SEC Action Against CCO Raises Many Questions

Last month, the Securities and Exchange Commission brought a settled enforcement case against a chief compliance officer (CCO) and a registered investment advisor, causing many in the securities industry to scratch their heads and others to quake in their boots.

Regulators have said they would not “second guess” CCOs and would charge CCOs only if there were “wholesale failures.” Here, there was no material failure, but the CCO was booted from the industry, with a five-year bar as supervisor or compliance officer and a $15,000 penalty.

Because of the importance of CCO liability to the financial services industry, various organizations, including the New York City Bar Association (NYCBA) and the National Society of Compliance Professionals (NSCP), have proposed frameworks to assist regulators in the difficult task of assessing the conduct of CCOs.

Indeed, in a separate statement supporting the settlement, Commissioner Hester Peirce addressed some of these issues and attempted to apply the NYCBA’s framework. Unfortunately, applying such standards is difficult because the order omits many facts, raising questions about the role of CCOs and what liability standards the SEC applies.

Had the SEC applied these frameworks, and in particular the NSCP’s framework, it would have addressed issues such as the responsibility, ability and authority of the CCO, as well as viewed this conduct holistically, examining the conduct of the RIA’s management and other parties.

The SEC’s Allegations

The SEC charged the RIA with failing to adopt and implement reasonable written policies and procedures and charged the CCO with aiding and abetting and causing those violations.

The CCO was a firm “principal” and a registered representative with a broker-dealer used by the RIA in its advisory business. The case revolved around an investment adviser representative (IAR) who allegedly failed to disclose his outside business activities (OBAs) to the RIA and failed to comply with the policies of the unaffiliated BD. (The SEC’s order does not state that the IAR has been charged separately.)

Regarding the CCO, the order alleged that he failed to:

• Make sufficient changes to the design and implementation of the RIA’s compliance program.
• Require the IAR to complete and submit the RIA’s OBA form.
• Conduct sufficient review to determine whether the OBA presented conflicts of interest and was adequately disclosed to clients.
• Conduct sufficient review of the IAR’s transactions involving the OBA, which had been flagged by the BD.
• Take sufficient steps to monitor the IAR’s compliance with the BD’s policies after becoming aware that the IAR took some steps to avoid the BD’s compliance program.
• Take sufficient steps to ensure that a second OBA was being properly reported.

For each issue, the order alleged that the CCO took steps or other action deemed not “sufficient,” without providing detail of what he actually did. In addition, the order failed to state what the CCO could have done differently.

Questions About the Order’s Failures

The order’s bare-bones factual findings raise many questions demonstrating that the order omitted material facts relevant for establishing liability. Those facts would have also assisted other CCOs in knowing what conduct is expected and what to do to avoid liability. Had the SEC focused more on the questions presented in the NSCP’s and the NYCBA’s frameworks, answers to those questions would have provided the industry with much-needed guidance.

1.  Inadequate implementation of compliance program

Does the failure by one individual to take certain (unspecified) steps constitute an inadequate implementation of a program, or is that simply evidence that one person (allegedly) failed to perform one aspect of the job adequately?

Did the CCO have sufficient support from firm leadership to affect the violative conduct? (The fact that the SEC chose to charge both RIA and the CCO suggests that that SEC considered the failures to go beyond the CCO’s conduct.)

Did the CCO reasonably believe that others at the RIA or the BD were addressing the issues?

What authority did the CCO have as a “principal”? (In trying to apply the NYCBA Framework, Commissioner Peirce stated that “As a principal of the firm, he had adequate authority to address the compliance inadequacies,” however, the Order never stated that he had “authority,” and public records indicate that he was a minority owner of the RIA.)

2. Failure to control the IAR

Did the CCO supervise the IAR and have actual responsibility, ability, or authority to affect his conduct by requiring the IAR to complete and submit the OBA form? (The Order does not state who supervised the IAR.)

3. Failure to disclose the OBA to clients and review conflicts

Did the CCO have actual responsibility, ability, or authority to change disclosures or to conduct conflict review? (The Order does not state those were his responsibilities.)

4. Transaction review

Did the CCO have actual responsibility, ability, or authority to affect transaction review to determine the legitimacy of the transactions? (The Order does not state those were his responsibilities.)

Why did the BD flag the transactions and what did the BD do about that?

5. The BD’s compliance program

Why is the SEC charging the RIA and its CCO in connection with the unaffiliated BD’s program?

What did the BD do, and was the CCO relying on that action?

Did the steps taken by the IAR to avoid the BD’s compliance program have anything to do with the OBA? (The Order does not state that they did.)

6. The other OBA

What is the connection between the first OBA and the second OBA?

When “OBA” is mentioned subsequently in the Order, which OBA is the Order referring to?

Final Thoughts

The order presents several problems for the industry.

First, there are three missing players in this drama: the “bad guy” who engaged in undisclosed OBA(s) and who hasn’t apparently been sanctioned, the IAR’s supervisor who presumably could have ordered him to complete those missing forms, and the CCO’s supervisor.

Second, it’s not clear how the RIA violated the Advisers Act by failing to adequately monitor compliance with the BD’s policies. The RIA appears to have taken on an unnecessary obligation, and a failure to comply with an unnecessary obligation doesn’t mean that the RIA’s compliance program wasn’t reasonable. Indeed, firms often fail to follow their procedures, and they are not sanctioned. If there were investor protection considerations, presumably, the BD was responsible for enforcing its own policies.

Finally, with regard to the CCO, many questions are unanswered: (1) what steps did the CCO take that were insufficient; (2) did he have the actual responsibility, ability or authority to take “sufficient” steps; (3) why didn’t he take additional steps; and (4) how did the order take into account that the CCO eventually reported the OBA?

Without answers to these questions, we don’t know what the CCO could have done differently.

Enforcement actions should provide guidance to market participants, so that others will “do the right thing” in the future, protecting clients and the marketplace. Instead, the order suggests that CCOs have targets on their backs and that the SEC will continue to second-guess CCOs’ conduct.

---

Brian Rubin and Adam Pollet are partners at Eversheds Sutherland in Washington.