19a0f1d3d656f1cfbbf3c/1642174991168/NSCP+Firm+and+CCO+Liability+Framework+Jan+2022.pdf.

[5] https://www.sec.gov/news/statement/peirce-statement-hamilton-investment-counsel-070122?utm_medium=email&utm_source=govdelivery#_ftn2

[6] https://investingreview.org/firm/hamilton-investment-counsel-llc

[7] https://www.sec.gov/news/speech/spch063004lar.htm

[8] https://www.sec.gov/news/statement/sec-cco-settlements-iaa-rule-206-4-7.html