Protection for CCOs, Part 1: Ways to Limit Personal Exposure
Consider this chain of events:
In December 2003, the SEC charged the former compliance officer of Heartland Advisors with fraud in connection with her firm's alleged manipulation of bond prices. (The CCO is fighting the charges.)
That same month, the SEC issued the compliance program adopting release, which warned that CCOs would "risk their career" if they fail to fully inform a fund's board of a material compliance failure or fail to aggressively pursue non-compliance at a fund's service provider. The SEC promised to "enhance its scrutiny" of any fund for which such a person later served as CCO.
Then, in May 2004, the SEC permanently barred Thomas Hooker, the former CCO of Strong Capital Management, from the investment management industry. (He was also ordered to pay a $50,000 penalty.) Among other things, the SEC charged Hooker with aiding and abetting Dick Strong's alleged market timing by failing to monitor Strong's trading, as directed by his firm's in-house counsel.
Not surprisingly, the subject of CCOs' personal liability was a hot topic at recent conferences. At the NSCP conference, SEC associate director Robert Plaze explained that the "risking one's career" discussion in the compliance program adopting release was designed to remind CCOs that they have a professional responsibility to identify issues, go to the board of directors (if applicable), and assure themselves that compliance is being followed. "We are counting on you to 'Just say no'," said Plaze. The discussion in the release was designed to "buck you up" and "remind you that you have a larger responsibility."
Plaze distinguished the SEC's enforcement cases against CCOs. In those cases, he said, the CCO was an "enabler" of fraud. "If you want to worry about your own personal liability," added Plaze, "get yourself involved in enabling fraud."
He acknowledged that CCOs are in a very difficult situation, oftentimes having to say "no" to the firm's business people after being presented with a new proposition or relationship that potentially offers significant profits. The CCO, he said, has to be the one saying "Wait a minute." But Plaze indicated that CCOs have risen to the challenge presented by the compliance program rule. He said that he couldn't think of another time in his professional career where he's seen "so many truly talented and skilled people step up to the plate in the compliance community." CCOs, he said, are taking advantage of the compliance program rule and are "really address[ing] the situation."
Similarly, OCIE director Lori Richards, when asked by an NSCP conference attendee to reconcile her characterization of CCOs as "allies" of the SEC with the SEC's language in the compliance program adopting release about risking one's career, replied as follows: "I think that language was really meant to apply to the incompetent, inept compliance officer, the compliance officer who acts in bad faith." She said that the "vast, vast, vast majority of compliance officers" in the industry today do not fit that category. "They are well-intentioned . . . . They want to do the right thing." She said if the "enhanced scrutiny" situation contemplated in the release happened, it would happen only in a "tiny number of situations." Moreover, she noted that SEC actions against compliance officers involved unique fact situations that would not exist in the vast majority of firms. "I really think you should believe me when I say that we do view you as our ally," she added.
Assuming that those remarks only partially reassure you, here are some tips designed to help CCOs do their jobs as carefully as possible. As they say, the best cure is an ounce of prevention. (Also, see the article on insurance coverage and indemnification beginning on page 1.)
Tip #1: Don't sign your firm's ADV. "If you are the [CCO], I would highly recommend that you do not sign it," said Ann Oglanian, managing director of Regulatory Management Group, a San Francisco-based consulting firm. "It's not your job."
Here's why: The execution page of the Form ADV requires the signer to personally certify under "penalty of perjury" that the information and statements made in the ADV, including exhibits, are true and correct. The signer also makes that certification on behalf of the firm. (Interestingly, the signer must certify that he signed the ADV "as a free and voluntary act.")
Who should sign it? The firm's CEO, said Oglanian. She pointed out that the CEO "has a different view" when he signs the ADV. "It's just a change in attitude." Oglanian, speaking at the NRS conference, said that she's seen instances where, after the signing responsibility has been shifted from the CCO to the CEO, the firm quickly adopted a Sarbanes-Oxley-type certification process in which information was rolled up from below. "It's a stronger process," she said.
Tip #2: Make sure you have the right reporting structure. "It matters who you report to," said Oglanian. The key, she added, is for the CCO to have direct access to senior management. If the CCO has to "do an end run" to get access to the top management, the reporting structure can actually hamper her from doing her job, she said. Direct and short lines of reporting give the CCO, and the firm, a better chance of meeting both the letter and the spirit of the regulations, she added. If it's not possible to structure a direct reporting relationship, the CCO should schedule and hold periodic (monthly or quarterly) meetings with the CEO or chairman to discuss compliance matters. That, she said, will give the CCO an opportunity "to establish a rapport" with the top brass - something that will come in handy "when more serious news needs to be reported."
Of course, the SEC has not specified a reporting structure for advisory firm CCOs. At the NSCP conference, Plaze explained that given the vast differences in advisory firms, the SEC didn't assume a particular reporting structure. "One needs to think about that issue in terms of the effectiveness," he said. "If I was a CCO, it would not be good to be reporting to the director of marketing."
Dechert counsel Elizabeth Knoblock agreed. "Reporting to the head of sales or marketing is a really bad idea," she said. "If that suggestion were to arise, the CCO should meet with the adviser's CEO and explain why tying Compliance to Sales is inherently dangerous."
Can the CCO report to a more senior head of compliance? That might be fine, as long as the head of compliance does not prevent the CCO from talking to senior management. At the NRS conference, Peter Maftieu, director of operations of BKD Wealth Advisors, noted that his firm's CCO reports to him. The two of them discuss compliance matters, said Maftieu, but ultimately the CCO decides whether to escalate an issue to senior management.
Can the CCO report to the firm's general counsel? Yes, but see OCIE director Richards' June 2004 speech, where she said that she "would not automatically assume" that the CCO should be placed within the firm's legal department or report through the firm's GC. Such a structure, she said, could create conflicts in the implementation of the compliance program as well as conflicts during an SEC examination. If the CCO reports to legal, she said, counsel will have to "clearly articulate" instances of privilege and "show great effort" to segregate any dual responsibilities. And, as Knoblock pointed out at the NRS conference, the fact that on an organization chart a CCO reports to a GC does not mean that every communication the CCO has is going to be privileged.
Tip #3: Define your role. You should be able to point to a written job description specifying what you will, and won't, do. The job description should define whether you have authority over a budget, have the authority to hire outside experts when you deem it necessary, and the extent of your supervisory responsibilities, if any. Make sure you are "crystal clear" about your responsibilities, advised Oglanian. CCOs, she said, should understand what their role is in relation to the firm's legal department, the firm's operations department, and other areas.
Of course, this is a sticky wicket for CCOs who have a "day job" as a portfolio manager, director of operations, or some other pre-existing function. At the NRS conference, LPL Financial Services v.p. of compliance Michelle Jacko recounted that in a former job, she served as general counsel as well as CCO. Her job description specified that "as counsel I do the following, as [CCO] these are my responsibilities."
For CCOs whose other role creates a conflict, such as a dual CCO/portfolio manager (a possibility at some smaller firms), Oglanian recommended that the firm obtain an outside audit of its compliance program. An audit conducted by a third party, she said, can help create a record that the CCO's conflict was examined.
Tip #4: If you aren't experienced, get help from someone who is. "If you don't know it yourself, it means you need a higher level of sophistication of outside help," advised Knoblock. Oglanian agreed. "If you don't have the background yourself, get the advice," she said. "It's valuable to you and to your firm to recognize when you need some help." She encouraged CCOs to "develop a trust relationship with someone who knows what they are doing." On that note, Oglanian encouraged newly-appointed CCOs to do some soul-searching as to whether they are experienced enough and have the increasingly broad-based skill sets necessary to do the job. "You should not take this job just because somebody else gave it to you," she said. "You can decide just to be a compliance guy in your office. You don't have to take the liability." Barbara Brooke Manning, CCO of Schroder Investment Management, pointed out that the SEC has warned organizations not to simply designate a junior person who lacks the necessary experience and qualifications to be the CCO.
Of course, as Knoblock noted, experienced CCOs may be able to make do with less sophisticated outside help. In some situations, she said, CCOs may already "know the answer" and simply need additional resources to help implement it. But even experienced CCOs might find that they can use some help in particular areas. "If you aren't very well versed in ERISA, get permission from senior management to retain ERISA counsel," suggested ICAA general counsel Karen Barr, adding that "ERISA can be a tricky business."
Tip #5: Make sure that you are knowledgeable about the firm's operations. The CCO doesn't have to be an expert on every functional activity in the firm, much less be able to perform everybody's job. However, as Knoblock explained, the CCO should have a basic understanding of what each large segment of the advisory firm does.
Getting your arms around different operational areas can be challenging, particularly if you are a new CCO who wears another hat. For example, a head of marketing may not understand what goes on at the firm's trading desk. "It's okay that you don't know, but you have to learn it," said Knoblock. Her advice: "Go sit at the trading desk for a few days and ask a lot of questions."
Tip #6: Spread the risk. "Take that ten pounds" of risk and "spread it around," advised Oglanian.
One effective way to do this: form a compliance committee. Even if you only have twenty people in your firm, she said, a compliance committee makes sense (although it might be as simple as three people who meet informally once a month).
Who should sit on the committee? It depends on the firm. Typically, said Oglanian, the firm's president or CEO "needs to be there." If the firm has a strong HR person, he or she could be very useful, she said, noting that most HR folks "just get this stuff." The committee also could include the firm's chief investment officer and head of operations, IT, and risk management, as well as anyone who has a direct reporting obligation to a board. The compliance committee can be like a "mirror image" of the firm's senior management committee, she said, noting that involving senior management in a compliance committee serves multiple purposes: It creates a forum to vet issues; it forms a record that the firm has taken interest in compliance; and it shares the wealth in terms of decision-making and liability. Most importantly, said Oglanian, the structure of a compliance committee acknowledges that compliance responsibilities exist in all functional areas of the firm, "not just with the compliance department."
Oglanian suggested that minutes be taken, even if no compliance issues are raised. "Write down, 'There were none'," she said. The key is to demonstrate to the SEC "that you are focused on [compliance], that you care about it, that you are asking the questions."
She noted that a compliance committee structure will be helpful when there are difficult decisions to be made, such as sanctioning a star portfolio manager who flouts compliance procedures. She advised CCOs to look for places where they are likely to become the "lightning rod" in their firms. "When your gut tells you 'Uh oh,' those are the issues that you can take to a compliance committee."
Tip #7: Spread the work. Recognize that you do not have to administer the entire compliance program all by yourself. "Be realistic about what you and your staff can do," advised Oglanian. Some compliance officers, she said, may have to fight against their personal tendency to "take on all these responsibilities." Even though you might be "used to carrying that burden," it doesn't mean you have to continue to take responsibility "for all these other jobs." She advised CCOs to consider areas where additional outside resources are needed, either in terms of people or technology.
Knoblock noted that while CCOs have to administer the program and enforce it, they can and should delegate responsibility to department heads to implement the policies and procedures and supervise employees' compliance with them. However, make sure to train your delegatees "so they know where the line is and when to bring you into it," added Jacko.
Tip #8: Don't be a supervisor (unless you really are one). Panelists at the NSCP conference agreed that to avoid being a supervisor, generally the only people that the CCO should have responsibility for in terms of setting their salary, hiring or firing, or disciplining is the staff in the compliance department (unless, of course, the CCO wears dual hats and supervises other employees in his other capacity).
"You don't want to be a line supervisor," said Knoblock. For example, CCOs should not have to review every bit of trading information, "because there is someone on the desk" that should be doing that.
Barr suggested that when resolving compliance issues with particular employees, CCOs should involve line supervisors. For example, rather than going directly to the employee, brief the employee's supervisor, who could then relate the problem to the employee. If you need to meet with the employee, "draw the supervisor into the meeting," she said.
Oglanian suggested that CCOs obtain written confirmation from the various supervisors in the firm that they are doing their job. "You want to make sure that you have yourself protected where you are not directly supervising people," particularly those who have major obligations. Knoblock agreed, noting that those written confirmations offer additional protection when confronted with an SEC charge of failure of a duty to supervise.
If you do have supervisory responsibility, "make sure that it is clearly delineated," advised Barr. If you don't have supervisory responsibility, "it's not a bad idea to put that in writing." She said that this sort of information could be memorialized in the firm's compliance program policies and procedures, position descriptions, or supervisory controls.
Tip #9: Memorialize your compliance efforts - carefully. For example, when a problem is uncovered, CCOs should create a factual statement of:
the nature of the problem or issue;
how was it initially detected;
what was the resolution;
how the problem will be prevented in the future; and
how the firm's policies and procedures will be corrected to help ensure the problem doesn't occur again.
Keep in mind the SEC may ask for additional information, such as the date or period of the occurrence, the persons involved, the monetary impact on clients, whether the issue was brought to the attention of the fund's board (if a fund adviser), and for any relevant documentation.
When preparing the report, "stick to the facts," said Christopher Jackson, general counsel of Hansberger Global Investors. Statements along the lines of "What a bum-headed move this guy made" should be avoided. "That type of stuff is superfluous," he said. "Remember, these reports are going to be read by a lot of people for a lot of different reasons."