The Securities and Exchange Commission (SEC) has taken the compliance profession for granted for too long. That must change.
Compliance officers act as gatekeepers for the SEC, advising their employers daily how to comply with the agency’s regulations not just to keep their firm out of the crosshairs of enforcement actions but because it is the right thing to do. Following the rules is good for customers and investors. It’s also good business.
The SEC is preparing to implement a regulatory agenda that is breathtaking in scope and reach. Among the agency’s proposals under consideration are new rules that would require companies to disclose their greenhouse gas emissions and encourage them to reduce their carbon footprint; increase the diversity of their boards and workforce; improve cybersecurity defenses and how quickly they report data breaches; and prove their environmental, social, and governance (ESG) goals for investment funds are not just talk.
The SEC needs allies—not just to approve its agenda but to implement it. Compliance officers are natural partners for regulators. The SEC should be seeking advice and input from them as it tweaks its proposed rules, from initial comment period to final action.
But communication between the SEC and the compliance community is not happening, or at least not as robustly as compliance practitioners would like. The result is compliance officers are more concerned than ever the SEC will target them in an enforcement action.
So, what can the SEC do to calm the compliance community, alleviate their concerns about chief compliance officer liability, and encourage them to be enthusiastic partners rather than potential enforcement targets?
Create a CCO liability framework or accept one that has already been developed by the compliance community. CCOs want to know exactly how the regulator will view their conduct at firms found to have violated SEC rules and how those rules will be applied. Both the New York City Bar Association and the National Society of Compliance Professionals (NSCP) have released CCO liability frameworks for the SEC to consider.
At the heart of both frameworks is a series of questions CCOs want answered that would help them understand the different scenarios where the SEC would find a CCO liable for wrongdoing that occurred under their watch, for what has previously been termed “wholesale failure” to carry out compliance responsibilities.
SEC Commissioner Hester Peirce recently opined, in a statement regarding a case where the CCO, Jeffrey Kirkpatrick, was punished for wrongdoing committed by an investment adviser representative at his firm, that “the compliance obligation belongs to the firm, not to the CCO.”
“Reminding firms that compliance is their responsibility helps to ensure that they dedicate adequate resources to, and appropriately defer to the judgment of, their compliance departments,” she said. Not doing so discourages qualified compliance professionals from pursuing a career in the field, she said.
Among current and recently departed commissioners, Peirce has been the loudest advocate for the SEC to adopt a CCO liability framework. So far, though, she has been the only one, and as a Republican she is in the minority on the five-member commission. That is more than a little discouraging.
How could the SEC evaluate the CCO liability frameworks that exist and perhaps craft something palatable to both the agency and the compliance community?
The first step would be to create an advisory committee that included compliance practitioners and two SEC commissioners, one Democrat and one Republican. The committee could examine existing CCO liability frameworks and use them as a roadmap to develop their own. In the process, the compliance community could build up its relationship with this SEC, which is beneficial to both sides.
In the interim, the compliance community would like the SEC to offer more insight into its decision-making when it brings charges against a CCO. General guidance could come in the form of risk alerts or statements from agency officials. But information regarding specific cases in which a CCO is charged would be helpful as well.
Brian Rubin and Adam Pollet, partners at law firm Eversheds Sutherland, recently wrote a critique of the SEC’s charges against Kirkpatrick. Rubin is also a member of the board of directors of the NSCP.
The article pressed the SEC to provide more information about enforcement actions taken against CCOs. Of particular importance is to understand whether the CCO has the authority, responsibility, or ability within the firm to act if he or she discovers wrongdoing. The case against Kirkpatrick hinges on whether he had the authority to require an independent advisory representative to fill out an outside business activity form. The SEC maintains that he did, and on that point, Peirce agreed.
But Rubin and Pollet argued the SEC did not provide enough evidence to back up that assertion. They also wanted the agency to clarify what constituted an “inadequately implemented” compliance program and who supervised the independent advisory representative; to explain why certain transactions were deemed to be not “legitimate” and the process the CCO used to address them; and to explain the “insufficient” steps the CCO took to enforce the firm’s policies and procedures.
“Enforcement actions are to provide ‘guidance’ to market participants so that other firms and individuals will ‘do the right thing’ in the future, protecting other clients and the marketplace,” they wrote. “But the order did not do that. What it does, instead, is to create the appearance that CCOs have targets on their backs and that the SEC will continue to second-guess CCOs’ conduct.”
That doesn’t sound like the right way to treat a partner.