Liability and Outsourcing – Identifying and Controlling the Real Risks Part 2 of 2: Choosing a CCO

The roles and responsibilities undertaken by Chief Compliance Officers (“CCOs”), whether in house or outsourced, are a significant point of interest for the Commission. Given the recent SEC feedback on CCO outsourcing and recent enforcement actions generally, advisers are well advised to ensure that proper controls are in place to limit liability. In this article, originally published in the February edition of NSCP Currents, SEC3 continues the discussion on liability and outsourcing. In this Part 2 of 2, SEC3 provides key takeaways for compliance officers and management. (Part 1 was published in December 2015.)

Individual liability is quickly becoming a priority for the Securities and Exchange Commission. In fact, over the last five years, 80% of SEC enforcement cases have involved charges being brought against individuals. In a recent speech, Andrew Ceresney explained this increased focus, stating: “Holding individuals accountable for their wrongdoing is critical to effective deterrence and, therefore, the Division considers individual liability in every case.”

In a separate speech also highlighting individual liability, Mr. Ceresney noted that many of the recent enforcement cases brought against individuals make it clear that the SEC will “aggressively pursue business line personnel and firms who mislead or deceive.”

Recent SEC enforcement cases have shown that the SEC is willing to bring cases for compliance oversights even when there is no harm to clients. We bring this to the attention of investment advisers, fund boards and CCOs so that they stay alert and informed. The vast majority of such enforcement actions can easily be avoided with proper oversight.

Improving your Compliance Program

The Importance of Proper Risk Assessment

In order for any compliance program to adequately insulate advisers, fund boards and CCOs, it must begin with a detailed risk assessment and gap analysis. This will lead to the creation of a detailed compliance program that encompasses all risks.

Any discussion on CCO liability must begin with the foundation of building one’s compliance program: the adoption of the policies and procedures. In order to create comprehensive policies and procedures, a CCO must take into account the specific investment adviser, broker-dealer or investment company business model, and tailor a program to deal with the risks inherent to the particular model.

As noted in the SFX case, had the CCO conducted a risk assessment and prioritized his time to address the highest areas of risk, he likely could have avoided enforcement action even in light of fraudulent activity by firm personnel.

The real cause of failure-to-supervise actions is often insidious: the underlying problem is a poor process for identifying risk.

Section 203(e)(6) of the Advisers Act, in part, reads:

“…no person shall be deemed to have failed reasonably to supervise any person, if–

  (A) there have been established procedures, and a system for applying such procedures, which would reasonably be expected to prevent and detect, insofar as practicable, any such violation by such other person, and
  (B) such person has reasonably discharged the duties and obligations incumbent upon him by reason of such procedures and system without reasonable cause to believe that such procedures and system were not being complied with.”

To avail yourself of the safe harbor, subparagraph A requires that the adviser have adequate policies and procedures, and subparagraph B requires that you be able to adequately demonstrate that you “reasonably discharged” your duty to supervise. Too many CCOs focus only on subparagraph B, ensuring timely compliance work and documentation. However, while the existing compliance procedures may be working well, if certain key risks have not been addressed, the CCO can unknowingly bear significant risk. CCOs who wish to quantify and manage their liability need to focus on ensuring they have the policies and procedures to address the business’s risks.

We always advise developing a scheduled process that involves the CCO and executive management team working together to conduct a review of the business from top to bottom. The process should be thorough and involve a broad range of questions. Each risk should be identified and rated, and, based on those ratings, adequate policies and procedures drafted.

In the SEC’s Risk Alert on Outsourcing, the SEC found some concerns with outsourced CCOs’ ability to communicate firm risk. However, such a concern is not limited to outsourced CCOs – all CCOs should be communicating frequently with fund boards and senior management. Assessing firm risk and conflicts of interest should always involve a team approach with open communication.

Fund Board and Management Takeaways

Tone at the Top Really Does Matter

In his 2006 New York Times bestseller Blink, Malcolm Gladwell discusses work conducted by researcher John Gottman, who can predict, with 95% accuracy, after watching a husband and wife talking for one hour, whether the couple will still be married 15 years later. The premise of Blink is that certain quick decisions often prove accurate. During Mr. Ceresney’s speech, the SEC Director of Enforcement stated that “the state of a firm’s compliance function says a lot about the firm’s likelihood of engaging in misconduct and facing sanctions.” Mr. Ceresney also specifically noted that you can “predict a lot about the likelihood of an enforcement action by asking a few simple questions about the role of the company’s compliance department in the firm.” Such questions included:

  • Are compliance personnel included in critical meetings?
  • Are their views typically sought and followed?
  • Do compliance officers report to the CEO and have significant visibility with the board?
  • Is the compliance department viewed as an important partner in the business and not simply as a support function or a cost center?
  • Is compliance given the personnel and resources necessary to fully cover the entity’s needs?

Mr. Ceresney observed that “far too often, the answer to these questions is no, and the absence of real compliance involvement in company deliberations can lead to compliance lapses, which, in turn, result in enforcement issues.” Mr. Ceresney reassured the audience of CCOs noting that, “the Commission is in your corner when your work is hindered by uncooperative or obstructionist business personnel, and that a number of our actions have sent the clear message that you must be provided with the resources and support necessary to succeed.”

Mr. Ceresney also highlighted a few important points that investment advisers should be sure to remember. Mr. Ceresney noted that compliance officers have the full support of the Commission and that the SEC relies on them “as essential partners in ensuring compliance with the federal securities laws” and “will do all we can to help you perform your work.” Mr. Ceresney made clear that the SEC will not hesitate to bring enforcement actions against personnel in circumstances where they have deceived or misled, or where their failure to provide compliance professionals with adequate resources and information causes compliance rule violations.

The point he was driving home is that management must support the CCO and provide proper resources.

Last summer, the SEC settled a proceeding brought against Pekin Singer Strauss Asset Management Inc., its former President Ronald L. Strauss, William A. Pekin, Joshua D. Strauss, and other principals at the firm. The proceedings were initiated when it was determined that the compliance function within the firm was not adequately staffed and not adequately resourced. An independent compliance consultant, along with SEC staff, subsequently identified a number of compliance violations during an examination of the firm that had not been previously detected by the firm or its Chief Compliance Officer.

Many of the SEC’s findings are worth highlighting:

  • The SEC found that the President had promoted the CCO to that role, knowing the CCO had limited prior experience and training in compliance; that the CCO still retained his previous functions, including backup trader, backup trade reconciliation, research analyst, and portfolio manager; and that he failed to provide the CCO with sufficient guidance regarding his duties and responsibilities as the new CCO.
  • The SEC found that the CCO lacked the experience, resources, and knowledge as to how to adopt and implement an effective compliance program or how to conduct a comprehensive and effective annual compliance program review. Additionally, the firm failed to conduct the required annual compliance reviews several times, and there was a three-year gap between annual reviews.
  • Nevertheless, the CCO was able to learn certain aspects of the CCO role from the former CCO and from attending a compliance conference. He was thus able to identify certain weaknesses in the firm’s compliance program and began to implement new compliance policies and testing procedures.
  • The SEC found the President did not make the compliance program a priority for the firm. He directed the CCO to prioritize his investment research responsibilities over compliance, and also gave him other responsibilities including naming him CFO.
  • Between his research and other responsibilities, the SEC found that the CCO was only able to devote between 10% and 20% of his time on compliance matters.
  • The CCO told the President on multiple occasions that he needed help fulfilling his compliance responsibilities, including the annual compliance program review. However, the President told the CCO that the firm’s primary responsibility was serving clients, and that they could address any problems that came up in an SEC examination at that time.
  • The firm eventually engaged a compliance consultant to assist the CCO, primarily because the firm needed to conduct an annual review for the board of a mutual fund that the firm advised, and they needed the compliance consultant to handle the annual review.
  • Nevertheless, the President narrowed the scope of the compliance consultant’s engagement from a more comprehensive compliance review, in part to reduce the cost of the engagement.
  • The compliance consultant issued a report that enumerated several compliance deficiencies at the firm. Shortly thereafter, the SEC exam staff conducted an examination and cited the firm for several compliance deficiencies, most notably the failure to conduct annual compliance program reviews and code of ethics violations surrounding personal trading accounts.
  • Subsequently, the CCO stepped down as CCO and remained as CFO. The firm hired a new CCO with compliance and operations experience.

Based on these and other findings, the SEC found the firm willfully violated the Advisers Act, and the firm eventually settled with cease-and-desist orders and payment of monetary damages.

The SEC, in agreeing to accept the settlement offer, noted the firm’s remedial efforts, which included:

  • The firm expanded its relationship with its outside compliance consultant and hired an additional full-time Compliance Director to support the firm’s CCO.
  • The firm has continued to retain a compliance consultant as an additional compliance resource and to ensure that the consultant will monitor and advise on the firm’s annual compliance program reviews.
  • The firm hired a new CCO.

While many of the specific factual findings may strike some readers as being egregious, in our experience many firms do struggle in trying to find the right level of experience, resources and independence for their CCOs and compliance obligations.

It is also common, particularly with smaller advisers, that many CCOs have other, non-compliance roles with substantive and substantial duties.

Many of these “dual hatted” CCOs also have specific expertise in those other, non-compliance areas, and may feel challenged to find the time or acquire the expertise to discharge their compliance duties in the way the SEC and investors would expect.

Another factor in this case that we sometimes encounter is the lack of a “compliance culture,” or “tone from the top,” which can manifest in a variety of ways, such as failing to appreciate the importance of the compliance function, prioritizing non-compliance functions over compliance functions, or not allocating appropriate resources to compliance functions.

Another compliance violation that we see frequently is the failure to conduct the required annual compliance review. Whether it is due to time constraints, resource constraints or having other priorities, it is important for registered investment advisers to remember that the annual compliance review is a legal requirement and there are potentially significant consequences for overlooking this obligation.

Finally, we find it noteworthy that the facts in this case date back a few years. The current regulatory regime emphasizes “broken windows” enforcement actions, record penalties, and “message cases.” There is also enhanced focus on CCOs as “gatekeepers,” in addition to CCO liability. We have also previously noted whistleblower awards now being paid out to compliance personnel. Thus, we would expect the SEC to continue to focus on firms’ CCOs and their compliance efforts and resources.

Stay Diligent and Informed

Executives and fund boards should keep abreast of current enforcement actions taken by the Commission, especially those relating to CCO and executive liability. Such cases, including the Ted Urban case, can provide insight into how advisers can avoid coming under fire from the SEC. This seminal case provides that, in addition to executives and directors, CCOs can be held liable for failure to supervise if they are deemed a “supervisor” under a totality-of-the-circumstances review. Knowing what steps the regulators are taking, who they are going after, and for what specifically, will help firms steer clear of enforcement action.

What to Look for When Choosing a CCO

Given the SEC’s recent cases and speeches, advisers should ensure that the CCO has the right experience and background — specifically a background that shows s/he understands all relevant SEC regulations. Advisers should also ask questions and understand the niche experience that is needed to be an effective CCO. Several factors distinguish a well-suited CCO from an inexperienced, lower-cost alternative. For example, a suitable CCO will customize a compliance program to the fund’s business, interact with service providers and test the compliance program to appropriately identify potential failures.

Another important aspect for advisers to consider when determining whether it is beneficial to hire an outsourced CCO is accountability and time-management skills. This is critical for a CCO because if s/he fails either to cover the ground required or to follow through on designated responsibilities, the adviser could be subject to enforcement action. Mr. Ceresney spoke about how the SEC will charge CCOs in cases where they have failed to carry out their responsibilities. Certain individuals might have exceptional experience and backgrounds and yet lack this basic skill of accountability. Advisers must be diligent to ensure hired CCOs are dependable and reliable.

CCOs must not only ensure that they create the necessary policies and procedures to effectively prevent violations of federal securities laws; they must also take steps to ensure such policies and procedures are properly implemented and tested. The failure to do so allows impropriety to occur and harms shareholders and the industry at large. Ask potential CCO candidates how they will create or manage your policies and procedures. Asking detailed questions will help you identify the best-fit candidate.

There are no prerequisite qualifications to be a CCO. Ideally, the best fit is someone who has in-house experience as a CCO at several firms coupled with a regulatory background. This is niche experience.

It is important to note that CCOs should make it a priority to keep up to date on new and changing securities regulations. In doing so, CCOs will recognize exactly which rules they are required to comply with and can subsequently impart that knowledge to the adviser, providing assurance that they are capable of fulfilling the responsibilities delegated to them. Be sure you communicate with your CCO and understand his or her continuing education efforts and diligence.

The CCO Needs Oversight Too

Advisers should monitor outsourced CCOs the same way they would a full-time CCO. When choosing to outsource compliance duties, executives and directors should make a concerted effort to ensure that they are comfortable with the individual, as well as his/her ability and self-discipline. The adviser can’t simply delegate these important responsibilities and walk away. They must remain diligent in their oversight, and stay current with the ever-evolving regulatory environment. The inherent risks and pitfalls that the regulators associate with outsourcing the role of CCO should be considered by all advisers, even ones that do not outsource the position. This is because the weaknesses found are not necessarily correlated with the decision to outsource or not, but are often related to the specific skills and drive of the individual CCO.

Management should oversee CCOs not only to be sure they are actively doing their job, but also to prevent fraud in extreme cases. There have been several cases where compliance personnel are the perpetrators. For example, the SEC is currently taking action against a compliance associate alleged to have traded on material nonpublic information obtained from his investment bank employer, Goldman Sachs. The SEC asserts that Yue Han misappropriated nonpublic information about impending mergers and traded on this information through undisclosed brokerage accounts in violation of the firm’s policies. Failing to monitor the CCO’s activities is a common issue we see at many firms.

Compliance Personnel Takeaways

Go Desktop?

Recent SEC deficiency letters emphasize that the policies and procedures need to be detailed and explain your overall operations. This can present a conundrum, where you might be increasing your liability exposure with such over-disclosure. Conversely, you should be mindful of the many reasons not to include every minute risk and corresponding control in your manual.

For example, former Commissioner Gallagher opined that Rule 206(4)-7 is at the center of the Commissioner’s concerns. The rule is “not a model of clarity.” It provides, in part, that the adviser is required to adopt “and implement written policies and procedures reasonably designed . . .” to prevent violations of the Act. On its face the rule addresses the adviser – it requires the firm to designate a CCO. However, while the adviser is responsible for implementation, the SEC has interpreted Rule 206(4)-7 as if it were directed to CCOs.

Yet neither the Rule itself nor the SEC offers guidance on compliance. According to Gallagher, this sends a troubling message, “…that CCOs should not take ownership of their firm’s compliance policies and procedures, lest they be held accountable for conduct that, under Rule 206(4)-7, is the responsibility of the adviser itself. Or worse, that CCOs should opt for less comprehensive policies and procedures with fewer specified compliance duties and responsibilities to avoid liability when the government plays Monday morning quarterback.” Gallagher stated he is “…very concerned that continuing uncertainty as to the contours of liability under Rule 206(4)-7 will disincentivize a vigorous compliance function at investment advisers.” He recommended that the Commission take a hard look at Rule 206(4)-7 and consider whether amendments, or at a minimum staff or Commission-level guidance, are needed to clarify the roles and responsibilities of compliance personnel.

As a result of this uncertainty, many argue for shorter, pointed compliance manuals separate from desktop procedures, or even suggest avoiding desktop policies altogether. However, given recent cases and deficiency letters, we are of the opinion that a CCO who does not consider every material detail to include in their policy and procedure manual may be exposing their firm to liability.

According to Mr. Ceresney, “When we have charged a CCO with causing violations of rule 206(4)-7, we have not second guessed their professional judgment, critiquing the choices they made in the creation of policies; rather, we have brought actions where there was a wholesale failure to develop such policies or to implement them, and where the CCO was properly held responsible for that failure.”

The root of the issue is that you need a risk assessment that flows into the policies and procedures, and certain policies and procedures should therefore be desktop. This should be considered one of the higher-risk areas in your compliance program.

Rule 206(4)-7 and Rule 38a-1 suggest, at a minimum, areas where advisers and funds, respectively, should consider adopting policies and procedures. They do not provide specific instruction on how policies and procedures should address: 1) how to monitor and assess employees for conflicts of interest, 2) how to monitor employees who participate in firm-approved outside business activity (“OBA”), or 3) how to determine when an employee’s OBA should be disclosed to the board or clients.

It is this type of detail cited regarding policies and procedures that causes grave concern for CCOs.

Continue to try to avoid being deemed a supervisor – lessons learned from Ted Urban

Even though Chief Compliance Officer Ted Urban was exonerated from liability, a curious dictum emerged from the SEC enforcement action against him. The dictum provided that Urban was deemed a “supervisor” over an employee, a classification which placed additional liability on him. Under a totality-of-the-circumstances review, the administrative law judge had to determine whether Urban met the classification of “supervisor.” The court reviewed whether Urban had the “requisite degree of responsibility, ability or authority to affect” the employee’s conduct, despite not being a supervisor in the classical sense.

Despite Urban not having any of the traditional powers associated with a person supervising a firm’s employees, the decision classified Urban as the employee’s supervisor. Once deemed a “supervisor,” one is subject to maintaining “reasonable supervision,” which extends above and beyond the usual and customary duties of a CCO. Reasonable supervision is determined by whether there is negligence under the reasonably prudent person test. This is an unnecessary hurdle for a CCO when so much liability is already inherently built into Rule 206(4)-7, Rule 38a-1 and the corresponding securities laws. The Ted Urban case also emphasizes the need to review your insurance coverage and make sure you are well covered and shielded from liability.

Know Your Responsibilities and Be Diligent

The SEC noted in the Risk Alert following the Outsourced CCO Initiative that in many instances, the outsourced CCOs were designated as the individuals responsible for conducting reviews to ensure compliance met the requirements of Rule 206(4)-7. This included testing of the existing policies and procedures. However, the staff observed throughout these examinations a “general lack of documentation evidencing the testing” recorded by the firms. CCOs should take note of this observation, as again, this is not limited solely to outsourced CCOs.

CCOs must remain proactive when updating the compliance program, and ensure that they stay current with guidance provided by the SEC through recent cases, speeches and risk alerts.

Understand that your duties as CCO are to develop and implement the compliance program, but also understand that you alone are not solely responsible for the development and implementation of a “culture” of compliance. It is imperative that executive management and fund boards work cooperatively with CCOs to efficiently mitigate risks and liabilities particular to their business model. This is essential to proper risk assessment, and to the creation, implementation and testing of a successful compliance program.

Fund boards, adviser personnel and compliance professionals should be sure to keep up with current regulatory guidance and enforcement cases. This is not just best practice; this should be the only practice for any staff tasked with compliance oversight. CCOs now find themselves more and more often in the SEC’s crosshairs for issues related to the compliance programs they oversee. This presents additional risks that are largely unnecessary, but based on recent history, it stands to reason that the SEC will continue naming CCOs for compliance oversights.