About a month ago, the SEC announced a settlement in a modest little case that has, nevertheless, managed to garner a lot of attention.  This is a result of the fact that one of the respondents was the CCO, i.e., the Chief Compliance Officer, of the co-respondent RIA.  Determining the particular circumstances under which CCOs can be found individually liable is an extremely important analysis, but has been described as challenging, at a minimum.  Especially since, as some have argued,[1] the scope of those circumstances, as evidenced by enforcement actions brought by regulators, is slowly broadening.  Maybe I am in the minority here, but I am unsure, really, what the fuss is about.

Let’s start with some basic propositions that everyone – regulators and industry alike – agrees with.  As FINRA[2] recently put it bluntly in Reg Notice 22-10, “[t]he CCO’s role, in and of itself, is advisory, not supervisory.”  As a result, to bring a case against a CCO for any sort of supervisory failure requires that the CCO actually have supervisory responsibility, which does not happen automatically simply by virtue of bearing the CCO title.  That responsibility has to be bestowed upon the CCO, either directly and explicitly, by firm management, or impliedly, as evidenced by ad hoc behavior.  Absent such supervisory responsibility, a CCO cannot be held responsible for even the worst supervisory failure.

Along that same line, as SEC Commissioner Hester Peirce recently stated, “the compliance obligation belongs to the firm, not to the CCO.”  Thus, in most instances, even egregious supervisory cases are brought against the firm only, not the president – who “bears ultimate responsibility for compliance with all applicable requirements unless and until he [or she] reasonably delegates particular functions to another person in that firm, and neither knows nor has reason to know that such person’s performance is deficient” – and not the CCO.  See, for instance, this SEC settlement from last week against Aegis Capital, which imposed a $2.3 million civil penalty, among other things, against the firm only stemming from a number of particular failures “to develop reasonable systems to implement [the firm’s] policies and procedures.”  While some human being was undoubtedly responsible for this, whether Aegis’s president or his designee(s), it remains that the SEC was content only to name the firm.  In my experience, and despite the SEC settlement that I mentioned in the first sentence of this post, this is the norm (particularly for big firms).

These are not particularly controversial pronouncements.  Seems to me that, as a default position, the regulators are hardly looking for ever more opportunities to name CCOs as respondents.  To the contrary, as long as CCOs abide by existing guidance, guidance which I think is pretty clear, and remain on the advisory – not supervisory – side of the line, then they are more or less safe.

So, what is this guidance?  I would say it starts with this nugget from a footnote buried in Notice to Members 01-51:  “NASD Regulation will continue to determine whether a chief compliance officer is acting in a supervisory capacity based on the actual responsibilities and functions that the chief compliance officer performs for the firm.”  Emphasis on the word “actual.”

Next, go to Reg Notice 22-10.  It conveniently outlines the different ways that a CCO may acquire “actual” supervisory responsibilities:

  • The WSPs “assign to the CCO the responsibility to establish, maintain and update written supervisory procedures, both generally as well as in specific areas (e.g., electronic communications)”
  • The WSPs “assign to the CCO responsibility for enforcing the member’s written supervisory procedures or other specific oversight duties usually reserved for line supervisors”
  • “apart from the written procedures, a member firm, through its president or some other senior business manager . . . expressly or impliedly designate[s] the CCO as having specific supervisory responsibilities on an ad hoc basis”
  • “the CCO may be asked to take on specific supervisory responsibilities as exigencies demand.”

Thus, only when there exist circumstances that demonstrate that a firm has expressly or impliedly designated its CCO as having supervisory responsibility will FINRA bring an enforcement action against a CCO for supervisory deficiencies.  The SEC has acted similarly.  Indeed, the Hamilton settlement that prompted this post was predicated on the finding by the SEC that the CCO “was responsible for administering [the RIA’s] compliance program and, as provided in [the RIA’s] compliance manual, for implementing the firm’s compliance policies and procedures.”  (While the SEC used the term “compliance policies and procedures” rather than “supervisory procedures,” that is a function of the fact that Rule 275.206(4)-7 does not use the word “supervisory,” and simply requires RIAs to “[a]dopt and implement written policies and procedures reasonably designed to prevent violation . . . of the Act and the rules that the Commission has adopted under the Act.”)

Again, I don’t see this as being a particularly complicated analysis.  If I was a CCO, and I was looking to avoid becoming a respondent, I would do everything possible to firmly and clearly remain in my “advisory” lane, even if that meant pushing back at efforts from firm management to saddle me with supervisory responsibilities on a short-term basis, or with respect to some discrete area of the firm’s business.

I get that this may be difficult at a small firm, where principals wear many hats, and CCOs may find themselves called on to jump into the supervisory fray.  In that case, the CCO is fair game to be named individually for his or her supervisory lapses.  But, that’s a choice the CCO gets to make: either stay there and accept the supervisory obligations that the job entails, or find another firm that won’t make such demands.  Jobs for CCOs abound.

I also get the disincentive that this provides to CCOs to help their firms with their compliance efforts.  As former SEC Commissioner Daniel Gallagher observed in 2015 (regarding Investment Advisors, not BDs), actions naming CCOs individually “are undoubtedly sending a troubling message that CCOs should not take ownership of their firm’s compliance policies and procedures, lest they be held accountable for conduct that . . . is the responsibility of the adviser itself.”  Again, agreed, dealing with this issue can put a CCO into an awkward position of balancing what’s best for him or her vs. what’s best for his or her firm.  But that’s not the issue at hand, which remains: what are the circumstances that permit CCOs to be named.  In short, I think they are clearer than many commentators suggest.

It is worth mentioning that this inquiry – determining whether a CCO had “actual” supervisory responsibilities – is still just step one.  Reg Notice 22-10 makes clear that even if the answer to the threshold inquiry is “yes,” that does not necessarily mean an enforcement action will ensue, as there remain more questions to be answered.

The first is whether the CCO has met the “reasonableness standard.”  This means that “[e]ven when a CCO has been designated as having supervisory responsibilities, FINRA will bring an action under Rule 3110 against the CCO only if the CCO has failed to discharge those responsibilities in a reasonable manner—as it would with any individual who has supervisory responsibility.”  Yes, determining what is and is not reasonable can be a difficult analysis (given that what is “reasonable depends upon the facts and circumstances of a particular situation”), and a difficult argument to win with FINRA, but, importantly, it is no different for CCOs than it is for any supervisor.

The second is whether the case against the CCO should be brought even when his/her conduct is unreasonable.  Again, per Reg Notice 22-10, “not every violation of a FINRA rule results in a formal disciplinary action, so even when FINRA finds that a CCO failed to reasonably perform a designated supervisory responsibility, FINRA will consider whether charging the CCO under Rule 3110 in a formal disciplinary action is the appropriate regulatory response to address the violation.”  And, again, this is true of anyone facing regulatory action for a supervisory failure, not just CCOs.

Helpfully, Reg Notice 22-10 details the factors weighing both in favor of and against charging a CCO (or anyone, really).  I will list them here, for the sake of completeness, but, more importantly, to demonstrate that there is, in fact, a whole bunch of pretty specific guidance in this area, contrary to the arguments made in some of the frantic articles and blog posts I have read on the subject of CCO liability.

Factors that suggest a CCO should be charged:

  • the CCO was aware of multiple red flags or actual misconduct and failed to take steps to address them;
  • the CCO failed to establish, maintain, or enforce a firm’s written procedures as they related to the firm’s line of business;
  • the CCO’s supervisory failure resulted in violative conduct (e.g., a CCO who was designated with responsibility for conducting due diligence failed to do so reasonably on a private offering, resulting in the firm lacking a reasonable basis to recommend the offering to its customers); and
  • whether that violative conduct caused or created a high likelihood of customer harm.

Factors that suggest the CCO should not be charged:

  (1) the CCO was given insufficient support in terms of staffing, budget, training, or otherwise to reasonably fulfill his or her designated supervisory responsibilities;
  (2) the CCO was unduly burdened in light of competing functions and responsibilities;
  (3) the CCO’s supervisory responsibilities, once designated, were poorly defined, or shared by others in a confusing or overlapping way;
  (4) the firm joined with a new company, adopted a new business line, or made new hires, such that it would be appropriate to allow the CCO a reasonable time to update the firm’s systems and procedures; and
  (5) the CCO attempted in good faith to reasonably discharge his or her designated supervisory responsibilities by, among other things, escalating to firm leadership when any of (1)–(4) were occurring.

In addition to these factors, the Reg Notice states that FINRA will also consider, in determining whether to charge the CCO, whether there is “another individual at the firm, such as an executive manager or a business line supervisor, who had more direct responsibility for the supervisory task at issue, or who was more directly involved in the supervisory deficiency.”[3]

It should be evident even to casual readers that I do not agree with many of the charging decisions that FINRA makes.  I have lamented many times in these posts the fact that, in my experience, contrary to guidance I have just quoted at length, FINRA basically demonstrates zero flexibility when it comes to meeting the reasonableness standard that governs supervision: that is, any conduct that is not exactly what FINRA expects is deemed unreasonable, which is silly, since the use of such an imprecise standard of conduct essentially invites multiple solutions.  But with that said, there is ample guidance available to help CCOs safely navigate their way through the jungle of rules, regulations and policies and avoid personal liability.

[1] According to “multiple industry-wide surveys focusing on ‘CCO Liability’ and ‘CCO Empowerment’” conducted by the NSCP “with its 2000+ membership of CCOs and other compliance professionals,” “72% of compliance professionals are concerned that regulators have expanded the role of compliance officers and the scope of their responsibilities in imposing personal liability.”  The results of those surveys are discussed here.

[2]  I am well aware that FINRA’s guidance regarding broker-dealers may vary, at least in its specifics, from the SEC’s guidance regarding advisors.  But at the conceptual level, both regulators have said the same basic things about the circumstances under which they will deign to charge a CCO.

[3] FINRA also states that it considers whether “based on the facts and circumstances of a particular case, it is more appropriate to bring informal, as opposed to formal, action against the CCO for failure to supervise.”  But, again, this statement is hardly unique to CCOs.  Theoretically, FINRA undertakes this consideration every time it makes charging decisions.