The SEC’s CCO Guidance Month
In a 30-day period, the U.S. Securities and Exchange Commission (“SEC”) has released guidance in three ways regarding certain views on the important role and potential liability risks of chief compliance officers (“CCOs”). SEC Commissioner Hester M. Peirce first raised these topics in a speech to the National Society of Compliance Professionals, advocating for greater clarity regarding the SEC’s decisions to impose individual liability on compliance professionals and challenging the wisdom of charging chief compliance officers “based on mere negligence.” Hester M. Peirce, When the Nail Fails—Remarks before the National Society of Compliance Professionals (Oct. 19, 2020). Book-ended thirty days later, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a “Risk Alert” titled OCIE Observations: Investment Adviser Compliance Programs (“OCIE Compliance Risk Alert”). That same day, OCIE Director Peter Driscoll gave a speech that served as the Opening Remarks at National Investment Adviser/Investment Company Compliance Outreach 2020, titled The Role of the CCO – Empowered, Senior and With Authority, Peter Driscoll (Nov. 19, 2020). It is unprecedented for the SEC to discuss this important topic utilizing several platforms in such a short period. Taking notice of this, below we analyze the guidance provided by each. We also observe that the SEC’s focus on the role of compliance is not new but that sometimes the SEC’s support for compliance has not appeared to extend beyond OCIE. Cf. Lori Richards’ (then-OCIE Director) October 2007 Speech “Working Towards a Culture of Compliance: Some Obstacles in the Path” (observing that an effective compliance program required management support, a “seat at the table” for the CCO, adequate compliance staffing relative to the size and risks of the firm’s business, and “tone at the top” from the CEO down); with Luis A. Aguilar’s (then SEC Commissioner) June 2015 Speech “The Role of the Chief Compliance Officers Must be Supported” (defending recent SEC enforcement actions against CCOs and explaining that those CCOs acting in “good faith” should not fear the SEC).
Commissioner Peirce’s Speech
Commissioner Peirce focused on “the question of how to define the parameters of personal liability for compliance officers,” noting that “the nature of the liability they face in executing [their] responsibilities remains unclear.” The most recent guidance on the issue from the SEC’s perspective, she observed, dates back to 2015, when then-Enforcement Director Andrew Ceresney “identified three broad categories of cases where the Commission has charged chief compliance officers.” While the first two (instances in which the officer participated in the misconduct or obstructed or misled the Commission) are generally uncontroversial, the third — “cases where … ‘the CCO has exhibited a wholesale failure to carry out his or her responsibility’” — is more problematic. Commissioner Peirce stated, “[t]ypically, in such cases, the Commission charges the compliance officer with aiding and abetting the company’s violations, causing the company’s violations, or both.” While aiding and abetting requires proof of reckless conduct, causing violations only requires a showing of negligence. “Thus, where a company has committed a violation that does not require scienter — such as failing to have sufficient policies and procedures — a compliance officer can be held to have caused the violation based on her own negligent conduct.”
According to Commissioner Peirce, “Rule 206(4)-7, the investment adviser compliance rule, exacerbates the problem” because, although “[i]t supports negligence-based charges against an adviser’s CCO, … in practice, … the rule’s standard has looked more like strict liability.” But, she argued, “an overly-aggressive approach to charging CCOs when something goes wrong shifts responsibility for compliance from the firm to the CCO.” Additionally, she reasoned, “charging CCOs based on mere negligence could be harmful to … efforts to foster compliance because it dissuades people from taking jobs in compliance and can encourage dishonest efforts to ‘cover up’ failings rather than openly correcting them.”
She further cautioned against heavy reliance on arguments that “causing” charges against compliance officers are fairly rare and tend to carry light sanctions, acknowledging that “even the SEC’s enforcement actions can be career-ending and are always traumatic events for their subject.” Thus, she recognized the need for greater transparency regarding why the SEC does and does not bring actions against compliance professionals: “In short, context matters, and we can provide more of it.” She also encouraged general discussion “about ways to provide guidance to compliance professionals about what a wholesale compliance failure means and how to avoid one,” appreciating that compliance officers are not governed by a “formal regulatory structure.”
Thus, Commissioner Peirce concluded that developing “[a] framework detailing which circumstances will cause the Commission to seek personal liability and which circumstances will militate against seeking personal liability would” both “help the compliance community by eliminating uncertainty and inspiring good practices” and “prove useful for … the SEC to use in deciding whether to charge CCOs.” Moreover, she argued, “[i]t also is time for us to examine how well the compliance rules under the Investment Advisers and Investment Company Acts are functioning” and “to provide greater clarity” to those roles. To do so, she suggested the creation of a “public-private advisory group” and generally encouraged greater dialogue between the SEC and compliance professionals.
The OCIE Compliance Risk Alert
The OCIE Compliance Risk Alert generally provides guidance regarding the compliance programs of investment advisers. It also specifically addresses the role and duties of the CCO:
… the Compliance Rule [Rule 206(4)-7] requires each adviser to designate a [CCO] to administer its compliance policies and procedures. An adviser’s CCO should be competent and knowledgeable regarding the Advisers Act and should be empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the firm. The CCO should have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.
The OCIE Compliance Risk Alert continues by listing examples of notable deficiencies or weaknesses identified by OCIE staff. Importantly, the first two focus on CCOs. The first is titled “Inadequate Compliance Resources,” and the first point under this subheading describes the SEC’s and OCIE’s longstanding concern with CCOs wearing “multiple hats.” It specifically describes this deficiency/weakness as follows:
CCOs who had numerous other professional responsibilities, either elsewhere with the adviser or with outside firms, and who did not appear to devote sufficient time to fulfilling their responsibilities as CCO. While CCOs may have multiple responsibilities, OCIE observed instances where such CCOs did not appear to have time to develop their knowledge of the Advisers Act or fulfill their responsibilities as CCO.
OCIE titled the next deficiency/weakness “Insufficient Authority of CCOs” and went into greater detail to describe this deficiency/weakness:
Insufficient Authority of CCOs. OCIE staff observed CCOs who lacked sufficient authority within the adviser to develop and enforce appropriate policies and procedures for the adviser. For example:
Advisers that restricted their CCOs from accessing critical compliance information, such as trading exception reports and investment advisory agreements with key clients.
Advisers where senior management appeared to have limited interaction with their CCOs, which led to CCOs having limited knowledge about the firm’s leadership, strategy, transactions, and business operations.
Instances where CCOs were not consulted by senior management and employees of the adviser regarding matters that had potential compliance implications.
As it routinely does, OCIE closed this Risk Alert with its boilerplate language generally encouraging firms to review policies and procedures, to review their implementation, and to ensure that they are tailored to the advisers’ businesses. As our readers know, we recommend that firms take the guidance in OCIE’s Risk Alerts very seriously, as OCIE staff and staff from the Division of Enforcement apply the guidance in OCIE’s Risk Alerts to their examinations and investigations.
OCIE Director Driscoll’s Speech
OCIE Director Driscoll’s speech seeks to strike a somewhat different tone than the enforcement-focused tone of Commissioner Peirce’s speech and the examination deficiencies and weaknesses discussed in the OCIE Compliance Risk Alert. After opening remarks regarding the impacts of the pandemic on firms, OCIE Director Driscoll turned to this topic under the heading “Empowering Chief Compliance Officers” and a subheading titled “Empowerment, seniority and authority.” He started by reciting constructive points consistent with the OCIE Compliance Risk Alert, but then he turned and raised the following points to attempt to empower and encourage firms and CCOs:
OCIE observes good practices where CCOs are routinely included in business planning and strategy discussions and brought into decision-making early-on, not for appearances, but for their meaningful input.
OCIE notices CCO access and interaction with senior management, prominence in the firm, and when they are valued by senior management.
OCIE Director Driscoll pointed out that a good CCO can be a true “value-add” to the business; by keeping up with regulatory expectations and new rules, they can assist in positioning their firms not only to avoid costly compliance failures, but also to provide pro-active compliance guidance on new or amended rules that may provide advisers with additional business options.
OCIE Director Driscoll concluded his speech by discussing the similarities between OCIE and CCOs:
Compliance officers are on the front lines to help ensure that registrants meet their obligation under applicable securities laws and regulations. We too are on the front lines and with a similar mission, and in many ways examiners and compliance officers and personnel are two-sides of the same coin. We cannot overstate a firm’s continued need to assess whether its compliance program has adequate resources to support its compliance function. Resources means a lot of different things, including training, automated systems and adequate staff to support firm growth, but perhaps most importantly, it means “empowerment.” Compliance must be integral to an adviser’s business and part of its senior leadership.
Other Industry Guidance and Feedback
Both before and after the recent SEC initiatives, various groups have sought to bring attention to the personal liability of CCOs. For example, in February 2020, the New York City Bar Committee on Securities Regulation issued a report titled “Chief Compliance Officer Liability in the Financial Sector,” in which it analyzed recent regulatory enforcement actions against CCOs in their individual capacities, highlighted the need for enhanced understanding of the CCO role by regulators, and clarified the approach to enforcement toward more consistent liability outcomes without sacrificing the achievement of regulatory goals. Since these initiatives, other trade groups have taken up Commissioner Peirce’s request for more guidance, as the National Society of Compliance Professionals has formed a working group to provide the Commission with greater guidance on cases of CCO liability.
Although it is still unclear whether or how quickly the guidance in these speeches and this Risk Alert will take hold, Commissioner Peirce’s observations and acknowledgements of the unique challenges compliance professionals face are encouraging. Similarly, OCIE Director Driscoll’s efforts to empower firms and CCOs regarding compliance programs and to emphasize the important role of the CCO are commendable, particularly his charge for firms to take responsibility for compliance programs starting at the top, not just with the CCO. As we anticipate a Democratic-appointed Chair and more aggressive agendas for both the SEC’s enforcement and examination programs, firms and CCOs should heed this guidance and engage in any remedial efforts in this important area as soon as is reasonably practicable. That said, unfortunately, none of this guidance addresses the historical and current opaque nature of the federal securities laws applicable to CCO potential liability. For more information on this topic and managing the risk of supervisory liability as it pertains to CCOs and in-house attorneys, please see the article previously published in the National Society of Compliance Professionals periodical Currents “Best Of” edition.