CCO Liability: What You Need To Know
Over the past few years (and perhaps most notably starting with the much-publicized Ted Urban case),1 the issue of Chief Compliance Officer ("CCO") liability has continued to cause anxiety amongst those who hold that title. Effective February 5, 2004, the U.S. Securities and Exchange Commission ("SEC") required that registered investment advisers (pursuant to Rule 206(4)-7 of the Investment Advisers Act of 1940, 15 U.S.C. § 80b) and investment companies (pursuant to Rule 38a-1 of the Investment Company Act of 1940, 15 U.S.C. § 80a) designate a CCO. The Financial Industry Regulatory Authority ("FINRA") followed suit and required its member firms to designate a CCO. Both regulators expect the CCO to be responsible for administering the firm's policies and procedures that are reasonably designed to detect and prevent violations of securities laws and regulations. It's the ownership and implementation of those procedures that causes potential liability problems for those CCOs.
To help address this sensitive topic, various regulatory guidance has been provided, both through speeches and writings, on how CCOs can identify and take steps to mitigate potential liabilities. For example, on November 4, 2015, during the keynote address at the National Society of Compliance Professionals' National Conference, Andrew Ceresney listed three major areas where CCOs would be at risk.2 He stated that the SEC would bring enforcement actions against a CCO in the following instances:
- Where the CCO is directly engaged in misconduct unrelated to the compliance function;
- Where the CCO attempts to obstruct or mislead the SEC staff; and
- Where the CCO exhibits a wholesale failure to carry out compliance responsibilities.3
In summary, Ceresney was reiterating a basic theme: if CCOs do their job diligently, then they will avoid liability. This sounds very reasonable, and if taken at face value would eliminate much of the worry. However, it's the interpretation of these three scenarios that causes problems. So much of compliance and regulation in general is a matter of the facts and circumstances of individual cases and firms that, when the regulatory enforcement staff delves into a case, it is their interpretation of those facts and circumstances that can put a target on the back of the CCO.
For instance, consider the Ted Urban case. The SEC's enforcement staff believed that Urban was a supervisor and therefore failed to supervise one of the firm's big producers. However, it was shown that he did all he could within reason. And that is the standard that should be considered: are policies and procedures reasonably designed to prevent violations of securities laws, and were "reasonable" actions taken by the firm and its supervisors?
Smaller firms, where only one or two people run the firm, have unique challenges. Oftentimes, one of the business owners is wearing two hats, whereby one minute that person is responsible for client servicing and investments, the next minute that person must serve as the CCO. This scenario is riddled with conflicts if delegation of supervision is not explicitly differentiated from the CCO function.
Other CCOs may be in an office environment whereby the owner, president or CEO has to approve all compliance disciplinary actions and/or exclaims, "don't worry about it, I am taking care of it." During these instances, the CCOs must protect themselves with notes to files or emails or some way to show that they have done what they could - within reason. As with everything else in our industry, if you don't evidence it - it didn't happen.
On June 29, 2015, SEC Commissioner Luis Aguilar stated that CCOs who put investors first and do their jobs competently and in good faith should not have to worry about being targeted by SEC enforcement.4 Notably, he stated:
In the seven years that I have served as a Commissioner, it has been my experience that the Commission does not bring enforcement actions against CCOs who take their jobs seriously and do their jobs competently, diligently, and in good faith to protect investors. I do not believe that these CCOs should fear the SEC.5
Others have cautioned the SEC as to when to bring enforcement actions against compliance personnel. In a speech explaining his dissenting opinions in two recent SEC enforcement cases6 (In the Matter of Blackrock Advisors, LLC (April 20, 2015) and In the Matter of SFX Financial Advisory Management Enterprises, Inc. (June 15, 2015)), former SEC Commissioner Daniel Gallagher stated:
The Commission needs to be especially cognizant of the messages it sends to the compliance community, and in particular to CCOs of investment advisers. To put it bluntly, for the vast majority of advisers, CCOs are all we have. They are not only the first line of defense; they are the only line of defense...the Commission seems to be cutting off the noses of CCOs to spite its face.
With this in mind, the financial industry needs to ensure that CCOs are supported. This means that investment adviser and broker-dealer firms need to provide the necessary funds and personnel to create, support and maintain a vital and aggressive compliance program. If a CCO has repeatedly asked his or her firm for help (whether personnel or financial) and does not get it (and it is documented), and the firm ends up facing an enforcement action, it is the firm, not the CCO, that will usually get fined.7
In addition to having necessary resources, CCOs should, to the extent possible, try not to assume supervisory roles within their organization. The CCO should be an adviser to the business and oversee that the supervisors are actually performing their roles and responsibilities. Consider again the Urban case. The SEC claimed that he was a supervisor and therefore had liability. His defense showed that he was in fact NOT a supervisor and had done all he could to remedy the situation.
Depending on your firm and its culture, mitigating CCO liability can be a complex or simple process. To assist, CCOs should consider the following:
- Do your job diligently.
- Memorialize recommendations to senior management as an advisor to the organization - both for escalation issues and resource needs.
- Document who the supervisors are within your organization.
- To the extent the CCO has a supervisory role, frequently document and detail the distinctions between your role as CCO versus your supervisory role.
- Communicate with your other C-Suite officers clearly and concisely.
- Keep up with rule changes and make sure they are reflected in your Policies and Procedures.
For more information about how to protect against CCO liability, please contact us.
Author: David M. Sobel, FINRA Specialist; Editor: Michelle L. Jacko, Esq., Managing Partner, Jacko Law Group, PC. JLG works extensively with investment advisers, broker-dealers, investment companies, hedge funds, banks and corporate clients on securities and corporate counsel matters.
This article is for information purposes and does not contain or convey legal advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer.
1 See In the Matter of Theodore Urban, Initial Decision Release No. 402, Adm. Proc. File No. 3-13655 (Sep. 8, 2010).
6 See public statement, "Statement on Recent SEC Settlements Charging Chief Compliance Officers with Violations on Investment Advisers Act Rule 206(4)-7" at https://www.sec.gov/news/statement/sec-cco-settlements-iaa-rule-206-4-7.html.
7 See In the Matter of Pekin Singer Strauss Asset Management, Investment Adviser Release No. 4126 (Jun. 23, 2015).