In an unprecedented move, the U.S. Securities and Exchange Commission (SEC) released guidance on several platforms in a 30-day period in 2020 regarding certain views on the important role and potential liability risks of chief compliance officers (CCOs). The SEC’s focus on the role of compliance is not new but sometimes the SEC’s support for compliance has not appeared to extend beyond the SEC’s Office of Compliance Inspections and Examinations (OCIE). In this article, we analyze the guidance provided by each source.
October 19, 2020, SEC Commissioner Hester M. Peirce Remarks before the National Society of Compliance Professionals
Commissioner Peirce focused on “the question of how to define the parameters of personal liability for compliance officers,” noting that “the nature of the liability they face in executing [their] responsibilities remains unclear.” The most recent guidance on the issue from the SEC’s perspective, she observed, dates back to 2015, when then‒Enforcement Director Andrew Ceresney “identified three broad categories of cases where the Commission has charged chief compliance officers.” While the first two (instances in which the officer participated in the misconduct or obstructed or misled the Commission) are generally uncontroversial, the third – “cases where … ‘the CCO has exhibited a wholesale failure to carry out his or her responsibility’” – is more problematic. Commissioner Peirce stated, “typically, in such cases, the Commission charges the compliance officer with aiding and abetting the company’s violations, causing the company’s violations, or both.” While aiding and abetting requires proof of reckless conduct, causing violations only require a showing of negligence. “Thus, where a company has committed a violation that does not require scienter – such as failing to have sufficient policies and procedures – a compliance officer can be held to have caused the violation based on her own negligent conduct.”
According to Commissioner Peirce, “Rule 206(4)-7, the investment adviser compliance rule, exacerbates the problem” because, although “[i]t supports negligence-based charges against an adviser’s CCO, [in practice] the rule’s standard has looked more like strict liability.” But, she argued, “an overly aggressive approach to charging CCOs when something goes wrong shifts responsibility for compliance from the firm to the CCO.” Additionally, she reasoned, “charging CCOs based on mere negligence could be harmful to … efforts to foster compliance because it dissuades people from taking jobs in compliance and can encourage dishonest efforts to ‘cover up’ failings rather than openly correcting them.”
She further cautioned against heavy reliance on arguments that “causing” charges against compliance officers are fairly rare and tend to carry light sanctions, acknowledging that “even the SEC’s enforcement actions can be career-ending and are always traumatic events for their subject.” Thus, she recognized the need for greater transparency regarding why the SEC does and does not bring actions against compliance professionals: “In short, context matters, and we can provide more of it.” She also encouraged general discussion “about ways to provide guidance to compliance professionals about what a wholesale compliance failure means and how to avoid one,” appreciating that compliance officers are not governed by a “formal regulatory structure.”
Thus, Commissioner Peirce concluded that developing “[a] framework detailing which circumstances will cause the Commission to seek personal liability and which circumstances will militate against seeking personal liability would” both “help the compliance community by eliminating uncertainty and inspiring good practices” and “prove useful for … the SEC to use in deciding whether to charge CCOs.” Moreover, she argued, “[i]t also is time for us to examine how well the compliance rules under the Investment Advisers and Investment Company Acts are functioning” and “to provide greater clarity” to those roles. To do so, she suggested the creation of a “public-private advisory group” and generally encouraged greater dialogue between the SEC and compliance professionals.
November 19, 2020, Risk Alert ‒ OCIE Observations: Investment Adviser Compliance Programs
The OCIE Compliance Risk Alert generally provides guidance regarding the compliance programs of investment advisers. It also specifically addresses the role and duties of the CCO:
… the Compliance Rule [Rule 206(4)-7] requires each adviser to designate a [CCO] to administer its compliance policies and procedures. An adviser’s CCO should be competent and knowledgeable regarding the Advisers Act and should be empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the firm. The CCO should have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.
The Risk Alert continues by listing examples of notable deficiencies or weaknesses identified by OCIE staff. Importantly, the first two focus on CCOs. The first is titled “Inadequate Compliance Resources,” and the first point under this subheading describes the SEC’s and OCIE’s longstanding concern with CCOs wearing “multiple hats.” It specifically describes this deficiency/weakness as follows:
CCOs who had numerous other professional responsibilities, either elsewhere with the adviser or with outside firms, and who did not appear to devote sufficient time to fulfilling their responsibilities as CCO. While CCOs may have multiple responsibilities, OCIE observed instances where such CCOs did not appear to have time to develop their knowledge of the Advisers Act or fulfill their responsibilities as CCO.
OCIE titled the next deficiency/weakness “Insufficient Authority of CCOs” and went into greater detail to describe this deficiency/weakness:
Insufficient Authority of CCOs. OCIE staff observed CCOs who lacked sufficient authority within the adviser to develop and enforce appropriate policies and procedures for the adviser. For example:
- Advisers that restricted their CCOs from accessing critical compliance information, such as trading exception reports and investment advisory agreements with key clients.
- Advisers where senior management appeared to have limited interaction with their CCOs, which led to CCOs having limited knowledge about the firm’s leadership, strategy, transactions, and business operations.
- Instances where CCOs were not consulted by senior management and employees of the adviser regarding matters that had potential compliance implications.
As our readers know, we recommend that firms take the guidance in OCIE’s Risk Alerts very seriously, as OCIE staff and staff from the Division of Enforcement apply the guidance in OCIE’s Risk Alerts to their examinations and investigations.
OCIE Director Phil Driscoll’s Opening Remarks at the National Investment Adviser/Investment Compliance Outreach 2020
OCIE Director Driscoll’s November 19, 2020, speech seeks to strike a somewhat different tone than the enforcement-focused tone of Commissioner Peirce’s speech and the examination deficiencies and weaknesses discussed in the OCIE Compliance Risk Alert. After opening remarks regarding the impacts of the pandemic on firms, OCIE Director Driscoll turned to this topic under the heading “Empowering Chief Compliance Officers” and a subheading, “Empowerment, seniority and authority.”
He started by reciting constructive points consistent with the OCIE Compliance Risk Alert, but then he turned and raised the following points to attempt to empower and encourage firms and CCOs:
- OCIE observes good practices where CCOs are routinely included in business planning and strategy discussions and brought into decision-making early-on, not for appearances, but for their meaningful input.
- OCIE notices CCO access and interaction with senior management, prominence in the firm, and when they are valued by senior management.
- OCIE Director Driscoll pointed out that a good CCO can be a true “value-add” to the business; by keeping up with regulatory expectations and new rules, they can assist in positioning their firms not only to avoid costly compliance failures, but also provide pro-active compliance guidance on new or amended rules that may provide advisers with additional business options.
OCIE Director Driscoll concluded his speech by discussing the similarities between OCIE and CCOs:
Compliance officers are on the front lines to help ensure that registrants meet their obligation under applicable securities laws and regulations. We too are on the front lines and with a similar mission, and in many ways examiners and compliance officers and personnel are two-sides of the same coin. We cannot overstate a firm’s continued need to assess whether its compliance program has adequate resources to support its compliance function. Resources means a lot of different things, including training, automated systems and adequate staff to support firm growth, but perhaps most importantly, it means “empowerment.” Compliance must be integral to an adviser’s business and part of its senior leadership.
Although it is still unclear whether or how quickly the guidance discussed in this article takes hold, Commissioner Peirce’s observations and acknowledgements of the unique challenges compliance professionals face are encouraging. Similarly, OCIE Director Driscoll’s efforts to empower firms and CCOs regarding compliance programs and to emphasize the important role of the CCO are commendable. As we anticipate a Democrat-appointed Chair and more aggressive agendas for both the SEC’s enforcement and examination programs, firms and CCOs should heed this guidance and engage in any remedial efforts in this important area as soon as is reasonably practicable. That said, unfortunately none of this guidance addresses the historical and current opaque nature of the federal securities laws applicable to CCO potential liability.
This blog post was condensed from the December 1, 2020, edition of Faegre Drinker’s Enforcement Highlights. Read the entire article at https://enforcementhighlights.com/2020/the-secs-cco-guidance-month/.