Adapted from Robin Burton’s Article in the Anti-Corruption Report, November 11, 2020
Since the passing of Sarbanes-Oxley in 2002, I have noticed that Boards of Directors have become more focused on governance, risk, and compliance (GRC), and of course, personal liability. So it should not be surprising the roles of the Chief Audit Executive and recently the Chief Compliance Officer have gained greater importance and power within organizations.
“With great power there must also come great responsibility and increased personal liability” JTM
Personal liability is something most Chief Audit Executive and now Chief Compliance Officer’s think about when they are put in a compromising situation. Especially today, because the regulators now have a better understanding of their roles and have been pushing the enhancement of internal audit and compliance programs as they are part of the Ecosystem.
On October 19, 2020, SEC Commissioner Hester M. Peirce (“Peirce”) gave a speech, speaking on her own behalf, before the National Society of Compliance Professionals (NSCP), entitled “When the Nail Fails.” As the title suggests, the speech includes a proverb about a nail and a horseshoe that Peirce explained is typically “used to illustrate that a seemingly inconsequential event can lead to grave consequences. A missing nail from a horseshoe leads to a series of bad events and ultimately the downfall of an entire kingdom.” Peirce, however, looked at that story from a slightly different perspective, asking, “Who is responsible when the nail fails?” She then used that proverb as a jumping-off point for analyzing when CCOs should be held personally liable.
Compliance During the Pandemic
Peirce acknowledged that, although the coronavirus pandemic has created “difficult conditions,” compliance professionals “adapt to changing circumstances with impressive alacrity [brisk and cheerful readiness] and skill.” In an increasingly complex regulatory environment, together with the additional complications caused by the pandemic, a good working relationship between CCOs at regulated entities and staff in the SEC’s Office of Compliance Inspections and Examinations (OCIE) is more important than ever, she said.
Under Pete Driscoll’s leadership, OCIE has sought to deepen that relationship, Peirce asserted. For example, “among other things, recognizing the unique difficulties of compliance during a pandemic in which everyone is being asked to function virtually, OCIE has provided relevant guidance,” she observed.
Personal Liability of CCOs
Reminiscing about her remarks before the NSCP in 2018, she noted that she had “shared the concerns expressed in some quarters that the increasing specter of personal liability could cause talented individuals to forgo a career in compliance, among other negative effects” – and she warned that “[t]hose concerns have increased over the past two years.”
“Compliance officers’ responsibilities are growing, but the nature of the liability they face in executing those responsibilities remains unclear,” Peirce observed. “Indeed, this past February, the New York City Bar published a report that distilled many of the concerns, and offered a number of recommendations.”
For guidance from the SEC on CCOs’ personal liability, “people still point back to a Keynote Address by [Andrew Ceresney] the then Director of the Division of Enforcement at [the NSCP’s] 2015 National Conference. In that speech, the Enforcement Director identified three broad categories of cases where the Commission has charged chief compliance officers,” Peirce observed.
1) CCOs Participated in Underlying Misconduct Unrelated to the Compliance Function
“The first category should not be controversial. After all, serving in a compliance capacity is not a get-out-of-jail-free card for clearly unlawful conduct. If it were, lots of bad actors would want the compliance officer title to shield them from liability,” Peirce remarked. “So, a compliance officer who, outside of her compliance functions, directly violates provisions of the securities laws is liable the same way anyone else would be.”
For example, if a CCO knows that an investment adviser is misappropriating client funds, does nothing to stop it, and participates in a scheme to hide the theft, the CCO is liable for that conduct no matter his or her compliance functions, posited Peirce. In those cases, “compliance personnel are liable on the same terms and to the same extent as any other bad actor. In other words, if you knowingly and intentionally use defective nails or willfully misplace the nails, you are responsible for the thrown shoe, no matter your compliance function,” she concluded.
2) CCOs Obstructed or Misled SEC Staff
The second category of cases relates more directly to compliance functions and typically involves facts where a CCO obstructs or misleads the SEC’s staff, Peirce said. In a recent example – and a case that Peirce supported – a compliance officer created and backdated compliance memoranda. When she subsequently provided them to OCIE staff, she described them as “a contemporaneous memorialization of the events, an assertion she knew to be false.”
“The Commission’s examination process is essential to its regulatory functions, and conduct that undermines the process must be addressed,” explained Peirce. “In another recent case, a compliance officer similarly misled the Commission’s examiners and enforcement staff by producing altered documents. The alteration was material because it created the appearance that the compliance officer had timely performed certain reviews when she had not.” Again, Peirce supported that case because it evidenced the sort of “knowing and intentional misconduct that materially undermines the examination process.”
3) CCOs Exhibited Wholesale Failures to Carry Out Their Duties
“The third category of cases, the ones involving a wholesale failure of a compliance officer is the one that understandably generates the most controversy and is the most challenging area for me,” Peirce commented. “Typically, in such cases, the Commission charges the compliance officer with aiding and abetting the company’s violations, causing the company’s violations, or both. The distinctions between these charges matter a great deal.”
“To establish that a compliance officer aided and abetted the company’s violation, the Commission must show that the compliance officer engaged in reckless conduct,” continued Peirce. “This standard is not simply negligence on steroids; rather, the evidence must show that there was ‘a danger so obvious that the [compliance officer] must have been aware of the danger.’”
In contrast, to establish that a compliance officer was the cause of a company’s violation, Peirce explained that “it is only necessary to show that the individual committed an ‘an act or omission the person knew or should have known would contribute’ to the violation.” The Commission and courts both have concluded that the “should have known” language sets a negligence standard for liability, she added. “Thus, where a company has committed a violation that does not require scienter – such as failing to have sufficient policies and procedures – a compliance officer can be held to have caused the violation based on her own negligent conduct,” she concluded.
Rule 206(4)‑7 under the Investment Advisers Act of 1940 (Advisers Act), the investment adviser’s compliance rule, exacerbates the problem, Peirce said. “It supports negligence-based charges against an adviser’s CCO, whom the rule makes ‘responsible for administering written policies and procedures’ that must be ‘reasonably designed’” to prevent violations of the Advisers Act and the rules adopted under it, she noted. In practice, however, the rule’s standard has looked more like strict liability.
“Just because the Commission can do something under our rules does not mean that we should do it,” Peirce cautioned. “Indeed, charging CCOs based on mere negligence could be harmful to our efforts to foster compliance because it dissuades people from taking jobs in compliance and can encourage dishonest efforts to ‘cover-up’ failings rather than openly correcting them.”
“In an attempt to provide some of the missing context around one CCO case, I would be remiss if I did not revisit my comments on the FINRA case that I discussed near the end of my remarks in 2018,” Peirce said. In that case, which is currently on appeal, FINRA imposed sanctions on the CCO partly because he failed “meaningfully to implement compliance programs, policies, and procedures.”
She stressed that FINRA administers its own rules and does not necessarily follow the same path as the SEC. “Moreover, the Commission’s review of FINRA’s disciplinary actions is, by statutory design, limited,” she added. “For these reasons, statements in the Commission’s orders reviewing FINRA disciplinary actions do not necessarily reflect the Commission’s view of how it should exercise its own enforcement discretion when enforcing its own statutes and rules.”
Consequences of Aggressively Charging CCOs
“Compliance personnel are vital to a firm’s compliance efforts, but an overly aggressive approach to charging CCOs when something goes wrong shifts responsibility for compliance from the firm to the CCO,” remarked Peirce. In Ceresney’s 2015 speech, he noted that “it is the business” – not the compliance officers – “that is primarily responsible for compliance with the law.” Peirce agreed with that sentiment.
Sometimes, however, the SEC’s enforcement actions send a different message, Peirce admitted. “Compliance officers . . . may find themselves second-guessed when there is a compliance failure,” she warned. For example, in an enforcement action several months before Ceresney’s speech, she noted that the SEC concluded that an adviser’s CCO “caused [the adviser’s] failure to adopt and implement these policies and procedures” because the CCO:
- “was responsible for the design and implementation of [the adviser’s] written policies and procedures”; and
- “knew and approved of numerous outside activities” by the advisor’s employees; but
- “did not recommend written policies and procedures to assess and monitor those outside activities and to disclose conflicts of interest.”
Peirce observed that then-Commissioner Daniel M. Gallagher warned that “[a]ctions like these are undoubtedly sending a troubling message that CCOs should not take ownership of their firm’s compliance policies and procedures, lest they be held accountable for conduct that, under Rule 206(4)‑7, is the responsibility of the adviser itself.”
Certain recent cases – including aiding and abetting, rather than simply causing, charges – raise similar concerns for Peirce. “We have brought cases, for example, when compliance officers have failed to identify and follow-up on ‘red flags’ in connection with firms’ failure to file suspicious activity reports,” she said. “Some might categorize these instances as wholesale failures on the part of a [CCO] to carry out her duties, but I worry that applying that label without first taking a step back from the particular violation alleged to consider the lapse in view of all the duties placed on a CCO.”
“A common response to concerns about charging CCOs with causing compliance failures at their firms is that it does not happen very often and that the sanctions typically are fairly light,” Peirce commented. She noted, however, that “the SEC’s enforcement actions can be career-ending and are always traumatic events for their subjects. So, questions of CCO liability are important and deserve more discussion.”
New York City Bar Report
To date, most of that conversation has centered around enforcement actions – not only the cases that the SEC brings but also those it does not bring against CCOs, Peirce observed. The New York City Bar Report on CCO liability recommends that the SEC do a better job of highlighting facts and circumstances underlying decisions to charge and to not charge CCOs. “Details about why we are charging a CCO can calm the fears of diligent, well-intentioned compliance personnel. Maybe the CCO being charged participated in the underlying securities violation, and perhaps she did so wearing her non‑CCO hat,” Peirce said. “Likewise, by providing sufficient detail when we do not charge a compliance officer, we illustrate what doing the job right looks like.”
For example, Peirce pointed out circumstances in which the SEC declined to impose personal liability on CCOs, including when CCOs: were ill-equipped for their jobs, were denied the resources necessary to do their jobs; or, were genuinely over-burdened with other duties.
The SEC also considers steps a CCO took to prevent and remediate failures, added Peirce. As the New York City Bar report points out, “Knowing what regulators believe that compliance officers did correctly in the face of potential misconduct is critical information.” Peirce added, “In short, context matters, and we can provide more of it.”
Need for More Guidance and Clarity
“[W]e should think about ways to provide guidance to compliance professionals about what a wholesale compliance failure means and how to avoid one. Some of that guidance comes not from a regulator but organically through what you are doing right now – coordinating and collaborating with your fellow compliance professionals,” Peirce commented. “Compliance officers occupy a unique position in the corporate constellation – they are not on the business side, but not really on the legal side either, even though many CCOs are lawyers.”
Although there is currently no governing body or entity that regulates the professional conduct or actions of CCOs, Peirce argued that “the absence of a formal regulatory structure, however, makes room for grass-roots based standards of conduct.” A departure from those standards of conduct is not necessarily a basis for a regulator to impose liability, but she noted that “compliance personnel can point to adherence to those standards as a reason for why a regulator ought not to impose liability.”
Peirce acknowledged that “the Commission can provide guidance about when it will bring enforcement actions against compliance officers.” For instance, a framework detailing which circumstances will cause the SEC to seek personal liability and which circumstances will militate against personal liability would help the compliance community by “eliminating uncertainty and inspiring good practices.”
That type of framework would also aid the SEC’s staff in deciding whether to charge CCOs, Peirce noted. “To further this approach, I am considering developing a draft framework to share with my colleagues,” adding that she welcomes input on what factors are relevant to the decision about whether to charge compliance personnel.
Peirce also recommended examining how well the compliance rules under the Advisers Act and the Investment Company Act of 1940 are functioning. “As Commissioner Gallagher pointed out five years ago, Rule 206(4)‑7 ‘is not a model of clarity.’ Nothing has happened since then to elucidate the rule,” she commented. “More generally, I am concerned that we appear to assume that every securities violation we find indicates a problem with the firm’s compliance program. A firm that has reasonably designed policies and procedures nevertheless can experience a securities violation.”
“The most fruitful way to provide greater clarity is through a collaborative effort. Because we want you to be successful in infusing good compliance practices into your firms, your day-to-day challenges and concerns should inform the way we approach liability for compliance officers,” Peirce remarked. “As for how to move the conversation forward, I believe the New York City Bar Report sets forth some sensible recommendations.” One of those suggestions, she noted, is the creation of public-private advisory groups “charged with meeting periodically to discuss current and potential regulatory, examination, and enforcement efforts, and to publish guidance and recommendations to compliance officers and regulators reflecting the insight of both regulators and the regulated.”
“Although there are myriad complications to that kind of public-private advisory group, the Commission has benefited greatly from its investor, small business, asset management, equity, and fixed income advisory committees,” Peirce observed. “A similar committee of compliance officers might make sense, even if only on a temporary basis to help produce a draft framework regarding personal liability. The precise parameters of such a group would need to be carefully considered to maximize its benefits, but the idea is worth pursuing.”
She suggested that the SEC could make a habit of conducting periodic public roundtables with compliance officers as an alternative. I think this is a great idea and I hope a few competent practitioners are included in those discussions.
Lastly, do the right thing from day one and liability is diminished!
Stay safe and be well!
Attribution and Sources:
Robin L. Barton, Anti-Corruption Report, November 11, 2020
See “DOJ, SEC Offer Dialogue, Understanding as Enforcement Continues During Pandemic” (May 27, 2020).
See “‘A Slap on the Wrist’: Former Cognizant COO Settles SEC Bribery Charges for $50,000” (Oct. 2, 2019).
See “When Is an Individual ‘Substantially’ Involved in a Crime?” (Feb. 6, 2019).
See “Broken Windows, Admissions and Stale Conduct: The State of Enforcement at the SEC” (Nov. 15, 2017).
See “Government and Defense Attorneys Discuss Hot-Button SEC Issues” (Nov. 18, 2018).
See “Ceresney and Caldwell Remarks Highlight New SEC Self-Reporting Policy, Cooperation, Remediation and Transparency” (Dec. 2, 2015) and “Ceresney and Yates Continue to Stress Individual Accountability, Voluntary Reporting, and Cooperation” (Dec. 7, 2016).