The SEC’s determinations about whether to charge a compliance officer are consequential not only for the particular compliance officer, but more generally for the profession. CCOs play a vital role in ensuring that investment advisers, broker-dealers, and other registered entities comply with the securities laws. A good CCO expertly weaves compliance into all of a firm’s activities. Attracting well-qualified people to the profession is important, and fears of facing liability for someone else’s missteps can dissuade excellent candidates from seeking compliance jobs. Accordingly, I have spoken in the past of the importance of thinking carefully about when to impose liability against a CCO.[2] I have underscored that the compliance obligation belongs to the firm, not to the CCO. Reminding firms that compliance is their responsibility helps to ensure that they dedicate adequate resources to, and appropriately defer to the judgment of, their compliance departments.

A case like this offers us a useful example to test how a CCO liability framework might work in practice. The SEC has not adopted such a framework, but the Compliance Committee of the New York City Bar Association (“NYC Bar”) recently proposed one for consideration.[3] An overarching question in that framework is whether charging a CCO in the particular case would “help fulfill the SEC’s regulatory goals.”[4] Here, a charge against the CCO, who was also a principal of the firm, helps fulfill the SEC’s regulatory goals; he had identified weaknesses in the compliance program, was in a position to address them, yet he did not do so. As the NYC Bar notes, typically, the “system designates CCOs as personally responsible for something – securities law compliance at their firms – that is ultimately determined by other human beings whom the CCO cannot control.”[5]Kirkpatrick, by contrast, was both a principal of the firm and the CCO, and therefore clearly had authority to exercise substantial control over his firm’s compliance.

A decision to charge a CCO who is complicit in a fraud is easy, but the framework concentrates much of its attention on the more difficult question of distinguishing conduct that is only “debatably inappropriate” from conduct that is “wildly inappropriate”[6]—or, as it has been called in the past—“a wholesale failure” to carry out compliance responsibilities.

The NYC Bar Framework asks several questions to determine whether such a wholesale failure exists.[7] Below is a list with relevant facts from this matter:

1. Did the CCO not make a good faith effort to fulfill his or her responsibilities?

In addition to serving as CCO, Kirkpatrick was a principal of HIC. As the Order states, he knew or should have known of the inadequacy of the firm’s compliance program since at least December 2019.[8] As principal of the firm, he had adequate authority to address the compliance inadequacies.

2. Did the Wholesale Failure relate to a fundamental or central aspect of a well-run compliance program at the registrant?

The failures in this matter related to the outside business activities of an investment adviser representative (“IAR”), an issue that can give rise to conflicts of interest and investor harm. Moreover, this was not an area of uncertainty for the firm because its own compliance program required disclosure of outside business activities,[9] and the parameters of what constitutes an outside business activity generally are well understood.

3. Did the Wholesale Failure persist over time and/or did the CCO have multiple opportunities to cure the lapse?

The general failure at issue here—failure to address known weaknesses in the compliance program generally and failure to ensure disclosure of outside business activities in particular—persisted for more than a year.[10] The CCO had multiple opportunities to cure the particular issue here—unreported outside business activities by an IAR—because the activity came to the CCO’s attention in different ways multiple times over a substantial period of time.[11] While the CCO ultimately did raise the issue with the broker-dealer with whom the IAR also was associated, he did so almost a year after becoming aware of transfers of client assets to the IAR’s other business.[12]

4. Did the Wholesale Failure relate to a discrete specified obligation under the securities law or the compliance program at the registrant?

This enforcement action is not premised on technical non-compliance with a rule, but on a more fundamental failure to deploy the compliance program effectively to protect firm clients.[13]

5. Did the SEC issues rules or guidance on point to the substantive area of compliance to which the Wholesale Failure relates?

The CCO’s lapses here cannot be tied to an absence of Commission guidance. As noted above, the legal principles at issue here are well-established.

6. Did an aggravating factor add to the seriousness of the CCO’s conduct?

The aggravating factor here was that the broker-dealer with which the IAR was associated flagged certain transactions conducted by the IAR involving transfers of client assets to the IAR’s outside business activity.[14]

Reading the Order Instituting Proceedings in this matter might engender exactly the type of concern that I want to avoid—unjustified liability for CCOs based on the firm’s failings or the failings of others at the firm. Viewed in hindsight through a narrow lens that focuses on one small aspect of a CCO’s job, many CCOs could be deemed to have failed. The CCO’s job is expansive and growing along with our rulebook. In this instance, however, the CCO had the opportunity to improve the compliance program, but did not do so despite frequently recurring reminders that the program was not working effectively to cover outside business activities.

In describing the CCO’s failures to take sufficient steps, the Order refers to “communications related to the OBA” and “notice that certain transactions were conducted by the IAR” without providing much detail regarding the substance of those communications. Our orders provide the greatest value when they include sufficiently detailed information and explanations so that the public can understand the particular facts of a given case and how it fits into any liability framework. Although greater specificity may have been helpful for some purposes, I believe the Order lays out a sound basis for concluding that this CCO’s conduct here fell materially short.

I look forward to continued engagement with compliance personnel on designing a properly calibrated CCO liability framework, including in light of specific fact patterns such as the one at issue in this enforcement action.

ENDNOTES