In October 2023, SEC Commissioner Mark Uyeda called for the SEC to establish a framework describing scenarios in which a chief compliance officer could be held liable for securities law violations. He noted that the lack of a framework on potential CCO liability “has been the source of a great deal of concern” for compliance officers, particularly in light of the SEC’s regulatory proposals and adoptions that are happening at breakneck speed under Chairman Gensler.
Gurbir Grewal, head of the commission’s Enforcement Division, addressed the issue while speaking at the New York City Bar’s Compliance Institute on October 24. Grewal provided some scenarios in which the SEC may target compliance personnel individually, but stressed that such instances are “exceedingly rare.” Grewal indicated that the Enforcement Division has “no interest” in bringing enforcement actions against compliance personnel who act reasonably and in good faith. However, compliance personnel that: 1) affirmatively participate in misconduct unrelated to compliance, 2) mislead regulators, or 3) have a “wholesale failure” in carrying out their compliance responsibilities, may be subject to an individual enforcement action.
CCO liability standards are not a new issue. In June 2021, the New York City Bar Association (NYC Bar) proposed a framework for CCO liability, as did the National Society of Compliance Professions in January 2022. In July 2022, Commissioner Hester M. Pierce addressed several questions posed by the NYC Bar’s proposal in a statement on In the Matter of Hamilton Investment Counsel LLC and Jeffrey Kirkpatrick (Rel. No. 34-95189, June 30, 2022).
Pierce’s 2022 statement reflected on six individual factors raised by the NYC Bar. The questions are as stated in the NYC Bar’s proposal and restated in the July 1, 2022 statement. Pierce’s responses are summarized.
- Did the CCO not make a good faith effort to fulfill his or her responsibilities? Kirkpatrick was both the CCO and a principal of HIC. Thus, he knew or should have known of the inadequacy of the firm’s compliance program since at least December 2019. He had adequate authority to address the compliance inadequacies as a principal of the firm.
- Did the Wholesale Failure relate to a fundamental or central aspect of a well-run compliance program at the registrant? The failures related to the outside business activities of an investment adviser representative (IAR), which can give rise to conflicts of interest. The firm’s own compliance program required disclosure of outside business activities, the characteristic of which generally are well understood.
- Did the Wholesale Failure persist over time and/or did the CCO have multiple opportunities to cure the lapse? The failure to address known weaknesses in the compliance program generally and failure to ensure required disclosures carried on for more than a year. The CCO had multiple opportunities to cure the issue of unreported outside business activities by an IAR because the activity came to the CCO’s attention repeatedly over a substantial period of time. While the CCO ultimately did raise the IAR’s outside business activities, almost a year had passed since becoming aware of transfers of client assets.
- Did the Wholesale Failure relate to a discrete specified obligation under the securities law or the compliance program at the registrant? The enforcement action was based on a fundamental failure to deploy the compliance program effectively to protect firm clients and not premised on technical non-compliance.
- Did the SEC issue rules or guidance on point to the substantive area of compliance to which the Wholesale Failure relates? The legal principles at issue here are well established and the CCO’s lapses aren’t related to an absence of commission guidance.
- Did an aggravating factor add to the seriousness of the CCO’s conduct? The aggravating factor here was that the broker-dealer with which the IAR was associated flagged certain transactions involving transfers of client assets to the IAR’s outside business activity.
Grewal spoke of other SEC actions that constituted a “wholesale failure by compliance personnel to fulfill their obligations.” An action was settled in September 2023 against a Marcum LLP former practice leader for failing to address deficiencies in the accounting firm’s quality control system. He also referenced the SEC’s action against Two Point Capital Management, Inc. and its CEO and CCO for having failed to develop policies and procedures related to the firm’s business, opting to use a compliance handbook published by a professional organization for 10 years.
Grewal has certainly signaled that the commission does see a need for guidance on CCO liability. In the meantime, it is crucial that CCOs and compliance personnel remain diligent in carrying out their duties and preventing negligence, willful blindness, and misconduct. No one wants to face potential personal liability, even if the likelihood is “exceedingly rare.”