It is a pleasure to be speaking to you for the second time, albeit virtually, at your national conference.  I would like to thank Lisa Crossley, Holly Orefice, and Kristen Hinz for their work in coordinating the virtual transmission of the thoughts I have to share today.  Of course, I need to include the standard disclaimer:  the views I express are my own and do not necessarily reflect those of the Commission or my fellow Commissioners.

Conferences and speeches certainly have changed in the time of COVID, as have the challenges you face as compliance officers.  Two years ago, I spoke with you about the important function compliance personnel, including chief compliance officers (“CCOs”), serve in facilitating the work of the Commission.[1]  Since then everything has gotten more complicated.  I built that speech around the seasonal activity of trick-or-treating, something the county in which I live now has directed its residents to avoid.  A frightening sign of the times.  Nobody could have anticipated such a fraught turn of events, and the difficult conditions now facing compliance professionals, whose compliance programs now often have to operate remotely, also were not foreseen.  Compliance professionals, perhaps better than the rest of us, however, adapt to changing circumstances with impressive alacrity and skill.

In an increasingly complex regulatory environment, and with the additional complications caused by the COVID-19 pandemic, a good working relationship between compliance officers at regulated entities and our staff in the Commissions’ Office of Compliance Inspections and Examinations (OCIE) is more important than ever.  Under the leadership of Pete Driscoll, OCIE has sought to deepen that relationship.  Among other things, recognizing the unique difficulties of compliance during a pandemic in which everyone is being asked to function virtually, OCIE has provided relevant guidance.[2]  As new issues arise for which guidance would be useful, please note them for me and the OCIE staff.

Today, though, rather than focusing on compliance during COVID, I would like to focus on a concern that is not new—the question of how to define the parameters of personal liability for compliance officers.  Near the end of my remarks in 2018, I spoke briefly about the role that the Commission’s Division of Enforcement plays with respect to compliance functions.  I noted that I shared the concerns expressed in some quarters that the increasing specter of personal liability could cause talented individuals to forgo a career in compliance, among other negative effects.

Those concerns have increased over the past two years.  Compliance officers’ responsibilities are growing, but the nature of the liability they face in executing those responsibilities remains unclear.  Indeed, this past February, the New York City Bar published a report that distilled many of the concerns, and offered a number of recommendations.[3]  I hope that my remarks today can help to foster feedback from you and your compliance colleagues, which, in turn, can help me better perceive what useful formal guidance on the topic of individual compliance officer liability might look like.

I want to start with an equine hypothetical, one that I am sure that many of you have heard.  It is an old proverb about a nail and a horseshoe—attributed sometimes to a particular person and sometimes to no person in particular, and taking one of a number of forms.[4]  One form goes like this: 

For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the message was lost.
For want of a message the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe nail.[5]

Typically, the proverb is used to illustrate that a seemingly inconsequential event can lead to grave consequences.[6]  A missing nail from a horseshoe leads to a series of bad events and ultimately the downfall of an entire kingdom. 

I would like to look at this story from a slightly different perspective:  who is responsible when the nail fails?  Suppose that the farrier trade is a heavily regulated industry, and the regulator comes calling to determine how the nail failure happened and who, precisely, was at fault.  (I know that some of you are thinking “For want of the kingdom, the kingdom’s regulator was lost,” but we will assume for purposes of this illustration that all that remains standing of the old kingdom is its regulatory bureaucracy.) 

So the regulator, the Royal Farrier Commission, comes calling for a cause exam to investigate the wanting nail matter and to determine whether an enforcement action is warranted.  What happened?  Who is to blame for the missing nail?  Why did it happen?  Was the farrier whose job it was to secure the nail in place at fault?  Did he perform his job badly?  What if he did place the nail properly, but the nail was defective?  What if the nail was not defective, but it was placed in the horse’s hoof in a manner that did not conform to regulatory specifications?  These questions quite naturally lead to second-level questions:  did the farrier’s employer have adequate policies and procedures with respect to the proper way to place the nail in the shoe?  Was there a supervisor regularly checking on the performance of the farrier and his colleagues in the field?  Did the employer have compliance surveillance systems adequately designed to detect the use of defective nails and departures from regulatory specifications?  Why didn’t those systems identify, remediate, and report the nail failure?  Were there any red flags?  And, of course, where was the CCO?  Why didn’t the CCO prevent this failure from happening?

I hope that the Royal Farrier Commission, in my hypothetical, had provided more recent and formal guidance on the subject of CCO liability than the Commission has.  With respect to the SEC, people still point back to a Keynote Address by the then-Director of the Division of Enforcement at your 2015 National Conference.[7]  In that speech, the Enforcement Director identified three broad categories of cases where the Commission has charged chief compliance officers:  (1) cases where the compliance officer participated in the underlying misconduct unrelated to her compliance duties; (2) cases where compliance officers obstructed or misled Commission staff; and, (3) cases where, in the Enforcement Director’s words, “the CCO has exhibited a wholesale failure to carry out his or her responsibility.”[8] 

The first category should not be controversial.  After all, serving in a compliance capacity is not a get-out-of-jail free card for clearly unlawful conduct.  If it were, lots of bad actors would want the compliance officer title to shield them from liability.  So a compliance officer who, outside of her compliance functions, directly violates provisions of the securities laws is liable the same way anyone else would be.  For example, when a person knows that an investment adviser is misappropriating client funds, does nothing to stop it, and participates in a scheme to hide the theft, she is liable for that conduct no matter her compliance functions.[9]  In cases such as these, compliance personnel are liable on the same terms and to the same extent as any other bad actor.  In other words, if you knowingly and intentionally use defective nails or willfully misplace the nails, you are responsible for the thrown shoe, no matter your compliance function.

The second category of cases relates more directly to compliance functions.  These cases typically involve facts where a compliance officer obstructs or misleads the Commission’s staff.  In a recent example, a compliance officer created and backdated compliance memoranda.  When she subsequently provided them to the Commission’s examination staff, she described them as a contemporaneous memorialization of the events, an assertion she knew to be false.[10]  I supported this case.  The Commission’s examination process is essential to its regulatory functions, and conduct that undermines the process must be addressed.  In another recent case, a compliance officer similarly misled the Commission’s examiners and enforcement staff by producing altered documents.[11]  The alteration was material because it created the appearance that the compliance officer had timely performed certain reviews, when she had not.  Again, I supported the case because it evidenced the sort of knowing and intentional misconduct that materially undermines the examination process.

The third category of cases, the ones involving a wholesale failure of a compliance officer is the one that understandably generates the most controversy and is the most challenging area for me.  Typically, in such cases, the Commission charges the compliance officer with aiding and abetting the company’s violations, causing the company’s violations, or both.  The distinctions between these charges matters a great deal.  To establish that a compliance officer aided and abetted the company’s violation, the Commission must show that the compliance officer engaged in reckless conduct.[12]  This standard is not simply negligence on steroids; rather, the evidence must show that there was “a danger so obvious that the [compliance officer] must have been aware of the danger.”[13] 

In contrast, to establish in an administrative cease and desist proceeding that a compliance officer was the cause of a company’s violation, it is only necessary to show that the individual committed an “‘an act or omission the person knew or should have known would contribute’” to the violation.[14]  The phrase “should have known” is “classic negligence language,” and the Commission and courts both have concluded that it sets a negligence standard for liability.[15]  Thus, where a company has committed a violation that does not require scienter—such as failing to have sufficient policies and procedures—a compliance officer can be held to have caused the violation based on her own negligent conduct.[16]  In my example, the Royal Farrier Commission might charge the CCO with causing the company’s failure to have reasonably designed policies and procedures to check for defective nails, because the CCO did not put a rigorous enough nail-checking policy in place.

Rule 206(4)-7, the investment adviser compliance rule, exacerbates the problem.  It supports negligence-based charges against an adviser’s CCO, whom the rule makes “responsible for administering written policies and procedures” that must be “reasonably designed to prevent violation, by you and your supervised persons, of the Act and the rules that the Commission has adopted under the Act.”[17]  As former Commissioner Dan Gallagher pointed out, in practice, however, the rule’s standard has looked more like strict liability.[18]

Just because the Commission can do something under our rules does not mean that we should do it.  I cannot speak to this group without noting that your executive director made a very similar point five years ago in a letter to the Enforcement Director.[19]  Indeed, charging CCOs based on mere negligence could be harmful to our efforts to foster compliance because it dissuades people from taking jobs in compliance and can encourage dishonest efforts to “cover up” failings rather than openly correcting them.  As the National Society for Compliance Professional’s code of ethics makes clear, compliance personnel play an important role in:

encourag[ing] their firms to create and implement appropriate systems of supervision; assist[ing] their firms in the development and documenting of appropriate policies and procedures; participat[ing] in appropriate testing and monitoring of the systems of compliance; assist[ing] their firms in identifying and developing appropriate mechanisms for identifying, reporting, and responding to compliance issues; and striv[ing] to enhance the systems and culture of compliance at their firms.[20]

Compliance personnel are vital to a firm’s compliance efforts, but an overly-aggressive approach to charging CCOs when something goes wrong shifts responsibility for compliance from the firm to the CCO.  In his 2015 speech, the Enforcement Director noted that “it is the business”—not the compliance officers—“that is primarily responsible for compliance with the law.”[21]  I agree. 

Sometimes, however, our enforcement actions send a different message.  Compliance officers—precisely because their roles entail encouraging, assisting in, participating in, and striving for better compliance at their firms—may find themselves second-guessed when there is a compliance failure.  For example, in an enforcement action several months before the Enforcement Director’s speech in 2015, the Commission concluded that because an adviser’s CCO “was responsible for the design and implementation of [the adviser’s] written policies and procedures” and “knew and approved of numerous outside activities” by the advisor’s employees, but nonetheless “did not recommend written policies and procedures to assess and monitor those outside activities and to disclose conflicts of interest,” the CCO “caused [the adviser’s] failure to adopt and implement these policies and procedures.”[22]  In response to that action and another similar one,[23] then Commissioner Gallagher warned that “[a]ctions like these are undoubtedly sending a troubling message that CCOs should not take ownership of their firm’s compliance policies and procedures, lest they be held accountable for conduct that, under Rule 206(4)-7, is the responsibility of the adviser itself.”[24]

Some recent cases—including aiding and abetting, rather than simply causing, charges—raise similar concerns for me.  We have brought cases, for example, when compliance officers have failed to identify and follow-up on “red flags” in connection with firms’ failure to file suspicious activity reports.[25]  Some might categorize these instances as wholesale failures on the part of a compliance officer to carry out her duties, but I worry that applying that label without first taking a step back from the particular violation alleged to consider the lapse in view of all the duties placed on a CCO.  

A common response to concerns about charging CCOs with causing compliance failures at their firms is that it does not happen very often and that the sanctions typically are fairly light.  I am sure that the consequences of violating the rules were harsher under the RFC—Royal Farrier Commission—than under the SEC, but even the SEC’s enforcement actions can be career-ending and are always traumatic events for their subjects.  So questions of CCO liability are important and deserve more discussion.

To date, most of that conversation has centered around enforcement actions, which I know you all watch closely.  Not only the cases that we bring, but also those we do not bring against CCOs, can be instructive.  The New York City Bar report on CCO liability recommended that we do a better job of highlighting facts and circumstances underlying decisions to charge and to not charge CCOs.[26]  Details about why we are charging a CCO can calm the fears of diligent, well-intentioned compliance personnel.  Maybe the CCO being charged participated in the underlying securities violation, and perhaps she did so wearing her non-CCO hat.  These kinds of details matter when you are reading an enforcement action and asking, “What does this mean for me?  Will I be the next CCO featured in an SEC enforcement press release?”  Likewise, by providing sufficient detail when we do not charge a compliance officer, we illustrate what doing the job right looks like.  The Commission has declined to impose personal liability on compliance officers who were ill-equipped for their jobs,[27] who were denied the resources necessary to do their jobs,[28] or who were genuinely over-burdened with other duties.[29]  We also consider steps a CCO took to prevent and remediate failures.  As the New York City Bar report pointed out: “Knowing what regulators believe that compliance officers did correctly in the face of potential misconduct is critical information.”[30]  In short, context matters, and we can provide more of it.

In an attempt to provide some of the missing context around one CCO case, I would be remiss if I did not revisit my comments on the FINRA case that I discussed near the end of my remarks in 2018.  That case, which has garnered some attention, is currently on appeal, so I will not say much.  FINRA imposed sanctions on the CCO partly because he failed “‘meaningfully to implement compliance programs, policies, and procedures,’” a standard which struck the New York City Bar Compliance Committee as a “different, more expansive range of circumstances than a wholesale failure.”[31]  Setting aside for a moment the question of whether there is a material difference between the two standards, it is essential to remember that the Enforcement Director’s 2015 remarks addressed his thinking on when the Commission typically would institute enforcement actions against compliance officers under the statutes and rules the Commission administers .  FINRA administers its own rules, and does not necessarily follow the same path as the Commission.  Moreover, the Commission’s review of FINRA’s disciplinary actions is, by statutory design, limited.[32]  For these reasons, statements in the Commission’s orders reviewing FINRA disciplinary actions do not necessarily reflect the Commission’s view of how it should exercise its own enforcement discretion when enforcing its own statutes and rules.

More generally, we should think about ways to provide guidance to compliance professionals about what a wholesale compliance failure means and how to avoid one.  Some of that guidance comes not from a regulator but organically through what you are doing right now—coordinating and collaborating with your fellow compliance professionals.  Compliance officers occupy a unique position in the corporate constellation—they are not on the business side, but not really on the legal side either, even though many CCOs are lawyers.  There is no state bar association or state board of accountancy setting standards, and duties and obligations of senior executives, as expressed in corporate law principles, do not necessarily apply.  As Professor Jennifer Pacella explained, because “there is currently no governing body or entity, neither state, federal, nor otherwise, that regulates the professional conduct or actions of compliance officers,” a situation that “gives rise to a susceptibility to personal liability because clear expectations and guidelines for professional behavior are altogether lacking.”[33]  The absence of a formal regulatory structure, however, makes room for grass-roots based standards of conduct.  A departure from those standards of conduct is not necessarily a basis for a regulator to impose liability, but compliance personnel can point to adherence to those standards as a reason for why a regulator ought not to impose liability.

For its part, the Commission can provide guidance about when it will bring enforcement actions against compliance officers.  Such guidance, as the New York City Bar report noted, has precedent in other contexts.[34]  A framework detailing which circumstances will cause the Commission to seek personal liability and which circumstances will militate against seeking personal liability would help the compliance community by eliminating uncertainty and inspiring good practices.  Such a framework also would prove useful for me and my colleagues at the SEC to use in deciding whether to charge CCOs.  To further this approach, I am considering developing a draft framework to share with my colleagues.  I welcome your input on what factors you believe are relevant to the decision about whether to charge compliance personnel.

It also is time for us to examine how well the compliance rules under the Investment Advisers and Investment Company Acts are functioning.  As Commissioner Gallagher pointed out five years ago, Rule 206(4)-7 “is not a model of clarity.”[35]  Nothing has happened since then to elucidate the rule.  More generally, I am concerned that we appear to assume that every securities violation we find indicates a problem with the firm’s compliance program.  A firm that has reasonably designed policies and procedures nevertheless can experience a securities violation. 

The most fruitful way to provide greater clarity is through a collaborative effort.  Because we want you to be successful in infusing good compliance practices into your firms, your day-to-day challenges and concerns should inform the way we approach liability for compliance officers.  As for how to move the conversation forward, I believe the New York City Bar Report sets forth some sensible recommendations.  One of those suggestions is the creation of public-private advisory groups “charged with meeting periodically to discuss current and potential regulatory, examination, and enforcement efforts, and to publish guidance and recommendations to compliance officers and regulators reflecting the insight of both regulators and the regulated.”[36]  A law review article several years ago, in making a similar suggestion, explained:

by providing compliance officers with a greater sense of control over their collective destiny, the group could temper the factors, such as the aggregate impact of multiple enforcement actions, and the enhanced law enforcement and regulatory focus on individuals that are contributing to the continued perception of targeting.[37]

While there are myriad complications to that kind of public-private advisory group, the Commission has benefited greatly from its investor, small business, asset management, equity, and fixed income advisory committees.  A similar committee of compliance officers might make sense, even if only on a temporary basis to help produce a draft framework regarding personal liability.  The precise parameters of such a group would need to be carefully considered to maximize its benefits, but the idea is worth pursuing.  Alternatively, to supplement staff meetings with compliance personnel, the Commission could make a habit of conducting periodic public roundtables with compliance officers.  

Thank you for inviting me to address your conference, and I look forward to an ongoing dialogue regarding the essential role of compliance officers in our markets and the measures we can together take to maximize your effectiveness.  In the meantime, I know you will continue to work hard to design and implement compliance systems that help to keep all the nails securely and properly fastened.