
Behind the SEC's Recent Crackdown on Compliance Officials

By H. David Kotz
September 02, 2015

Recent comments by Securities and Exchange Commission (SEC) Commissioner Daniel Gallagher were noteworthy for both their candor and the subject he raised. On June 18, 2015, Gallagher wrote in a statement placed on the SEC website (http://tinyurl.com/nnatjpw) that the SEC was sending a “troubling message”: Chief compliance officers (CCOs) should not take ownership of their firms' compliance policies and procedures, lest they be held accountable for conduct that is not really their responsibility. He explained his dissents in two recent Enforcement actions brought by the SEC against CCOs and derided as not a “model of clarity” an SEC rule that requires investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of laws and regulations. He also expressed concern that the SEC's current approach would actually disincentivize a vigorous compliance function at investment advisers.

The Two Recent SEC Cases Referenced by Gallagher

The two recent Enforcement actions referenced by Commissioner Gallagher, who is leaving the SEC soon, are worth exploring. The first case cited involved BlackRock Advisers, a registered investment advisory firm with approximately $452 billion assets under management. According to the SEC, BlackRock first knew of and approved an investment of $50 million into the company made by Daniel Rice III, who was the general partner of Rice Energy, a family owned-and-operated oil and natural gas company; and second, a joint venture that Rice Energy later formed with a publicly traded coal company. It eventually became the largest holding (almost 10%) in the $1.7 billion BlackRock Energy & Resources Portfolio, the largest Rice-managed fund.

The SEC claims that BlackRock, and specifically its CCO, Bartholomew Battista, failed to disclose this conflict of interest to either the boards of the BlackRock registered funds or its advisory clients. Most noteworthy, in addition to blaming BlackRock for these alleged lapses, the SEC specifically cited Battista for failing to put into place policies and procedures to assess and monitor outside business activities like Rice's, even though he regularly approved them. In the end, the parties agreed to a settlement with the SEC wherein BlackRock agreed to pay a $12 million fine and Battista agreed to pay $60,000. As noted by the SEC in its April 2015 press release announcing the settlement, this was the first SEC case to charge violations of an Investment Company Act requirement that funds must report material conflicts of interest to their boards of directors (see http://tinyurl.com/p68zjv3).

The second case cited by Commissioner Gallagher concerned former professional boxer Mike Tyson's adviser, SFX Financial Advisory Management Enterprises, which provides advisory and financial management services to current and former professional athletes. In addition to alleging that former SFX Financial's President Brian Ourand misused his authority over several accounts to steal approximately $670,000 from clients, the SEC separately charged SFX for failing to supervise Ourand, violating the custody rule, and making a false statement in a Form ADV filing. The SEC also charged SFX CCO Eugene Mason with causing SFX's compliance problems by negligently failing to conduct reviews of cash flows in client accounts, which was required by the firm's compliance policies, and by not performing an annual compliance review. Additionally, the SEC specifically cited Mason as being responsible for a misstatement in SFX's Form ADV that client accounts were reviewed several times each week. The SEC eventually agreed to a settlement with SFX and Mason wherein SFX agreed to pay a penalty of $150,000 and Mason agreed to a $25,000 fine.

FinCEN Case Against CCO

The SEC is not the only organization to recently target CCOs for alleged failures to ensure that companies abide by compliance policies and procedures. In December 2014, the Financial Crimes Enforcement Network (FinCEN) issued a $1 million civil penalty against Thomas Haider, former CCO of MoneyGram International, Inc. (MoneyGram). FinCEN claimed that during his oversight of compliance for MoneyGram, Haider failed to adequately respond to thousands of customer complaints regarding schemes that utilized MoneyGram to defraud consumers.

According to FinCEN, Haider, the CCO from 2003 to 2008, became aware of complaints received by the company's fraud department regarding numerous alleged fraud schemes. FinCEN charged Haider with being personally responsible for MoneyGram's failure to meet its legal obligations under the Bank Secrecy Act, as well as for its failures to implement and maintain an effective anti-money laundering (AML) compliance program, and to timely file Suspicious Activity Reports.

Difficulty in Determining if CCOs Have Legal Exposure

As noted by Commissioner Gallagher, perhaps the most disturbing aspect of this recent trend is that the SEC policy regarding what constitutes wrongdoing on the part of CCOs is now primarily being determined by Enforcement actions rather than through SEC rules. As Commissioner Gallagher pointed out, the SEC rule (Rule 206(4)-7 of the Investment Advisers Act of 1940) intended to delineate the responsibility of CCOs merely states that registered investment advisers are required to “[a]dopt and implement written policies and procedures reasonably designed to prevent violation[s]” of the statute, but offers no guidance as to the distinction between the role of CCOs and management in carrying out the compliance function. Also, in the 11 years since the rule was adopted, the SEC has not issued any guidance on how to comply with it.

Without further elucidation of this rule, CCOs are forced to attempt to “read the tea leaves” of Enforcement actions to determine where and when they may have exposure. From BlackRock, they may understand that exposure may occur if they fail to take action in a case of what the SEC deems an obvious conflict of interest. From SFX Financial, one could expect the SEC to take action if a CCO made a misstatement on an ADV or similar document, and/or failed to perform annual compliance reviews. But it is difficult, if not impossible, to know which future factual circumstance the SEC will determine is a basis for liability on the part of an individual like a CCO.

2014 SEC Speech from the SEC Enforcement Director

If CCOs are forced to learn their regulatory responsibilities and exposure levels from Enforcement cases, it is helpful to attempt to understand the priorities of the Enforcement Division in this area. To that end, it is worth analyzing a May 20, 2014, speech in which SEC Director of Enforcement Andrew Ceresney discussed the circumstances when the SEC would seek sanctions against compliance personnel. Director Ceresney's speech contained a short discussion of the SEC's position on the duties of CCOs. He emphasized that the SEC will take action against compliance officers: 1) if they actively participated in the misconduct; 2) if they have helped mislead regulators; or 3) when they have clear responsibility to implement compliance programs or policies and wholly failed to carry out that responsibility.

As an example, Director Ceresney cited a case where the CCO not only knew about the firm's decision to violate the rules, but also participated in the violations by, among other things, failing to implement procedures for which he was responsible that would have brought the firm into compliance, and then concealing those violations from regulators. Director Ceresney also gave an example of a situation where the CCO was considered by the SEC to have wholly failed to carry out his compliance responsibilities by failing to adopt or implement adequate compliance programs after being notified repeatedly of deficiencies by the examination staff.

What Should CCOs Do Going Forward?

Director Ceresney's speech provides some elucidation, but it could be contended that the factual circumstances in the BlackRock and SFX Financial cases, both of which resulted in Enforcement actions that post-dated the speech, reflected less egregious situations than the criteria provided by Director Ceresney as being triggers for Enforcement actions against CCOs. This is the danger discussed above, wherein individuals or firms must rely upon Enforcement cases rather than rules and regulations in determining the extent of their liability. Enforcement cases, by their nature, are fact-specific. It is not easy to determine the appropriate standard of liability from analyzing SEC decisions to bring charges in an Enforcement context.

Therefore, going forward, CCOs should ensure that basic compliance requirements are followed and should understand that as part of their roles, they are personally responsible and potentially liable for these requirements. CCOs must also be wary of imposing too many “paper” rules where they are unsure if the rules can be followed fully every year. In addition, CCOs must carefully document decisions they make so that even if an SEC Enforcement attorney disagrees with the decision, it will be clear that the decision was a reasoned one rather than simple neglect of regulatory responsibilities. Finally, CCOs must have ownership of their compliance programs and demand ownership from their subordinates as well.

Who Else Could Be Targeted?

The SEC's recent crackdown on CCOs is part of a larger focus by regulators on individual liability. Much of this effort comes from the perceived failure by regulatory agencies to prosecute individuals for alleged civil and criminal conduct arising out of the financial crisis. Whether it is the Department of Justice (DOJ), SEC, FinCEN, or entities such as the Commodity Futures Trading Commission (CFTC) or Financial Industry Regulatory Authority (FINRA), there is increased pressure to bring charges against individuals. The often overlapping and confusing jurisdictions of these regulators complicate the matter further.

Depending on their exact role, general counsels may face potential liability for failures to identify or act on supposed “red flags,” failures to respond to numerous complaints alleging the same issue or concern, or where firms fail to correct deficiencies that the regulator believes should have been remedied immediately. Moreover, at some small firms the CCO and general counsel positions are combined, and the person holding both may face extra scrutiny. In addition, members of an audit committee may face potential exposure for what is deemed to be egregious or even negligent failure to fulfill their duties.

Accordingly, individual officers with legal, compliance, or oversight duties should scrutinize Enforcement actions brought by the myriad regulatory agencies that impact the businesses in which they work. These officers should redouble efforts to ensure not only that their part of the company has the required policies and procedures in place, but also that they can demonstrate that these policies and procedures are being implemented actively and appropriately under their supervision.


H. David Kotz presently serves as a managing director at Berkeley Research Group, a global expert services and consulting firm, where he focuses on internal investigations and serves as an expert witness in securities and fraud-related litigations. Mr. Kotz previously served for over four years as inspector general of the SEC. He recently completed a book, Financial Regulation and Compliance: How to Manage Competing and Overlapping Regulatory Oversight, to be published by John Wiley & Sons. The opinions expressed here are those of the author and do not represent the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates. The information provided by this article should not be construed as financial or legal advice. The reader should consult with his or her own advisers.

