On March 17, 2022, FINRA issued Regulatory Notice 22-10 (“Notice”), which reminds FINRA member firms and their associated persons of the scope of supervisory liability for Chief Compliance Officers (“CCO”). The Notice discusses this liability in the context of FINRA Rule 3110, which, among other things, requires FINRA member firms to establish and maintain a system (including written procedures) to supervise the activities of each associated person in a manner that is reasonably designed to achieve compliance with applicable securities laws, regulations, and FINRA rules. The Notice covers the scope of individual liability under Rule 3110, the role of a CCO within a member firm, and the factors used by FINRA in assessing liability against a CCO under Rule 3110. In recognizing that CCOs play a key role in helping to promote strong compliance practices for the protection of investors, the market, and their firms, FINRA indicated that:
- The responsibility to meet the supervisory obligations of Rule 3110 rests with a member firm’s business management and supervisors;
- A compliance officer’s role is advisory, not supervisory;
- FINRA will first look to a firm’s business management and supervisors to determine responsibility for a failure to supervise charge;
- FINRA will not bring an enforcement action against a CCO unless the firm conferred supervisory responsibilities on the CCO and that CCO failed to reasonably discharge those responsibilities (based on a fact-intensive assessment); and
- Charges against CCOs for failures to supervise represent a small fraction of supervision-related FINRA enforcement actions.
Much like a train carrying potentially liable passengers under Rule 3110 for failure to supervise, the Notice maps different “train stops” along the way—based on individual facts and circumstances in combination with the factors discussed in the Notice—that may allow those passengers to exit the train before it reaches the destination of a formal enforcement action.
INDIVIDUAL SUPERVISORY LIABILITY UNDER FINRA RULE 3110
Rule 3110 imposes obligations on a member firm to reasonably supervise its activities and the activities of its associated persons in order to achieve compliance with federal securities laws, regulations, and FINRA rules. Under Rule 3110, member firms must have a supervisory system in place, including written procedures, and must designate a registered principal(s) to carry out these supervisory responsibilities. The Notice indicates that whether, and to what extent, an individual will be held liable under Rule 3110 depends upon the supervisory responsibility assigned to that individual, either express or implied. All individuals who are “supervisors” must investigate “red flags” of potential misconduct and act “reasonably” based upon the facts and circumstances of the particular situation in order to address those red flags. Under Rule 3110, FINRA may bring an enforcement action against any supervisor who fails to reasonably discharge those responsibilities.
The Notice states that supervisory obligations begin with the member firm’s president (or its equivalent), not its CCO. The president bears ultimate responsibility for fulfilling the firm’s supervisory obligations, which flow down by delegation to the firm’s supervisors.
THE CCO’S ROLE
FINRA states in its Notice that a CCO’s role is advisory, not supervisory. Citing NASD (FINRA’s predecessor) Notice to Members 99-45, the Notice explains that written compliance guidelines are separate and distinct from written supervisory procedures. Notice 22-10 at 2. The former establishes rules and procedures to follow and practices that are prohibited, while the latter sets forth a supervisory system to ensure that the compliance guidelines are followed.
While a CCO serves as the “primary advisor to the member on its overall compliance scheme and the particularized rules, policies and procedures that the member adopts” (FINRA Rule 3130, Supplementary Material .05), this function does not, by itself, impose supervisory obligations on a CCO. In certain circumstances, however, a CCO may hold other positions at the firm, including CEO, that may confer supervisory responsibility under Rule 3110. If an individual acts only as the CCO, however, the Notice indicates that a “more extensive assessment of liability under Rule 3110 may be needed.” Notice 22-10 at 3.
ASSESSING CCO LIABILITY UNDER RULE 3110
The Notice is limited to Rule 3110 and does not apply to other supervisory requirements under the federal securities laws. See id. at 6 n.2. The Notice also only focuses on CCOs and does not cover anti-money laundering compliance personnel or scenarios where CCOs are involved in misconduct unrelated to supervisory responsibilities. See id. at 6 n.3.
According to the Notice, FINRA will only bring an action against a CCO for failure to supervise if: 1) the firm has assigned to the CCO supervisory responsibilities; and 2) the CCO has failed to discharge those responsibilities in a reasonable manner. Id. at 4. FINRA emphasizes in the Notice that a CCO is not liable under Rule 3110 because of their compliance position alone.
Train Stop #1: Under the first part of the liability test, an assignment of supervisory authority may occur if:
- The firm’s written procedures assign the CCO the responsibility to establish, maintain, and update those procedures;
- The procedures give the responsibility of enforcing the procedures to the CCO or give the CCO other specific oversight duties typically reserved to line supervisors;
- A firm, through its president or other senior business manager, expressly or impliedly delegates to the CCO specific supervisory responsibilities on an ad hoc basis or as exigencies demand, such as reviewing trading activity in customer accounts or overseeing associated persons; or
- The CCO holds another position within the firm, such as CEO, that confers supervisory authority. Id. at 3.
In Scottsdale Capital Advisors, et al., Exchange Act Release No. 93052 (Sept. 17, 2021), the Commission set aside FINRA’s liability findings and sanctions against a CCO under NASD Rule 3010 (the predecessor to FINRA Rule 3110). The Commission found that the CCO had no responsibility for his firm’s compliance with Section 5 of the Securities Act and he never drafted or updated the firm’s procedures manual for Section 5. Id. at 16. The Commission recognized that the firm’s procedures were updated to place the responsibility for Section 5 compliance and procedures on the “General Principal,” not the CCO. Id. at 17. Since the written policies did not assign that supervisory responsibility to the CCO and there was “consistent and uniform testimony” that the CCO was not responsible for Section 5 compliance procedures or establishing and maintaining such procedures, the Commission set aside the finding that the CCO violated NASD Rule 3010. Id.
Train Stop #2: Assuming the scenario at hand passes the first part of the liability test and the passenger cannot exit the train at stop #1, FINRA will then consider whether the CCO failed to discharge those responsibilities in a “reasonable manner.” Notice 22-10 at 4. This inquiry “depends upon the facts and circumstances of a particular situation” and whether the conduct “was reasonable in terms of achieving compliance with the federal securities laws, regulations, or FINRA rules.” Id.
The Notice states that FINRA may weigh factors in favor of charging a CCO in a formal disciplinary action including, but not limited to:
- The CCO being aware of multiple red flags or actual misconduct and failing to take steps to address them;
- The CCO failing to establish, maintain, or enforce a firm’s written procedures related to the firm’s line of business;
- The CCO’s supervisory failure resulting in violative conduct; and
- The violative conduct causing or creating a high likelihood of customer harm. Id.
Some enforcement actions cited in the Notice help illustrate application of these factors:
- In Dep’t of Enforcement v. Cantone Research, Inc., No. 2013035130101, 2019 FINRA Discip. LEXIS 5, at *99-100 (NAC Jan. 16, 2019), the CCO, who was also the firm’s vice president, was found liable for failing to supervise the firm’s president in connection with a series of private placements. Under the firm’s written supervisory procedures, the CCO was tasked with reviewing emails and correspondence, maintaining the written supervisory procedures, and ensuring that her representatives “conducted thorough due diligence.” Id. at *99. The CCO became “aware of numerous red flags” during the offerings but failed to address them and thus was found liable for failing to supervise in violation of FINRA Rule 2010 and NASD Rule 3010, the predecessor to FINRA Rule 3110. Id. at *99-100. The CCO also had previously been suspended and fined by FINRA for failure to reasonably supervise a registered representative who had sold fraudulent investments and misappropriated $1.6 million of customers’ funds. Id. at *116. Based on these actions and prior disciplinary history, the CCO was suspended for two years in any principal or supervisory capacity and fined $73,000. Id. at *117. This decision is on appeal to the Commission. See Order Extending Time to Issue Decision, In the Matter of Application of Cantone Research, Inc., Exchange Act Release No. 94407 (Mar. 14, 2022).
- More recently, FINRA settled an action against a CCO under Rule 3110 for failing to establish any procedures related to collateralized mortgage obligations or the suitability of their recommendations. There, the firm’s written supervisory procedures required the CCO to establish and maintain a reasonable and supervisory system and written supervisory procedures for the firm’s business. See Ryan Carlson et al., Letter of Acceptance, Waiver, and Consent, at 4 (FINRA Case No. 2018060267902) (Mar. 29, 2021). The CCO also “was aware of red flags” regarding a representative but “did not follow up on these red flags and took no action to address” them even though he was required to do so under the firm’s written supervisory procedures. Id. at 5. As a result, FINRA imposed a $10,000 fine, suspended the CCO from association with any FINRA member firm in any principal capacity for 60 days, and required 20 hours of continuing education concerning supervisory responsibilities. Id. at 7.
Per the Notice, factors that may weigh against formally charging a CCO include, but are not limited to:
- The CCO having insufficient support in terms of staffing, budget, training, or otherwise to reasonably fulfill the supervisory responsibilities;
- The CCO being unduly burdened with competing functions and responsibilities;
- The CCO’s supervisory responsibilities being poorly defined, or being shared by others in a confusing or overlapping way;
- The firm joining with a new company, adopting a new business line, or making new hires, such that it would be appropriate to allow the CCO a reasonable time to update the firm’s systems and procedures; and
- The CCO attempting in good faith to reasonably discharge his or her designated supervisory responsibilities by, among other things, escalating to firm leadership when any of the above were occurring. Notice 22-10 at 5.
The Notice cites Thaddeus North, Exchange Act Release No. 84500, 2018 SEC LEXIS 3001 (Oct. 29, 2018), aff’d, 828 F. App’x 729 (D.C. Cir. 2020), where the SEC upheld FINRA’s findings that a CCO failed to perform supervisory duties assigned to him under his firm’s procedures. As part of its liability analysis, the North decision cited cases illustrating scenarios where compliance officers were not liable for failing to supervise. For example, sanctions were set aside against a compliance director who failed to timely respond to six letters requesting information sent by the NASD staff. See Richard J. Rouse, Exchange Act Release No. 32658, 1993 WL 276149 (July 19, 1993). The Commission declined to impose sanctions because the “failures at issue were caused by extraordinary demands” on the compliance director and the compliance group, which included 16-18 hour days and mass exits of compliance personnel in the wake of receiving and responding to numerous government and regulatory inquiries. Id. at *2, 5. The Commission also noted that the compliance director remained at the firm and improved its compliance procedures “and generally sought to maintain good relations with the NASD and other regulatory authorities.” Id. at *5. Proceedings were also dismissed against a general counsel with compliance responsibilities who allegedly caused his firm to violate securities laws because another official at the firm was tasked with overseeing the relevant activities and the general counsel was never asked to evaluate the relevant regulatory issues. See Scott G. Monson, Investment Company Act Release No. 28323, 2008 WL 2574441, at *5 (June 30, 2008); see also James Arthur Huff, Exchange Act Release No. 29017, 1991 WL 296561, at *4 (Mar. 28, 1991) (dismissing proceedings against a respondent with compliance responsibilities whose conduct “was less than exemplary” because the regulatory issue “had apparently been resolved to his superior’s satisfaction prior to his arrival” and “there were no new developments that raised substantial questions”).
Train Stops #3 & #4: Finally, the Notice indicates that FINRA may consider charging the firm or other individuals with more direct supervisory responsibility such as the president, executive manager, or business line supervisor, in lieu of the CCO (train stop #3). The Notice also states that FINRA can bring an informal action against the CCO by issuing a Cautionary Action Letter, particularly if it is the CCO’s first time violating Rule 3110 (train stop #4).
This Notice emphasizes that as advisors, not supervisors, CCOs are not automatically subject to supervisory liability. FINRA reminds its members that a firm’s business management and supervisors, not its CCO, are the primary focus under Rule 3110. Nevertheless, CCOs can still be liable based on an individualized, fact-intensive analysis of the CCO’s supervisory role (if any) within the firm, including if the firm’s written procedures confer supervisory authority on the CCO and if the CCO was aware of multiple red flags within the firm but failed to undertake steps to address them.
Compliance, supervisory, legal, and business functions should review the Notice to better understand the parameters of supervisory liability for CCOs under Rule 3110.