Recently, the Securities and Exchange Commission (“SEC”) resolved a pending enforcement action against a financial institution for allegedly failing to supervise a representative’s conduct relating to purported facilitation of manipulative trading through retail accounts. The SEC’s principal charge was that the institution failed to establish clear guidance to its personnel as to how to investigate red flags of potential misconduct (i.e., how to follow up, scope, document, and report the findings thereof), which in the SEC’s view contributed to the institution’s failure to supervise the representative.
Such enforcement interest in the process and procedure of an internal investigation is unusual because typically the process, documentation, and reporting thereof are protected by the attorney-client privilege and attorney work product protections; they are not generally disclosed to third parties or regulators. Additionally, investigations of potential improper market activity are not a “one-size-fits-all” approach; such inquiries are some of the more complex investigations that might occur within a regulated entity and thus the investigative process does not fit neatly into a set pattern. Thus, it might be a challenge to identify the scope and steps of the investigation at the start of an inquiry, especially given the fluid situation that often develops during the course of such inquiries. Nevertheless, this SEC enforcement action should be a reminder for broker-dealers and investment advisers to review and update their internal policies to ensure that they provide appropriate guidance as to how to follow up, document, or report investigations regarding potential improper trading.
We discuss below the relevant obligations that broker-dealers and investment advisers have to reasonably supervise their employees and the procedures that the SEC might expect to be in place to govern internal investigations, based on the recent settlement. We also provide some takeaways and insight to help regulated entities protect themselves from scrutiny when amending their procedures or facing the prospect of an internal inquiry into possible manipulation.
Supervisory Requirements for Broker-Dealers and Investment Advisers
Both the Securities and Exchange Act of 1934 (the “Exchange Act”) and the Investment Advisers Act of 1940 (the “Advisers Act”) contain requirements relating to a firm’s responsibility for supervising its employees. First, broker-dealers and investment advisers must establish reasonable internal policies, procedures, and systems to prevent potential securities law violations. Internal policies should be clear and straightforward, so employees are on notice regarding the bounds of proper and improper conduct. Similarly, broker-dealers and advisers must have appropriate procedures and systems in place to detect potentially problematic conduct (whether intentional or not).
In particular, Section 15(b)(4)(E) of the Exchange Act provides that the SEC may censure broker-dealers (or associated persons) who have “failed reasonably to supervise, with a view to preventing violations of the provisions of [the Exchange Act and other relevant securities statutes, rules, and regulations], another person who commits such a violation, if such other person is subject to his supervision.”
There is a specific carve-out in Section 15(b)(4)(E) providing that a broker-dealer (or associated persons) should not face liability for failure to supervise as long as there are procedures and systems in place that “would reasonably be expected to prevent and detect” securities law violations and the broker-dealer (or associated persons), after reasonably following the requirements of such procedures and systems, had no “reasonable cause” to suspect non-compliance.
Section 203(e)(6) of the Advisers Act contains almost identical language regarding failure to supervise liability and the carve-out for cases in which the investment adviser followed appropriate procedures that were already in place.
The SEC’s View of What Constitutes Appropriate Policies and Procedures
In the recent settlement, the SEC’s principal allegations were that the institution (1) did not document the scope of the internal investigation that resulted from red flags that had been raised to management, legal, and compliance; and (2) had no procedure in place to govern how the results of the investigation were to be documented and reported. Based on the recent settlement, the SEC is likely to expect regulated entities to have policies and procedures in place to guide employees on “how to investigate” suspicious activity and to implement the following procedures:
- Develop a plan to determine when an internal investigation should occur after suspicious activity is identified;
- Determine who within the organization is responsible for the investigation;
- Determine and document the scope of an inquiry;
- Develop a plan to document and report (internally and perhaps externally) the results of the inquiry;
- Maintain accurate records and documentation regarding the actual steps taken in each instance;
- Document the findings of the actual results of the internal investigation and reporting thereof; and
- If an entity determines during an internal investigation that some level of discipline against an employee is necessary, document the results of the investigation, the process of reporting the findings, and the details of the imposed discipline.
However, the issue created by the last three bullets above is that the information and resulting records are likely protected by attorney-client privilege or work product protection, which makes the SEC’s expectation in this regard significantly problematic. While internal records are vitally important to demonstrating a company’s adherence to its policies and procedures, even if the company ultimately opts not to waive the privilege, those same records can be discoverable in follow-on civil litigation or a regulatory action if the privilege is waived. Thus, a company should involve legal counsel in the process early on, even where the compliance department (at the direction of counsel) conducts the investigation. Additionally, for sensitive investigations, it is a best practice to involve outside counsel given the perception that privilege is more easily defined through the use of outside counsel, and the fact that outside counsel can offer an independent perspective and outlook on the facts and conclusions.
Takeaways for Financial Institutions
Of course, when the SEC conducts an inquiry, it has the benefit of hindsight in reviewing facts and circumstances, often without understanding or appreciating the context and circumstances under which the conduct occurred. Unfortunately, this is especially so where the SEC has already identified what it believes to be a primary violation of the securities laws and is attempting to find fault with secondary actors for failing to identify and prevent the conduct. Under such circumstances, the “reasonableness” of the controls and procedures, and steps the company took, will be evaluated, subjectively, by the SEC with 20/20 hindsight.
As a result, companies should consider several factors when adopting or updating their policies and procedures for detecting and preventing potential misconduct, including the following:
- Outline clear steps for any employee to take upon learning of a possible red flag;
- Incorporate procedures to include counsel early in the process;
- Delegate investigatory and/or reporting responsibility to certain parties, especially counsel working with compliance;
- Develop general procedures that indicate who should be responsible for determining how to document the investigative process, what steps to take during the investigation, and when, and to whom, the results should be reported;
- If there is a heightened risk in a particular area, utilize technology and automated processes where possible to reduce the burden on personnel;
- Leverage outside counsel’s involvement and advice, particularly for sensitive, complex, larger, or novel situations;
- Provide general internal and external reporting guidelines; and
- Establish internal controls with some level of independence from the business and legal/compliance functions (where possible and appropriate for the company’s size and resources).
Many of the procedures should be constructed using general terms to allow for flexibility when dealing with investigations, which often confront unique or unforeseen fact patterns and situations. Additionally, it is important to keep in mind that personnel must follow the established internal procedures, and that overly restrictive procedures might create circumstances under which personnel cannot adequately follow procedure given the complexity of the situation. Further, as mentioned, the communications, documentation, scope, and results of any investigation should involve the advice of counsel, and be at the direction of counsel. Accordingly, such information is generally considered privileged and protected, and thus would not typically be disclosed to third parties. Internal procedures must account for and preserve these privileges.