For an enforcement priority that allegedly is pretty low on the pecking order, personal liability for chief compliance officers seems be getting an awful lot of attention lately.

The latest volley was fired on June 18, when Dan Gallagher, commissioner at the Securities and Exchange Commission, blasted the agency for imposing sanctions against CCOs twice this spring. “I have long called on the Commission to tread carefully when bringing enforcement actions against compliance personnel,” Gallagher said. “These recent actions fly in the face of my admonition.”

The first enforcement action occurred in April, when the SEC charged Bartholomew Battista, the former CCO of BlackRock Advisors, with failing to ensure that the firm had compliance policies and procedures to monitor the outside activities of employees and to disclose conflicts of interest to fund boards and advisory clients. The second happened in June, when the SEC charged Eugene Mason, the CCO of SFX Financial Advisory Management Enterprises, with failing to detect the theft of client assets by Brian Ourand, the former president of the firm. In both cases, the SEC faulted the CCOs for failing to implement the firms’ policies and procedures.

Gallagher scorched the SEC’s broad interpretation of Rule 206(4)-7 of the Investment Company Act and the Investment Advisers Act. That rule states—vaguely, Gallagher would argue—that registered investment advisers must “[a]dopt and implement written policies and procedures reasonably designed to prevent violation[s]” of the Advisers Act and its rules.

The problem, Gallagher noted, is that the Commission never issued any guidance distinguishing the CCO’s role from that of business unit managers in carrying out compliance policies and procedures. “On its face, Rule 206(4)-7 speaks directly to the responsibility of the adviser, but all too often, the Commission interprets the rule as being directed at CCOs,” he said.

“I have long called on the Commission to tread carefully when bringing enforcement actions against compliance personnel. These recent actions fly in the face of my admonition.”
Daniel Gallagher, Commissioner, SEC

According to Gallagher, Rule 206(4)-7 “expressly states” that CCOs must only administer the firm’s compliance policies and procedures. “At the end of the day, ultimate responsibility for implementation of policies and procedures rests with the adviser itself,” he said.

BlackRock and SFX did not return requests for comment.

The point Gallagher was trying to make, says Amy Lynch, founder of FrontLine Compliance, is that particularly at large financial firms, “business line managers need to take more responsibility for the implementation side of the compliance program.” They are the ones who do the day-to-day operational and supervisory work, she says, not the chief compliance officer. “The CCO cannot be the scapegoat.”

At small investment advisory firms (those with a staff of 20 or fewer) the CCO often does wear two hats, both administering and implementing policies and procedures, “but while you might be able to say that the CCO does not implement procedures, it is the CCO’s function to ensure that proper compliance policies and procedures have been implemented,” says Jeff Groves, president of consulting firm ComplianceWorks and former CCO at Helix Trading. “The CCO at any firm is the gatekeeper to ensure proper policies and procedures are in place to prevent breaches of compliance regulation.”

Troubling Trend

Those in the investor adviser community share Gallagher’s worry that holding CCOs accountable for the conduct of advisers sets a dangerous precedent. “Who is going to want to be in that position?” says Joshua Horn, a partner and co-chair of the securities industry practice at law firm Fox Rothschild.


Below CW writer Jaclyn Jaeger provides details on the SEC's case against the former president of registered investment adivser Pekin Singer.
The Securities and Exchange Commission suspended for one year the former president of an investment advisory firm over claims that he consistently dedicated insufficient resources to the firm’s chief compliance officer, which contributed substantially to various compliance failures.
As part of the settlement, Ron Strauss, president of registered investment adviser Pekin Singer until last year (he is now a senior adviser to the firm), will pay a civil penalty of $45,000. In addition, the firm will pay a $150,000 civil penalty, while two of its former executives will pay a penalty of $45,000 each.
According to the SEC’s June 23 order, “Pekin Singer failed to conduct timely annual compliance program reviews in 2009 and 2010 and failed to implement and enforce provisions of its policies and procedures and Code of Ethics during this same period.”
Even though Strauss knew that the CCO had little compliance experience when he filled the role in 2006, Strauss failed to provide the CCO with staff to assist him with compliance responsibilities, “other than the prior CCO, who was then part-time and was serving in an advisory capacity,” the SEC stated. 
The SEC also faulted Pekin Singer for failing to conduct annual compliance program reviews, even after the CCO alerted Strauss that the compliance program and testing needed further improvement. The CCO, himself, “lacked experience, resources, and knowledge as to how to adopt and implement an effective compliance program or how to conduct a comprehensive and effective annual compliance program review,” the SEC order stated.
According to the SEC, Strauss chose not to make compliance a priority. Instead, he directed the CCO to focus on his investment research and other non-compliance responsibilities instead.
Pekin Singer did not engage a compliance consultant to assist the CCO until 2011. After that time, the SEC discovered that “several violations of Pekin Singer’s policies and procedures and Code of Ethics” had occurred between 2009 and 2011 that were not detected until the compliance consultant and an SEC staff examination assessed Pekin Singer’s compliance program.
—Jaclyn Jaeger

“We’re hearing similar concerns among CCOs at investment adviser firms—and not just from CCOs, but also from senior management,” says Karen Barr, president and CEO of the Investment Adviser Association, a non-profit group that represents the interests of SEC-registered investment adviser firms (RIAs).

“The CCO role is a critically important function at investment adviser firms, and senior management want to be able to hire the best and the brightest,” Barr says. “They don’t want folks to be turned off from this kind of a position for fear of liability or targets on their backs.”

In his statement, Gallagher said he’s “especially worried” about what effect the trend of strict liability could have on small advisers, many of which have just one set of policies and procedures covering both compliance and business functions. At these firms, by taking ownership of the implementation of policies and procedures, he said, “CCOs could unwittingly also be taking ownership of business functions, subjecting them to strict liability whenever there is a violation of the securities laws.”

From a practical standpoint, the majority of CCOs at RIAs would fall under the strict liability umbrella, given that most RIAs are small firms. According to a recent report conducted by the Investment Adviser Association and National Regulatory Services, 57 percent of more than 10,000 RIAs reported having 10 or fewer full-time and part-time non-clerical employees in 2014; 88 percent reported having 50 or fewer such employees.

As mandated by the Dodd-Frank Act, however, the SEC only regulates investment advisers with more than $100 million in assets under management. Investment advisers that don’t meet this threshold generally are regulated by the state securities agency where the firm’s principal place of business is located.

As concerning as the strict liability trend may be for small firms, it’s equally worrisome for compliance officers of large investment firms. “If you look at the cases [Gallagher] pointed out, BlackRock is certainly no tiny entity,” Lynch says. According to BlackRock’s website, the firm manages more than 7,700 portfolios, with $4.77 trillion in assets under management. It has more than 12,000 employees in 30 countries around the world. 

“CCO liability in small firms is more acute, as the compliance program’s effectiveness tends to be centered around one, or a couple, of people,” Groves says. In larger organizations, “it is the organization as a whole that is responsible for ensuring compliance, with the CCO being the primary tool to effect that policy.”

Broader Ramifications

The personal liability of compliance officers is not limited to the investment adviser world. The SEC’s enforcement actions against Battista and Mason are analogous, Horn says, to what we’re seeing in the broker-dealer context, where the SEC has started to pursue compliance and legal professionals for the actions of others.

Many may recall that in 2010 the SEC pursued a controversial case against Theodore Urban, then-general counsel of former brokerage and investment bank Ferris Baker Watts, over allegations that he failed to supervise a rogue broker involved in a stock manipulation scheme. The Urban case injected fear into compliance and legal executives in the securities industry, who argued that the SEC’s overly broad view of who qualifies as a “supervisor” made them potential targets of an SEC enforcement action.

“It seems a bit draconian to nail a chief compliance officer who is not involved in whatever the securities violation is,” Horn says.

“For the most part you will not see the same ‘rule’ in other regulatory systems, but the approach in terms of protecting clients and what information they are given is in many ways similar,” Groves says. “This similarity results in similar documentation practices and adopting similar supervisory practices for various aspects of a compliance program.”

For an enforcement action to be brought against a compliance officer in any situation, “the punishment needs to fit the crime,” Lynch says. Gross negligence or actual participation in misconduct may indeed be grounds for charges, she says. It’s a whole other story if that CCO acts in good faith while others at the firm engage in risky behavior and then try to “throw the CCO under the bus,” she says.

Barr stresses that it’s “very important” that compliance officers structure their roles in such a way that they are not acting in a supervisory role over employees in the business units carrying out those policies and procedures. At small firms particularly, “you need to be very careful about which role you’re playing and which hat you’re wearing at any given time,” she says.