CCOs Have a Target on Their Backs: The Coming Storm (Part III of III)
I have always played down the issue of CCO liability and prosecutions. I dismiss these concerns often because the reporting of CCO prosecutions is usually exaggerated and meant to instill fear in compliance professionals. In my simplistic approach, I have followed the general rule of thumb – if you do something wrong, you pay the price. In a number of cases involving compliance officer prosecutions, the compliance professional engaged in obvious wrongdoing and “deserved” whatever sanction was meted out. After all, no one can argue that “every” compliance officer is an angel.
Let’s take the case of Meredith Simmons, a former General Counsel of the patent-licensing firm Acacia Research Corporation, and Chief Compliance Officer at Mason Capital. Ms. Simmons was ordered by the SEC to pay a $25,000 penalty for backdating a compliance memorandum, making “multiple inaccurate factual statements” in the memo, and failing to produce all requested records to the SEC during its investigation. Ms. Simmons was barred for one year from practicing before the SEC and for three years from serving as a chief compliance officer in the securities industry. No one can dispute this enforcement action against Ms. Simmons.
Let’s look at another case involving Bonnie M. Haupt, the chief compliance officer at Gilder Gagnon Howe & Co (“GGHC”), a registered investment adviser and broker-dealer. The SEC charged GGHC and CCO Haupt for failing to conduct reviews of its accounts for excessive commissions and trading as required under its policies and procedures. GGHC was initially cited for its compliance failures by the Financial Industry Regulatory Authority in 2016. In response, GGHC adopted policies and procedures to conduct monthly reviews of its accounts through its CCO to examine certain issues and escalate any cited accounts for further review. GGHC and CCO Haupt failed to conduct any reviews as required under its policies and procedures. In fact, CCO Haupt submitted monthly reports to the SEC during an examination that she had altered to give the false impression that she contemporaneously reviewed them. GGHC paid a fine of $1.7 million and was censured. Haupt paid a penalty of $45,000 and was censured. Again, no one should quibble with this enforcement action – the penalty appears commensurate with the misconduct.
I have described these cases to exclude from discussion those cases where gatekeepers engage in unquestioned misconduct and then alter documents and mislead regulators. Frankly, each of these examples could have resulted in criminal prosecutions.
The Regulatory Certification
We have examples of a growing trend by regulatory agencies requiring certifications from responsible persons in compliance. Let me cite a few – The New York Department of Financial Services (“NYDFS”) requires regulated companies to file: an annual cybersecurity compliance certification; and an annual Bank Secrecy Act and Anti-Money Laundering certification. HHS-OIG Corporate Integrity Agreements require subject organizations to file certifications of compliance with the CIA. These certifications are required often from the board, individual board members and an officer of the organization. Regulators impose these certification requirements for a variety of reasons but regulators are seeking accountability and responsibility.
In Sarbanes-Oxley, Congress crafted massive reforms to the audit industry and imposed specific requirements for the CEO and CFO to certify to the accuracy of the company’s financial reports. A certification that includes reports that are false and misleading can result in a criminal prosecution of the CEO and CFO.
The Future Expansion of Certifications
As regulators and Congress have embraced the value of corporate certifications of compliance, we can expect that future regulatory or legislative reforms will increase the number of required certifications. In response to a “new scandal” (e.g. 2000-2001 financial reporting and 2008-2009 financial crisis), Congress will seek a new “solution” to remedy the alleged “causes” of corporate misdeeds. In other words, Congress will seek a new “magic bullet.”
Congress will not have to look very far, and the Biden Administration will be happy to help identify the new remedial response. The government will begin by elevating the importance of ethics and compliance programs, mandating design and implementation requirements and enforcing these requirements through certifications. Congress will create separate enforcement schemes for these requirements and the certification processes.
To draft this legislation, Congress can quickly turn to DOJ’s guidance, regulatory requirements, and the U.S. Sentencing Guidelines. What appears to be mandated in general requirements – through incentives, guidance and NYSE listing requirements – will quickly turn into mandatory ethics and compliance programs. Of course, the drafting of this legislation will have to take into account the size of an organization, the industry and other requirements.
Who will be responsible for compliance with these new requirements? You guessed it – Chief Compliance Officers. Who will be held accountable for these requirements? You guessed it – Chief Compliance Officers.
CCOs already play a significant role in partnership with law enforcement, and as regulatory requirements increase, CCOs will play an even larger role. But with the increased role, the possibility of government prosecution rises. CCOs will be expected to ensure compliance with specific requirements, possibly even certifying compliance with legal requirements. Once they do so, CCOs will have a target on their backs. CCOs will be on prosecutors’ radar screen.
The implications of this development are far-reaching. CCOs already have responsibilities that flow from their independence and empowerment. If you add in a layer of government certifications and reporting responsibilities, the potential risks multiply exponentially.