The US Securities and Exchange Commission has just sent brokerage CEOs a subtle warning: we could hold you legally liable for failing to supervise your chief compliance officer. The message was tucked into the final pages of the regulatory agency’s ruling on October 28 upholding a fine and suspension imposed by the Financial Industry Regulatory Authority (FINRA) on Thaddeus North, chief compliance officer of Southridge Investment Group from July 2009 to August 2011, where he worked at the firm’s headquarters in Ridgefield, CT. North has been chief compliance officer of Kuhns Brothers Securities in Lakefield, CT since January 2013.
Chief executive officers shouldn’t find the SEC’s stance all that surprising, considering that the regulatory agency has repeatedly called for individual accountability. What CEOs now have to worry about is how they can prove they reviewed their CCOs sufficiently.
In its opinion in late October on the case involving North, the SEC says that one of the implicit responsibilities of CEOs is to monitor their CCOs. The regulatory agency notes that it was troubled that North might have abdicated his duties as CCO without his CEO’s knowledge. “The Commission’s discussion of the CEO’s duty to follow up on whether the CCO is doing his or her job strongly suggests that CEOs can be held liable for failure to supervise where there are ongoing compliance failures that could have been identified by a reasonable system of follow-up and review,” explains Greg Barrentine, a partner at the law firm of Winston & Strawn in New York.
The SEC and FINRA will likely be hesitant to penalize CEOs for any wrongdoing unless they can prove the CEOs were complicit or ignored the advice of their CCOs. However, as Barrentine points out, CEOs should at a minimum expect more questions from examiners about how they are monitoring their CCO’s performance to ensure that the firm’s employees are following regulatory and firm requirements. Those questions include what actions they took beyond accepting their CCOs’ claims. Did the CEO also meet with risk managers, legal counsel and internal auditors to discuss any potential red flags in the firm’s compliance program, or review results from monitoring applications? Were any external audits done and, if so, what were their results?
None of the dozen CEOs of US brokerage firms contacted by FinOps Report were willing to discuss any metrics they use to monitor their CCOs, what questions they had been asked during any regulatory audits, or whether they would change their oversight methodology in the wake of the SEC’s ruling about North. In emailed responses to questions, all claimed they “meet regularly” with their CCOs and ask to be notified of any problems and of the corrective steps taken to avoid breaching regulatory requirements.
In 2015 FINRA found that North had violated its rules by failing to establish a reasonable supervisory system to review electronic correspondence, failing to reasonably review that correspondence himself, and failing to report a relationship with a statutorily disqualified person. The broker-dealer regulator then gave North a two-month suspension in all principal and supervisory capacities and fined him US$40,000.
North himself admitted that from July 2009 through August 2011 he reviewed emails only six times, and that there were periods of three to five months in which he reviewed no emails at all. Southridge did have a system operated by Smarsh Inc. that allowed the firm to store and review emails. However, Southridge’s written procedures, drafted in 2008 and updated in 2010, gave the CCO no guidance on how often to check emails or which methodology to use; they called only for a “random sampling.” About eighty percent of Southridge’s electronic communications were Bloomberg messages and chats.
North appealed the decision to FINRA’s National Adjudicatory Council (NAC), which eased some of the initial penalties. In March 2017 the NAC reversed the initial finding that North had violated Rule G-17 of the Municipal Securities Rulemaking Board, which prohibits brokers from engaging in deceptive conduct. The NAC agreed with the remainder of the findings but reduced the suspension to 30 days and the fine to US$10,000.
In rejecting the further appeal North filed with the SEC in 2017, the regulatory agency said earlier this year that North’s failure to establish and follow adequate written supervisory procedures was egregious. The SEC didn’t accept North’s argument that he didn’t understand the Smarsh system well enough to know that he had to search a separate repository to review Bloomberg communications. Nor did the SEC agree with North’s contention that he should not be penalized because Smarsh lacked the ability to archive Southridge’s emails and did not host or control the underlying technology required to produce reports.
“The underlying emails, however, are not the basis for North’s liability, as North’s failure to conduct any review of the firm’s Bloomberg communications was plainly not reasonable,” says the SEC, which also dismissed North’s claims that Smarsh and FINRA had conspired to illegally intercept and fabricate emails as unsubstantiated and irrelevant to the case.
After explaining the rationale for its ruling, the SEC devotes the remainder of its opinion to the obligations of CEOs. The SEC says point blank that the CEO of a brokerage firm is responsible for the firm’s compliance with all regulatory rules unless he or she has delegated particular functions to another person in the firm and neither knows nor has any reason to know that a problem has arisen.
Can a CEO claim he or she had no reason to know anything was wrong? Not unless he or she has done plenty of homework. For starters, CEOs will need to ensure that CCOs have clearly stated their firms’ policies and procedures in their compliance rulebook. CEOs will then need to grill their compliance officers about how they have verified that all of the firm’s employees are following the firm’s compliance manual.
CCOs can’t be expected to know exactly what every employee is doing every hour of the day. However, they can set up a risk-based method for monitoring employees that focuses on the types of services offered by the brokerage firm and the potential for wrongdoing in different business lines, according to Jane Shahmanesh, managing partner at New York-based Adherence LLC.
That’s the same risk-based approach CEOs should use to monitor their CCOs. The higher the potential for fraud, embezzlement or simple ineptitude, the more questions the CEO should ask and the more frequent the internal and external audits should be.
Software systems can easily be used to track any deviations from the firm’s written policies and procedures. Of course, the CEO also needs to make certain that the CCO has reviewed the results generated by those software packages and has the IT department tweak the rules when necessary.
“If a CCO relies on the accuracy of software that isn’t tested periodically for accuracy, he or she can’t rely on any glitches as a get-out-of-jail-free card if there is a problem,” says Shahmanesh. “Chief compliance officers also need to get used to answering questions from third-party auditing firms hired to test their work through random sampling.” Adherence and other compliance consultancies offer compliance audits and mock regulatory exams.
Guy Talarico, chief executive of Alaric Compliance Services, a New York firm that also conducts compliance audits, recommends that regardless of the brokerage firm’s services, CEOs should at least pay close attention to whether their CCOs are fulfilling their minimal responsibilities. “Monitoring personal trading, cybersecurity protection, customer onboarding and email correspondence are the responsibilities of every chief compliance officer at every brokerage firm regardless of the brokerage’s specialty,” says Talarico. “In the case of e-mail correspondence, all the CEO has to do is look into any monitoring system to determine how frequently the CCO has checked emails over a period of time and what anomalies the system uncovered.”
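A worked illustration of the check Talarico describes, applied to the pattern in the North facts above (a handful of email reviews spread over two years and no review at all of the separately stored Bloomberg traffic). This is added example code, not code from the article, from Smarsh or from any vendor. It assumes a monitoring system can export review events as (date, channel) pairs; the sample log, the channel names and the 30-day policy threshold are constructed for illustration, since Southridge’s own procedures set no cadence.

```python
"""Audit a supervisory review log for review cadence and channel coverage.

Added example, not from the original article or any vendor. The log format,
channel names and threshold below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export: one row per review event a monitoring system
# might record. Six email reviews over roughly two years and zero Bloomberg
# reviews mirror the shape of the North case; the dates are invented.
SAMPLE_LOG = [
    ("2009-08-14", "email"),
    ("2009-11-02", "email"),
    ("2010-04-20", "email"),
    ("2010-07-09", "email"),
    ("2010-12-15", "email"),
    ("2011-05-03", "email"),
]

# Every channel the firm's written procedures say must be reviewed. A channel
# with no log rows is still reported, which is the point: an empty repository
# is the failure mode, and a report built only from logged events would hide it.
REQUIRED_CHANNELS = ("email", "bloomberg")


def audit_review_log(log, channels, period_start, period_end, max_gap_days=30):
    """Return {channel: {"count", "longest_gap_days", "gaps_over_policy", "violates"}}.

    Gaps are measured between consecutive reviews and also from the start of
    the period to the first review and from the last review to the end, so a
    channel reviewed once in January and never again still shows a long gap.
    """
    by_channel = defaultdict(list)
    for day, channel in log:
        by_channel[channel].append(date.fromisoformat(day))

    report = {}
    for channel in channels:
        reviews = sorted(by_channel.get(channel, []))
        # Boundaries of the period act as sentinels on both ends.
        points = [period_start] + reviews + [period_end]
        gaps = [(b - a).days for a, b in zip(points, points[1:])]
        longest = max(gaps)
        report[channel] = {
            "count": len(reviews),
            "longest_gap_days": longest,
            "gaps_over_policy": sum(1 for g in gaps if g > max_gap_days),
            "violates": longest > max_gap_days,
        }
    return report


def summarize(report):
    """One line per channel, suitable for a CEO's follow-up questions."""
    lines = []
    for channel, r in report.items():
        status = "VIOLATES policy" if r["violates"] else "ok"
        lines.append(
            f"{channel}: {r['count']} reviews, longest gap {r['longest_gap_days']} days, "
            f"{r['gaps_over_policy']} gaps over limit, {status}"
        )
    return lines


if __name__ == "__main__":
    result = audit_review_log(
        SAMPLE_LOG, REQUIRED_CHANNELS, date(2009, 7, 1), date(2011, 8, 31)
    )
    for line in summarize(result):
        print(line)
```

Run against the constructed log, the email channel shows six reviews with a longest gap of 169 days, and the Bloomberg channel shows zero reviews across the entire 791-day period. The second line is the one a CEO should be asking about: a review count that never appears in the log cannot be explained away as a reporting glitch.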
Once a CEO has found that the CCO has failed in just one of his or her responsibilities, it stands to reason that he or she may be falling down on the job in others, suggests Talarico. “If the CCO failed to review something as simple as email correspondence, it’s a clear sign for the CEO to ask more questions about other areas.”
Even if it appears that CCOs are doing their best, CEOs need to pay closer attention to the possibility of inadequate staffing. “If the CCO had escalated a staffing problem to the CEO and the CEO didn’t provide additional resources, the CCO would have effectively shifted liability to the CEO,” says Shahmanesh. “Regulators have made it very clear that not providing adequate resources to a compliance function can lead to liability.”
The size of a brokerage firm’s business will likely be a factor in how CEOs monitor their CCOs and in their potential liability. The larger the number of business lines involved, the more likely the CEO is to rely on advice from others, which raises the odds of catching the CCO’s failings and avoiding further regulatory scrutiny.
“The CEOs of the largest brokerages can more easily argue that they were incorrectly briefed on the effectiveness of their CCOs by their legal counsel and chief risk officers,” says Barrentine. “By contrast, the CEOs of the smallest firms would be expected to meet with their CCOs on a more regular basis.”
CEOs of mid-tier brokerage firms might have the most to worry about when it comes to potential liability, cautions Barrentine. They might not have set up any process to keep track of their CCOs, either because they don’t have enough time to do any review or because their firms don’t have deep enough pockets to pay for external audits.
Regardless of how a CEO decides to monitor a CCO it all comes down to following common sense to ensure accountability. Examiners don’t want to hear that a CEO was too busy courting clients to pay attention to what the CCO is doing.
“When a CCO says everything is fine, that’s the red flag for a CEO to start to worry,” says Talarico. “The CEO also shouldn’t just take the CCO’s word that any problem was minor and has been fixed. ‘How?’ is the operative follow-up question. Trust but verify.”