Creating chief compliance officer positions only on paper—what we will call “ghost CCOs”—can cause firms to overlook securities law violations and draw harsher penalties if the Securities and Exchange Commission (SEC) establishes wrongdoing.

In three enforcement actions taken by the SEC in recent months, owners of small investment firms who took on the responsibilities of a CCO were cited for violating securities laws. Often, these small investment shop owners held multiple titles. Two of the offending owners had four titles, including CCO; another had five.

In another SEC enforcement case that entered final judgment in late 2019, a small firm’s owner had hired his son, who had no experience in compliance, to be the CCO.

The CCO duties in all the examples were, at best, an added responsibility the owner thought could be handled without additional resources. At worst, having a CCO title in name only or in the hands of an inexperienced employee gave firm owners carte blanche to violate securities laws, with no one to point out violations or take corrective action.

“Whoever wears the CCO hat needs to be competent and to understand the laws and what a good compliance program looks like,” says Carlo di Florio, a former Financial Industry Regulatory Authority (FINRA) and SEC regulator who now serves as global chief services officer with ACA Compliance Group.

The decision of the small investment firm owner to create a CCO title only on paper can have disastrous consequences.

Take the cases of George Taylor and Tamara Steele. Both were the owners and founders of small investment advisory firms for many years. Both took on CCO responsibilities and the title of CCO. And both were slapped with penalties and sanctions by the SEC for making investment decisions on behalf of investors without proper disclosures.

Taylor operated his firm Temenos Advisory of Litchfield, Conn., under several different names since 1992. He and his firm were charged in 2018 for putting $19 million of investor money in “risky, illiquid private securities offerings” and for “illegally acting as unregistered broker-dealers.”

In June, the U.S. District Court for Connecticut issued final judgments against the firm and Taylor, ordering Temenos to pay $768,137 in disgorgement, prejudgment interest of $56,706, and a civil penalty of $775,000. Taylor himself was ordered to pay $321,956 in disgorgement, prejudgment interest of $22,358, and a civil penalty of $179,618.

Temenos’ website is no longer active, and it has not filed an annual report with the Connecticut Secretary of State since 2018. Neither Taylor nor anyone from Temenos could be reached for comment.

The SEC alleged in its complaint that Tamara Steele and Steele Financial of Pendleton, Ind., sold risky securities to 120 clients without disclosing her firm earned commissions from the sale and then created false invoices and “took other steps to conceal their involvement” in the scheme.

In the SEC’s order, Steele was barred from the securities industry and ordered to disgorge $845,760 and pay a $75,000 civil penalty. “Steele has also agreed to comply with an undertaking to cause Steele Financial to cease operations and terminate the corporation within 90 days of the entry of Final Judgment,” the order said. Steele agreed to the terms of the order without admitting guilt.

Founded in 2000, Steele Financial is still active, with an active website and up-to-date LLC filings with the Indiana Secretary of State. Neither Steele nor anyone from the firm responded to a request for comment.

Good intentions aren’t good enough

What motivated these small shop owners to appoint themselves as CCO?

In 2004, the SEC implemented a rule (206(4)-7) requiring investment advisors to “adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws, review those policies and procedures annually for their adequacy and the effectiveness of their implementation, and designate a chief compliance officer to be responsible for administering the policies and procedures.”

For small firms, the rule “requires only that the policies and procedures be reasonably designed to prevent violation of the Advisers Act, and thus need only encompass compliance considerations relevant to the operations of the adviser.”

In most cases, the decisions of small firm owners to take on CCO responsibilities are probably made with the best intentions, di Florio says. A key responsibility of an investment firm CCO is determining when disclosures need to be made, who needs to receive them, and how often. In both cases, there was no one to evaluate the need for disclosures—other than the firm’s owners.

“They probably figure, ‘Hey, it’s my name on the door, I’m responsible for whatever happens with my firm,’” he says. The best person to protect their firm’s brand and reputation is the owner, he said.

“The problem is when they don’t take the role seriously or give it as much attention as it deserves,” di Florio says. Some small firms may hope the SEC will overlook them because of their size, or because the regulator has too many other cases, he says.

In the case of a Maryland-based investment firm owner and CCO who found himself in the SEC’s crosshairs, hiring a real CCO might not have stopped the illegal activity. Conversely, a real CCO might have been compelled to report the firm’s violations of securities law.

Gautam Prakash founded Monsoon Capital LLC, an investment firm based in Bethesda, Md., in 2007. He listed himself as the founder, owner, senior managing director, and CCO.

According to the SEC’s order in the case, Prakash breached his fiduciary duty when he borrowed $1 million in cash from a private fund Monsoon advised “to settle a personal trade.” Over four years, Prakash also submitted $44,000 in “excessive travel reimbursements” to the fund, the SEC said.

Without admitting or denying the findings in the SEC’s order, Monsoon and Prakash “agreed to cease and desist orders and to a joint and several penalty of $100,000. Monsoon also agreed to be censured, and Prakash agreed to a collateral associational bar and investment company prohibition,” the SEC said in a press release.

A receptionist at Prakash’s Bethesda office said Prakash is no longer working in securities and would decline comment.

Same rules apply

Small firm owners who take over CCO responsibilities either by design or necessity need to understand there are consequences for doing the job incorrectly, or not at all.

A CCO for an investment firm has fiduciary responsibilities, says Keith Darcy, a compliance consultant.

Investment advisors need to be watching out for conflicts of interest, for unsuitable investments, and for other issues like misrepresentation, unauthorized transactions, dealing in self-interest, and negligence, Darcy says. CCOs need to make sure everyone in the firm understands the securities laws that apply to their job and write an annual report that details how the firm maintained compliance with the SEC’s rules.

“Fiduciaries have obligations under the law. To be a CCO, you’ve got to do your job,” Darcy says.

Small firm owners should start out with the idea that their leadership sets the ethical example for how the firm will operate.

“At some point, integrity comes from the top,” says Rob Chesnut, former chief ethics officer at Airbnb and author of a new book, “Intentional Integrity.” “Leaders have an outsized role in determining how a company behaves. If they took on this role and have a strong ethical compass, great. But if not, it’s going to go poorly.”

Chesnut says small firms have limited resources and may not have a large staff. That doesn’t excuse shorting a CCO’s responsibilities by creating a position just on paper.

“You wouldn’t put a founder in the role of a general counsel or chief financial officer,” he says. “Being a CCO is a critical responsibility, which requires extensive experience to do it right.”

Firms under the SEC’s microscope for violations might be viewed more favorably if they can show they made an effort at compliance, such as by hiring a consultant to provide guidance, says di Florio.

“They’re not looking to penalize people for foot faults,” he says, noting again the SEC rule’s language regarding reasonable intent. People who don’t care about compliance, “who are of the mindset that they can just skate by,” will be treated more harshly, he says.

Experience matters

The story of an Illinois investment advisory firm offers a case study in what could happen when a firm’s chief executive hires a CCO with absolutely no experience in compliance. That person’s loyalty is sure to be with the CEO who hired him/her, and the lack of experience will make it easy to ignore or overlook potentially illegal actions that a legitimate CCO might have caught.

In 2019, the SEC received a favorable ruling in a court action against The Nutmeg Group, a now-defunct advisory firm based in Illinois. A federal court judge said Nutmeg owner and managing partner Randall Goulding used Nutmeg as “his personal piggy bank” in addition to commingling funds and working with poor internal control systems.

Who at the Nutmeg Group would have stopped him? Certainly it was not the firm’s chief compliance officer, David Goulding, whose chief compliance qualification was being Randall Goulding’s son. The court criticized David Goulding’s decision to accept the CCO job at Nutmeg as “extremely reckless” and went on to say he “literally had no idea what he was doing or what he was getting himself into when he decided to go work for Nutmeg.”

The court eventually ruled David Goulding should pay nearly $32,000 in disgorgement and fines. The Nutmeg Group, whose business license with the state of Illinois was revoked in 2014, could not be reached for comment.

CCOs need to be “given the power to enforce the rules, not just monitor them,” says Thomas Ruchti, assistant accounting professor at Carnegie Mellon University in Pittsburgh. If a CCO is beholden to the company CEO for hiring him or her, that CCO could be ineffective because they have no real power, he said.

“They need to have the power to tell people, ‘You need to stop doing this,’ or, ‘You need to disclose these things,’” Ruchti says.