In 1994, Thaddeus North joined Southridge Investment Group LLC (Southridge), a firm subject to US Security Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) regulations. In July 2009, North apparently drew the “short straw” and was appointed as Southridge’s Chief Compliance Officer (CCO) — a position he held until August 2011.
One of North’s duties as CCO was to establish, maintain, review, and, if necessary, modify Southridge’s supervisory procedures governing the review of electronic correspondence. When North assumed the CCO position, he didn’t need to start from scratch because the firm already had supervisory procedures in place. North was also responsible for reviewing the company’s electronic correspondence of its registered representatives.
Unfortunately for North, in December 2010, FINRA began investigating Southridge based on a tip that Leslie King, a Southridge employee in charge of the firm’s Plano, Texas branch, was paying Todd Cowle, a “statutorily disqualified person,” for client referrals and other activities. Despite learning of King’s relationship with Cowle in March 2010, North failed to report these activities to FINRA.
On July 15, 2013, FINRA’s Department of Enforcement charged North with this failure to report as well as his failure to establish and maintain a reasonable supervisory system for review of electronic correspondence and failure to review that correspondence. Despite there being no evidence that North participated in any wrongdoing — other than not performing his duties to FINRA’s satisfaction — FINRA fined North US$40,000 and censured him.
North appealed the FINRA ruling to the SEC in 2017 and lost. He appealed once more to the US Court of Appeals for the District of Columbia, which ultimately upheld the sanctions in an October 2020 opinion.
As those of you in the financial services industry are well aware, North is not the first CCO to be sanctioned for making mistakes on the job. Many others have suffered the same fate. FINRA and the SEC have made it a point to hold CCOs accountable for not doing an effective job in policing their firms.
Not surprisingly, this has caused significant concern in the CCO community — a concern that was shared by Daniel Gallagher (an SEC Commissioner) on June 18, 2015 when he explained his dissent in two settled SEC enforcement actions against CCOs. Gallagher stated:
Both settlements illustrate a Commission trend toward strict liability for CCOs under Rule 206(4)-7. Actions like these are undoubtedly sending a troubling message that CCOs should not take ownership of their firm’s compliance policies and procedures, lest they be held accountable for conduct that, under Rule 206(4)-7, is the responsibility of the adviser itself. Or worse, that CCOs should opt for less comprehensive policies and procedures with fewer specified compliance duties and responsibilities to avoid liability when the government plays Monday morning quarterback.
As a former CCO at several multinational corporations, I share Gallagher’s concerns. More often than not, CCOs have small staffs, tight budgets, and responsibilities that outsize both. In my view, CCOs should not be subject to enforcement actions for the transgressions of others unless they participated themselves in the misconduct or a cover up.
If the SEC or other government agencies wants to put a head on a pike to induce firms to have sound compliance and ethics programs, they should focus on CEOs and boards of directors rather than their subordinates. However, in the meantime, we CCOs will need to take steps to protect ourselves from being second-guessed about how we do our work. The following are a few thoughts about how we might do that:
1. Look before you leap
When interviewing for a CCO position, do your due diligence regarding the firm’s reputation and compliance history. Also, ask the CEO and other senior executives questions to help you get a realistic sense of their support for the compliance function and whether they have taken visible steps in the way they lead the company to build and sustain a strong ethical culture. If you’re not satisfied with their answers, run the other way.
2. Kick the “tires” hard
Once you assume a CCO role, don’t just dive into the job by merely responding to what arrives in your in-box. Take the time necessary to do a comprehensive risk assessment and systems evaluation. Determine the maturity of the compliance management systems you and your team are responsible for. Ask (and make sure you get answers) the following questions:
• Are there effective policies and procedures?
• Do we have sufficient people and resources?
• Is there appropriate governance and oversight?
• Do we have effective training programs?
• Is there adequate monitoring and auditing?
• When compliance issues are identified, are timely corrective actions taken?
• Do we have the right culture in the organization to encourage compliance?
When performing this work, I recommend using a stoplight chart methodology in which red and yellow areas of concern are annotated with bullets detailing compliance management system shortcomings. Once this work is completed, leverage your findings to develop a realistic strategic plan that will get you from where you are to where you need to be and share both the assessment and the plan with your senior management team and your board. If they refuse to provide the resources to execute the plan, get your resume together.
3. Don’t go along to get along
When you detect misconduct, don’t yield to pressure to back off. Years ago, I conducted an investigation that revealed serious misconduct by a number of mid-level company leaders, some of whom we caught lying to our investigators.
Despite fierce opposition from my general counsel regarding our characterization of the misconduct, my team and I stuck to our guns and pulled no punches when we drafted our investigation report and distributed it to the senior management team and the board of directors.
Although my team and I took a lot of heat for the report and our recommendation that several employees be terminated, we called balls and strikes for these company leaders just as we would have done if they were lower-level employees. If you face similar circumstances, you should do the same.
Conclusion
As those of us who have the battle scars to prove it know, being an effective CCO in a large organization ain’t bean bags. Protect both yourself and your company by taking the steps necessary to make sure you’re not your firm’s designated jailee.