The Securities and Exchange Commission's sweeping insider-trading probe of Wall Street is looking squarely at corporate policies for guarding material, non-public information. Compliance officers should know what that means: The SEC is looking at you.

Inadequate policies in that area recently landed two affiliated New York-based asset management firms and their former chief compliance officer in hot water with the agency. In administrative proceedings against investment adviser Buckingham Capital Management and its broker-dealer parent company, Buckingham Research Group, the SEC said the firms “failed to establish, maintain, and enforce written policies and procedures reasonably designed to prevent misuse of material, non-public information.” The SEC charged Lloyd Karp, the former CCO for both firms, with aiding and abetting and with causing the compliance failures. The Commission also charged Buckingham with supplementing and altering its records prior to turning them over to SEC staff.

The case has the most direct implications for CCOs at broker-dealers and investment advisers, but it also signals an increasing willingness to hold compliance officers at all companies responsible for inadequate compliance programs. “A CCO remains ultimately and personally responsible for the conduct of the staff and for the development, application, and enforcement of compliance policies and procedures,” says Tod Sawicki, a partner with law firm Alston and Bird. “The SEC drove that point home with this action.”

The settlement highlights a major focus of the SEC staff, says Christopher Conte, a former SEC enforcement attorney and now partner at the law firm Steptoe & Johnson. “There's a lot of concern right now about the potential misuse of material non-public information, the relationship between investment advisers, broker-dealers, hedge funds, and the like, and the flow of information,” he says. “Given the SEC's interest in this area, any firm out there can expect to have its policies and procedures evaluated in a particularly careful way.”

In the Buckingham case, all three parties agreed to settle with the SEC. Without admitting or denying the SEC's findings, BRG agreed to pay a $50,000 penalty, BCM agreed to pay $75,000, and Karp agreed to pay $35,000. The firms also agreed to hire an independent consultant to review their compliance policies and procedures.

A spokesman for Buckingham declined to comment beyond a company-issued statement. “We are pleased that we have reached a settlement with the SEC on their findings relating to our past compliance policies and recordkeeping procedures and production,” it said. “It is important to note that no clients were affected.”

The Exchange Act requires brokers and dealers to establish, maintain, and enforce written policies and procedures to prevent the misuse of material, non-public information. In addition, the Investment Advisers Act includes a similar requirement for investment advisers.

In the Buckingham case, the SEC said that the firms didn't do enough to mitigate the risks of such misuse arising from their close ties. The firms share common office space and management, and BCM's trading accounts for roughly 25 percent of BRG's commission revenue. Those factors called for enhanced controls to prevent the misuse of inside information, which the SEC says BCM and BRG failed to establish. “The SEC order makes it clear that the written policies and procedures in place here didn't adequately address the particular circumstances and quirks associated with the relationship between the investment adviser and the broker-dealer,” Conte says.

The case also serves as a reminder that a “paper compliance program” won't pass muster with regulators and enforcers. “It's not enough to have written policies and procedures on the books,” Conte says. “They have to be reasonably designed and appropriate for the particular business circumstances of the broker-dealer and investment adviser.”

For example, the SEC order says that although BRG had a written policy to address the misuse of inside information, it didn't follow that written policy in practice. BCM's written policies lacked important compliance procedures until 2007. In some instances, BCM's written procedures were so unclear employees didn't understand their responsibilities; in others, actual practice deviated considerably from written procedures. Those failures led to inadequate implementation and enforcement of the firms' policies. The SEC says Karp, as the chief compliance officer who was responsible for establishing and administering all compliance policies, willfully aided and abetted and caused the firms' violations.

The case also serves as a reminder that executives who carry a number of titles need to take care that they are fulfilling the duties inherent in each job. Karp wore a number of hats at Buckingham. Until May 2010, he was the chief compliance officer of both firms. He has also been the chief operations officer of BRG since 2004, is the corporate secretary, treasurer, and a senior vice president of the firm, and has a small direct ownership interest in BRG.

The SEC says his failure to discharge his CCO responsibilities adequately resulted in the firms' violations. “Karp was aware of the compliance weaknesses and failures and either failed to act or failed to correct them,” the order states.

The Commission staff had previously identified deficiencies in BCM's monitoring of employees' personal trading and directed the firm to update its written policies and procedures. BCM, in a written response prepared by Karp, said it would cure the deficiencies by adding certain documentation and review requirements, but didn't fully implement those remedial steps.

BCM also ran afoul of the SEC for falsified records and altered compliance records. While preparing for an SEC examination in 2006, BCM discovered it was missing pre-approval forms for more than 100 employee trades. Instead of producing incomplete records, it created new forms and gave them to the SEC staff along with the existing records without telling the staff what had been done. BCM also replaced incomplete compliance logs with newly created ones.

BRG CASE SUMMARY

The following summarizes the SEC's findings in the matter of the Buckingham Research Group, Inc., Buckingham Capital Management, Inc., and Lloyd R. Karp:

1. From at least September 2005, BRG, a registered broker-dealer and institutional equity research firm, and its subsidiary, BCM, a registered investment adviser, failed to establish, maintain and enforce policies and procedures reasonably designed, taking into account the nature of their respective and interconnected businesses, to prevent the misuse of material, non-public information. For 2005, BCM also failed to conduct an annual review of the adequacy of its compliance policies and procedures and the effectiveness of their implementation, as required by the Advisers Act.

2. BRG and BCM's policies and procedures were deficient in a number of ways. BRG had a written procedure to address the misuse of material, non-public information, but did not follow its written procedure in practice. Important compliance policies and procedures were not contained in BCM's written policies and procedures. Further, in some instances, BCM's written policies and procedures were so unclear that employees did not understand their responsibilities. In other instances, the practices BCM employed varied materially from its written policies and procedures. These failures led to inadequate implementation and enforcement of the firms' written compliance policies and procedures.

3. BCM also failed to create and maintain records evidencing important supervisory authorizations and compliance reviews. In October 2006, the SEC examination staff began conducting an examination of BCM. In the course of preparing for the examination and collecting records to produce to the SEC staff, BCM discovered that certain compliance-related records were incomplete and that others were missing from its files. BCM personnel altered its records by creating compliance documents, and produced those records to the SEC examination staff without disclosing that those records included “replacements” for incomplete or missing records. This conduct prevented the examination staff from discovering BCM's failure to follow its compliance procedures and violated BCM's statutory obligation to make its records available for examination.

4. Karp was the chief compliance officer of both BRG and BCM during the relevant period and was directly responsible for establishing and administering the firms' compliance programs, including policies and procedures reasonably designed to prevent misuse of material, non-public information. Karp failed to discharge those responsibilities adequately, which resulted in the violations by BRG and BCM.

Source

SEC Order Against BRG BCM & Karp (Nov. 17, 2010).

Holding CCOs Accountable

Donna Boehme, a principal with consulting firm Compliance Strategists, says it's not unusual to see CCOs individually prosecuted when they're involved in the misconduct, whether in a regulated industry or not. What CCOs are concerned about, she says, is where enforcement agencies seek to hold them more broadly accountable for crimes simply because the misconduct occurred on their watch (which mirrors Britain's approach in the financial services industry). The U.K. Financial Services Authority “can and does hold individual CCOs liable as the first line of defense responsible for stopping misconduct,” she says.

The SEC may be holding the CCO individually responsible for having a paper policy in place and not vigorously implementing and enforcing the compliance program, Boehme says. If so, she says it could signal heightened scrutiny of CCOs, particularly in regulated industries, along the lines of the FSA's “gatekeeper” model.   

Rebecca Walker, a partner in the law firm Kaplan & Walker specializing in corporate compliance and governance, agrees. “Past enforcement actions against CCOs have typically involved more active misconduct, as opposed to a failure to implement policies,” she says. “That could indicate that the SEC is going to look at CCOs and their responsibilities more closely.”

She says the remediation required under the settlements is somewhat more onerous than usual. For instance, the requirement to hire an independent consultant to review and report on the firms' policies and procedures is reminiscent of language often included in corporate criminal deferred prosecution agreements with the Department of Justice. It also echoes the amendments to the U.S. Sentencing Guidelines in terms of the focus on post-misconduct program assessment and remediation, as opposed to just fixing what's broken, Walker says.

Finally, Boehme says the action is a reminder for CCOs of the importance of management support and adequate resources. “If you are a CCO and your firm's policies are not being adequately implemented or enforced, you had better do your job or, if management is the problem, turn in your badge and your gun and go somewhere else that cares about compliance,” she says. “And talk to the board on your way out.”