The debate has intensified over when, and how, compliance officers may find themselves the subject of an enforcement action by the Securities and Exchange Commission.
Recent statements by commissioners include Chairman Mary Jo White assuring CCOs they are not being targeted, Luis Aguilar suggesting there is “unwarranted fear,” and Daniel Gallagher citing actions against Blackrock Advisors and SFX Financial Advisory Management Enterprises to suggest that “the SEC is overreaching” with its application of the Investment Advisers Act when punishing compliance personnel at those firms.
Now, in a letter delivered to the SEC’s Director of Enforcement Andrew Ceresney, copied to sitting commissioners, the National Society of Compliance Professionals, a trade group for compliance professionals, is seeking assurances that only intentional and reckless behavior is grounds for action against a CCO.
The group says it appreciates the fact that a rogue compliance officer may intentionally violate or participate in a violation of the securities laws. “In such instances, there is no reason to differentiate a compliance officer from any other defendant,” Executive Director Lisa Crossley wrote, stressing that “compliance officers are already highly motivated as crucial instruments of investor protection and do not need the threat of enforcement action to do their jobs well.”
A fundamental policy question is whether enforcement actions against compliance officers “will motivate them to greater vigilance or risk a demoralizing belief that even exercising their best judgment will not protect them from the risk of a career ending enforcement action,” the NSCP wrote. The latter scenario may have the result that “many of the best compliance officers will choose to leave the profession rather than face the risks.”
NSCP suggests that the SEC, as a matter of policy, decline to bring a proceeding based on simple negligence and act only if a CCO acted intentionally or recklessly to facilitate the underlying violation.
“We are particularly troubled by the liability exposure for compliance officers when, after the fact, someone reviewing an ex post record concludes that they should have known that better procedures or better judgments could have prevented the primary violation.,” Crossley wrote. “In this context, a negligence standard is so amenable to liability by hindsight that we are concerned compliance officers will face the rigors of an enforcement investigation, and potentially career-altering liability, for simple mistakes or errors of judgment which could somehow be connected to a primary violation committed by others.”
NSCP has suggestions for what the SEC should consider when deciding whether to pursue an enforcement action against a compliance officer. Fundamentally, it says, there must be an understanding that CCOs may administer policies and procedures, but they do not implement them, management does. “Compliance officers are staff functions, not line functions,” Crossley wrote. “Ultimate responsibility to implement policies and procedures rests with the business and not the compliance officer. Considering their staff role, holding compliance officers accountable for a negligent miss that conceivably could be linked to an implementation failure by the firm fails to reflect the realities and limitations of a compliance officer’s responsibilities.”
Crossley questions how, absent affirmative misconduct, a compliance officer can be seen as truly “causing” a violation. “The notion of a compliance officer causing the violation is often inconsistent with common sense,” she wrote. “By definition, the most a compliance officer can do is take steps through monitoring and testing, and subsequent escalation to management, to mitigate a violation that already has been committed.”
Unless tempered by prosecutorial discretion, a decision to charge a compliance officer with causing a violation “unduly places compliance officers in harm’s way for real-time judgments of a type that they must routinely make,” Crossley argued, adding that charging a compliance officer for designing what, with the benefit of hindsight, turns out to be a less than perfect policy and procedure fails to acknowledge that they are rarely perfect and controls are limited in nature.
Assessing liability based on negligence may also be inconsistent with policy statements articulated by Commission members and staff, Crossley said, referencing remarks Ceresney made at the Compliance Week 2014 conference that CCOs should not face liability unless they affirmatively participated in the misconduct, helped mislead regulators, or had a clear responsibility to implement compliance policies and procedures and wholly failed to carry out that responsibility.
While a theory of “causing” liability is available to the SEC’s enforcement staff, the letter recommends internal guidelines based upon a standard for aiding and abetting that includes a primary securities law violation, knowing or extremely reckless conduct, and substantial assistance to the primary violator.