Compliance officers have reason to feel uneasy. They have been tasked with an increasing number of responsibilities, asked to manage a complex variety of compliance risks, and often wear multiple hats within an organization. With the business and regulatory environment becoming more complex in the post-Dodd-Frank world, CCOs are expected to deliver better information to help executive management identify and manage organizational risks. Finally, and notably, the SEC recently imposed personal fines against two high-profile CCOs in response to their alleged failure to implement the firm’s policies and procedures.
The enforcement actions against BlackRock Advisors LLC, SFX Financial Advisory Management Enterprises Inc., and their respective compliance officers were surprising. These actions sparked a public debate between two sitting SEC commissioners who seemingly disagree on the merits and potential unintended consequences arising from how rule 206(4)-7 of The Investment Company Act of 1940 is enforced. In a sign that this issue has struck a nerve, SEC Chairman Mary Jo White even felt compelled to weigh in during a recent speech to a group of compliance professionals, seeking to ease any fears that these recent actions were indicative of any new enforcement trend or SEC stance with respect to the roles and responsibilities of CCOs.
BlackRock & SFX
In BlackRock, the CCO was made aware (along with other senior executives) that the managing director of energy sector assets had entered into a joint venture between his personal trust and an energy company in which one of the funds he managed had a large interest. Indeed, the energy company represented the largest position in that fund. In addition, positions in the energy company were held in separate client accounts that were the responsibility of this managing director as well. BlackRock pointed out potential conflicts of interest to the managing director, and denied his request to take a board seat in the joint venture. However, BlackRock also allowed him to continue his personal investing activities and portfolio management responsibility despite all the noted conflicts of interest. BlackRock’s failure to make appropriate disclosure of the managing director’s potential conflicts to the energy sector fund boards and separate account clients violated both 40 Act disclosure requirements for CCOs and BlackRock’s internal private investment policy for which violations also need to be reported.
In SFX, the President of the firm misappropriated assets from his client’s accounts for which he had power to withdraw and deposit assets in addition to discretionary trading authority, powers which would always pose a risk for the exact type of fraud that ultimately occurred. Representations in SFX’s Form ADV filed with the SEC for the benefit of investors stated “Client cash account used specifically for bill paying is reviewed several times each week by senior management for accuracy and appropriateness.” As it turned out, no one other than the President who perpetrated the fraud actually ever reviewed the accounts over which he had access. The SFX CCO both failed to conduct the annual compliance review prescribed by the 40 Act and was responsible for the inaccurate ADVs.
Administration versus Implementation
The central issue that makes these recent enforcement actions notable is the SEC’s apparent interpretation that a CCO is responsible not only for administering an adviser’s compliance program, but is also personally responsible for the implementation of that program.
CCO responsibility for administration was relatively clear from section 206(4)-7 of The Investment Advisers Act of 1940. The previously issued guidance with respect to how to comply with 40 Act rule 206(4)-7 included overarching responsibility of the adviser firm to adopt and implement written policies designed to prevent violations of federal securities laws, but was specific about the need to “designate a CCO to be responsible for administering the policies.” Until recently, implementation has been interpreted as a duty that falls on the adviser entities themselves.
In both the BlackRock and SFX examples it would be hard to argue that the registered advisers involved were treated unfairly. The breakdown in controls led to alleged violations in which there was a pretty clear breach of fiduciary duty to their investors.
Agreeing that the BlackRock and SFX situations are difficult, the question nevertheless remains: is it fair for the SEC to single out CCOs under Rule 206(4)-7 while offering no guidance as to the distinction between the role of CCOs and management in carrying out the compliance function? In the absence of formal guidance to clarify this issue, market participants must turn to enforcement actions to glean the standard that they will be held to. In any case, CCOs must continue to be vigilant as they will continue to be held to a very high standard in a rapidly evolving and challenging field regardless of segregation of duties.
If enforcement actions going forward broadly commingle the responsibilities of adviser entities and CCOs with respect to both administering and implementing policies and procedures, then it starts to look as if there is a trend towards strict liability for CCOs, making them accountable for compliance failures they cannot control.
Implications for CCOs under Dodd-Frank
We recently reached the five-year anniversary of the Dodd-Frank Act, which repealed the “private adviser” exemption under the 40 Act. During the last five years, several thousand private equity and hedge fund managers were brought under the umbrella of SEC registration. They are all grappling with increased regulatory oversight and requirements, increased investor demands for quality compliance, and the need to appoint a CCO.
At many of these newly registered firms the CCO role has been taken on by individuals who also maintain significant other duties within the organization. It is worth noting that a majority of enforcement actions brought against CCOs have involved firms where the individual taking on the compliance function was also a founder, CEO, CFO, General Counsel, CIO, President, Partner, Portfolio Manager or some other senior role within the firm.
Protecting Chief Compliance Officers
In addition to doing their jobs well and with a high level of diligence, here are some practical steps CCOs can take to mitigate their risk of personal liability:
- Work with an expert to conduct a thoughtful review of the adequacy and design of your firm’s Directors & Officers Liability Insurance. Be sure to understand:
  - Who is covered?
  - What instances or acts trigger coverage?
  - Does the CCO fall within the definition of Insured Person or do they need to be specifically named on the policy? (Employee vs. Contractor)
  - How much limit is available for various insured parties?
  - Is the limit shared with other types of coverage such as E&O or Employment Practices Liability which could erode limits available for other types of claims?
  - Is there excess Broad Form Side A (covers claims against individuals not indemnified elsewhere) in place to deal with scenarios whereby the Adviser entity is either unable or unwilling to indemnify the CCO?
- Have your firm’s bylaws and corporate documents reviewed to better understand what remedies are available to a CCO if personally named as a co-defendant in a suit against his or her employer, or pursued directly by a regulatory agency.
- Obtain a personal indemnification agreement. If you already have one, ensure that the form is still “state-of-the-art.” What is considered cutting edge in the world of indemnification agreements changes over time.
- Perhaps the best line of defense against an SEC enforcement action remains adequate resources, experience and overall attention given to this compliance function. Also, ensure that the CCO is adequately independent and has direct access to senior executives and the board.
The SEC’s enforcement push against CCOs might be troubling; it’s also addressable with the correct combination of thoughtful proactive controls as well as a well-brokered D&O insurance policy.
Questions? Comments? Contact Jacob Decker at email@example.com or 206.262.7464.
SEC Charges BlackRock Advisors With Failing to Disclose Conflict of Interest to Clients and Fund Boards, SEC Rel. No. 2014-71 (Apr. 20, 2015), available at http://www.sec.gov/news/pressrelease/2015-71.html.
Investment Advisory Firm’s Former President Charged With Stealing Client Funds, SEC Rel. No. 2015-120 (June 15, 2015), available at http://www.sec.gov/news/pressrelease/2015-120.html.