CORPORATE RESPONSIBILITY FOR OVERSEEING COMPLIANCE EXECUTIVES
18 May 2016, Bachir El Nakib (CAMS) Senior Consultant Compliance Alert LLC
In a case that goes to the heart of corporate responsibility for overseeing compliance executives, the U.S. Securities and Exchange Commission has barred two principals of an investment adviser for failing to supervise their company’s chief compliance officer. The now-former CCO has been separately indicted for customer asset misappropriation.
The case highlights the obligation SEC-registered firms have in confirming and actively assessing how well their compliance officers are meeting the firm’s compliance program responsibilities under federal securities laws.
The SEC alleged that James Budden and Alexander Budden, principals of Professional Investment Management (PIM), a third-party provider of administrative and investment advice services to around 15 retirement plan clients, failed to regulate the work of their chief compliance officer at the time, Douglas Cowgill, who has been charged with misappropriating more than $840,000 from the firm’s customers.
As noted in its two April 27 cease-and-desist orders – one against the Buddens and the other against PIM -- the commission revoked the registration of Ohio-based PIM, capping off a saga that goes back two years and involves employee malfeasance, deficient internal controls to prevent misconduct and a lack of oversight over a key person with significant discretion in the business.
Background
PIM had about $125 million in assets under management and provided third-party administrative and investment advisor services to about 15 retirement plan clients. Those clients consisted of 325 participants who owned about 425 individual retirement accounts that PIM advised. In addition, PIM provided advisory services to 25 individual clients for non-retirement accounts. The firm maintained custody of client assets.
James and Alexander Budden were co-owners of PIM, with James owning the majority share. Both Buddens supervised several employees, including Cowgill.
Cowgill joined the firm in 1981 and held several positions before becoming the CCO in 2004.
The SEC brought a civil action against the firm and Cowgill in April 2014 in the U.S. District Court for the Southern District of Ohio, which led to revocation of the adviser's registration.
PIM was registered with the SEC from 1978 until September 30, 2013, when it withdrew its registration. PIM never subsequently registered with the state of Ohio, despite telling commission staff that it would, and "is now operating illegally without Commission (or state) registration," the SEC’s complaint said.
In the April 2014 action, the SEC contended that from at least December 2010 to December 2013, PIM had reported in its account statements to clients that they collectively held approximately $7.7 million in a money-market fund, when the fund actually held only approximately $6.9 million. The SEC also said that PIM disguised the shortfall by issuing falsified reports to commission staff.
The discrepancy was discovered when the SEC conducted an examination of the firm to verify the existence of client assets after the agency questioned the firm’s custody-rule adherence and decided to investigate the matter.
During this time, the SEC said, Cowgill tried to disguise the shortfall from examiners in client accounts by entering fake trades in PIM’s account records.
“[Cowgill] also later transferred funds from a cash account at another financial institution to eliminate the shortfall in the money market fund account,” the SEC said. The transfer simply “moved the shortfall from one asset holding to another in an effort to avoid detection,” the SEC said, calling it “a shell game.”
After the federal court issued its judgment by consent against Cowgill in September 2014, the SEC barred Cowgill from the securities industry.
Criminal charges followed for Cowgill in March 2015. He pled guilty to five counts of wire fraud, 19 counts of theft or embezzlement from an employee benefit plan, and 21 counts of perjury, according to a court-issued amended judgment.
He was sentenced to four years in prison and ordered to pay more than $840,000 in restitution. Cowgill’s criminal matter is ongoing.
The SEC banned James Budden for three years and fined him $125,000, while Alexander received a two-year ban and a $75,000 fine.
The April 27 cease-and-desist orders from the SEC represent the agency’s settlement agreements with the Buddens and PIM that formally revoked the adviser’s registration after operating under a court-appointed receiver since May 15, 2014.
CCO individual liability
In discussing the topic of individual liability and CCOs, the SEC's enforcement division director, Andrew Ceresney said last November that the commission will bring such charges only in "egregious circumstances," and he outlined those circumstances.
They are:
The latter category has been deemed by some in the industry and some overseeing it -- like former SEC Commissioner Daniel Gallagher -- to be too ill-defined and harsh. In a June 2015statement, Gallagher warned that such cases "fly in the face of my admonition" to "tread carefully when bringing enforcement actions against compliance personnel."
Furthermore, within this category, the SEC has charged CCOs with failing to meet the requirements of Rule 206(4)-7, the Compliance Program Rule, mandating that registered investment advisers to designate a chief compliance officer, adopt and implement written policies and procedures reasonably designed to prevent violations of the Investment Advisers Act of 1940, and review at least annually the adequacy of those policies and procedures.
The Compliance Program Rule undergirds the two proceedings against Cowgill, the criminal aspect of which is still winding its way through the courts.
Failure to supervise
The SEC said that the Buddens "failed to adopt or implement any policies or procedures regarding their supervision of Cowgill." Instead, they "merely confirmed, without ever confirming, that Cowgill performed his responsibilities in compliance with the federal securities laws."
The co-chief executives failed to ensure that Cowgill satisfied the firm’s compliance program obligations, namely, performing custody exams and compliance reviews.
The Buddens "failed to adopt or implement any policies or procedures regarding their supervision of Cowgill," the SEC said. They "merely assumed, without ever confirming, that Cowgill performed his responsibilities in compliance with the federal securities laws."
The agency alleged that the Buddens' failure to supervise Cowgill led to violations of 206(4)-7 and the Custody Rule (Rule 206(4)-2).
As the SEC noted, the CEOs never provided any funding, training or resources to support Cowgill in his CCO efforts.
They took no steps to assure that Cowgill or anyone else conduct compliance reviews at least annually, or to engage an independent accountant to conduct an annual surprise examination to verify all client assets of which PIM had custody.
They also failed to ensure that PIM had established policies and procedures -- and the controls necessary to ensure their effectiveness -- which could have prevented client assets from being misappropriated.
The SEC observed that the Buddens learned from the accounting firm in 2013 that Cowgill had not engaged it since 2011 to perform audits, and discovered he had not used any other firm, but took no disciplinary action against him.
To the contrary. In July 2013, each of the men executed a stock purchase agreement in which they agreed to sell all of their interest in PIM to Cowgill.
In its settlement with the Buddens the SEC charged the men with failing to reasonably supervise Cowgill within the meaning of Rule 203(e)(6), plus caused PIM to violated the Compliance Program and Custody rules.
Lessons
From the facts of the case, it appears the Buddens were prepared to sell their business to Cowgill.
Prior to sale, however, their actions also appear to show an abandonment of their regulatory obligations to ensure their business maintained and enforced an effective compliance program designed to protect their clients.
The issues in this enforcement speak volumes about the importance of compliance programs that are tailored to the business and that connect people and processes through a written set of guidance and specific procedures.
An effective compliance program offers such guidance based on the work the firm performs, types of customers it has, locations it operates, and business suppliers it uses. That way, employees know their responsibilities, which procedures are supposed to be followed, and what questions should be asked to safeguard against regulatory violations.
SEC Rule 206(4)-7 under the Advisers Act and new rule 38a-1 under the Investment Company Act require registered investment advisers and each fund to adopt and implement compliance programs that conform to its rules.
Officials from the SEC’s Office of Inspections and Examinations (OCIE) have urged advisers not to buy an "off-the-shelf" compliance manual. They have stated on numerous occasions that if they find compliance manuals that are not specific to the adviser’s business, they will assume that compliance is not well-respected by these firms, determine that these firms are at high risk of violations, and will likely conduct a top-to-bottom, in-depth review of the firm's entire operations.
Next, while the SEC certainly expects an investment adviser to develop a compliance manual that meets all of the requirements of the Advisers Act, it is the development of a culture of compliance that actually drives SEC examination and enforcement policies.
An adviser's compliance manual is but one step in the development of a culture of compliance. Advisers must also develop compliance procedures to implement such policies; monitor and enforce compliance policies and procedures; review and update compliance policies and procedures; and maintain effective book- and record-keeping of compliance policies and procedures.
No compliance program will be effective unless the controls designed to operate independent of those who designed them actually operate; that is, those controls in the firm that detect possible violations must exist and work as designed.
There are few more serious breaches of trust than those involving the custody of client assets.
The firm should have a procedure for selecting and screening those who will have with access to client assets and require that all of the processes for accessing assets for any reason are well-documented.
The firm should require dual authorization for movement of assets within, and withdrawals and transfers from, a client’s account, and changes to account ownership information.
And the firm should limit the number of employees permitted to interact with custodians and segregate the duties of advisory services from those of custodial services, ensuring clear independence with regard to who maintains the custody of client assets.
Firms must take seriously the annual surprise examination of custodial assets by an independent public accountant as mandated by the rule and enter into a written agreement with the accountant that memorializes this fact.
The adviser must inform the SEC of the nature and scope of this examination and notify the SEC within one business day of any finding of material discrepancies during the course of the examination.
The case highlights the obligation SEC-registered firms have in confirming and actively assessing how well their compliance officers are meeting the firm’s compliance program responsibilities under federal securities laws.
The SEC alleged that James Budden and Alexander Budden, principals of Professional Investment Management (PIM), a third-party provider of administrative and investment advice services to around 15 retirement plan clients, failed to regulate the work of their chief compliance officer at the time, Douglas Cowgill, who has been charged with misappropriating more than $840,000 from the firm’s customers.
As noted in its two April 27 cease-and-desist orders – one against the Buddens and the other against PIM -- the commission revoked the registration of Ohio-based PIM, capping off a saga that goes back two years and involves employee malfeasance, deficient internal controls to prevent misconduct and a lack of oversight over a key person with significant discretion in the business.
Background
PIM had about $125 million in assets under management and provided third-party administrative and investment advisor services to about 15 retirement plan clients. Those clients consisted of 325 participants who owned about 425 individual retirement accounts that PIM advised. In addition, PIM provided advisory services to 25 individual clients for non-retirement accounts. The firm maintained custody of client assets.
James and Alexander Budden were co-owners of PIM, with James owning the majority share. Both Buddens supervised several employees, including Cowgill.
Cowgill joined the firm in 1981 and held several positions before becoming the CCO in 2004.
The SEC brought a civil action against the firm and Cowgill in April 2014 in the U.S. District Court for the Southern District of Ohio, which led to revocation of the adviser's registration.
PIM was registered with the SEC from 1978 until September 30, 2013, when it withdrew its registration. PIM never subsequently registered with the state of Ohio, despite telling commission staff that it would, and "is now operating illegally without Commission (or state) registration," the SEC’s complaint said.
In the April 2014 action, the SEC contended that from at least December 2010 to December 2013, PIM had reported in its account statements to clients that they collectively held approximately $7.7 million in a money-market fund, when the fund actually held only approximately $6.9 million. The SEC also said that PIM disguised the shortfall by issuing falsified reports to commission staff.
The discrepancy was discovered when the SEC conducted an examination of the firm to verify the existence of client assets after the agency questioned the firm’s custody-rule adherence and decided to investigate the matter.
During this time, the SEC said, Cowgill tried to disguise the shortfall from examiners in client accounts by entering fake trades in PIM’s account records.
“[Cowgill] also later transferred funds from a cash account at another financial institution to eliminate the shortfall in the money market fund account,” the SEC said. The transfer simply “moved the shortfall from one asset holding to another in an effort to avoid detection,” the SEC said, calling it “a shell game.”
After the federal court issued its judgment by consent against Cowgill in September 2014, the SEC barred Cowgill from the securities industry.
Criminal charges followed for Cowgill in March 2015. He pled guilty to five counts of wire fraud, 19 counts of theft or embezzlement from an employee benefit plan, and 21 counts of perjury, according to a court-issued amended judgment.
He was sentenced to four years in prison and ordered to pay more than $840,000 in restitution. Cowgill’s criminal matter is ongoing.
The SEC banned James Budden for three years and fined him $125,000, while Alexander received a two-year ban and a $75,000 fine.
The April 27 cease-and-desist orders from the SEC represent the agency’s settlement agreements with the Buddens and PIM that formally revoked the adviser’s registration after operating under a court-appointed receiver since May 15, 2014.
CCO individual liability
In discussing the topic of individual liability and CCOs, the SEC's enforcement division director, Andrew Ceresney said last November that the commission will bring such charges only in "egregious circumstances," and he outlined those circumstances.
They are:
- When a CCO is "affirmatively involved in misconduct" unrelated to his or her compliance function.
- When a CCO engages in efforts "to obstruct or mislead" the Commission staff, or
- When a CCO has exhibited a "wholesale failure to carry out his or her responsibilities."
The latter category has been deemed by some in the industry and some overseeing it -- like former SEC Commissioner Daniel Gallagher -- to be too ill-defined and harsh. In a June 2015statement, Gallagher warned that such cases "fly in the face of my admonition" to "tread carefully when bringing enforcement actions against compliance personnel."
Furthermore, within this category, the SEC has charged CCOs with failing to meet the requirements of Rule 206(4)-7, the Compliance Program Rule, mandating that registered investment advisers to designate a chief compliance officer, adopt and implement written policies and procedures reasonably designed to prevent violations of the Investment Advisers Act of 1940, and review at least annually the adequacy of those policies and procedures.
The Compliance Program Rule undergirds the two proceedings against Cowgill, the criminal aspect of which is still winding its way through the courts.
Failure to supervise
The SEC said that the Buddens "failed to adopt or implement any policies or procedures regarding their supervision of Cowgill." Instead, they "merely confirmed, without ever confirming, that Cowgill performed his responsibilities in compliance with the federal securities laws."
The co-chief executives failed to ensure that Cowgill satisfied the firm’s compliance program obligations, namely, performing custody exams and compliance reviews.
The Buddens "failed to adopt or implement any policies or procedures regarding their supervision of Cowgill," the SEC said. They "merely assumed, without ever confirming, that Cowgill performed his responsibilities in compliance with the federal securities laws."
The agency alleged that the Buddens' failure to supervise Cowgill led to violations of 206(4)-7 and the Custody Rule (Rule 206(4)-2).
As the SEC noted, the CEOs never provided any funding, training or resources to support Cowgill in his CCO efforts.
They took no steps to assure that Cowgill or anyone else conduct compliance reviews at least annually, or to engage an independent accountant to conduct an annual surprise examination to verify all client assets of which PIM had custody.
They also failed to ensure that PIM had established policies and procedures -- and the controls necessary to ensure their effectiveness -- which could have prevented client assets from being misappropriated.
The SEC observed that the Buddens learned from the accounting firm in 2013 that Cowgill had not engaged it since 2011 to perform audits, and discovered he had not used any other firm, but took no disciplinary action against him.
To the contrary. In July 2013, each of the men executed a stock purchase agreement in which they agreed to sell all of their interest in PIM to Cowgill.
In its settlement with the Buddens the SEC charged the men with failing to reasonably supervise Cowgill within the meaning of Rule 203(e)(6), plus caused PIM to violated the Compliance Program and Custody rules.
Lessons
From the facts of the case, it appears the Buddens were prepared to sell their business to Cowgill.
Prior to sale, however, their actions also appear to show an abandonment of their regulatory obligations to ensure their business maintained and enforced an effective compliance program designed to protect their clients.
The issues in this enforcement speak volumes about the importance of compliance programs that are tailored to the business and that connect people and processes through a written set of guidance and specific procedures.
An effective compliance program offers such guidance based on the work the firm performs, types of customers it has, locations it operates, and business suppliers it uses. That way, employees know their responsibilities, which procedures are supposed to be followed, and what questions should be asked to safeguard against regulatory violations.
SEC Rule 206(4)-7 under the Advisers Act and new rule 38a-1 under the Investment Company Act require registered investment advisers and each fund to adopt and implement compliance programs that conform to its rules.
Officials from the SEC’s Office of Inspections and Examinations (OCIE) have urged advisers not to buy an "off-the-shelf" compliance manual. They have stated on numerous occasions that if they find compliance manuals that are not specific to the adviser’s business, they will assume that compliance is not well-respected by these firms, determine that these firms are at high risk of violations, and will likely conduct a top-to-bottom, in-depth review of the firm's entire operations.
Next, while the SEC certainly expects an investment adviser to develop a compliance manual that meets all of the requirements of the Advisers Act, it is the development of a culture of compliance that actually drives SEC examination and enforcement policies.
An adviser's compliance manual is but one step in the development of a culture of compliance. Advisers must also develop compliance procedures to implement such policies; monitor and enforce compliance policies and procedures; review and update compliance policies and procedures; and maintain effective book- and record-keeping of compliance policies and procedures.
No compliance program will be effective unless the controls designed to operate independent of those who designed them actually operate; that is, those controls in the firm that detect possible violations must exist and work as designed.
There are few more serious breaches of trust than those involving the custody of client assets.
The firm should have a procedure for selecting and screening those who will have with access to client assets and require that all of the processes for accessing assets for any reason are well-documented.
The firm should require dual authorization for movement of assets within, and withdrawals and transfers from, a client’s account, and changes to account ownership information.
And the firm should limit the number of employees permitted to interact with custodians and segregate the duties of advisory services from those of custodial services, ensuring clear independence with regard to who maintains the custody of client assets.
Firms must take seriously the annual surprise examination of custodial assets by an independent public accountant as mandated by the rule and enter into a written agreement with the accountant that memorializes this fact.
The adviser must inform the SEC of the nature and scope of this examination and notify the SEC within one business day of any finding of material discrepancies during the course of the examination.