Gallagher Criticizes SEC Pursuit of CCOs and Calls for Guidance
Chief compliance officers are being unfairly targeted in enforcement actions by the SEC. If it’s not stopped, it could lead to less compliant advisory firms.
That, at least, is the view of SEC commissioner Daniel Gallagher, who on June 18 issued a public statement in the wake of two recent settlements that he voted against. The settlements, he said, "fly in the face of my admonition" to "tread carefully when bringing enforcement actions against compliance personnel."
"Both settlements illustrate a Commission trend toward strict liability for CCOs under Rule 206(4)-7 (the Compliance Program Rule)," he said. "Actions like these are undoubtedly sending a troubling message that CCOs should not take ownership of their firm’s compliance policies and procedures, lest they be held accountable for conduct that, under Rule 206(4)-7, is the responsibility of the adviser itself. Or worse, that CCOs should opt for less comprehensive policies and procedures with fewer specified compliance duties and responsibilities to avoid liability when the government plays Monday morning quarterback."
"The Commission needs to be especially cognizant of the messages it sends to the compliance community, and in particular to CCOs of investment advisers," Gallagher said. "To put it bluntly, for the vast majority of advisers, CCOs are all we have." The role of adviser CCO takes on added weight when one considers that there are nearly three times as many registered advisers as there are broker-dealers, but that the SEC divides its examination resources "roughly" equally between each group. "Given the vitally important role played by compliance personnel, I am very concerned that continuing uncertainty as to the contours of liability under Rule 206(4)-7 will disincentivize a vigorous compliance function at investment advisers."
The Compliance Program Rule
Gallagher attributed "much of the blame" for the Commission’s pursuit of CCOs to Rule 206(4)-7, which he described as "not a model of clarity." The rule "offers no guidance as to the distinction between the role of CCOs and management in carrying out the compliance function." In addition, the SEC has not issued any guidance about how to comply with the rule in the 11 years since it was adopted, leaving only enforcement actions to provide insight into agency thinking – and in some cases these actions "have unfairly contorted the rule." Enforcement actions should not be used to resolve any uncertainty as to what the rule means, he said.
"On its face, Rule 206(4)-7 speaks directly to the responsibility of the adviser, but all too often, the Commission interprets the rule as being directed at CCOs," he said. "The rule expressly states that the firm must designate a CCO to administer [emphasis Gallagher] its compliance policies and procedures. At the end of the day, ultimate responsibility for implementation [emphasis Gallagher] of policies and procedures rests with the adviser itself."
"The Commission must take a hard look at Rule 206(4)-7 and consider whether amendments, or at a minimum staff or Commission-level guidance, are needed to clarify the roles and responsibilities of compliance personnel under the rule so that these individuals are not improperly held accountable for the misconduct of others," Gallagher said. "The status quo will simply not do."
Stroock partner and former SEC Division of Investment Management deputy director Robert Plaze took a different point of view. "If the SEC had attempted to write a rule then stating what the CCO was to do in each case, I suspect commissioner Gallagher would be giving a speech saying that it was too intrusive and complicated."
In any event, he noted, Division of Enforcement director Andrew Ceresney did provide guidance as to when CCOs would be prosecuted in a May 2014 speech. In that address before a Washington, DC audience of legal and compliance professionals, Ceresney said that action would be taken against CCOs "when the Division believes legal or compliance personnel have affirmatively participated in the misconduct, when they have helped mislead regulators, or when they have clear responsibility to implement compliance programs or policies and wholly failed to carry out that responsibility."
"At the end of the day, though, legal and compliance officers who perform their responsibilities diligently, in good faith, and in compliance with the law are our partners and need not fear enforcement action," Ceresney said.
Plaze also noted that members of the Commission may vote against a staff settlement with an adviser if they disagree with it, as Gallagher did in these two cases. "But other members of the Commission voted differently," he said.
Willkie Farr partner and former SEC Division of Investment Management director Barry Barbash, on the other hand, said that "Gallagher makes a point to a degree. Rule 206(4)-7, from the get-go, including during the comment period, was critiqued by the industry as vague." Nor, he said, did the rule as originally adopted seem to contemplate "holding CCOs, trustees and directors, as opposed to registered investment advisers, liable for the implementation of compliance policies and procedures."
While new guidance for Rule 206(4)-7 that provided more specificity to the responsibility of CCOs might be helpful, "it is not likely to happen," he said, as "it could be viewed as a limitation on the SEC’s ability to bring cases. The breadth of the rule as now written is an important enforcement lever."
"Investment advisory firms need to be able to attract the best and brightest to the CCO position," said Investment Adviser Association president and CEO Karen Barr after reading Gallagher’s statement. "While it is certainly appropriate to pursue enforcement action if the CCO is involved in misconduct or misleads regulators, the Commission should take care not to send the wrong message to CCOs with actions that could be perceived to be second-guessing or singling out CCOs as solely responsible for firm violations. The SEC should support CCOs in carrying out their critical functions."
The two cases that Gallagher said spurred his negative vote and statement were a June 15 SEC settlement with SFX Financial Advisory Management Enterprises (ACA Insight, 6/22/15) and an April 20 settlement with BlackRock Advisors (ACA Insight, 4/27/15).
In the SFX settlement, the agency alleged that the CCO caused the firm’s failure to implement its compliance policies, which it said would have detected the alleged theft of client assets by the firm president over several years. The CCO was also charged with failing to conduct the annual review of the firm’s compliance program. The CCO was censured and agreed to pay a $25,000 civil money penalty.
In the BlackRock Advisors settlement, the agency claimed that the CCO caused certain of the fund’s violations in connection with its failure to adopt and implement policies and procedures to address how the outside activities of firm employees would be assessed for conflicts of interest. The SEC also alleged that the CCO did not disclose these problems to the fund’s board of directors. The CCO paid a $60,000 civil money penalty to settle the case.
Gallagher noted that in both of these case, the SEC stated that the CCO was responsible for the implementation of the firm’s policies and procedures, rather than their administration. Implementation would be the responsibility of the firm itself, he said.
Plaze said he found Gallagher’s dissent from the BlackRock Advisors settlement a bit odd, as that case prominently alleges violations not only of Rule 206(4)-7, but of provisions of Investment Company Act Rule 38(a)1, which he said specifically requires the CCO to inform the board of a mutual fund of certain material compliance matters, which the SEC alleged the BlackRock CCO failed to do. "This was not a case with a lot of ambiguities," he said.
Small firms and more
Should the trend of holding CCOs liable continue, Gallagher said, the impact may fall particularly hard on small advisers. "It appears that many such advisers have just one set of policies and procedures covering both compliance and business functions," he said. "At these firms, there is a significant risk that by taking ownership of the implementation of the policies and procedures, CCOs could unwittingly also be taking ownership of business functions, subjecting them to strict liability whenever there is a violation of the securities laws."
While saying that there are, "of course," situations when a CCO should be held accountable for violations, the SEC should try to avoid the "perverse incentives" that come with targeting compliance personnel who "are willing to run into the fires that so often occur at regulated entities. This includes exercising restraint and discretion even at the investigation stage."
"The psychological impact, and in many cases reputational damage, that can come with months or years of testimony, the Wells process, and settlement negotiations can be just as chilling as the scarlet letter of an enforcement violation," he said.