CCOs seek liability protections

One of the many things that can keep a CCO up at night is becoming subject to potential liability for failing to catch a compliance misstep at the firm. We explore how you can rest easier. 

In 2012 the Securities and Exchange Commission (SEC) finally dropped a three-year case against Theodore Urban, general counsel at Ferris Baker Watts, a Washington, DC-based brokerage and investment bank. Going back to 2003, Urban had detected bad behavior by one of the top brokers at the firm and recommended he be fired. But the board backed the broker – who was ultimately jailed for stock manipulation. The SEC alleged that Urban had a supervisory role and that reporting his concerns to management was insufficient, and he was charged with “failure to supervise” the bad actor.

Ever since that case, private equity chief compliance officers have been seeking more clarity – from their firms, from their colleagues, and from regulators – on how they can best fulfill their obligations to the law and to their employers, without hanging themselves out to dry.

While Urban was ultimately exonerated of any wrongdoing (and in that CCOs can take some solace) compliance professionals may find it ominous that before his stint with brokerage firm Ferris Baker Watts, he had been with the SEC as well as with the Commodity Futures Trading Commission. No one is above suspicion, but if a former regulator can’t get the benefit of the doubt, then who can?

During and after the Urban case there was considerable consternation among CCOs, and efforts to put the findings into best practices. Then things quieted down a bit, but several recent enforcement actions by the SEC have put the issue back on the front burner, says Lisa Roth, president of risk-management and consulting firm Monahan & Roth, in San Diego. “There is a chilling effect,” she states. “There is only so much that insurance can do for you, you have to do as much as you can to protect yourself.”

The essential challenge, Roth explains, is timing and context. “Regulators always have the benefit of hindsight. They can look at a chain of events and decide you should have done something differently at one time or another and it will be difficult for you to establish the context in which your decisions were made at the time.”

Not shrinking from plain language, Roth concludes, “the horrifying aspect of the standard of reasonableness is that it is really undefined. Anything in regulation and law that is undefined is scary, because context changes.”

That said, Roth is quick to add that, “most CCOs know their job and do it well. They have well detailed programs. They use progressive testing and oversight. But the trick remains supervision within the compliance program. That is what causes knees to knock. That expression, ‘failure to supervise’ is the one that keeps people up at night.”

Roth notes the two-sided challenge: there can be a failure of the system, or a failure to use the system. If a CCO designs a good system, but there is a lapse in supervision or execution, the best program in the world is no protection. Conversely, a poorly designed system is not much good even if it is rigorously supported.

If the challenge is dual, then the solution has to be as well, Roth suggests. “You’ve got to have a routine, but you have also got to check in with regulatory guidance. It is very important to codify your program, formalize who is and who is not a supervisor. Put everything in writing. That is how you can establish context.”

She also recommends comprehensive risk assessment. “You have many kinds of risk, regulatory, operational, personnel, and financial among them. Write everything down, showing both the likelihood of problems and the potential impact of a problem. Set your priorities. That will establish your thinking and decision-making process. It shows what you knew about, and what you did to address it. It proves your process was careful, informed, and above all: reasonable. It does not have to be perfect, it just has to be reasonable given what you knew at the time,” says Roth.

As a last piece of guidance she urges, “keep your head in the game. Rules will change and enforcement actions will shed new light on both new and old rules. Keep current with regulators, and with your colleagues.”

It is axiomatic among CCOs that enforcement actions and litigation are the best sources of information – that is, unless they are happening to you. “These challenges are not new,” says Brian Rubin, partner and head of the securities litigation and enforcement practice at Sutherland Asbill & Brennan in Washington, DC. Rubin has written frequently on the topic, and both he and Roth have spoken at recent industry events. Rubin focuses on “the supervision business,” paying special attention to “who is aware of what, and when, who is responsible for what, and what is the obligation to follow up personally or simply to inform.”

One of Rubin’s perspectives on the Urban case, as well as other recent litigation and enforcement actions, is that regulators themselves find it difficult to establish clear rules and discriminators. Rubin in particular cites an address given last February by SEC Commissioner Daniel Gallagher, which has become known for his reference to, some would say admission of, “murky” regulations.

Gallagher recapitulated several recent actions, then focused on the supervisory role. “The Commission’s failure-to-supervise cases, including the one I just discussed, have provided some modicum of clarity on the responsibilities of a person deemed to be a supervisor. As the Commission stated in Gutfreund, ‘It is not sufficient for [a supervisor] to be a mere bystander to events that occurred.’ Instead, a person deemed to be acting in a supervisory role must either discharge those responsibilities or know that others are taking appropriate action.

“In Gutfreund,” Gallagher continued, “the Commission explained that an in-house lawyer can be deemed a supervisor when other members of senior management ‘involve him as part of management’s collective response to the problem.’ What Gutfreund and similar proceedings make clear is that once a person becomes involved in formulating management’s response to a problem, he or she is obligated to take affirmative steps to ensure that appropriate action is taken.

“The question of what makes a legal or compliance officer a supervisor, however, remains disturbingly murky,” Gallagher stated plainly. “In searching for clarity on the issue, however, we must be mindful of the importance of the legal and compliance role and, critically, the ability of legal and compliance personnel to carry out their responsibilities.”

In that last caveat, some CCOs find sound footing. “The most important thing is to create a culture of compliance,” says John Malfettone, senior managing director, COO, and CCO at private equity firm Clayton Dubilier & Rice, in New York. He suggests that the culture of compliance can be more meaningful than the rules, and more supportive to a CCO. “The company can print whatever rules it wants, but if the culture is all about how to bend them, then you are going to have problems.”

Malfettone adds that “the CEO has to lead by example. Not only in following the rules himself, but by making it clear that following the rules is how the company flourishes. It’s not because the regulators say this is what you should do, but because this is what your colleagues and your employees and your shareholders or investors want. It is what your suppliers and bankers want.”

With a slightly heretical tone in his voice, Malfettone offers a fresh perspective on the growing regulatory burden for CCOs. “I know people will disagree, but I really don’t see it as overly burdensome. If you have a system, if you set it up well, if it is as clear and simple and automatic as it can be, if you train and communicate, if you make it realistic, if you test it, then in the end you should be okay. Your company will have a good track record, you will be known by regulators as someone who knows the rules and applies them. A good record and a good reputation are an advantage in our business, with regulators, with prospective employees, with all stakeholders.”