The trends in compliance enforcement are increasing and can be very costly for firms that are not prepared—not just in monetary fines, but in personal and professional reputation. Regulators—to make their point in as visceral a way as possible—have increasingly been targeting and fining chief compliance officers (CCO) and senior executives directly for non-compliance and lack of proper preparation and diligence. This is especially an issue for small to mid-sized advisory firms where a designated CCO is, in many cases, an executive with multiple job duties. And it’s not just the SEC that is focusing on investment advisors and senior executives as state regulators have been more active in the space as well.
The Institute for Innovation Development reached out to Institute member Bo Howell of CCO Technology—a FinTech software-as-a-service (SAAS) company focused on supporting small and middle-sized advisory firms with regulatory compliance—to get his practical and engaged perspective on this issue and discuss the growing need for developing a detailed, comprehensive and defendable compliance strategy.
Bill Hortz: You warn about the personal liability risks within compliance enforcement actions in your firm’s materials. To what extent is the Chief Compliance Officer, or other executives in the firm, personally liable for regulatory actions versus just the firm?
Bo Howell: Generally, the SEC goes after CCOs and other executives if they participate in wrongdoing, hinder an SEC examination or investigation, or oversee the wholesale failure of a compliance program. For example, in the Temenos Advisory case that was filed in 2018, the CCO was also the Founder and Advisor Representative. He placed his clients in unsuitable investments and neglected his duties as a CCO—he didn’t perform any due diligence on the investments; he failed to disclose to clients known issues with the investments and his conflict of interest; and he overcharged many clients.
In other cases, the CCO had incomplete or inaccurate compliance documentation at the start of an examination so they “fixed” the documents and submitted them to the SEC, but the documents did not accurately show the state of the compliance program at the time under review. Rather, it created a fiction in response to an SEC exam.
Wholesale failures usually occur when the adviser has been hit with a deficiency in one or more examinations and the CCO fails to take the remedial action that he submitted to the SEC. A case in point is the Southwind Associates case from 2017 where the SEC’s Office of Compliance, Inspections, and Examination (“OCIE”) conducted three exams of the adviser over a ten year period and each exam resulted in deficiencies that were not corrected. Additionally, the SEC will sanction a CCO if he fails to follow-up on red flags, as was the case in the Chardran matter filed in May 2018.
As these actions illustrate, major lapses in a compliance program can result in a CCO and other senior executives being fined by the SEC or even suspended or barred from the financial services industry.
Hortz: What have you seen as best practices to defend against personal regulatory action?
Howell: The best defense is a good offense, which means ensuring your compliance program addresses all your business operations and it is documented. As Commissioner Pierce noted, a CCO that continually implements and updates their compliance program in response to business and regulatory developments should be in good standing with the SEC and investors. Of course, this means the CCO is actually following the written policies and procedures and addressing red flags or weaknesses as they are discovered. Ultimately, the best practice is to have the right person in the CCO position, implement the right processes for your business, and document everything.
Hortz: Based on your experiences and discussions, what do you see as the biggest challenges for managing compliance at a smaller advisory firm?