An increasing number of enforcement actions against CCOs for their organizations’ misconduct has focused attention on their duties and responsibilities. The authors address this subject, giving an overview of the role of CCOs, recent enforcement actions against them, and theories of liability in the cases. They close with specific actions CCOs are advised to take to mitigate such risks.
Copyright © 2018 by RSCR Publications LLC. ISSN: 0884-2426. All rights reserved. Reproduction in whole or in part prohibited except by permission. For permission, contact Copyright Clearance Center at www.copyright.com. The Review of Securities & Commodities Regulation does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions, or for the results obtained from the use of such information. Reprinted here with permission.
Today’s fast-growing and complex business reality has raised great concerns about corporate integrity and ethics. Regulators have promulgated numerous regulations and rules to ensure that businesses are operating within the legal boundaries, and enforcement actions have been taken against wrongdoers who have crossed the line. A particular role, the chief compliance officer (CCO), has been created to serve as a watchdog to meet corporate compliance needs. While traditionally compliance officers are seen as “partners” of enforcement authorities, an increasing number of enforcement actions against CCOs has indicated that the watchdogs are being watched too, generating CCOs’ fear of personal liability for their organizations’ misconduct.
This article gives an overview of the role of CCOs, reviews the recent trend in enforcement actions against CCOs, examines the circumstances under which CCOs are held liable for corporate misconduct, and provides advice to CCOs to protect against exposure to personal liability.
What Does It Mean to be a CCO?
The CCO of a company is the officer primarily responsible for overseeing and managing regulatory compliance issues within an organization. The CCO, as a “watchdog,” plays an important role in ensuring corporate integrity and ethics in conducting business. CCOs have been tasked with a number of responsibilities, such as developing and implementing policies and procedures for the organization to meet regulatory requirements, investigating disclosures of noncompliance and suspected misconduct, assessing noncompliance risks, and reporting misconduct to senior management and the government (when necessary).
Historically, a company’s general counsel performed many of the duties of the compliance officer. Today it is increasingly the practice that the two functions are distinct and the roles are independent of each other. The general counsel provides legal advice, while the CCO designs the systems and processes to ensure that the company has a program in place designed to prevent noncompliance.
Regulatory Regime Requiring a Particular Compliance Officer Role
The genesis of the CCO position is generally traced back to 2002 when the Sarbanes-Oxley Act of 2002 was passed in response to a series of corporate and accounting scandals. In the same year, Cynthia A. Glassman, a then-Commissioner of the Securities and Exchange Commission, encouraged companies to designate “an officer with ownership of corporate compliance and ethics issues.”1 Since then, regulators have promulgated a number of rules making it mandatory for companies in certain industries to designate a compliance officer.
For instance, Rule 206(4)-7, promulgated by the SEC under the Investment Advisers Act of 1940, requires each SEC-registered advisory firm to appoint a CCO to administer the firm’s compliance policies and procedures.2 The Department of Treasury has issued a regulation implementing the Anti-Money Laundering (AML) program mandated by the Bank Secrecy Act (BSA), under which money-services businesses are required to appoint “a person to assure day to day compliance with the program.”3 The Financial Industry Regulatory Authority, the primary self-regulatory organization for broker-dealers, also requires its member firms to establish and maintain a supervision system and written supervisory procedures to achieve compliance, and to designate a CCO or multiple CCOs to oversee and implement the firm’s compliance program.4 Additionally, the Commodity Futures Trading Commission has adopted rules regarding the internal business conduct standards of futures commission merchants, swap dealers, and swap participants under the Dodd-Frank Act, which requires the designation of a CCO.5 More recently, on August 21, 2018, the CFTC amended its CCO regulations, providing clearer guidance as to its registrants’ CCOs’ duties, harmonizing CFTC’s requirements and parallel provisions adopted by the SEC, and at the same time “enabl[ing] greater accountability and improv[ing] overall compliance.”6
Watchdogs Being Watched
While CCOs have constantly been referred to by law enforcement officials as “key partners,”7 there has been a perception that CCOs are becoming targets of government investigations, and the enforcement authorities seem to take an aggressive posture in holding compliance officers accountable for corporate wrongdoings.8 The SEC’s pursuit of the former CCO of a clearing firm in 2014 seems to be one of the early cases that sparked the controversial enforcement trend.9 At the time of that case, then-SEC Enforcement Director Andrew Ceresney, when delivering a keynote address at 2014 Compliance Week, made it clear that the SEC had brought and would continue to bring actions against legal and compliance officers when appropriate.10
This trend not only affects CCOs in the securities industry. As illustrated below, enforcement actions against CCOs in the banking and finance industry for corporate violations of BSA and AML regulations are also increasing.11 Not only does the SEC play an active role, but the Department of Justice, the Financial Crimes Enforcement Network (FinCEN), and FINRA have also sought to hold CCOs liable for organizational misconduct. Some of these cases are discussed below.
Recent Enforcement Actions Involving CCOs
On May 16, 2018, the SEC entered into a settlement with the CCO of a registered broker-dealer, who was found to have failed to perform his duties under the firm’s AML policies, including duties to investigate potential red flags related to fraudulent transactions, to monitor trading for suspicious patterns, and to file suspicious activity reports (SARs). The CCO agreed to pay civil penalties of $15,000 and agreed to be barred from the securities industry and the penny stock business with the right to apply after three years.12
Similarly, in March 2018, the SEC found that a broker-dealer violated an SEC financial recordkeeping and reporting rule by failing to meet AML obligations to file SARs on numerous suspicious transactions that were potentially related to the market manipulation of low-priced securities.13 The SEC also instituted two separate proceedings against two former AML compliance officers for aiding and abetting the firm’s violations. One CCO settled with the SEC without admitting or denying its findings, agreeing to pay a penalty of $20,000 and a prohibition from serving in a compliance or AML capacity in the securities industry with a right to apply after 18 months.14 The other CCO, who initially planned to contest the allegations,15 eventually reached a settlement with the SEC. Without admitting or denying its findings, he agreed to a civil penalty of $20,000 and continued proceedings on the record to determine what (if any) remedial action would be appropriate in the public interest.16
Another recent noteworthy case against a CCO for BSA/AML violations is the settlement entered into by the former CCO of a financial services company with the Department of Treasury on May 3, 2017. The CCO admitted and accepted responsibility for failing to implement and maintain an effective AML program, and to take action when a number of reports of consumer fraud had accumulated. The CCO agreed to pay a civil penalty of $250,000 and accepted a three-year ban on acting in a compliance capacity at a money transmitter.17
In March 2017, the Federal Deposit Insurance Corporation closed its investigation against the former CCO of a major U.S. bank’s subsidiary after reaching a regulatory resolution with the CCO. The CCO was ordered to pay a civil money penalty of $70,000 and prohibited from further participation in the conduct of the affairs of any financial institution.18 The FDIC took this action in parallel with an investigation conducted by the DOJ against the subsidiary company. The subsidiary agreed to forfeit nearly $1 million to the federal authorities for its willful failure to maintain an effective AML compliance program while processing over 30 million remittance transactions to Mexico with a total value of over $8.8 billion; the DOJ agreed to enter into a non-prosecution agreement with the subsidiary and its U.S. parent company.19
To meet the regulatory requirement of an appointment of a CCO, and to deal with the expertise required and costs associated with such appointment, there has been a growing trend in outsourcing compliance activities to third parties.20 Consequently, we have seen enforcement actions against outsourced CCOs as well. On August 15, 2017, the SEC announced a settlement order against an outsourced CCO for two investment advisers.21 The SEC found that the outsourced CCO’s conduct (both actions and inactions) directly violated the Advisers Act, and caused these two investment adviser firms’ failures to file timely and accurate Form ADV amendments. Under the settlement, the CCO agreed to a penalty of $30,000 and a bar from holding any position in the securities industry for 12 months.
Theories Regarding CCOs’ Personal Liability
As a result of the increasing number of enforcement actions against CCOs, there is a concern that such actions will deter qualified people from pursuing a career as a CCO. Realizing that such a concern is real, law enforcement and regulatory officials have made public statements that they will take actions against a CCO only when “facts demonstrate that the CCO’s conduct crossed a clear line.”22 Of course, such “clear lines” are often only in the eyes of the beholders.
In his keynote speech at the National Conference of the 2015 National Society of Compliance Professionals, former Director Ceresney stated that the SEC actions against CCOs generally fall into three categories: (1) CCOs who are affirmatively involved in misconduct; (2) CCOs who engage in efforts to obstruct or mislead the SEC staff; and (3) CCOs who have exhibited a wholesale failure to carry out their responsibilities.23 Ceresney’s categorization also reflects the major theories under which other agencies have held CCOs personally liable, which can be summarized into the following three types: (1) primary liability for directly participating in the misconduct; (2) liability for secondary violations; and (3) liability for failing to supervise appropriately.
There is no doubt that when a CCO has directly engaged in corporate wrongdoing, like any other high-level executive, the CCO will be personally liable for the violations. In such enforcement actions, the focus is not on the violator’s role and function as the CCO, but on the CCO’s actual conduct, as with other direct violators. This category is not a major concern for most CCOs and usually involves their wearing multiple hats other than the CCO’s hat.24 A typical example, as cited by former Director Ceresney, is the SEC’s 2015 sanction against the CCO of an investment adviser, who affirmatively and willfully made untrue statements to the fund administrator and auditor.25 Additionally, in the recent SEC enforcement action against the outsourced CCO discussed above, the claim that the CCO made untrue statements on Form ADVs on behalf of the adviser firms also falls in this category.26
Section 20(e) of the Securities Exchange Act and Section 209(f) of the Advisers Act provide for “aiding and abetting” liability of a secondary violator, who “knowingly or recklessly provides substantial assistance to another person” in violation of the securities laws. When a CCO has the knowledge or should have the knowledge of the violations but still actively assists (e.g., altering documents to deceive) or disregards the red flags, it is likely that the CCO will be held liable for the corporation’s violations as a secondary violator.
For instance, the SEC alleged that a former compliance officer of a large investment adviser firm altered her review document to make it appear that she performed a more thorough review than she actually did before providing it to the SEC during an insider trading investigation.27 An administrative law judge supported the SEC’s finding that the former compliance officer willfully aided and abetted, and caused her firm’s violations of the Exchange Act and the Advisers Act.28
While a compliance officer’s active engagement in efforts to “obstruct or mislead the SEC staff” constitutes “aiding and abetting,” the SEC has said that a compliance officer’s inaction can also be deemed as “aiding and abetting,” and liability for the secondary violator should be imposed. For instance, in an SEC administrative order released in March 2018, the SEC found that the former compliance officer of a broker-dealer had failed to file SARs on behalf of his firm despite receiving AML red flags identified by a clearing firm in his firm’s low-priced securities transactions. The SEC also found that the compliance officer did not produce any written analysis or otherwise demonstrate that he had considered filing SARs for these transactions. The SEC further accused the compliance officer of not investigating why the firm’s internal personnel or surveillance system had not raised such alerts to his attention.29 Based on the compliance officer’s actual knowledge of the firm’s noncompliance practice and failure to take any action, the SEC claimed that the compliance officer willfully aided and abetted and caused his firm’s violation of the Exchange Act and brought an enforcement action. On July 6, 2018, the compliance officer changed his original plan of litigating the matter and reached a settlement with the SEC.30
It would be interesting to see how the administrative judge would determine the CCO’s liability if this case went to trial. Under the Exchange Act, to charge a person for “aiding and abetting” liability for a securities law violation, the government must prove: (1) the existence of a securities law violation by the primary party; (2) knowledge of this violation on the part of the aider and abettor; and (3) substantial assistance by the aider and abettor in the achievement of the primary violation.31 As many of the SEC enforcement cases have been settled, whether a CCO’s failure to act will constitute “substantial assistance,” as the case mentioned in the preceding paragraph, remains to be litigated.
Failing to Supervise Appropriately/Causing
As mentioned previously, regulators have placed mandatory requirements on enterprises in certain industries to establish and maintain a supervisory system to achieve compliance with applicable laws, regulations, and rules. When CCOs exhibit “a wholesale failure to carry out their responsibilities,” e.g., failure to develop compliance policies or to implement them, they can be sanctioned for such failures.32
FinCEN’s investigation into the former CCO of a financial services company exemplifies the “failing to supervise” liability.33 The CCO, in his position, had direct oversight over the company’s Fraud Department and AML Compliance Department, and had the authority to direct the termination or discipline of high-risk agents and business units. However, according to FinCEN, the CCO failed to carry out any responsibilities under such roles. FinCEN and the U.S. Attorney’s Office identified the CCO’s five major failures: (1) failure to implement a discipline policy; (2) failure to terminate problematic agents/business units; (3) failure to file timely SARs; (4) failure to conduct effective audits of agents/business units; and (5) failure to conduct adequate due diligence on agents/business units.34 All such failures caused the financial services company to violate the BSA, and FinCEN determined that the CCO should be penalized for such losses.
The FDIC’s enforcement action against the former CCO of a major U.S. bank’s subsidiary mentioned previously is another example.35 The CCO constantly disregarded routine reports regarding the subsidiary’s inadequate remittance transaction monitoring from his subordinates, failed to address the reported concerns, failed to enhance its transaction monitoring controls, and failed to investigate suspicious activities as required by the BSA.
The CCOs in the foregoing two cases, though not directly involved in the misconduct, or possibly even not aware of the actual illegal activities, by failing to perform their duties to supervise their organizations’ businesses, faced fines and industry bars. In such cases, when investigating the “failing to supervise appropriately/causing” liabilities of the CCOs, the enforcement agencies tend to examine the actual role and authority of the CCO empowered by his/her organization, the specific compliance requirements and duties imposed on the CCO by the applicable regulatory framework and the organizational policies, and whether and how such duties have actually been carried out.
Mitigating Risks of Enforcement Actions
The foregoing discussion reveals that a risky area in which CCOs may be exposed to personal liability arises out of their inaction, such as ignoring red flags, failing to file SARs, failing to address or investigate potential problems, failing to implement compliance policies and programs, etc. Therefore, CCOs should not adopt an ostrich policy and must be proactive to avoid liability. As then-SEC Chair Mary Jo White said, compliance officers should not fear enforcement actions if they “perform their responsibilities diligently, in good faith, and in compliance with the law.”36 However, if they fail to perform their duties properly, CCOs will face enforcement actions. Listed below are specific actions CCOs are advised to take to mitigate such risks.
Compliance officers should familiarize themselves with all regulatory schemes and compliance requirements applicable to their organizations. For instance, as part of the supervisory system required by FINRA for broker-dealers, written supervisory procedures must be designed; and filings of SARs are mandatory for financial institutions, broker-dealers, money services businesses, etc. Lack of knowledge or ignorance of the law is not a defense.
Compliance officers are also advised to keep track of the enforcement climate, and regularly examine the guidelines, programs, comments, and major decisions issued by relevant enforcement authorities. For example, the DOJ released a guidance document entitled Evaluation of Corporate Compliance Programs in March 2017, which set forth the topics that the Fraud Section of the DOJ may focus on in evaluating corporate compliance programs in the context of a criminal investigation.37 Risk Alerts issued by the Office of Compliance Inspections and Examinations of the SEC also serve as good sources of information. Review of such materials will enable compliance officers to learn and adopt best practices so as to quickly adapt themselves to the constantly changing enforcement environment.
Enforcement authorities also expect that CCOs will have a strong and comprehensive understanding of their companies’ businesses, organizational structure, key employees, corporate systems and governance, and the risks faced by their organizations.38 With such knowledge, CCOs will be able to tailor the entities’ compliance policies and programs to the particular business needs of their organization, and easily identify and take measures against non-compliant activities.
Finally, the following are suggested actions for CCOs to ensure an effective working compliance program: (1) establishing and implementing a comprehensive set of compliance policies and procedures; (2) regularly monitoring, assessing, and updating the policies and procedures; (3) clarifying their supervisory duties under the policies and procedures; (4) developing internal reporting systems regarding suspected wrongdoing; (5) making sure red flags are addressed in a timely manner; and (6) carrying out internal investigations when necessary. CCOs are also encouraged to keep good written records of such measures, which may be used as proof of diligent governance when facing examinations or investigations.
1 Cynthia A. Glassman, former Commissioner of the SEC, Speech by SEC Commissioner: Sarbanes-Oxley and the Idea of “Good” Governance (September 27, 2002), available at https://www.sec.gov/news/speech/spch586.htm.
2 17 C.F.R. § 275.206(4)-7.
3 31 C.F.R. § 1022.210.
4 FINRA Rule 3110 and Rule 3130.
5 17 C.F.R. § 3.3.
6 Statement of CFTC Chairman J. Christopher Giancarlo Regarding the Final Rule on Chief Compliance Officer Duties and Annual Report Requirements for Futures Commission Merchants, Swap Dealers, and Major Swap Participants (August 21, 2018), available at https://www.cftc.gov/PressRoom/SpeechesTestimony/giancarlostatement082118.
7 Andrew Ceresney, Director of the Division of Enforcement of the SEC, Keynote Address at the National Conference of the 2015 National Society of Compliance Professionals (November 4, 2015), available at https://www.sec.gov/news/speech/keynote-address-2015-national-society-compliance-prof-cereseney.html.
8 According to Thomson Reuters 2017 Annual Cost of Compliance Survey, almost half of the respondents considered personal liability for compliance officers a continued concern, available at https://risk.thomsonreuters.com/content/dam/openweb/documents/pdf/risk/report/cost-of-compliance-2017.pdf.
9 In the Matter of Thomas R. Delaney II and Charles W. Yancey, Rel. No. 34-72185 (2014).
10 Andrew Ceresney, Director of the Division of Enforcement of the SEC, Keynote Address at Compliance Week 2014 (May 20, 2014), available at https://www.sec.gov/news/speech/2014-spch052014ajc.
11 Jay B. Sykes, Legislative Attorney, Trends in Bank Secrecy Act/Anti-Money Laundering Enforcement, Congressional Research Service Report 7-5700 (January 12, 2018), available at https://fas.org/sgp/crs/misc/R45076.pdf.
12 In the Matter of Jerard Basmagy, Rel. No. 34-83252 (2018).
13 In the Matter of Aegis Capital Corporation, Rel. No. 34-82956 (2018).
14 In the Matter of Kevin McKenna and Robert Eide, Rel. No. 34-82957 (2018).
15 In the Matter of Eugene Terracciano, Rel. No. 34-82958 (2018).
16 In the Matter of Eugene Terracciano, Rel. No. 34-83604 (2018).
17 FinCEN and Manhattan U.S. Attorney Announce Settlement with Former MoneyGram Executive Thomas E. Haider, FinCEN News Release (May 4, 2017), available at https://www.fincen.gov/news/news-releases/fincen-and-manhattan-us-attorney-announce-settlement-former-moneygram-executive.
18 In the Matter of Donald Noseworthy, individually, and as an institution-affiliated party of Banamex USA, FDIC-16-0148e; FDIC-16-0149k (February 14, 2017).
19 The Non-Prosecution Agreement re: Banamex USA Criminal Investigation, U.S. Department of Justice Criminal Division (May 18, 2017), available at https://www.justice.gov/opa/press-release/file/967871/download.
20 The Office of Compliance Inspections and Examinations, Examinations of Advisers and Funds That Outsource Their Chief Compliance Officers, National Exam Program Risk Alert, November 9, 2015, available at https://www.sec.gov/files/ocie-2015-risk-alert-cco-outsourcing.pdf.
21 In the Matter of David I. Osunkwo, Rel. No. 34-81405 (2017).
22 Supra note 7.
25 In the Matter of Alphabridge Capital Management, LLC, Thomas T. Kutzen, and Michael J. Carino, Rel. No. 40-4135 (2015).
26 Supra note 21.
27 In the Matter of Judy K. Wolf, Initial Decision Rel. No. 851, Admin. Proc. File No. 3-16195 (August 5, 2015).
28 In the Matter of Judy K. Wolf, Rel. No. 34-75969 (2015).
29 Supra note 15.
30 Supra note 16.
31 SEC v. DiBella, 587 F.3d 553, 558 (2d Cir. 2009).
32 Supra note 7.
33 Supra note 17. As noted, this investigation was closed in 2017 as a result of settlement.
34 Complaint, U.S. Dep’t of Treasury v. Haider, No. 15-CV-01518 (D. Minn. Dec. 18, 2014), ECF No. 1.
35 Supra note 19.
36 Mary Jo White, former Chair of the SEC, Remarks at National Society of Compliance Professionals National Membership Meeting (Oct. 22, 2013), available at https://www.sec.gov/news/speech/2013-spch102213mjw.
37 Evaluation of Corporate Compliance Programs, the Department of Justice, Criminal Division Fraud Section, available at https://www.justice.gov/criminal-fraud/page/file/937501/download.
38 Andrew J. Donohue, Chief of Staff of the SEC, New Directions in Corporate Compliance: Keynote Luncheon Speech, at the Rutgers Law School Center for Corporate Law and Governance Camden, New Jersey (May 20, 2016), available at https://www.sec.gov/news/speech/donohue-rutgers-new-directions-corporate-compliance-keynote.html.
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.