A recent Securities and Exchange Commission proceeding against a Georgia investment advisory firm and its chief compliance officer is prompting renewed concerns about the personal financial liability of CCOs and possibly other C-level officials.
In comparison with some higher-profile investigations, the civil money penalties were a relatively modest $150,000 for Hamilton Investment Counsel LLC and $15,000 for the CCO, Jeffrey Kirkpatrick. Without admitting or denying the findings, both consented to cease-and-desist orders. Kirkpatrick was barred from acting in a supervisory or compliance capacity in the securities industry and can apply for reinstatement after five years.
As CCO for five years through September 2021, according to the June 30 SEC document, Kirkpatrick “knew or should have known” since at least December 2019 that the firm’s compliance program was deficient but did not make sufficient changes to the program’s design and implementation. Specific shortcomings were cited in supervision of an “investment adviser representative’s” outside business activities, legitimacy of transactions and conflicts of interest.
In a broader context, the CCO job description has become increasingly expansive, particularly in line with anti-money laundering, sanctions and other measures targeting illicit transactions, criminality and corruption. The U.S. Department of Justice “raised concerns about potential liability for CCOs” in a policy response to a $1 billion criminal and civil settlement with commodities trading giant Glencore, according to a K&L Gates report (see What the C-Suite and Board Should Know About the New CCO Certification Requirement from DOJ).
Regulators with civil enforcement powers can hold CEOs and others at C-level accountable. For example, the chief risk officer of fallen family office Archegos Capital Management settled SEC and Commodity Futures Trading Commission claims in spring 2022. He and the firm’s founder, chief financial officer, and head trader were also named in a federal criminal indictment.
CCO responsibilities are spelled out in U.S. securities regulations, and these officers may also have reporting lines to CROs and others who might be deemed similarly accountable. In 2020, the Financial Crimes Enforcement Network penalized a former U.S. Bank executive, who held both risk and compliance positions, $450,000 for AML violations.
There are open questions about the potential extent of individual liability, the degree of clarity coming from regulators, and how much assurance or protection is afforded by directors and officers (D&O) insurance. Criminal charges against a former Uber Technologies executive have chief information security officers asking if they could be liable for cybersecurity-breach damages.
Advisory versus Supervisory
The issue for compliance officers came up this year not only in the Kirkpatrick case, but also in a Financial Industry Regulatory Authority notice on “FINRA Rule 3110 as it pertains to the potential liability of chief compliance officers for failure to discharge designated supervisory responsibilities.”
Stating that “the CCO’s role, in and of itself, is advisory, not supervisory,” FINRA said that it “will look first to a member firm’s senior business management and supervisors to determine responsibility for a failure to reasonably supervise.” The self-regulatory agency would assess the responsibilities assigned to the CCO, and then whether the CCO “failed to discharge those responsibilities in a reasonable manner.”
FINRA pointed out that “charges against CCOs for supervisory failures represent a small fraction of the enforcement actions involving supervision that FINRA brings each year.”
George Tziahanas, managing director of Austin, Texas-based risk and data management consulting firm Breakwater Solutions, recalls that at a Securities Industry and Financial Markets Association Compliance and Legal Seminar in March, FINRA and SEC officials stressed that they were not singling out CCOs for liability. Typically, the regulators encourage self-reporting and cooperation from firms being supervised. Tziahanas interpreted the comments as “further signals that legal and compliance leaders are under increased scrutiny.”
“The concern is growing,” says Ethan Corey, senior counsel at Eversheds Sutherland in Washington, D.C. “From a securities law standpoint, there are more groups that are focusing on CCO liability, from the New York City Bar Association to the National Society of Compliance Professionals, to FINRA, to the SEC.”
Framework Under Consideration
In a July 1 statement regarding the Hamilton-Kirkpatrick ruling, SEC Commissioner Hester Peirce said, “A case like this offers us a useful example to test how a CCO liability framework might work in practice. The SEC has not adopted such a framework,” but she called attention to one proposed by the New York City Bar Association’s Compliance Committee.
“An overarching question in that framework is whether charging a CCO in the particular case would ‘help fulfill the SEC’s regulatory goals,’” Peirce wrote. Jeffrey Kirkpatrick “had identified weaknesses in the compliance program, was in a position to address them, yet he did not do so. As the NYC Bar notes, typically, the ‘system designates CCOs as personally responsible for something – securities law compliance at their firms – that is ultimately determined by other human beings whom the CCO cannot control.’ Kirkpatrick, by contrast, was both a principal of the firm and the CCO, and therefore clearly had authority to exercise substantial control over his firm’s compliance.”
Peirce said she wants to avoid assigning “unjustified liability for CCOs based on the firm’s failings or the failings of others at the firm.” Noting that “the CCO’s job is expansive and growing along with our rulebook,” she said she looked forward to “continued engagement with compliance personnel on designing a properly calibrated CCO liability framework.”
Corey says that definitive guidance is currently lacking on what constitutes violative conduct and failure to adequately discharge responsibilities.
“There appears to be a concern that regulators will look at a situation that has gone wrong and, with the benefit of hindsight, decide that a CCO failed to discharge their responsibilities,” Corey explains. “Some [including the NYC Bar] have called for the creation of a Compliance Advisory Committee or other formal ongoing communication mechanism between compliance officers and the SEC, or to have periodic public roundtables with compliance officers.”
In a 2020 speech, Peirce warned against second-guessing compliance actions and stressed the difference between “something go[ing] wrong” at the firm and what the CCO is responsible for.
“A reasonably competent and diligent CCO and CRO should have little worry about the SEC’s action in the Hamilton Investment Counsel matter,” says David Bissinger of Bissinger Oshman Williams & Strasburger in Houston, Texas. “In general, CCOs and CROs are paid to ensure their firms have appropriate compliance procedures and risk controls.”
Bissinger says that while D&O insurance can provide protection for larger firms, many advisory firms of Hamilton’s size purchase errors and omissions (E&O) coverage, which typically has more exclusions and, in cases of fraud, may raise coverage disputes with the carrier.
“Rules Should Empower”
Alma Angotti, a partner in the financial services segment at consulting firm Guidehouse, says that regulators and the Department of Justice want to ensure that CCOs have authority, ability and responsibility to do their jobs.
“They are stating that these rules should empower CCOs and give them the necessary resources they need to design and implement an appropriate compliance program,” Angotti says. She believes that insurance coverage for any given disparity may be unclear, but CEOs and CCOs have direct responsibility for the way that compliance is operationalized and staffed, for disclosures to the public and other responsibilities with a direct impact on legal compliance.
“It may depend on what the scope of the CRO’s responsibilities are,” she says. “If compliance reports up to the CRO, it would not be hard to imagine the DOJ or regulators deeming them ultimately responsible for compliance. If they function in more of a risk analysis and advisory role, without decision-making authority, then maybe not.”
An Evaluation Mechanism
Prasad Sabbineni, co-CEO of governance, risk and compliance systems company MetricStream, contends that an SEC framework would set expectations, encourage compliance officers to take their roles and accountability seriously, and would not be an explicit threat of penalization. He sees it as “simply an avenue to openly evaluate compliance leadership performance.”
“Australia, Singapore, the United Kingdom and other countries have, or are considering, similar liability rules, and CCOs are pushing back,” Sabbineni says. “They argue it is impossible to know everything that happens within their organizations.
“In my opinion,” he continues, “these personal liability rules run the risk of causing an exodus of qualified compliance professionals, because the job is too risky. This is especially true for smaller firms that lack compliance authority and consistency across the company, or where compliance leadership doesn’t have the same level of expertise found at a larger financial firm. Because of a lack of central authority or point of regulation, they fear being held liable for misconduct they were not, and could not be, aware of, creating a risk they are unwilling to take.”
Sabbineni suggests a balanced approach in which the SEC and compliance professionals work together. He says that this was implied in the Hamilton ruling and points to a path forward.
“The need for compliance and oversight must be in balance with the desire to grow and advocate for compliance leaders,” the MetricStream executive adds. “Without compliance leaders, many organizations will suffer immeasurable harm. If the pendulum shifts too far, we will have even more risk to contend with.”