Happy New Year and Important Reminders Regarding CCO Liability
January 15, 2016
As we begin a new year, our thoughts turn to our clients and friends who have made our progress possible. We are grateful to our clients for the opportunity to work with them and our friends for their support, counsel and encouragement.
In this spirit, we want to wish everyone a happy, healthy and prosperous New Year and on behalf of clients and friends, make a charitable contribution. While there are many worthwhile charities we looked for one that not only provides financial assistance, but also "thought-leadership" and meaningful guidance to improve the lives of those less fortunate. We chose the Calvert Foundation, a unique organization that partners with entities around the world to promote important initiatives to improve the lives of all of us. This global map highlights many of the true successes the Calvert Foundation has had a hand in.
Back to Compliance: As 2016 begins in force, we would also like to share with you some important insights relating to CCO liability and outsourcing CCO responsibilities that we believe compliance professionals should have at the forefront of their minds in the first days of 2016. Please look for the second installment on this topic to be published in February.
LIABILITYAND OUTSOURCING– IDENTIFYING AND CONTROLLING THE REAL RISKS
Published: NSCP Currents December 2015
The ongoing, industry discussion concerning Chief Compliance Officer ("CCO") liability has recently intensified as evidenced by recent speeches, enforcement cases and risk alerts put forth by the US Securities and Exchange Commission ("SEC"). The thought of a SEC enforcement action against a CCO can often result in many sleepless nights for compliance professionals. In light of current industry activity, most CCOs are re-assessing their personal and professional liability once again.
On November 4th, in a keynote address during the 2015 National Society of Compliance Professional's National Conference, Mr. Andrew Ceresney, Director, Division of Enforcement for the SEC, spoke directly on the subject matter of CCO liability including discussion on recent enforcement actions brought against CCOs. The primary purpose of Mr. Ceresney's speech was to alleviate the collective angst felt by CCO's. Many in the industry wonder if the SEC could be targeting CCOs, and further, if they could be next.
Ceresney used this opportunity to offer clearer guidance of the Division with respect to how the Commission determines whether or not to initiate enforcement actions against adviser CCOs. The Commission has brought more than 8,000 enforcement actions since 2003, and 807 in year 2015 alone. Ceresney emphasized that in the last 12 years, the Enforcement Division has only brought five enforcement actions charging CCOs for failing to do their job. Mr. Ceresney's point was that "these numbers make clear that the Commission only rarely charges CCOs for causing violations of Rule 206(4)-7. There has not been any recent trend toward more enforcement activity involving CCOs in their compliance function."
Mr. Ceresney made a point to note that "Enforcement and the Commission take the question of whether to charge a CCO very seriously and consider it carefully. We think very hard about when to bring these cases. When we do, it is because the facts demonstrate that the CCO's conduct crossed a clear line." Chief Compliance Officers have personal liability with regards to their employer's compliance program. Despite the fact that such liability exists, when a CCO understands the securities laws, is knowledgeable of and involved in the firm's business practices, regularly demonstrates a healthy dose of skepticism and does not become complacent, the liability risk is manageable and can be quantified.
SEC Claims the Regulator does not Target CCOs
When the head of SEC enforcement speaks, it is worthwhile to listen closely. Ceresney offered the industry a large enough chart, albeit lacking some details, that can help CCOs navigate their compliance schooner through the, not always calm, waters.
Mr. Ceresney's remarks addressed several important areas of concern to CCOs, including CCO liability and recent enforcement actions. While Director Ceresney remarks were focused on "enforcement cases that touch compliance personnel," they covered three distinct areas.
First, he discussed "recent cases that emphasize the importance [the SEC] place[s] on compliance personnel receiving the resources, cooperation, and transparency from the firm's business personnel they need to do their job." This is the part of speech where he gave CCOs" the equipment to help navigate, if necessary, the heavy seas, which may result when attempting to convince the captain of the best course.
Mr. Ceresney's second point of discussion was the significance of Rule 206(4)-7 (the "Compliance Rule") and paramount responsibility "on the firm to adopt written policies and procedures reasonably designed to ensure compliance with the Advisers Act". This is the part of his navigational aid that we believe, falls short on practical application. We will offer our perspective, which hopefully provides additional details for the chart legend.
Finally, Mr. Ceresney spoke about the recent enforcement actions that the Enforcement Division has brought against CCOs.
In essence, Ceresney categorized enforcement actions brought against CCOs into three broad categories:
- Cases against CCOs who are affirmatively involved in misconduct that is unrelated to their compliance function (e.g., AlphaBridge Capital Management )
- Cases against CCOs who engage in efforts to obstruct or mislead the Commission staff. (Eg. Wells Fargo Advisors)
- Cases where the CCO has exhibited a wholesale failure to carry out his or her responsibilities.
The third category – when a CCO has exhibited a wholesale failure to carry out his or her responsibilities is of particular concern. It leaves CCOs wondering since it seemingly places liability and directly names CCOs. This area is clearly the one that causes the most uproar in our industry and where we want to focus.
Let's summarize a few cases.
Blackrock Advisors, LLC and Bartholomew A. Battista, CCO.
The SEC charged BlackRock Advisors LLC with breaching its fiduciary duty by failing to disclose a material conflict of interest. An action was brought against both the adviser and the CCO. This marked the first SEC case specifically charging a CCO with violations of Rule 38a-1 for failing to report a material compliance matter to a fund board.
Ultimately, BlackRock and the CCO agreed to settle the charges and pay penalties in addition to the requirement that they engage an independent compliance consultant to conduct an internal review.
"According to the SEC's order instituting a settled administrative proceeding, Daniel J. Rice III was managing energy-focused funds and separately managed accounts at BlackRock when he founded Rice Energy, a family-owned and operated oil-and-natural gas company. Rice was the general partner of Rice Energy and personally invested approximately $50 million in the company. Rice Energy later formed a joint venture with a publicly-traded coal company that eventually became the largest holding (almost 10 percent) in the $1.7 billion BlackRock Energy & Resources Portfolio, the largest Rice-managed fund. The SEC's order found that BlackRock knew and approved of Rice's investment and involvement with Rice Energy as well as the joint venture, but failed to disclose this conflict of interest to either the boards of the BlackRock registered funds or its advisory clients."
"BlackRock violated its fiduciary obligation to eliminate the conflict of interest created by Rice's outside business activity or otherwise disclose it to BlackRock's fund boards and advisory clients," said Andrew J. Ceresney, Director of the SEC's Division of Enforcement. "By failing to make such a disclosure, BlackRock deprived its clients of their right to exercise their independent judgment to determine whether the conflict might impact portfolio management decisions."
The SEC's order also found that BlackRock and its then-chief compliance officer Bartholomew A. Battista caused the funds" failure to report a "material compliance matter" – namely Rice's violations of BlackRock's private investment policy – to their boards of directors. BlackRock additionally failed to adopt and implement policies and procedures for outside activities of employees, and Battista caused this failure. Battista agreed to pay a $60,000 penalty to settle the charges against him."
We would venture to say that most industry CCOs can understand an SEC enforcement action against a firm and CCO for failing to disclose a material conflict of interest to the board. Details in this case and others that appear to cause the most concern for CCOs relate to the desktop-type citing by the SEC for policy and procedure detail oversights.
A robust process to assess risk should flow to the firm's policies and procedures implementing controls. Inadequate policy and procedures often is the direct result of a weak risk assessment. Any CCO who simply limits their policy and procedures to the ten, "at a minimum," elements listed as the Rule 206(4)-7 Release is subject to increased risk.
SFX Financial Advisory Management Enterprises, Inc. and Eugene S. Mason
In the Matter SFX Financial Advisory Management Enterprises, Inc. and Eugene S. Mason, SFX Financial Advisory Management's vice president misappropriated over $670,000 in assets from three client accounts.
"the Securities and Exchange Commission announced fraud charges against a Washington D.C.-based investment advisory firm's former president accused of stealing client funds. The firm and its chief compliance officer separately agreed to settle charges that they were responsible for compliance failures and other violations.
SFX Financial Advisory Management Enterprises is wholly-owned by Live Nation Entertainment and specializes in providing advisory and financial management services to current and former professional athletes. The SEC Enforcement Division alleges that SFX's former president Brian J. Ourand misused his discretionary authority and control over the accounts of several clients to steal approximately $670,000 over a five-year period by writing checks to himself and initiating wires from client accounts for his own benefit.
The SEC separately charged SFX and its CCO Eugene S. Mason, finding that the firm failed to supervise Ourand, violated the custody rule, and made a false statement in a Form ADV filing. The SEC finds that Mason caused some of SFX's compliance failures by negligently failing to conduct reviews of cash flows in client accounts, which was required by the firm's compliance policies, and not performing an annual compliance review. Mason also was responsible for a misstatement in SFX's Form ADV that client accounts were reviewed several times each week. SFX and Mason agreed to pay penalties of $150,000 and $25,000 respectively."
Again, industry fears should be tempered because the SEC is charging policy and procedure violations on top of what appears to be egregious oversights by compliance personnel. In the SFX case, the CCO was responsible for implementing policies and procedures around money transfers, but allegedly did not review them. The absence of such reviews allowed SFX's president to misappropriate over half a million dollars. Scenarios such as this leave CCOs wondering if they could overlook something and be subject to enforcement. CCOs are well advised to be diligent and know where they are deemed responsible.
Following the money should be a top priority for CCOs. Conducting a risk assessment is the first step a CCO should take. It appears that the CCO and/or adviser in this case understood the risk given the ADV disclosure indicated money transfers would be reviewed. If this was not such an egregious oversight, perhaps the SEC would not have brought charges naming the CCO.
Aegis Capital, Circle One Wealth Management, Diane Lamm, David Osunkwo, and Strategic Consulting Advisors
In March 2015, the SEC brought action against Aegis Capital and Circle One Wealth Management, their Chief Operations Officer ("COO") Diane Lamm, and the firm's outsourced CCO, David Osunkwo, along with his firm Strategic Consulting Advisors. The facts of this case involved "grossly" overstated regulatory assets under management ("RAUM") in addition to number of client accounts; RAUM was overstated by more than $119 million on Forms ADV filed in 2010 and 2011, and the total number of actual client accounts was at least 1,000 less than reflected in the ADV.
In this case, Mr. Osunkwo, the outsourced CCO, relied solely on the COO's inputs for the ADV. In addition, it appears that the CCO signed the ADV on behalf of the CIO. There were several other violations indicative of a weak compliance program, such as books and recordkeeping violations. However, the significant take away for CCOs (outsourced or in-house) is that one cannot blindly rely on others internally to provide accurate data. You should have some form of independent verification on the data. It is ok to trust, but your mantra should be "trust, but verify." In addition, you need to be careful when filing the ADV on behalf of a firm that you don't commit forgery.
Quite apparent is that CCO's must set up strong compliance programs with scheduled calendar testing. If the CCO had listed RAUM test as part of a compliance calendar testing program, would the CCO have been named? How can other CCO's be sure that they "trust, but verify" everything? Is the SEC trending towards charging CCOs in enforcement actions for compliance deficiencies after discovery of adviser improprieties?
This particular issue intensifies and justifies the concern CCOs are having when they could potentially be named in an enforcement case for an inadvertent oversight. Regardless of whether one thinks this was a mere oversight by Osunkwo, or whether he should be held to account, all CCO's should be asking questions when they read the SEC's charges. The SEC seems to be saying that you could be named in a case if you rely on information provided by others internally and assume it is accurate.
This case provides lessons for all CCOs. It is really irrelevant that Osunkwo was an outsourced CCO versus a full time employee. These charges against Osunkwo should raise heightened awareness if not concern for all CCOs.
It is fitting given this last case to spend time discussing the recent SEC risk alert on CCO outsourcing. In November 2015, the SEC indirectly affirmed that registered investment advisers and investment companies can outsource their CCO position to an unaffiliated third party and satisfy their 206(4)-7(c) and 38(a)-1(a)(4) obligations. The SEC released a risk alert highlighting their findings from recent examinations of advisers and funds that outsource their CCOs to a third party. Advisers and fund boards have been rapidly turning to third party CCOs, as the number of enforcement actions and the cost of finding well suited CCOs both increase. The SEC risk alert outlined issues surrounding outsourcing such responsibilities to an unaffiliated third party and provides insight into what advisers and fund boards must be aware of when contemplating outsourcing such responsibilities.
Don't Necessarily Write off Outsourcing the CCO Position
We have always been reluctant to push outsourcing the CCO role over providing consulting to help firms with their compliance. We believe the SEC views keeping the title in house is more conservative, and hence a better option. Of course the other side of the argument is that outsourcing provides a greater layer of independence. So while outsourcing the role can potentially put you in a higher risk category with the SEC, you might be able to convince examiners during an exam that it makes sense for your company and actually mitigates risk at your firm. All of this being said, the risk related to picking a CCO relates to the person and their skillsets, and it is irrelevant if you outsource or employ a full time in-house CCO.
Outsourcing does not change the firm's liability. Likewise, the liability for a CCO remains the same whether the CCO is a full time employee or outsourced. Despite the net effect on liability, there are important considerations when determining outsourcing that need to be considered.
The November risk alert highlighted potential weaknesses when hiring outsourced CCOs, but we argue this is not just relevant to outsourced CCOs and all firms should consider the findings when evaluating their CCOs.
The risk alert highlighted the Commission's findings from the examination of adviser and funds that outsource their Chief Compliance Officers and outlines the issues surrounding outsourcing such responsibilities to an unaffiliated third party. The examination included 20 firms composed of both investment advisers and investment companies and was part of the Outsourced CCO Initiative.
As part of the Outsourced CCO Initiative, the staff evaluated the effectiveness of the compliance programs of those firms who had outsourced their CCO to a third party by considering whether:
- The CCO is actively administering the program so that it addresses and supports the goals of all federal securities laws including the Advisers Act and Investment Company Act;
- The compliance program is reasonably designed to prevent, detect, and address violations;
- The compliance program is being carried out with open communication between the firm's internal compliance staff and the third party service provider;
- The compliance program appears to be proactive rather than reactive;
- The CCO appears to have sufficient authority to manage the firm's policies and procedures and has sufficient resources to perform his or her responsibilities; and
- Compliance appears to be an important part of the firm's overall culture.
According to the release, the positive findings describing instances where the outsourced CCO was effective in administering the compliance program as well as fulfilling the other responsibilities that come along with the CCO title revolved around the following:
- regular, often in-person, communication between the CCO and the firm;
- strong relationships established between the CCO and the firm;
- sufficient firm support of the CCO;
- sufficient CCO access to firm documents and information; and
- CCO knowledge about the regulatory requirements and the firm's business.
Whether hiring an outsourced or in-house CCO, advisers and fund boards should assess several key factors when they appoint a CCO.
The results of these examinations outline the inherent risks and potential weaknesses that come with outsourcing the role of CCO. This risk alert reminds advisers with outsourced CCOs to review their business practices to "evaluate whether their business and compliance risks have been appropriately identified, that their policies and procedures are appropriately tailored in light of their business and associated risks, and that their CCO is sufficiently empowered within the organization to effectively perform his/her responsibilities". As with previous examination initiatives, the Commission is essentially "rulemaking" when releasing their findings, and will expect advisers to adapt their policies and procedures to address potential dangers.
What can one extrapolate given the recent discussions around CCO liability and Outsourcing? There are important takeaways given the SEC's recent guidance, speeches and cases. The take aways provide practical compliance program oversight and enhancements to consider.
The Importance of Proper Risk Assessment
In order for any compliance program to adequately insulate advisers and fund boards, as well as CCOs themselves, it must begin with detailed risk assessment and gap analysis. This will lead to the creation of a detailed compliance program, which encompasses current risks.
Any discussion on CCO liability must include the foundation of building one's compliance program, the creation of the policies and procedures. In order to create comprehensive policies and procedures, a CCO must take into account the specific investment adviser broker dealer or investment company's business model, and tailor a program to deal with the risks inherent to the particular model.
As we noted above with the SFX case, if the CCO had conducted a risk assessment and prioritized his time to address the highest risk areas, he likely could have skirted the enforcement action even if there was fraud and he didn't catch it.
The real cause of failure to supervise actions is often insidious where the impetus is a poor process to identify risk.
Section 203(e)-6 of the Advisers Act, in part, reads:
"…no person shall be deemed to have failed reasonably to supervise any person, if--
- there have been established procedures, and a system for applying such procedures, which would reasonably be expected to prevent and detect, insofar as practicable, any such violation by such other person, and
- such person has reasonably discharged the duties and obligations incumbent upon him by reason of such procedures and system without reasonable cause to believe that such procedures and system were not being complied with."
To avail yourself of the safe harbor, subparagraph A requires that the adviser has adequate policies and procedures and subparagraph B requires that you can adequately demonstrate that you "reasonably discharged" your duty to supervise. Too many CCO's focus on subparagraph B and ensure timely compliance work and documentation. However, while the existing compliance procedures may be working well, if certain key risks have not been addressed, the CCO can unknowingly bear significant risk. CCO's who really want to quantify and manage their liability need to focus on ensuring they have the policy and procedures to address the business's risk.
We always advise developing a scheduled process that involves leaders from the business units and the CCO reviewing the business from top to bottom. The process should be thorough and ask broad ranging questions. Each risk should be rated and based on ratings, adequate policies and procedures drafted.
In the SEC's Risk Alert on Outsourcing, the SEC found some concerns with outsourced CCO's ability to communicate firm risk. We would argue this is not correlated with the choice to outsource and all CCO's should be communicating frequently with fund boards and senior management. Assessing firm risk and conflicts of interest should take a team approach.
Fund Board and Management Takeaways
Tone at the Top Really Does Matter
In Malcolm Gladwell's, 2006 New York Times bestseller, Blink, he discusses work conducted researcher John Gottman who can predict, with 95% accuracy, after watching a husband and wife talking for one hour whether the couple will still be married 15 years later. The premise of Blink is that certain quick decisions often prove accurate. During Ceresney's speech, the SEC Director of Enforcement said that "the state of a firm's compliance function says a lot about the firm's likelihood of engaging in misconduct and facing sanctions." Ceresney went on to say that you can "predict a lot about the likelihood of an enforcement action by asking a few simple questions about the role of the company's compliance department in the firm". Examples he provided included:
- Are compliance personnel included in critical meetings?
- Are their views typically sought and followed?
- Do compliance officers report to the CEO and have significant visibility with the board?
- Is the compliance department viewed as an important partner in the business and not simply as a support function or a cost center?
- Is compliance given the personnel and resources necessary to fully cover the entity's needs?
Mr. Ceresney observed that "far too often, the answer to these questions is no, and the absence of real compliance involvement in company deliberations can lead to compliance lapses, which, in turn, result in enforcement issues". Mr. Ceresney reassured the audience of CCOs that "the Commission is in your corner when your work is hindered by uncooperative or obstructionist business personnel, and that a number of our actions have sent the clear message that you must be provided with the resources and support necessary to succeed".
Mr. Ceresney also highlighted a few important points that investment advisers should be sure to remember. Ceresney noted that compliance officers have the full support of the Commission and that the SEC relies on them "as essential partners in ensuring compliance with the federal securities laws" and "will do all we can to help you perform your work". Mr. Ceresney made clear that the SEC will bring enforcement actions against personnel in circumstances where they have deceived or misled, or where their failure to provide compliance professionals with adequate resources and information causes compliance rule violations.
The point he was driving home is that management must support the CCO and provide proper resources.
Last summer, the SEC settled a proceeding brought against Pekin Singer Strauss Asset Management Inc., Ronald L. Strauss, William A. Pekin, and Joshua D. Strauss, its former President, and other principals at the firm where the compliance function was not adequately staffed and not adequately resourced. An independent compliance consultant and the SEC staff subsequently identified a number of compliance violations during an examination of the firm that had not been previously detected by the firm or its Chief Compliance Officer.
Many of the SEC's findings are worth highlighting:
- The SEC found that the President had promoted the CCO to that role, knowing the CCO had limited prior experience and training in compliance; that the CCO still retained his previous functions, including backup trader, backup trade reconciliation, research analyst, and portfolio manager; and that he failed to provide the CCO with sufficient guidance regarding his duties and responsibilities as the new CCO.
- The SEC found that the CCO lacked the experience, resources, and knowledge as to how to adopt and implement an effective compliance program or how to conduct a comprehensive and effective annual compliance program review. Indeed, the firm failed to conduct the required annual compliance reviews several times, and there was a three-year gap between annual reviews.
- Nevertheless, the CCO was able to learn certain aspects of the CCO role from the former CCO and from attending a compliance conference, and he identified certain weaknesses in the firm's compliance program and he began to implement new compliance policies and testing.
- The SEC found the President did not make the compliance program a priority for the firm. He directed the CCO to prioritize his investment research responsibilities over compliance, and also gave him other responsibilities, including naming him CFO.
- Between his research and other responsibilities, the SEC found that the CCO was only able to devote between 10% and 20% of his time on compliance matters.
- The CCO told the President on multiple occasions that he needed help to fulfill his compliance responsibilities, including the annual compliance program review. However, the President told the CCO that the firm's primary responsibility was serving clients, and that they could address any problems that came up in an SEC examination at that time.
- The firm eventually engaged a compliance consultant to assist the CCO, primarily because the firm needed an annual review for the board of a mutual fund that the firm advised, and they needed the compliance consultant to handle the annual review.
- Nevertheless, the President narrowed the scope of the compliance consultant's engagement from a more comprehensive compliance review, in part to reduce the cost of the engagement.
- The compliance consultant issued a report that enumerated several compliance deficiencies at the firm. Shortly thereafter, the SEC exam staff conducted an examination and cited the firm for several compliance deficiencies, most notably the failure to conduct annual compliance program reviews and code of ethics violations surrounding personal trading accounts.
- Subsequently, the CCO stepped down as CCO and remained as CFO. The firm hired a new CCO with compliance and operations experience.
Based on these and other findings, the SEC found the firm willfully violated the Advisers Act, and the firm and certain principals agreed to cease and desist orders and the payment of monetary damages.
The SEC, in agreeing to accept the settlement offer, noted the firm's remedial efforts, which included:
- The firm expanded its relationship with its outside compliance consultant and hired an additional full-time Compliance Director to support the firm's CCO.
- The firm has continued to retain a compliance consultant as an additional compliance resource and to ensure that the consultant will monitor and advise on the firm's annual compliance program reviews.
- The firm hired a new CCO.
While many of the specific factual findings may strike some readers as being egregious, in our experience many firms do struggle in trying to find the right level of experience, resources and independence for their CCOs and their compliance obligations.
It is also common, particularly with smaller advisers, that many CCOs have other, non-compliance roles with substantive and substantial duties.
Many of these "dual hatted" CCOs also have specific expertise in those other, non-compliance areas, and may feel challenged to find the time or acquire the expertise to discharge their compliance duties in the way the SEC and investors would expect.
Another factor in this case that we encounter sometimes is the lack of a "compliance culture", or "tone from the top", which can manifest, as in this case, in a variety of ways, such as failing to appreciate the importance of the compliance function; or prioritizing non-compliance functions over compliance functions; or not allocating appropriate resources to compliance functions.
Another compliance violation that we see frequently is the failure to conduct the required annual compliance review. Whether it is due to time or resource constraints, or having other priorities, it is important for registered investment advisers to remember that the annual compliance review is a legal requirement and there are potentially significant consequences for overlooking this obligation.
Finally, we find it noteworthy that the facts in this case date back a few years. The current regulatory environment emphasizes "broken windows", enforcement actions, record penalties, and "message cases". There is also enhanced focus on CCOs as "gatekeepers", and on CCO liability. We have also previously noted whistleblower awards now being paid out to compliance personnel. Thus, we would not be surprised if the SEC continues to focus on firms" CCOs, and their compliance efforts and resources.
Stay Diligent and Informed
Executives and Boards should keep abreast of current enforcement actions taken by the Commission, especially relating to CCO and executive liability. Such cases include the Ted Urban case and can provide insight for how advisers can avoid coming under fire from the SEC. The seminal Ted Urban case provides that, in addition to executives and directors, CCOs can be held liable for failure to supervise if they are deemed a "supervisor" by a totality-of-the-circumstances review. Knowing what steps the regulators are taking, who they are going after, and for what specifically, will help firms steer clear of enforcement action.
What to look for when choosing a CCO
Given the SEC's recent cases and speeches, advisers should ensure that the CCO has the right experience and background—specifically a background that shows s/he understands all relevant SEC regulations. Advisers should also ask questions and understand the niche experience that is needed to be an effective CCO. Several factors distinguish a well-suited CCO from an inexperienced lower-cost alternative. For example, a suitable CCO will customize a compliance program to the fund's business, interact with service providers and test the compliance program to appropriately identify potential failures.
Another important aspect for advisers to consider when determining whether it is beneficial to hire an outsourced CCO is accountability and time-management skills. This is critical for a CCO because if s/he fails to either cover the ground required or follow through on designated responsibilities, then the adviser could be subject to enforcement action. Ceresney, spoke about how the SEC will charge CCOs in cases where they have failed to carry out their responsibilities. Certain individuals might have exceptional experience and backgrounds and yet lack this basic skill of accountability, Advisers must be diligent to ensure hired CCOs are dependable and reliable.
CCOs must not only ensure that they create the necessary policies and procedures which effectively prevent violations of federal securities laws, they must also take steps to ensure such policies and procedures are properly implemented and tested. The failure to do so allows for impropriety to occur and harms the shareholders, and industry at-large. Ask potential CCO candidates how they will create or manage your policies and procedures. Asking detailed questions will help you identify the best fit candidate.
There is no specific required qualifications to be a CCO. Ideally the best fit is someone who has in house experience as a CCO at several firms coupled with regulatory background. This is niche experience.
It is important to note that CCOs should make it a priority to keep up to date on new and changing securities regulations. In doing so, CCOs will both recognize exactly what rules they are being required to comply with, and can subsequently impart that knowledge to the adviser, providing assurance that they are capable to fulfill the responsibilities delegated to them. Be sure you talk to your CCO and understand his or her continuing education efforts and diligence.
The CCO needs Oversight Too
Advisers should monitor outsourced CCOs the same way they would a full-time CCO. When choosing to outsource compliance duties, executives and directors should make a concerted effort to ensure that they are comfortable with the individual, as well as his/her ability and self-discipline. The adviser can't simply delegate these important responsibilities and walk away. They must remain diligent in their oversight, and stay current with the ever-evolving regulatory environment. The inherent risks and pitfalls that the regulators associate with outsourcing the role of CCO should are to be considered by advisers that don't outsource the position, because the weaknesses found are not so much correlated with the decision to outsource or not; weaknesses are often more consistently related to the specific skills and drive of the CCO.
Not only should management generally be overseeing CCOs to be sure they are actively doing their job, but also to prevent fraud in the extreme cases. There have been several cases where compliance personnel are the perpetrators. For example, the SEC is currently taking action against a compliance associate alleged to have traded on material nonpublic information obtained from his investment bank employer, Goldman Sachs. The SEC asserts that Yue Han misappropriated nonpublic information about impending mergers and traded on this information through undisclosed brokerage accounts in violation of the firm's policies. Failing to monitor the CCO's activities is a common issue we see at many firms.
Compliance Personnel Takeaways
It's pretty much a catch 22. You should consider all the reasons not to include every minute risk and corresponding control in your manual. For example ex- Commissioner Gallagher opined that Rule 206(4)-7 is at the center of the Commissioner's concerns. The rule is "not a model of clarity". It provides, in part, that the adviser is required to adopt "and implement written policies and procedures reasonably designed . . ." to prevent violations of the Act. On its face the rule addresses the adviser – it requires the firm to designate a CCO. While the adviser is responsible for implementation, the SEC interprets Rule 206(4)-7 as if it is directed to CCOs. Yet the neither the Rule itself nor SEC offer guidance on compliance. This, according to Gallagher sends a troubling message: "…that CCOs should not take ownership of their firm's compliance policies and procedures, lest they be held accountable for conduct that, under Rule 206(4)-7, is the responsibility of the adviser itself. Or worse, that CCOs should opt for less comprehensive policies and procedures with fewer specified compliance duties and responsibilities to avoid liability when the government plays Monday morning quarterback. Gallagher is: "…very concerned that continuing uncertainty as to the contours of liability under Rule 206(4)-7 will disincentive a vigorous compliance function at investment advisers." He recommended that the Commission take a hard look at Rule 206(4)-7 and consider whether amendments, or at a minimum staff or Commission-level guidance, are needed to clarify the roles and responsibilities of compliance personnel.
Many argue for shorter pointed compliance manuals separate from desk top procedures or even to avoid desk top policies all together. However, given recent cases and deficiency letters, we would have to argue the other side. A CCO that does not consider every detail to include in their policy and procedure manual may be exposed.
In the Blackrock case, we would argue that most CCOs would be less concerned about the case if it only mentioned the CCO failing to notify the board of a material conflict. However, when that is coupled with violations related to specific details regarding policies and procedures, CCO's get worried.
According to Ceresney, "When we have charged a CCO with causing violations of rule 206(4)-7, we have not second guessed their professional judgment, critiquing the choices they made in the creation of policies; rather, we have brought actions where there was a wholesale failure to develop such policies or to implement them, and where the CCO was properly held responsible for that failure"..
The root of the issue is that you need a risk assessment that flows into the P&P and certain P&P should be desktop. Minimally, consider this in your higher risk areas.
Rule 206 4-7 and Rule 38a-(1) suggests areas minimally where advisers and funds, respectively, should consider adopting P&P. It does not say CCO's should be sure policies and procedures address 1- how to monitor and assess employees for conflicts of interest 2- how to monitor employees who participate in firm-approved outside business activity ("OBA") or 3- how to determine when an employee's OBA should be disclosed to the board or clients.
It is this type of detail cited regarding policies and procedures that causes grave concern for CCOs.
Continue to try to avoid being deemed a supervisor - lessons learned from Ted Urban
Even though Chief Compliance Officer Ted Urban was exonerated from liability, a curious dicta emerged from SEC enforcement action against him. The dicta provided that the CCO was deemed a "supervisor" over an employee, a classification which led to additional liability placed over him, as a "supervisor." Under a totality-of-the-circumstances review, the Administrative Judge had to determine whether, Urban had the "requisite degree of responsibility, ability or authority to affect" one's conduct, despite not being a supervisor in the classical sense.
Despite Urban not having any of the traditional powers associated with a person supervising a firm's employees, the case law found Urban to be classified as the employee's supervisor. Once deemed a "supervisor" one is subject to maintaining reasonable supervision, which extended above and beyond the usual and customary duties of a CCO. Reasonable supervision is determined by whether there is negligence under the reasonably prudent person test. This is an unnecessary hurdle for a CCO when so much liability is inherently built into Rule 206 (4)-7, Rule 38a-1 and the corresponding securities laws. Last, when Urban shares about his case, he emphasizes the need to review your insurance coverage and make sure you are well covered and protected.
Know Your Responsibilities and Be Diligent
The SEC noted in the Risk Alert following the Outsourced CCO Initiative that in many instances, the outsourced CCOs were designated as the individuals responsible for conducting reviews to ensure compliance with was compliant with Rule 206(4)-7 including testing of the existing policies and procedures. The staff observed throughout these examinations a "general lack of documentation evidencing the testing" completed during these reviews. All CCO's should take note of this observation as again, we don't think this is limited to outsourced CCOs.
CCOs must remain proactive when updating the compliance program, and ensure that they stay current with guidance provided by the SEC through recent cases, speeches and risk alerts.
Understand that your duties as CCO are to develop and implement the compliance program, but also understand that you alone are not solely responsible for the implementation and development of a "culture" of compliance. It is imperative that executive management and fund boards work cooperatively with CCOs to efficiently mitigate risks and liabilities particular to their business model. This is essential to proper risk assessment, and creation, implantation and testing of a successful compliance program.
Fund boards, adviser personnel and compliance professionals should be sure to keep up with current regulatory guidance and enforcement cases. Just as we would advise firms to call their lawyers and consultants with questions rather than the SEC, we would also advise firms to understand how the SEC is bringing cases in order to better insulate the firm and personnel from being named in a case. Based on what we are seeing, we can't assume the SEC won't continue to name CCOs for compliance oversights.