Not Even Trying To Be Compliant

I don’t like compliance officers being dragged into enforcement actions. If they are involved in the wrongdoing or are just a wholesale failure at compliance, I understand why.

Elliot Daniloff a/k/a Ilya Olegovich Danilov was the chief compliance officer of ED Capital Management, LLC, and its managing member and owner. The firm was a registered investment adviser. The parties consented to the SEC Order,

According to the SEC’s order, from fiscal years 2012 through 2016, the firm failed to distribute annual audited financial statements prepared in accordance with Generally Accepted Accounting Principles, to the investors in the largest private fund that it advised. Without the audited financial statements, the firm was repeatedly violating the Custody Rule.

It’s not that the firm didn’t try. It had engaged a PCAOB-registered firm for a few years to conduct an audit. The auditor couldn’t complete the audit and stated that it was “not able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion” and therefore did “not express an opinion” on whether the fund’s financial statements were prepared in accordance with GAAP. A disclaimer of opinion does not constitute the performance of an audit in accordance with Generally Accepted Auditing Standards and therefore doesn’t meet the compliance obligations of the Custody Rule.

The firm didn’t want to flag that deficiency in its Form ADV by failing to check the box that it sent out audited financial statements. The SEC’s order finds that Daniloff, on behalf of ED Capital, signed and filed annual Forms ADV that falsely stated that ED Capital did distribute audited financial statements to the fund’s investors.

The SEC’s order also finds that ED Capital failed to have written policies and procedures reasonably designed to prevent violations and failed to conduct the requisite annual reviews of its written policies and procedures. It’s not clear if it had any.

The mention to Daniloff as CCO is in part because he was also the firm’s principal and wearing more than one hat. It seems like he should have given the CCO hat to someone else.

Sources:

Compliance Officer Barred for Audit Failures

Regulatory actions against compliance officers catch my attention. I don’t think compliance should be the target unless compliance engaged in the wrongdoing. I saw the action against Joseph Storms, identified as a “compliance associate” and dove in.

Mr. Storms entered the securities industry as a compliance intern in 2005 with FINRA member firm Raymond James & Associates, Inc. I’m not sure what happened during the next ten years, but he is identified as being a compliance associate and was registered with Raymond James as a general securities representative and general securities principal from November 19, 2015 to March 24, 2017.

He was terminated and Raymond James filed the Form U5 in April 2017 reporting that it had discharged Storms for “improperly editing internal branch audit documents.” It took two years, but FINRA filed a complaint in January 2019.

During his time as a compliance associate, Storms’s primary responsibility was to audit branch offices and to perform any follow-up work that resulted from the audits. He would sent out online questionnaires and follow-up with the person depending on the answers.

An example given in the decision is an undisclosed outside business activity. If the response was yes, Storms had to find out more and make sure the firm approved it.

Apparently, that was too much work for Mr. Storms. He would dump the questionnaire responses into a spreadsheet and change the data. He changed 524 questions from 145 registered representatives for 60 branch audits. Instantly, he was caught up on his work.

Apparently his supervisor was not so easily fooled and questioned Mr. Storms about the altered data. I assume that lead to termination.

FINRA followed up with a possible disciplinary action. Apparently it was also too much work for him to respond to FINRA.

This all paints Mr. Storms in a bad light. He failed to even bother defending himself. I’m not sure there is a good defense.

Sources:

CCO Liability and Identity Theft

I’ve gotten worked up about CCO liability cases. Many have been sloppy about using consistent standards. A recent case case caught my eye because the CCO was charged because of identity theft.

At first I thought the case might be an aggressive position to charge the CCO because a cybersecurity breach resulted in identity theft at the firm. I opened the case and was ready to be angry. Then, I discovered it was very strange case.

The CCO was the one who had stolen identity information. So that bad activity clearly fall into the “CCO is involved in the wrongdoing” standard for CCO liability.

The reasons he stole employee identities?

From November 2011 through June 2015, [the CCO] forged the signatures of ten Firm employees and used their confidential personal information to create false online bidding accounts at three auction houses in their names, and to participate in 26 auctions, without the employees’ authorization. [the CCO] engaged in this conduct after the auction houses prohibited him from participating in auctions, because he had previously failed to pay for or collect items he had won at auction.

Definitely a case where the CCO was involved in the wrongdoing. Employees were harmed. Liability is clearly appropriate.

[Updated to remove the CCO name after a request and a review of remediation]

Sources:

Thaddeus North and CCO Liability

At a recent event, an official with the Securities and Exchange Commission tried to give some comfort to a room full of compliance officers that the SEC was not trying to saddle compliance officers with potential liability. He pointed us to the opinion in the matter of Thaddeus North.

The case was the Commission’s review of a FINRA disciplinary action. Mr. North was the Chief Compliance Officer of Southridge Investment Group. FINRA found Mr. North had been (1) failing to establish a reasonable supervisory system for the review of electronic correspondence, (2) failing to reasonably review electronic correspondence, and (3) failing to report a relationship with a statutorily disqualified person.

In Thaddeus North opinion, the SEC cites several cases of CCO liability. The Commission used those decisions to delineate that:

[I]n general, good faith judgments of CCOs made after reasonable inquiry and analysis should not be second guessed. In addition, indicia of good faith or lack of good faith are important factors in assessing reasonableness, fairness and equity in the application of CCO liability.

The North opinion cites four areas where a CCO could have liability:

  1. CCO engages in wrongdoing
  2. CCO attempts to cover up the fraud
  3. CCO crosses a clearly established line
  4. CCO fails meaningfully to implement compliance programs, policies, and procedures for which he or she has direct responsibility,

The third one is a new iteration. Frankly, I don’t know what it means. It’s not mentioned otherwise in the opinion.

In contrast to those four areas of liability the Commission opines that “disciplinary action against individuals generally should not be based on an isolated circumstance where a CCO, using good faith judgment makes a decision, after reasonable inquiry, that with hindsight, proves to be problematic “

Apparently, everything in between is a matter-specific analysis that should involve informed judgment by the Commission.

The SEC found North in the middle ground and found him liable. The opinion states that “North failed to make reasonable efforts to fulfill the responsibilities of his position.” That is a not one of the four listed areas of CCO liability. The Commission adds in that North’s actions were egregious and he repeatedly failed to perform some compliance functions.

I find the opinion frustrating if it’s trying to allay concerns about CCO liability. The SEC states the four areas, then says that North did something that was not in one of those four areas. The Commission uses the “failed to make reasonable efforts” standard on liability for North, instead of the fourth area’s “fails meaningfully to implement.”

Would it have been too hard for the Commission to use the same standard just set forth in the prior paragraph? That would have made me feel better about CCO liability instead of creating a broader standard for CCO liability.

Sources:

Commissioner Peirce on CCO Liability

Enforcement actions by financial regulators can cause compliance professionals to rethink their career choice.

In the majority of cases the SEC brings against CCOs, (1) the compliance officers are involved in misconduct that is unrelated to their compliance function or (2) the CCOs have engaged in efforts to obstruct or mislead the investigation. Typically in these cases, the targeted compliance officers wore more than one hat.

But not always. Take a look at the Southwind Case.

Court E. Golumbic, a Participating Managing Director and the global head of Financial Crime Compliance for the Goldman Sachs Group, Inc. put it this way:

“Regardless of the cause, the resulting ‘chilling effect’ on financial sector compliance officers should raise an alarm. The level of ensuing ‘brain drain’ could diminish significantly the efficacy of financial sector compliance programs, and the integrity of the industry more generally.”

http://www.hastingslawjournal.org/wp-content/uploads/Golumbic-69.1.pdf

SEC Commissioner Hester Peirce tried to assuage fears at the National Membership Conference of the National Society of Compliance Professionals. She agreed that the SEC should tread carefully when bringing enforcement actions against compliance personnel and should not pursue enforcement actions based on strict liability for CCOs under Rule 206(4)-7.

Sources:

CCO Liability for Wholesale Failure

A few years ago, the SEC had expressed an unwillingness to prosecute CCOs, except in three extreme circumstances:

  1. Participating in the wrongdoing
  2. Hindering the SEC examination or investigation
  3. Wholesale failure

Some of the past actions imposing CCO liability have left me uncertain that these are the correct standards.

A COO liability case that I missed does a better job of showing a case of “Wholesale failure.”

Anthony LaPeruta was the CCO of Southwind Associates of NJ Inc. (d/b/a Villafranco Wealth Management). From the facts laid out in the enforcement order, he did a bad job as CCO. Bad enough to be considered “wholesale failure” leading to a bar from acting in a supervisory or compliance capacity at any SEC registered entity.

Southwind was subject to OCIE exams in 2003, 2006 and 2013. It was the last one that lead to the enforcement action.

Southwind had hired a consultant in 2011 to review the compliance program. Based on that review, the firm published a new compliance manual. The consulatant reported 59 action items that the firm had to fix. Southwind failed to timely implement the majority of the consultant’s action items.

Custody can be tough at the margins. Southwind’s failure was not at the margins. The firm failed to have the required surprise exam for the accounts that Southwind had custody. For the pooled investment vehicles that Southwind managed, the firm failed to distribute audited financial statement to comply with the Custody Rule. When it finally did, it chose an independent accountant that was not subject to regular inspection by the PCAOB and, therefore, was not qualified to perform audits for purposes of Rule 206(4)-2(b)(4).

Southwind failed to preserve required electronic communication. One attempt was to have its IT specialist send all sent and received client communication to a Gmail account. Even if this could have worked, the firm lost access to the account when the IT specialist left the firm. Some other information was on hard drives that ended up damaged.

Southwind failed to implement privacy safeguards to comply with Regulation S-P. Sending all that email to Gmail was considered putting the information at risk.

La Peruta never engaged in any annual review of Southwind’s written policies and procedures as required by the Compliance Rule.

All of these rules violations were identified by the compliance consultant and Southwind failed to fix the problems. LaPeruta as the CCO was the one who was responsible for these problems and failing to fix them.

I would agree that this was a “wholesale failure.” The SEC failed to use this language instead it said: “LaPeruta willfully aided and abetted and caused Southwind’s violations of Sections 204(a) and 206(4) of the Advisers Act and Rules 204-2(a)(7), 206(4)-2, and 206(4)-7 thereunder and Rule 30(a) of Regulation S-P, 17 C.F.R. § 248.30(a).”

I guess that means “willfully aiding and abetting and causing” a rules violation is a wholesale failure.

Sources:

Another CCO Liability Case and the SEC Complains about “May” Instead of “Will”

The SEC’s complaint against Temenos Advisory, Inc. and George L. Taylor paints a very bad picture for the firm and its Chief Compliance Officer. In this case, the CCO is also the CEO, founder and majority owner of Temenos.

A few years ago, the SEC had expressed an unwillingness to prosecute CCOs, except in three extreme circumstances:

  1. Participating in the wrongdoing
  2. Hindering the SEC examination or investigation
  3. Wholesale failure

The Temenos case falls clearly in category 1. The CCO participated in the alleged wrongdoing. I’m not going to lose any sleep over this case.

And the picture painted by the SEC is one of blatant wrongdoing. Taylor concealed from clients that he and the firm were pocketing high commissions from the sales of the investment recommendations. Taylor is also accused of misleading clients about the risks and prospects of the investments. To top things off, the SEC alleges that Temenos grossly overbilled some of their advisory clients using an inflated value for the investment.

It’s not wrong for advisers to take commissions from the sale of products. But it needs to be disclosed to clients. In the complaint, the SEC once again expresses its displeasure of an adviser saying it “may” receive a commission from the sale of a product. The SEC claims that Temenos should have told its clients that it was routinely receiving fees for investments in the private placement offerings and that the fees were many times larger than the advisory fees the clients were paying for advice.

I thought this “may” versus “will” was killed with the Robare case. The ruling stayed away from the distinction between “may” and “will” by pointing out that the disclosure was inadequate to explain the fee sharing arrangement and how it could influence Robare to recommend one fund over another.

According to the complaint, Temenos did disclose the commission scheme in some instances, but not others, and in some cases understated the commission.

Of course, if you are going to get paid a commission, you need to be registered as a broker-dealer. Temenos was not. According to the complaint, Temenos was not conducting the basic level of diligence required by broker-dealers when selling private investment products.

Temenos also had a valuation problem. The firm carried the private placement interests at the cost of the original investment and never adjusted the value up or down. Of course, a firm can do that if it’s disclosed to investors and it’s part of its policies and procedures. The SEC states that the Temenos policy was to value a hard-to-price or illiquid securities at $0.

According to SEC complaint Temenos went ever further down the fraud curve and used values based on overstated cost. In one instance, the statement said the client had made a $200,000 investment when she had only made a $100,000 investment.

Sources:

Follow Up on the Osunkwo CCO Liability

I was quite bothered by the Osunkwo CCO liability case that, on its face, sanctioned a CCO for misstating a firm’s assets under management. A few years ago, the SEC had expressed an unwillingness to prosecute CCOs, except in three extreme circumstances:

  1. Participating in the wrongdoing
  2. Hindering the SEC examination or investigation
  3. Wholesale failure

None of those were indicated in the administrative order against Mr. Osunkwo.

I had gone through the SEC filings to see if I could find something that more devious that make me feel less uneasy about this sanction against a CCO for errors on the Form ADV.

In the Diamond CCO liability case earlier this year, that CCO was also sanctioned for mistakes on a Form ADV filing. Ms. Diamond had stated that the private fund was subject to annual GAAP audits by a third party auditor to comply with the custody rule. In fact, the fund was not and was a fraud. Investors lost money because the CCO did not do her job.

I thought the SEC did a poor job in the administrative order by not lining up the pieces to state that there was a wholesale failure and investors lost money because of that failure. But at least the fraud was mentioned in that order.

There was no indication of fraud in the Osunkwo administrative order. There is a mention that Aegis Capital and Circle One are no longer registered as investment advisers.

indicted for stealing investor money that was supposed to be used to fund the acquisition and consolidation of small to mid-sized RIAs. Those principals, John Lakian and Diane Lamm are accused of diverting some of that money for personal uses.

I have not had time to pull together all of charges, but it looks like the SEC is placing liability on Osunkwo for indirect losses. I have not found any documents that accuse anyone of pilfering money from the investment adviser clients at the firms that Osunkwo was CCO. Instead, it’s the losses from the investors in the RIA holding company that lead to the CCO liability.

I assume that the holding company was valuing an acquired RIA at $X per AUM. By overstating the AUM in the RIA, Osunkwo was allowing the holding company to overstate the value of its holdings. Investors and and lenders to the holding company sustained losses indirectly because of the Form ADV overstatement of AUM.

I don’t like this expansion of CCO duties and expansion of CCO liability. It’s stretching the obligations of the CCO to not only protect the clients of an investment adviser, but the investors in the owner of the investment adviser.

Sources:

CCO Sanctioned for Incorrect Form ADV Filings

According to the Securities and Exchange Commission, David I. Osunkwo failed as a CCO for incorrectly stating the amount of AUM and the number of clients for two affiliated investment advisers. Mr. Osunkwo relied on estimates provided to him by the Chief Investment Officer. For that, he was fined $30,000 and suspended for a year from certain jobs related the investment adviser and securities industry. Unfortunately, this is another instance of the SEC publishing a case that increases the potential liability for CCOs.

Osunkwo served in 2010 and 2011 as the chief compliance officer at Aegis Capital LLC and Circle One Wealth Management LLC. The firms had outsourced CCO duties to a third-party provider called Strategic Consulting Advisors LLC, where Osunkwo was a principal. As part of the outsourcing, Osunkwo was designated CCO of both firms. Osunkwo was tasked with preparing a consolidated 2010 year-end Form ADV for Circle One that would reflect its merger with Aegis under the same parent company, Capital L Group LLC.

According to the SEC, Osunkwo reviewed information of Aegis Capital’s and Circle One’s investment management business and client accounts including 2009 year’s ADV. For 2010 AUM and account information, Osunkwo relied on estimates provided to him by the CIO.

The SEC said the CIO sent Osunkwo an email that stated:

David – . . . I believe AUM was as follows on 12/31 Funds: $36,800,000 Schwab/Fidelity: $96,092,701 (1,179 accounts) (not sure how many customers) Circle One: probably higher than $50m, but hopefully [another employee] told you a number today Total is in the $182.89m range . . . .

I assume that Osunkwo could not show that he relied on anything other than this email.

The problem is that the actual combined AUM of Aegis Capital and Circle One was only $62,862,270.28. The Form ADV overstated the AUM by 190%  The Form ADV also overstated the total client accounts by at least 1,000 accounts, which was off by 340%.

The SEC does not lay out any facts in the order that shows Osunkwo knew the statements were incorrect. On its face, the SEC is imposing liability on a CCO solely related to the compliance operations of a CCO, with no evidence of fraud.

The SEC did not point out that any investors were harmed. This is in contrast to the Diamond CCO liability case where her firm was involved in fraud and her actions effectively covered up that fraud.

The parallel case against Aegis Capital and Circle One Wealth is all about recordkeeping and filing violations. There is no indication of harm to the clients.

At one point the SEC had expressed an unwillingness to prosecute CCOs except in three extreme circumstances:

  1. Participating in the wrongdoing
  2. Hindering the SEC examination or investigation
  3. Wholesale failure

In the case against Mr. Osunkwo, I don’t see any of these three circumstances. Nor does the SEC state or imply that any of these circumstances had occurred. Nor is there any allegation of fraud or harm to clients.

On the face of the order, Mr. Osunkwo relied on the CIO for information included on the Form ADV and as a result he was sanctioned. That leaves all CCOs having to wonder how far they must go to verify information on Form ADV filings. This case tells me that I can’t rely on information from senior firm employees when preparing a Form ADV. Add in the Diamond case, I have to be concerned about what information the SEC thinks I should have known when filling out the Form ADV.

Sources:

CCO Liability: What Risks Remain and What You Can Do to Minimize Them

IA Watch produced an informative webinar on CCO Liability. These are my notes.

  • Carl Ayers (Moderator)  Publisher, Regulatory Compliance Watch
  • Brian Moran, Executive director and CCO Sterling Capital Management
  • Joseph McGill, J.D., Chief Compliance Officer Lord, Abbett & Co.
  • Kelley Howes, Counsel Morrison Foerster
  • Heidi Vonderheide of Ulmer & Berne LLP

First up was Heidi. Her firm is working on two CCO liability cases: the Robare case and the Blue Ocean Case with Jim Winkelmann.

These cases are on hold waiting for the Supreme Court to rule on the constitutionality of ALJ system.

The Robare discuss is a disclosure case. There was no evidence that there was any harm to customers.

Will the new leadership of the SEC change the CCO liability equation? It’s probably unlikely. Any case we see has likely been in the works for awhile. So any trend will take a while to show itself.

Kelley tackled what the SEC expects of CCOs. The number one item is to focus on the fiduciary duty of an investment adviser. A CCO should show a clear understanding of the firm’s business and associated risks. The CCO needs to now the regulations and how it integrates into the firm’s operations and disclosures.

The CCO should be in a position to be effective by having some independence and respect in the organization.

The SEC recognizes that the CCO role is hard and only wants to go after CCOs involved in wrongdoing or are asleep at the switch.

That being said, some of the SEC’s CCO cases don’t seem to follow the statements of the SEC.

Joseph emphasized the need for a conflicts matrix that gets reflected in the polices and procedures. The number one thing to focus on is not fixing a deficiency noted in a prior exam.

Brian highlighted the issues that arise when the CCO has other responsibilities. (A jack of all trades; a master of none.) He pointed out that many of the CCO case involved CCOs who wore more than one hat.  Most of the cases involved compliance personnel who affirmatively participated in the misconduct, misled regulators or failed to carry their responsibilities.

What about D&O insurance? It would be usual for a CCO to not be covered. A CCO is an officer of the firm. There is likely a fraud exclusion. There may be a question of whether it covers all of the enforcement and litigation costs.