In a recent public statement, Commissioner Daniel Gallagher continued his call for “the Commission to tread carefully when bringing enforcement actions against compliance personnel.” He suggested that several recent enforcement actions “fly in the face” of his admonition and may actually “disincentivize a vigorous compliance function.”
He specifically referenced recent cases against BlackRock and SFX. In the BlackRock case, the SEC charged the former CCO of BlackRock Advisers LLC with violations relating to conflicts of interest resulting from the activities of a portfolio manager. The SEC alleged that the CCO did not report the conflicts to the fund boards. In the SFX case, the SEC charged the firm’s former president with stealing client funds. Additionally, the SEC faulted the firm’s CCO for failure to supervise, violations of the custody rule, making a false statement on the firm’s ADV, failure to follow the firm’s compliance policies, and failure to conduct an annual review. Gallagher took issue with the cases because each “order states that the CCO was responsible for the implementation of the firms’ policies and procedures.”
Gallagher argued that “[a]ctions like these are undoubtedly sending a troubling message that CCOs should not take ownership of their firm’s compliance policies and procedures, lest they be held accountable for conduct that, under Rule 206(4)-7, is the responsibility of the adviser itself. Or worse, that CCOs should opt for less comprehensive policies and procedures with fewer specified compliance duties and responsibilities to avoid liability when the government plays Monday morning quarterback.” Gallagher feels that the effects are particularly acute with small advisers where one set of policies and procedures may cover both compliance and business functions and “CCOs could unwittingly also be taking ownership of business functions, subjecting them to strict liability whenever there is a violation of the securities laws.”
He also takes issue with rule 206(4)-7, the Investment Advisers Act analogue to rule 38(a)-1, which he notes “is not a model of clarity.” The rule “offers no guidance as to the distinction between the role of CCOs and management in carrying out the compliance function.” Further, he complains that the Commission has not offered any guidance since the rule’s adoption about how to comply other than through enforcement actions, “which in some cases have unfairly contorted the rule to treat the compliance function as a new business line, with compliance officers assuming the role of business heads.” Gallagher argues that 206(4)-7 states that a firm “must designate a CCO to administer its compliance policies and procedures” and that “[a]t the end of the day, ultimate responsibility for implementation of policies and procedures rests with the adviser itself.” He suggests that the “Commission must take a hard look at Rule 206(4)-7 and consider whether amendments, or at a minimum staff or Commission-level guidance, are needed to clarify the roles and responsibilities of compliance personnel under the rule so that these individuals are not improperly held accountable for the misconduct of others.”
Gallagher urged the Commission to be careful of the message it is sending to the compliance community because in many cases CCOs “are not only the first line of defense, they are the only line of defense.” He argued that the SEC “should strive to avoid the perverse incentives that will naturally flow from targeting compliance personnel who are willing to run into the fires that so often occur at regulated entities.” He encouraged “restraint and discretion even at the investigation stage” when dealing with compliance personnel because “[t]he psychological impact, and in many cases reputational damage, that can come with months or years of testimony, the Wells process, and settlement negotiations can be just as chilling as the scarlet letter of an enforcement violation.”
Commissioner Luis Aguilar pushed back on some of Gallagher’s assertions in his own public statement. He sought to correct “the impression that the SEC is taking too harsh of an enforcement stance against CCOs, and that CCOs are needlessly under siege from the SEC.” Aguilar suggested that such an assertion create “unwarranted fear” and “is unhelpful, sends the wrong message, and can discourage honest and competent CCOs from doing their work.” He noted that, in his experience, “the Commission does not bring enforcement actions against CCOs who take their jobs seriously and do their jobs competently, diligently, and in good faith to protect investors. I do not believe that these CCOs should fear the SEC.”
Aguilar suggested that the number of cases against CCOs rises and falls with the number cases brought against advisers and investment companies and has ranged between 6% and 19% between 2009 and 2014, largely coinciding with the growth in the number of registered investment advisers. According to Aguilar, most CCOs charged in these cases performed the function part time in addition to another role within the organization and that only eight cases have been brought against full-time CCOs since the adoption of Rule 206(4)-7, and only five of those cases were for actual Rule 206(4)-7 violations. Two of these five cases served as Gallagher’s examples in his statement. Aguilar argued that many of the cases “involved compliance personnel who affirmatively participated in the misconduct, misled regulators, or failed entirely to carry out their compliance responsibilities.”
Aguilar asserted that the cases represent “egregious misconduct” by CCOs and that the SEC is careful that it “strikes the right balance between encouraging CCOs to do their jobs competently, diligently, and in good faith, and bringing actions to punish and deter those that engage in egregious misconduct.” He argued that the SEC has properly used its discretion to not bring actions against CCOs in certain instances and “has used its Whistleblower program to protect and reward CCOs who did the right thing.” He similarly noted several recent actions in which firms’ senior management were faulted for failing to dedicate adequate resources to compliance and CCOs were not charged.