Compliance Officers in the SEC’s Crosshairs

Compliance officers are in the Securities and Exchange Commission’s crosshairs. The SEC’s Director of Enforcement, Andrew Ceresney, said in a keynote speech during the Compliance Week 2014 conference, “I need to be clear that we have brought – and will continue to bring – actions against legal and compliance officers when appropriate.” ¹Director Andrew Ceresney, Keynote Address at Compliance Week 2014, Washington, DC (May 20, 2014), available at http://www.sec.gov/News/Speech/Detail/Speech/1370541872207. The troubling aspect of those comments is not that the SEC will continue to bring enforcement actions against compliance officers —the SEC historically has targeted compliance officers who actively engage in wrongdoing. Rather, it is the undefined and amorphous “when appropriate” standard that is giving compliance officers consternation. As Commissioner Stein recognized at the same conference, the SEC has not defined what the “right behavior” is for compliance officers or when the SEC will deem it “appropriate” to bring enforcement actions against compliance officers. ²Commissioner Kara M. Stein, Keynote Address at Compliance Week 2014, Washington, DC (May 20, 2014), available at http://www.sec.gov/News/Speech/Detail/Speech/1370541857558. Commissioner Stein acknowledged that this lack of guidance “creates uncertainty, which I believe is at the heart of the concerns that I’ve heard about CCO liability.” ³Id. Addressing this void would provide much needed clarity to compliance officers and their employers.

The SEC’s stated intention to increase the number of enforcement actions against compliance officers while also recognizing that it has not defined the “right behavior” for compliance officers justifiably causes concern. It is like playing a game in which one player can make up the rules as the game is played. In the absence of rules, one can only attempt to discern what the SEC considers to be the “right behavior” by analyzing situations where the SEC has identified the “wrong behavior.” This is not an effective way to implement governing principles for compliance officers.

The SEC has brought enforcement actions against compliance officers in a broad range of situations. There are the traditional situations where the SEC has pursued compliance officers who have participated in securities law violations or have provided misleading information to regulators. See, e.g., In re Wolf̧ Exchange Act Release No. 73350 (Oct. 15, 2014) (compliance officer altered a document summarizing her review of trading that was produced to the SEC). Most do not take issue with the SEC imposing sanctions in these types of situations.

Of more concern are situations where the SEC has pursued actions against compliance officers not because they engaged in wrongdoing, but because, in the SEC’s view, they did not sufficiently follow their firms’ procedures. For example, in In re Meade, Advisers Act Release No. 3855 (June 11, 2014), the SEC sanctioned a Chief Compliance Officer for aiding and abetting his firm’s violations (based on an employee’s insider trading) by, among other things, not reviewing certain reports as required by the firm’s policies and procedures, and not placing securities on a “watch list.” There is a fine line between a compliance officer not doing his or her job as well as expected and being a respondent in an SEC enforcement action. Where that line is drawn is not always clear.

What really keeps compliance officers up at night, however, are instances where the SEC has sanctioned CCOs who actually followed up on red flags but in doing so, as Commissioner Stein has described, were “not asking the tough questions, and not demanding answers.” For example, in In re Rizzo, Exchange Act Release No. 67479 (July 20, 2012), the SEC brought an enforcement action against the CCO in connection with an employee’s misappropriation of $7 million in clients’ funds. Although the CCO noticed the withdrawals and asked the employee about them, the SEC did not think the CCO’s actions were sufficient because, in the SEC’s view, the CCO “routinely accepted, without further inquiry, whatever explanation” the employee provided. The SEC further criticized the CCO for failing to contact the employee’s clients, accepting “incredible excuses” from the employee, and failing to inquire about several checks that the employee had bounced. Notably, the SEC did not accuse the CCO of completely ignoring red flags or failing to conduct any inquiries. Instead, without the pressures of having to act in real-time, and with the benefit of more complete information, the SEC subjectively concluded that the CCO should have done more. Compliance officers often must make judgment calls without the benefit of perfect information. Not knowing when and how the SEC will second-guess those judgment calls is a real concern for compliance officers.

Adding to CCOs’ concerns, the SEC has taken an aggressive approach in charging compliance officers with failing to supervise individuals outside of their reporting chains. On Sept. 30, 2013, the SEC issued a frequently asked question stating its view that a compliance officer can become a supervisor “even if he or she did not have the power to fire, demote or reduce the pay of the person in question,” if they “otherwise have the authority and responsibility such that he or she could have prevented the violation from continuing.” This is not a useful standard because once a compliance officer begins reviewing an issue, it may be theoretically possible for the compliance officer to prevent many types of subsequent wrongdoing other than perhaps conscious and calculated misconduct. Such an approach has the perverse effect of providing a disincentive for compliance officers to do more than what is specifically required by their firm’s policies and procedures.

Compliance officers’ jobs are extraordinarily difficult, and effectively forcing them to be constantly looking over their shoulders and being worried about their own personal liability creates an unnecessarily antagonistic relationship with regulators. Will becoming too involved in a situation establish supervisory liability? Will not being involved enough result in the SEC claiming that the compliance officer did not ask sufficient questions? These types of practical concerns create the very real risk of driving talented people away from the compliance field and into other areas where the risk-reward ratio is more balanced and the standards of conduct are better defined.

Though there are no clear-cut rules for compliance officers to avoid becoming the subject of an enforcement action, certain practical steps can minimize that risk.

Document the Periodic Reviews and Assessments of the Policies and Procedures.

Compliance officers should document the steps taken to periodically review and assess the effectiveness of the firm’s policies and procedures. With good documentation, the compliance officer will be more effectively able to contest an assertion by the SEC that a securities law violation was due to the lack of reasonable policies and procedures.

Document Any Exceptions to the Policies and Procedures.

It is critically important to tailor the policies and procedures to how the firm actually operates. Avoid creating unnecessary obligations that are unlikely to be followed, as that gives the SEC easy ammunition to use against a compliance officer. Although compliance officers should generally follow the policies and procedures, exceptions inevitably arise. As it is impossible to anticipate every conceivable scenario, a compliance officer may determine that it is more effective in a specific circumstance to deviate from a particular policy or procedure. When a compliance officer decides it is necessary to pursue a different approach, the reason for the exception should be contemporaneously documented. If the SEC later questions why the policies and procedures were not followed, such documentation will be important evidence in demonstrating that the deviation was not due to ignorance or disregard of the policies and procedures, but instead was well thought out and reasonable under the circumstances.

Document the Follow-Up to Red Flags.

One of the frequent bases the SEC cites for bringing enforcement actions against compliance officers is that the compliance officer ignored warning signs of improper conduct and/or did not follow-up vigorously enough. As Commissioner Stein emphasized, when there are red flags, the SEC expects compliance officers to as “tough questions” and demand answers. It is imperative that compliance officers not only follow-up on red flags, but document the actions they take and the reasons why they believe those actions are sufficient. Such documentation can be critical in demonstrating how they fulfilled their responsibilities.

A common thread for minimizing the possibility of an enforcement action is being vigilant in documentation. SEC investigations are inevitably viewed through the lens of hindsight, often years after the relevant events. In the absence of documentation, the only evidence of why certain actions were or were not taken may be faded memories. Without documentation, the SEC will likely view the compliance officer’s justifications with skepticism.

Compliance officers are on the front lines of trying to detect and prevent misconduct, and the SEC (and other regulators) should be trying to empower them. SEC actions against compliance officers are frequently based on subjective after-the-fact assessments without clear standards as to how the SEC will make those assessments. Until the SEC provides greater clarity, compliance officers live in an uncertain world with respect to being potential subjects of enforcement actions. By adhering to the mantra, document, document, document, compliance officers can reduce the risk that the SEC will second-guess their real-time judgments.