Chief Compliance Officers: Best Practices for Self-Protection
Protect yourself from a chief compliance officer’s ultimate nightmare.
That nightmare, which has some variants, goes something like this: The CCO discovers wrongdoing at his firm. He reports the problem up the chain, ultimately reaching the chief executive officer. The CEO chooses to either ignore the issue or simply does not agree with the CCO’s assessment or proposed actions. The problems continue and are ultimately discovered by the SEC, which brings charges against the firm, as well as the CCO, since he failed to stop the problem. Both the firm and the CCO are censured, barred from the securities business, forced to pay a steep financial penalty, receive lots of bad press, and lose their credibility.
Don’t let this happen to you.
Problems typically occur when there is an issue that the CCO and the firm see differently, said Stradley Ronon partner Lawrence Stadulis. "The CCO may think a certain action is a violation, but upper management may think there is legal wiggle room to do so. Or the parties agree that something wrong happened but differ on how to address and paper trail it," such as both agreeing that there was a compliance policy violation but only the CCO seeing the violation as a material one that, with respect to mutual fund managers, must be reported to the board under Rule 38a-1, he said. "There understandably is a tension between the parties under these circumstances. They both want to do the right thing but genuinely disagree on how to handle the situation."
Of course, as some SEC cases have shown, there are situations where firms have done the wrong thing and been charged for doing so – and the CCO was either charged as a participant, or charged with not following through on compliance policies and procedures, or with having inadequate policies and procedures.
Ultimately, of course, a CCO can self-report to the SEC, but this should be a last step after attempts to report up the chain have failed, said Eaton & Van Winkle partner Paul Lieberman. The agency’s recent whistleblower awards to two compliance professionals, as well as its action against a firm that retaliated against a whistleblower, may make this a somewhat more attractive option to CCOs frustrated by a lack of response from upper management.
Steps to take
Consider the following:
Report up. There should be a clear reporting roadmap so that the CCO does not have difficulty with reporting issues. "There should be no need to struggle over decisions, such as, should I report to the CEO, the CFO or go straight to the SEC," said Stadulis. Don’t skip a rung or go to someone not designated in the reporting chain. "That is likely to cause resentment and confusion, and could also irreparably damage the whole reporting process down the road." Lieberman noted that there is a degree of self-protection in reporting up. By doing so, he said, "the CEO cannot come back later and ask, ‘How did you let this happen?’"
Make a detailed written report. While you can simply have a conversation with whoever you report up to, a written report may be more effective because it will provide particulars, Lieberman said. "Have all your evidence and supporting documents pulled together." But make sure that you know who will be reading the report. "Reporting violations to the portfolio managers or traders may not be the best initial step in those instances where they may be the most likely culprits. Moreover, the reporting chain should not end at the top of a subsidiary of another company," Stadulis said. CCOs would also be wise to "talk things out before putting them in writing. It is difficult taking back an email asserting that there was a violation and management took no action when this turns out not to be the case. Understand that not every compliance issue is the same. Fraud and misappropriation are very serious allegations that require immediate attention and careful scrutiny. The failure to comply with the technical aspect of a compliance policy on a one-time basis should not."
Create and keep written records. These records should be of actions you took and conversations you had that addressed the problem. Emails, memorandums, written reports – keep copies of all of them, Lieberman said. "Not every record can be contemporaneous, but at some point the recordkeeping has to start." Without those records, you have no evidence, should you ever need it.
Consider your own qualifications. This is particularly true at small firms, where the CCO may not have a background in the area where the problem is occurring. If that expertise is lacking, consider tapping third-party counsel or an outside consultant. "Do some preparatory work on the problem before reporting up, so you know what you are talking about and can answer all questions," Lieberman said. Large firms may have both compliance and legal departments. It helps if they take a unified position, so they can present a united plan of action, he said.
Open lines of communication. These should be with others at the adviser who are committed to compliance. The more allies you have, the more effective you are likely to be. "Try to work things out collaboratively in a manner that is in everyone’s best interests," said Stadulis.
Third-party counsel and self-reporting
Speaking with outside counsel can occur under a variety of circumstances. One is whether you are speaking with the firm’s outside counsel or your own outside counsel. Let’s look at several possibilities.
Help writing the report. This may be the case when the CCO needs to tap the firm’s outside counsel for expertise in a particular area, such as custody. Outside counsel would work with the CCO to create a detailed and thorough report that would later make its way up the firm’s chain of command as directed by the firm’s policies. Upper management should be told that outside counsel will be part of this process.
Help convincing upper management. In situations where upper management or, in smaller firms, the owner does not agree there is a problem or simply refuses to deal with it, an outside attorney working in conjunction with the CCO can make a strong argument for action, perhaps in a conference call or in a personal meeting, Lieberman suggested.
Self-reporting. If a CCO is convinced that he has tried every possible course of action to persuade upper management and is getting nowhere, he may consider self-reporting to the SEC. Given that this is a risky step, it probably would be wise to seek independent outside counsel, rather than rely on the firm’s outside counsel. Those who do self-report usually "get some credit" from the SEC for doing so, said Lieberman. The alternative, letting the problem remain, which would be a form of cover-up, "would be a disaster," he said.
But, hopefully, a CCO can effectively resolve compliance issues within the firm. "In my experience, 99 times out of 100, the parties work these things out amicably and satisfactorily, as long as there are open lines of communication and mutual respect," said Stadulis. "In fact, this is the hallmark of a good compliance program. A great CCO understands the importance of this and does not view himself or herself as a lone wolf in the wilderness."