The Controversy Over Compliance Officer Liability: SEC Judge Sides With the Compliance Profession

Aug. 31, 2015, 4:00 AM UTC

I. Background on Compliance Officer Liability

A debate has been raging over whether the Securities and Exchange Commission has been too harsh in its enforcement actions involving compliance officers. This debate began a few years ago, when the SEC charged the general counsel of a broker-dealer under a failure to supervise theory of liability. On October 19, 2009, the SEC instituted an administrative proceeding against Theodore Urban, the former general counsel of a broker-dealer, alleging that he had “failed to supervise” a registered representative of the firm. [Footnote 1: In re Theodore W. Urban, Administrative Proceeding File No. 3-13655 (Oct. 19, 2009).] Urban was alleged to have been alerted to possible wrongdoing by a registered representative of the firm, to have tried to investigate and to stop any misconduct, but to have done too little. On first glance, it is difficult to identify a theory of liability under which Urban could be charged. He did not commit illegal acts, did not aid and abet or cause others to commit illegal acts, and was not the line supervisor of any wrongdoer. Nonetheless, the SEC asserted a theory of liability first articulated two decades ago under which a legal or compliance officer holding a senior position within the firm can be held liable for a failure to take affirmative action to investigate and to prevent misconduct that such officer had reason to suspect was taking place. [Footnote 2: In re John Gutfreund, 51 S.E.C. 93, Release No. 34-31554, 1992 WL 362753, *15-16 (1992).] On January 26, 2012, the case was finally resolved, but without in any way clarifying the theory under which legal and compliance officers can be held liable. [Footnote 3: https://www.sec.gov/litigation/admin/2012/34-66259.pdf.] Instead, the SEC dismissed the case because all but two of the Commissioners had recused themselves, and the two remaining Commissioners were split in their views. Urban was vindicated, but with legal and compliance officers left with no clear guidance as to the standard of liability that applies to their conduct. [Footnote 4: However, on September 30, 2013, the SEC’s Division of Trading and Markets released “Frequently Asked Questions about Liability of Compliance and Legal Personnel at Broker-Dealers,” attempting to clarify the issues raised by Urban. https://www.sec.gov/divisions/marketreg/faq-cco-supervision-093013.htm.]

Three recent cases have heightened the concerns about the potential liability of compliance officers. In a recent litigated administrative proceeding, the Judge found that a firm’s CEO had not been sufficiently aware of misconduct by others to be held liable, while a compliance officer was found to have “caused” violations by others. [Footnote 5: In the Matter of Thomas R. Delaney II and Charles W. Yancey, Administrative Proceeding File No. 3-15873 (Initial Decision, March 18, 2015).] In this case, the Judge found Delaney, the CCO of a broker-dealer, liable for causing violations of the securities laws by a business unit within his firm. Specifically, despite evidence that the business unit leaders involved understood their obligations under the securities laws, the CCO was held liable for “causing” the violation because, in essence, the compliance officer failed to detect soon enough that the business unit was violating short selling rules. Significantly, in this case, where the underlying violation did not require scienter, the Judge concluded, in hindsight, that the CCO’s negligent failure to identify problematic activities early enough was itself the “cause” of a violation.

In a settled enforcement action a few weeks later, the SEC found that a firm had failed adequately to disclose conflicts of interests created when one of its star portfolio managers had taken steps to start an energy company while simultaneously managing funds in the energy sector. [Footnote 6: In the Matter of BlackRock Advisors, LLC, Administrative Proceeding File No. 3-16501 (April 20, 2015).] The SEC also charged the firm’s CCO, the only individual charged in this action, with causing the firm’s Rule 206(4)-7 violations based upon a failure to ensure that the firm had appropriate compliance policies and procedures to assess and monitor the outside activities of employees and to disclose conflicts of interest to fund boards and advisory clients. He was also charged with causing a Rule 38a-1 violation by failing to report to the fund board an alleged material compliance matter related to the portfolio manager’s failure to comply with the firm’s private investment policy.

Finally, in an even more recent enforcement action, a chief compliance officer was charged with causing a misappropriation despite, upon learning of the possible violation, his “promptly [conducting] an internal investigation” resulting in the offender’s termination, and reporting the matter to law enforcement. [Footnote 7: In the Matter of SFX Financial Advisory Management Enterprises, Inc., Administrative Proceeding File No. 3-16591 (June 15, 2015).] Instead of crediting what ordinarily would be seen as prompt remedial steps taken by the compliance officer, the SEC charged him with causing the violation on the theory that the CCO “was responsible for implementation of the policies and procedures,” and that, upon reflection, those procedures were not reasonably designed to prevent the misappropriation of client funds.

These recent actions prompted Commissioner Gallagher to release a rare public dissent from the two recent settled enforcement actions. [Footnote 8: Statement on Recent SEC Settlements Charging Chief Compliance Officers With Violations of Investment Advisers Act Rule 206(4)-7, Commissioner Daniel M. Gallagher (June 18, 2015), http://www.sec.gov/news/statement/sec-cco-settlements-iaa-rule-206-4-7.html.] In this dissent he argued that:

  • [t]he Commission must take a hard look at Rule 206(4)-7 and consider whether amendments, or at a minimum staff or Commission-level guidance, are needed to clarify the roles and responsibilities of compliance personnel under the rule so that these individuals are not improperly held accountable for the misconduct of others. The status quo simply will not do. As it stands, the Commission seems to be cutting off the noses of CCOs to spite its face.

Commissioner Gallagher’s dissent then prompted two public rebuttals, one from Commissioner Aguilar [Footnote 9: The Role of Chief Compliance Officers Must be Supported, Commissioner Luis A. Aguilar (June 29, 2015), http://www.sec.gov/news/statement/supporting-role-of-chief-compliance-officers.html.] and another from Chair White. [Footnote 10: Opening Remarks at the Compliance Outreach Program for Broker-Dealers, Chair Mary Jo White (July 15, 2015), http://www.sec.gov/news/speech/opening-remarks-compliance-outreach-program-for-broker-dealers.html.] In a rare public defense of his support for the recent enforcement actions against compliance officers, Commissioner Aguilar attempted to summarize the cases:

  • The vast majority of these cases involved CCOs who “wore more than one hat,” and many of their activities went outside the traditional work of CCOs, such as CCOs that were also founders, sole owners, chief executive officers, chief financial officers, general counsels, chief investment officers, company presidents, partners, directors, majority owners, minority owners, and portfolio managers. Many of these cases also involved compliance personnel who affirmatively participated in the misconduct, misled regulators, or failed entirely to carry out their compliance responsibilities.

Commissioner Aguilar attempted to reassure compliance officers that “CCOs are vital to the protection of investors and the integrity of the capital markets. To that end, the Commission works to support CCOs who strive to do their jobs competently, diligently, and in good faith—and these CCOs should have nothing to fear from the SEC.”

Chair White also recently spoke directly to the standards the SEC applies in deciding to charge a compliance officer:

  • it is not our intention to use our enforcement program to target compliance professionals. We have tremendous respect for the work that you do. You have a tough job in a complex industry where the stakes are extremely high. That being said, we must, of course, take enforcement action against compliance professionals if we see significant misconduct or failures by them. Being a CCO obviously does not provide immunity from liability, but neither should our enforcement actions be seen by conscientious and diligent compliance professionals as a threat. We do not bring cases based on second guessing compliance officers’ good faith judgments, but rather when their actions or inactions cross a clear line that deserve sanction.

The question Chair White’s speech leaves unanswered is where this “clear line” of liability lies.

II. The Wolf Case

Against this highly charged public debate about the SEC’s recent enforcement actions against compliance officers, a decision by Administrative Law Judge Elliot provides striking support for compliance officers. [Footnote 11: In the Matter of Judy K. Wolf, Administrative Proceeding File No. 3-16195 (Initial Decision, Aug. 5, 2015).] The case involves Judy Wolf, who was a compliance officer, but not the chief compliance officer, of a large firm that is registered as a broker-dealer and investment adviser. In September 2010, Wolf was asked to review the trading of a registered representative at her firm to determine whether insider trading had occurred. Wolf created a document memorializing her review, concluding that insider trading had not occurred. This turned out to be incorrect. The registered representative was later sued by the SEC for insider trading and found liable. In late 2012, the SEC began to investigate Wolf’s conduct and, in connection with this investigation, Wolf allegedly altered her 2010 document to make it appear that her September 2010 review was more thorough than it actually was. The altered document was produced to the SEC staff without mention of its alteration and Wolf at first claimed that the expanded document had been prepared in 2010, although she later admitted this was not the case. The case was tried and decided on August 5, 2015 by Judge Elliot.

In his decision, Judge Elliot found that the Division of Enforcement had proven all of the alleged violations. In particular, Judge Elliot found that Ms. Wolf had altered the compliance log in 2012 and had testified falsely about her conduct when initially questioned about this. Judge Elliot specifically found that Ms. Wolf had acted with scienter. Judge Elliot also found there was a legal basis for imposing a sanction against Ms. Wolf. Nonetheless, Judge Elliot declined to impose any sanction upon Ms. Wolf and dismissed the case against her.

Although Judge Elliot noted that Ms. Wolf’s conduct was isolated, she was unlikely to reenter the financial service industry, and her ability to pay a large fine is limited, the primary basis for Judge Elliot’s dismissal of the case against Ms. Wolf is a policy argument – the fact that Ms. Wolf was a compliance officer. In striking and forceful language, Judge Elliot stated that:

  • [t]here is one additional consideration: the fact that Wolf worked in compliance. Obviously, compliance professionals are subject to the securities laws like everyone else. But Wolf is correct to complain that in compliance, “the risk is much too high for the compensation.” Tr. 439. In my experience, firms tend to compensate compliance personnel relatively poorly, especially compared to other associated persons possessing the supervisory securities licenses compliance personnel typically have, likely because their work does not generate profits directly. But because of their responsibilities, compliance personnel receive a great deal of attention in investigations, and every time a violation is detected there is, quite naturally, a tendency for investigators to inquire into the reasons that compliance did not detect the violation first, or prevent it from happening at all. The temptation to look to compliance for the “low hanging fruit,” however, should be resisted. There is a real risk that excessive focus on violations by compliance personnel will discourage competent persons from going into compliance, and thereby undermine the purpose of compliance programs in general. That is, “we should strive to avoid the perverse incentives that will naturally flow from targeting compliance personnel who are willing to run into the fires that so often occur at regulated entities.” Comm’r Daniel M. Gallagher, Statement on Recent SEC Settlements Charging Chief Compliance Officers With Violations of Investment Advisers Act Rule 206(4)-7 (June 18, 2015)

This forceful language is particularly striking coming from one of the SEC’s own Administrative Law Judges. It has been widely reported that the SEC is bringing more of its cases before its administrative law judges, rather than filing them in federal district court, because the SEC’s success rate before administrative law judges is much higher than its success rate before federal district judges. [Footnote 12: “SEC Wins with In-House Judges,” Wall Street Journal, May 6, 2015, http://www.wsj.com/articles/sec-wins-with-in-house-judges-1430965803.] Indeed, in recent years, the SEC has been winning over ninety percent of its cases before administrative law judges and less than sixty-nine percent of its cases before federal district judges. If the SEC cannot win a case it has successfully proven before one of its own administrative law judges, as the Wolf case illustrates, it seems unlikely it will enjoy greater success before a federal district judge.

Even more striking is the policy argument upon which Judge Elliot based his decision. Judge Elliot is correct that compliance officers are often poorly paid and that their firms often do not adequately support their efforts. He is also correct that in many cases, and certainly in the case against Ms. Wolf, compliance officers do not participate in or assist wrongdoing and do not profit from the wrongdoing of others. Rather, they strive to prevent wrongdoing, although they do not always succeed in spite of their best efforts. Judge Elliot is also correct that “[t]here is a real risk that excessive focus on violations by compliance personnel will discourage competent persons from going into compliance, and thereby undermine the purpose of compliance programs in general.”

III. Protecting Compliance Officers from Liability

Although the Wolf case offers hope that prosecutions against compliance officers may decline, this is not necessarily the case. The Division of Enforcement can still appeal Judge Elliot’s decision in the Wolf case and other cases can be filed against compliance officers. In light of this uncertainty, compliance officers would be well advised to take prudent steps to protect themselves in the current enforcement environment. Some possible steps are outlined below.

A. Develop a clear job description and a clear mission statement for the compliance group.

Since the compliance function can be interpreted in different ways at different firms, it is important to specify the responsibilities of individual compliance officers and the compliance department. For example, recent SEC guidance has suggested that compliance may have a role in cybersecurity. [Footnote 13: “In the staff’s view, funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks. Funds and advisers could also mitigate exposure to any compliance risk associated with cyber threats through compliance policies and procedures that are reasonably designed to prevent violations of the federal securities laws. For example, the compliance program of a fund or an adviser could address cybersecurity risk as it relates to identity theft and data protection, fraud, and business continuity, as well as other disruptions in service that could affect, for instance, a fund’s ability to process shareholder transactions. Accordingly, funds and advisers may wish to consider reviewing their operations and compliance programs and assess whether they have measures in place that are designed to mitigate their exposure to cybersecurity risk. Because funds and advisers are varied in their operations, they should tailor their compliance programs based on the nature and scope of their businesses. Additionally, because funds and advisers rely on a number of service providers in carrying out their operations, funds and advisers may also wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers.” IM Guidance Update, April 2015, http://www.sec.gov/investment/im-guidance-2015-02.pdf.] While this is certainly a function compliance officers can assume if they have the necessary expertise and resources, they are not obligated to do so and should not do so if they lack the necessary expertise and resources. Thus, by way of example, it can be important to specify, in advance of any problem, that compliance officers are not responsible for overseeing their firm’s cybersecurity efforts.

B. Document clear lines of supervision within the firm.

Failure to supervise liability is generally imposed upon persons who are deemed to be supervisors of others who commit wrongdoing. [Footnote 14: As noted above, failure to supervise liability has also been imposed upon persons who are not traditional line supervisors but hold significant management positions in their firms. This theory of supervisory liability was first asserted in In re John Gutfreund, 51 S.E.C. 93, Release No. 34-31554, 1992 WL 362753, *15-16 (1992), where the SEC stated in dictum that a firm’s chief legal counsel, who directly supervised the firm’s CCO, could be disciplined for a failure to supervise based on the misconduct of employees for whom he was not the direct supervisor but where the CLO/CCO had knowledge of possible misconduct and the authority to intervene to prevent it. Gutfreund represents an expansion of traditional failure to supervise claims to non-line supervisors. This theory was most clearly and forcefully advocated in a 1993 speech by then SEC Commissioner Mary Schapiro, who said “the facts and circumstances which may make you ‘become’ a supervisor vis-a-vis a particular employee, when formerly you were not, are (1) your knowledge and awareness of allegedly improper conduct, and (2), being so situated within a firm that you have some ability to affect the conduct at issue.” Mary L. Schapiro, Commissioner, U.S. Securities and Exchange Commission, SIA Compliance and Legal Seminar: Broker-Dealer Failure to Supervise: Determining Who is a “Supervisor”, at 15 (Mar. 24, 1993).] A person is deemed to be a supervisor when he or she has the power to hire, fire, discipline, or set the compensation of another person. [Footnote 15: “A person’s actual responsibilities and authority, rather than, for example, his or her ‘line’ or ‘non-line’ status, determine whether he or she is a ‘supervisor’ for purposes of Exchange Act Sections 15(b)(4) and 15(b)(6). Among the questions to consider in this regard:

  • Has the person clearly been given, or otherwise assumed, supervisory authority or responsibility for particular business activities or situations?
  • Do the firm’s policies and procedures, or other documents, identify the person as responsible for supervising, or for overseeing, one or more business persons or activities?
  • Did the person have the power to affect another’s conduct? Did the person, for example, have the ability to hire, reward or punish that person?
  • Did the person otherwise have authority and responsibility such that he or she could have prevented the violation from continuing, even if he or she did not have the power to fire, demote or reduce the pay of the person in question?
  • Did the person know that he or she was responsible for the actions of another, and that he or she could have taken effective action to fulfill that responsibility?
  • Should the person nonetheless reasonably have known in light of all the facts and circumstances that he or she had the authority or responsibility within the administrative structure to exercise control to prevent the underlying violation?”

Frequently asked questions about liability of compliance and legal personnel (Sept. 30, 2013), https://www.sec.gov/divisions/marketreg/faq-cco-supervision-093013.htm.]

If a person is deemed to be the supervisor of another person, the supervisor can be liable for failure to supervise if the supervised person violates the law. All the SEC needs to assert in such a claim is that a person was the supervisor of another person who violated the law. The burden of proof then shifts to the supervisor to prove that he or she exercised reasonable supervision over the wrongdoer.

While it is often clear who a person supervises, there can be ambiguous situations. The best way to resolve these ambiguities is clearly to specify the lines of supervision in advance of any violations. In general, compliance officers need not supervise business persons within their firms and generally should not do so. [Footnote 16: “Question 1. Is a chief compliance officer or any other compliance or legal personnel a supervisor of broker-dealer business personnel solely by virtue of the compliance or legal position? Answer: No. Compliance and legal personnel are not ‘supervisors’ of business line personnel for purposes of Exchange Act Sections 15(b)(4) and 15(b)(6) solely because they occupy compliance or legal positions. Determining if a particular person is a supervisor depends on whether, under the facts and circumstances of a particular case, that person has the requisite degree of responsibility, ability or authority to affect the conduct of the employee whose behavior is at issue.” Frequently asked questions about liability of compliance and legal personnel (Sept. 30, 2013), https://www.sec.gov/divisions/marketreg/faq-cco-supervision-093013.htm.]

C. Review the firm’s policies and procedures. Repeal any that are not being followed.

Compliance officers are often criticized when their firm adopts policies and procedures that are not followed. [Footnote 17: In re SFX Financial Advisory Management Enterprises, Inc., Admin Pro. No. 3-16591 (June 15, 2015) (“SFX’s compliance policy required, among other things, that there be a review of “cash flows in client accounts.” SFX and Mason did not effectively implement this provision for the client accounts used for bill-paying services. In addition, SFX did not have a reasonable basis to believe, after due inquiry, that custodians were providing clients with bank statements.”); In re Monness, Crespi, Hardy & Co., Admin. Pro. No. 3-16025 (Aug. 20, 2014) (“MCH failed to enforce two of its written compliance procedures, which required MCH to maintain a restricted list and required employees to submit a report of their securities transactions.”).] This sometimes arises from inattention and sometimes because policies or procedures are simply copied from a template with little consideration given to how to follow them. This can give rise to liability for the compliance officer. To avoid this problem, the CCO should periodically review the firm’s policies and procedures and repeal any that are not being followed.

D. Continue all required compliance testing and reviews, even during emergencies.

In the recent SFX case, a compliance officer was sued for (among other violations) failing to conduct the annual compliance review while distracted by an investigation of serious misconduct. [Footnote 18: “In the midst of an internal investigation following the discovery of Ourand’s misappropriation, SFX did not conduct an annual review of its compliance program in 2011. Mason was responsible for ensuring the annual review was completed and was negligent in failing to conduct the annual review.” In re SFX Financial Advisory Management Enterprises, Inc., Admin Pro. No. 3-16591 (June 15, 2015), http://www.sec.gov/litigation/admin/2015/ia-4116.pdf.] The SEC apparently gave no recognition to the unique emergency the compliance officer faced. The lesson is that there is no excuse for failing to conduct required testing and reviews, even during emergencies.

E. Respond to all red flags of possible misconduct. Pay particular attention to whistleblower reports.

Compliance officers are frequently sued when they fail to respond to warnings of possible misconduct. The SEC has set forth the following standard for responding to “red flags,” or warnings of possible misconduct:

  • “The ‘supervisory obligations imposed by the federal securities laws require a vigorous response even to indications of wrongdoing.’ In re John H. Gutfreund, Exchange Act Release No. 31554, 1992 SEC LEXIS 2939, at *34 (Dec. 3, 1992). Thus, supervisors must respond not only when they are ‘explicitly informed of an illegal act,’ but also when they are ‘aware only of ‘red flags’ or ‘suggestions’ of irregularity.’ See id. at *34-35. In addition, ‘[e]ven where the knowledge of supervisors is limited to ‘red flags’ or ‘suggestions’ of irregularity, they cannot discharge their supervisory obligations simply by relying on the unverified representations of employees.’ Id. at *35. ‘Red flags and suggestions of irregularities demand inquiry as well as adequate follow-up and review.’ In re Edwin Kantor, Exchange Act Release No. 32341, 1993 SEC LEXIS 1240, at *16 (May 20, 1993).” [Footnote 19: In the Matter of George M. Lintz, Exchange Act Rel. 43961 (Feb. 14, 2001).]

F. Address the “two hats” problem.

In his recent statement on compliance officer liability, Commissioner Aguilar noted that many cases involving compliance officers arise where they performed other functions in addition to the compliance role.

Addressing this problem can be difficult. In some cases, it may be possible for compliance officers to abandon their other responsibilities. When this is not possible, someone can be brought in to oversee the compliance officer’s other, noncompliance activities, thereby providing independent compliance oversight over all aspects of the firm’s businesses. If this is not possible, it may be prudent to disclose the arrangement to the firm’s clients, although this may be an imperfect solution to the problem.

G. Escalate all material issues to senior management.

Compliance officers do not control their firms and do not have the authority to correct all violations that are detected. Rather, they depend on senior management to run the firm effectively. The SEC has expressly said that when a compliance officer detects possible misconduct, this must be escalated to senior management:

  • “Once a person in [the general counsel’s] position becomes involved in formulating management’s response to the problem, he or she is obligated to take affirmative steps to ensure that appropriate action is taken to address the misconduct. For example, such a person could direct or monitor an investigation of the conduct at issue, make appropriate recommendations for limiting the activities of the employee or for the institution of appropriate procedures, reasonably designed to prevent and detect future misconduct, and verify that his or her recommendations, or acceptable alternatives, are implemented. If such a person takes appropriate steps but management fails to act and that person knows or has reason to know of that failure, he or she should consider what additional steps are appropriate to address the matter. These steps may include disclosure of the matter to the entity’s board of directors, resignation from the firm, or disclosure to regulatory authorities.” [Footnote 20: In re John Gutfreund, 51 S.E.C. 93, Release No. 34-31554, 1992 WL 362753, *15-16 (1992) (emphasis added).]

Thus, in all cases in which serious violations of law are suspected, the issues should be escalated to senior management.

H. Request permission to obtain advice from independent legal counsel if there is a disagreement with senior management.

The Gutfreund standard expressly contemplates that a compliance officer will not simply defer to senior management. Rather, the compliance officer must make an independent effort to resolve the issue. Consultation with independent counsel retained by the compliance officer can help to resolve issues when the compliance officer is not fully comfortable with the resolution by senior management. This also offers a middle ground from the more draconian measures of resignation or report to the SEC in cases in which the compliance officer feels uncomfortable with the response from senior management.

I. Resign if management will not address serious concerns.

The Gutfreund case contemplates resignation as a possible alternative if management does not respond to the compliance officer’s concerns. Although this is clearly a last resort response, it must be considered as an option.

J. Obtain adequate indemnification and insurance protection.

If the compliance officer’s conduct is investigated, defense may be costly. The Urban matter was litigated through trial and appeal at a cost of millions of dollars. Very few compliance officers have the resources to pay for such defense efforts without assistance. To ensure adequate resources are available if there is a need to defend an investigation, compliance officers need to be protected with both indemnification rights, so that their employer will pay appropriate defense costs, and insurance coverage, so that even if their employer cannot afford to honor its indemnification obligations there are adequate resources available to pay for defense efforts.
