In a review of a FINRA disciplinary proceeding, the Securities and Exchange Commission (the “Commission”) recently issued an opinion (the “Opinion”) that provides important guidance on liability standards relating to Chief Compliance Officers (“CCO”). Significantly, the Opinion also goes out of its way to state that CEOs of brokerage firms have a duty of “follow-up and review” with respect to the fulfillment by CCOs of their responsibilities and to advance the position that brokerage firms should be held responsible for regulatory failures by employees and other firm representatives in the absence of “effective staffing, sufficient resources and a system of follow-up and review.” See In the Matter of the Application of Thaddeus J. North for Review of Disciplinary Action Taken by FINRA, Release 34-84500 (Oct. 29, 2018) (available here). While the Opinion is focused on activity involving the CCO of a brokerage firm, the Opinion’s liability analysis would seem equally applicable to registered investment advisers and municipal advisors and their CCOs and, possibly, their CEOs.

The Opinion involved the Commission’s review of a FINRA disciplinary action against Thaddeus J. North (“Mr. North”), the CCO of brokerage firm Southridge Investment Group LLC (“Southridge”). FINRA had found that Mr. North violated a number of FINRA, NASD, and MSRB rules on account of his failure (i) to establish and maintain a reasonable supervisory system for the review of electronic correspondence and to reasonably review that correspondence and (ii) to report a representative’s ongoing business relationship with a statutorily disqualified individual. In reviewing and ultimately upholding FINRA’s findings, the Commission had an opportunity to discuss principles applicable to CCO liability determinations, the CEO’s duty to “follow-up and review” Mr. North’s exercise of his authority, and Southridge’s responsibilities.

The Opinion begins its discussion of the principles applicable to CCO liability by characterizing compliance officers as playing “a vital role” in the Commission’s regulatory framework while also acknowledging that the CCO role has “increased in complexity” and may present “difficult challenges.” The Opinion then referenced two principles as uppermost in the Commission’s CCO liability determinations. These principles consist of “the protection of investors and the public interests” together with the “principles of fairness and equity.”

The Opinion next referenced a number of Commission cases that provided guidance favorable to compliance officers and, presumably, served as examples of the principle of fairness and equity in this context. These include:

  • the fact that legal and compliance personnel “do not become ‘supervisors’ . . . solely because they occupy those positions” – citing John H. Gutfruend, Release 34-31554, 1992 WL 362753, at *15 (Dec. 3, 1992);
  • the fact that proceedings alleging supervisory failures by a compliance official have been dismissed where “the respondent conducted his own independent investigation in response to indications of wrongdoing and recommended responsive action” – citing James Arthur Huff, Release 34029017, 19091 WL 296561, at *4 (Mar. 28, 1991);
  • similarly, the dismissal of proceedings against “an individual with compliance responsibilities” for causing a firm’s securities laws violations “where another official at the firm had responsibility for overseeing the relevant activities and the respondent was never asked to evaluate the relevant regulatory issues” – citing Scott G. Monson, IA-28323, 2008 WL 2574441, at *5 (June 30, 2008); and
  • a finding that “a compliance director’s failure to respond to a regulator’s request for information was mitigated by the ‘extraordinary demands on the compliance group’ during the relevant time” – citing Richard J. Rouse, Exchange Act Release No. 32658, 1993 WL 276149, at *5 (July 19, 1993).

The Opinion characterized the forgoing decisions as reflecting “the principle that, in general, good faith judgements of CCOs made after reasonable inquiry and analysis should not be second guessed.” The Opinion also stated that “indicia of good faith or lack of good faith are important factors in assessing reasonableness, fairness and equity in the application of CCO liability.”

Next, the Opinion listed a number of “matter types” that generally made determinations of individual liability “straightforward.” Pointing towards liability, these included, “when a CCO engages in wrongdoing, attempts to cover up wrongdoing, crossing a clearly established line, or fails meaningfully to implement compliance programs, policies, and procedures for which he or she has direct responsibility.” Pointing away from liability, the Opinion stated that “disciplinary action against individuals generally should not be based on an isolated circumstance where a CCO, using good faith judgment makes a decision, after reasonable inquiry, that with hindsight, proves to be problematic.”

Turning to the facts at hand, the Opinion found that Mr. North’s failure to fulfill his own responsibilities was “egregious” and that he “ignored red flags and repeatedly failed to perform compliance functions for which he was directly responsible.” Under those facts and circumstances, the Opinion found that FINRA’s disciplinary action “was clearly appropriate.”

Having reached a finding upholding FINRA’s disciplinary action, the Opinion continued into a discussion of the duty of a CEO to oversee the compliance function and an inquiry into why FINRA did not bring charges against Southridge. Significantly, the Commission’s discussion of these points can be characterized as what is known in the legal profession as dicta, that is, text in an opinion that does not directly address the specifics of the case at hand, i.e., Mr. North’s possible liability, but rather serves some other purpose, which in this case would appear to be both a notice to CEOs as to the Commission’s expectations with respect to their oversight of the compliance function and a public “suggestion” to FINRA that it should, as a matter of course, also consider the firm’s liability where the firm’s agents have failed to perform their delegated functions.

In discussing the Commission’s expectations regarding CEOs, the Opinion begins by stating that the Commission has “held repeatedly” that the “chief executive officer of a brokerage firm is responsible for compliance with all of the requirements imposed on his firm ‘unless and until he reasonably delegates particular functions to another person in the firm and neither knows nor has reason to know’ that a problem has arisen.” Citation omitted. While the foregoing standard may not appear to place any duty on the CEO to make inquiry or follow-up regarding a CCO’s fulfilment of his or her delegated responsibilities, allowing the CEO to rest in blissful ignorance until he or she actually “knows [or] has reason to know” that a problem has arisen, the Opinion makes it clear that, to the contrary, CEO’s have “the additional duty to follow-up and review that delegated authority to ensure that it is being properly exercised.” Citing Castle Sec. Corp., Release 34-39523, 1998 WL 3456, at *4 (Jan, 7, 1998). The Opinion then states that the record before the Commission did not indicate whether the CEO took steps to monitor the CCO’s compliance with the responsibilities that the CCO failed to perform and that the Commission was “troubled by the possibility that Mr. North could have abdicated his own responsibilities” without the CEO knowing.

The Commission’s discussion of the CEO’s duty to “follow-up and review” the CCO’s exercise of his or her delegated authority strongly suggests that brokerage firm CEOs can be held liable for failure to supervise where there are ongoing compliance failures that could have been identified by a reasonable system of follow-up and review. Moreover, and of perhaps of more significance, the inclusion of this discussion strongly suggests that the Commission expects its enforcement program, as well as those of FINRA and the other self-regulatory organizations, to inquire, in appropriate cases, as to whether the CEO fulfilled his or her duty and, if not, to bring failure to supervise charges against the CEO.

An increased focus on brokerage firm CEOs would be consistent with the Commission’s stated goal of prioritizing actions against “individuals” and, in particular, senior officers. As Steven Peikin, Co-Director of Enforcement, in his Keynote Address to the UJA Federation (May 15, 2018) (available here) stated, he viewed “individual accountability as perhaps the most effective general deterrent tool in [the Commission’s] arsenal, because it can have a broad effect on corporate culture in a way that immeasurably benefits individual investors, preventing misconduct before it starts.” Indeed, a “focus on individual accountability” was one of five core principles listed by the Co-Directors of Enforcement in their testimony before the United States House of Representatives, Committee on Financial Services, Subcommittee on Capital Markets, Securities and Investments (May 16, 2018) (available here).

The Opinion also stated that it was “not clear from the record why FINRA did not charge Southridge” and then emphasized the importance of holding firms responsible in order to make “it clear to firms . . . that it is in their interest to have effective, diligent compliance officers to help them remain in compliance with their obligations.” The Opinion also stated that broker-dealers must “provide effective staffing and sufficient resources and,” similar to what was said with respect to CEOs, must have “a system of follow up and review to determine that any responsibility to supervise delegated to compliance officers, branch managers and other personnel is being diligently exercised.” Citing Stuart K. Patrick, Release 34-32314, 1993 WL 172847, at *3 (May 17, 1993).

The Commission’s pointing to both the CEO and the firm as having a duty to “follow up and review” the CCO raises questions as to the necessary scope and frequency of any such follow-up and review. While the Opinion offers no guidance on this point, the answer in any particular case is likely to be highly dependent upon the relevant facts and circumstances. Expectations regarding the review and follow-up with regard to an established CCO is likely to be less than when the CCO is new and unproven. Similarly, the expected review and follow-up are likely to be less with respect to a program that has operated without problem for several years, as opposed to a program that seems to lurch from problem to problem. In any event, it is recommended that firms and their CEOs be able to document a “reasonable review” of compliance staffing needs and effectiveness and whether compliance responsibilities are being met. At a minimum, while such review should include any required compliance reviews and reports, e.g., in the case of a broker-dealer, the annual compliance reports required under FINRA Rules 3110, 3120, and 3130, it is suggested that firms and CEOs consider means of obtaining more frequent and detailed status reports, particularly as to problem areas, areas of high risk, or that raise other, significant concerns. Firms and CEOs may also consider use of internal or external resources to audit or test whether compliance is meeting its objectives.

While the Opinion’s analysis arises out of activities involving a brokerage firm, its analysis with respect to the liability of the CCO and the firm would seem to be equally applicable to investment advisers and municipal advisors as well as their CCOs. As to CEOs, an argument can be made that the Opinion’s reliance on a delegation theory for CEO liability means that the Opinion’s analysis as to CEO liability should not apply to CEOs of investment advisers on account of the fact that the designation required under Investment Adviser Act Rule 206(4)-7(c), which requires investment advisers to designate a CCO that is “responsible for administering” an adviser’s compliance policies and procedure, is, in substance, not a delegation by the CEO. Without addressing the merits of this view, at the very least, the Opinion’s analysis regarding CEO liability should be understood to reflect a heightened interest on the part of the Commission in holding CEOs of registered financial service companies to a higher standard than may previously have been the case.