Most securities regulations, by design, create a gray world where compliance is not crystal-clear, but, rather, subject to interpretation. After all, what you think constitutes “reasonable” supervision and what FINRA or the SEC think is reasonable may very well be two extremely different things. Indeed, it is the existence of subjective standards of conduct like this that, ultimately, put food on my table, as people and firms hire me to advocate on their behalves that they have met such standards. (When the issue is black-and-white, alas, I am reduced to arguing what the appropriate remedial sanctions ought to be.) Sometimes I win, sometimes not, but there is always plenty of room to accommodate the discussion.
That is not the case, however, in those relatively rarer instances where a rule is plain and simple enough that the issue of compliance vs. non-compliance cannot generate any legitimate debate. When a rule is like that, and articulates a specific standard in clear, precise language, there is no real excuse for violating it. Yet…somehow, perhaps inexplicably, firms can still be counted upon to get it wrong.
Guggenheim Securities discovered this hard truth a week or so ago, as reflected in this short-and-sweet SEC settlement. The facts, blessedly, are awfully straightforward:
- One of the explicit purposes of the Dodd-Frank Act was “to encourage whistleblowers to report possible securities law violations.”
- To help fulfill this Congressional purpose, the SEC created Rule 21F-17, which provides that “[n]o person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”
- That rule became effective in 2011.
- Despite the existence of that rule, from at least April 15, 2016 to July 2020, Guggenheim’s Compliance Manual included a section called “Communications with Regulators,” which stated, in relevant part: “Employees are also strictly prohibited from initiating contact with any Regulator without prior approval from the Legal or Compliance Department. This prohibition applies to any subject matter that might be discussed with a Regulator . . . . Any employee that violates this policy may be subject to disciplinary action by the Firm.”
- In 2018 and 2019, as part of its annual compliance training, Guggenheim reminded its employees that they were “prohibited from initiating contact with any regulator without prior approval from Legal or Compliance.”
- While Guggenheim’s majority indirect owner, Guggenheim Capital, LLC, maintained a Code of Conduct that provided it “should not be interpreted to restrict or interfere with any employee’s rights, free speech, or any whistleblower protections under applicable laws, regulations and requirements,” Guggenheim’s Compliance Manual provided that in the event its policies were “more restrictive” than a Guggenheim Capital policy, Guggenheim “personnel should follow the more restrictive of the policies or procedures, absent explicit direction to the contrary.”
When the SEC discovered this, and apparently brought the problem to the attention of the firm, Guggenheim promptly revised the offending language to remove the impediment to any employee who might be interested in blowing the whistle. Somehow, it seems that the SEC gave Guggenheim credit for this remedial action. (In many, probably most, cases, to get any kind of real credit for taking remedial action, you need to do it BEFORE the SEC points out your problem. But, who am I to argue with this?) But, it still cost Guggenheim the (strangely specific) sum of $208,912 in a civil penalty. Small potatoes on a day when Robinhood just paid $70 million, but, still, enough to get your attention.
The lesson from this settlement seems pretty obvious to me. And it’s not too different from Ferris Bueller’s observation that “Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.” The same goes for rules – especially new rules – and your WSPs and Compliance Manual: you have to pay attention when new rules are created that impose new requirements, and make sure that you are timely and appropriately updating your internal documentation to comport with those requirements. It is inexcusable to continue to have a prohibition in your Compliance Manual that is at odds with a rule that was implemented, say, five years earlier.
I actually got to thinking about this not too long ago when I happened across Reg Notice 21-16. That was issued in April 2021 to remind people about FINRA Rule 2268, which dictates – in very precise language – what must (and must not) be included in a pre-dispute arbitration clause in a customer agreement. That rule first became effective in 1989, and has existed pretty much in the same format ever since. Yet, over 20 years after the rule came out, FINRA claims it felt compelled to issue this Reg Notice because it “has become aware that customer agreements used by some member firms contain provisions that do not comply with FINRA rules.” Apparently – and I say “apparently” because FINRA cites no actual Enforcement cases that it brought recently involving this rule – FINRA found firms using arbitration clauses that wrongfully (1) dictated the hearing location, (2) attempted to shorten an applicable statute of limitations, (3) limited a customer’s right to pursue a class action in court, (4) prohibited a customer from seeking punitive damages, and (5) included indemnity language.
Rule 2268 is super easy to comply with. I mean, the rule actually spells out the exact verbiage that you have to use in an arbitration clause. Compliance with the rule could not be easier. It literally is a matter of accurately cutting-and-pasting. And, yet, if you believe FINRA, firms still manage to blow it. I just don’t get it.
The good news, I suppose, is that the SEC did not name anyone individually, and clearly it could have. Someone was responsible for the care and feeding of the firm’s Compliance Manual. FINRA Rule 3130(b) requires that annually, the CEO certify that the firm “has in place processes to establish, maintain, review, test and modify written compliance policies and written supervisory procedures reasonably designed to achieve compliance with applicable FINRA rules, MSRB rules and federal securities laws and regulations, and that the chief executive officer(s) has conducted one or more meetings with the chief compliance officer(s) in the preceding 12 months to discuss such processes.” In light of this requirement, and Guggenheim’s five-year failure to figure out that its Compliance Manual conflicted with the SEC Rules, it is easy to see how the CEO could have been implicated here. So, take this case as the warning it is meant to be: Pay Attention!