- The U.S. Securities and Exchange Commission (SEC) continues to bring failure-to-supervise cases against registered firms and their senior management – including their chief executive officers – for allegedly not responding reasonably to red flags relating to their representatives’ misconduct.
- Written compliance policies and procedures – especially with respect to onboarding and monitoring high-risk representatives – form the basis of any supervisory program and demonstrate whether a firm and its senior management are fulfilling their oversight responsibilities.
- In a notable takeaway for the compliance industry, the SEC did not bring any charges against the firm’s chief compliance officer (CCO) but instead appears to credit the CCO’s warnings and efforts to address the red flags surrounding the representative’s misconduct.
On Nov. 3, 2022, the SEC announced a consent order against a registered investment adviser (RIA) and its chief executive officer (CEO) for failing to reasonably supervise one of the RIA’s investment adviser representatives (Representative), who misappropriated over $700,000 from clients purportedly for his outside business activities. In the Matter of Horter Investment Management, LLC and Drew K. Horter, SEC Administrative Proceeding File No. 3-20531 (Nov. 3, 2022). Significantly, the SEC did not bring charges against the RIA’s CCO and instead noted the CCO investigated and alerted the RIA and CEO to certain red flag concerns and advised them of the need for additional written policies and procedures.
Given ongoing concerns about compliance officer liability, this enforcement action can provide guidance to CCOs on the actions they can take to try to avoid being charged by the SEC for alleged regulatory failures by their firms and firm representatives. This enforcement action should also demonstrate that the SEC will find senior management liable for failing to reasonably implement an effective compliance program and reasonably respond to red flags with which they are confronted. Ultimately, the allegations in the consent order are instructive on the SEC’s current thinking of supervisory liability and what it believes to be reasonable responses to red flags.
Every adviser must establish, maintain and enforce written compliance policies and procedures that are reasonably designed to prevent violations of applicable law and protect client assets. These procedures must be tailored to each adviser’s specific business issues and must evolve with changes to an adviser’s structure or business concerns. The enforcement of these procedures and supervision of representatives thereunder are ultimately the responsibility of the adviser’s senior management. As further discussed below, it is the failure to create and enforce such procedures that the SEC charged the RIA and CEO in the Horter Investment case.
- Red Flag Identification and Resolution. Advisers and their senior management must reasonably investigate red flags and ensure that such are adequately addressed to protect the adviser and its personnel, representatives and clients. In Horter Investment, the RIA and CEO allegedly ignored multiple red flags that occurred throughout the period that the Representative was being onboarded and employed by the RIA, including (a) FINRA’s inquiry regarding the Representative’s alleged improper conduct as disclosed in the Representative’s Form U5 (discussed further in (2) below); (b) the identification of the Representative as high risk and his need for heightened supervision (discussed further in (3) below); (c) third-party distribution requests pursuant to which the Representative directed the RIA’s client’s funds to the Representative or one of his businesses (discussed further in (4) below); and (d) the Representative’s aggressive capital raises for his outside business activities. According to the SEC, each one of these red flags should have been investigated by the RIA and CEO and, if any one of them had been, the damage caused by the Representative would have been limited if not eliminated.
- Onboarding/Updating Information. Advisers must have written procedures that set out their process of onboarding representatives, including disclosure of outside business activities, prior disciplinary history, and pending or threatened complaints, claims or investigations. All information received must be reviewed, analyzed and resolved prior to onboarding each representative. In addition, advisers must implement procedures for updating information provided during onboarding if it changes. The consent order in Horter Investment alleged that the CEO failed to follow the RIA’s onboarding procedures because he did not take the time to properly vet the Representative or the information regarding the Representative because he:
- Disregarded the disclosure on Representative’s Form U5 alleging that he had used marketing materials not approved by his prior adviser and directed checks be made payable to Representative’s DBA rather than the adviser as required.
- Failed to reasonably investigate or follow up on FINRA’s inquiry regarding the allegations in the Representative’s U5.
- Dismissed the CCO’s belief that the Representative was rushing the onboarding process to try and complete it before any disclosures were added to his public disclosure report in connection with the FINRA inquiry.
- Ignored the CCO’s advice to terminate the Representative for failing the RIA’s onboarding process due to the U5 disclosure and FINRA inquiry and, instead, choosing to accept the Representative’s self-serving explanation with no further verification.
- Failed to obtain the required disclosure and approval of each outside business activity and signoff from the CCO on same.
- Failed to consider whether the Representative’s outside business activities did or could cause potential conflicts or confusion with the RIA’s business.
- High-Risk Representatives and Heightened Supervision. In general, a “high risk” representative is a person who does not have any investment adviser experience or has a prior disciplinary history in the securities industry or certain other industries. A high-risk representative requires heightened supervision to allow an adviser more control and oversight of that representative’s activities until such time as that representative no longer presents a high risk. To effectively handle this issue, an adviser must adopt and implement written policies and procedures to identify high-risk representatives and determine what restrictions or requirements will be placed on each. The consent order in Horter Investment alleged that the RIA had procedures to identify high-risk representatives but, even though an outside consultant and the CCO warned the RIA that such a program was needed, it failed to adopt any program for heightened supervision until after the termination of the Representative. The RIA thus was able to identify the Representative as high risk but allegedly did nothing beyond that to monitor the Representative and ensure client assets were safeguarded.
- Third-Party Distribution Requests. The consent order in Horter Investment alleged that the RIA did not adopt or implement adequate written policies and procedures for distributions of client funds to third parties prior to the termination of the Representative in March 2017. Prior to June 2016, the RIA and CEO considered adopting procedures to increase scrutiny of third-party distributions but ultimately decided not to do so, as they believed the representatives would not like such procedures. However, in June 2016, the RIA mistakenly distributed more than $300,000 from a client’s account to a third party in response to a fraudulent email, and that prompted the RIA to begin requiring its personnel to obtain verbal confirmation from clients as to each third-party distribution and to log each such distribution. The RIA’s personnel were made aware of these requirements, but the RIA and CEO did not establish any written policies and procedures regarding the verbal confirmation process, the information to be collected for the log, or any required review of the log. In fact, the RIA did not adopt any written procedures until October 2017, and the CCO did not begin monitoring the log until December 2017. The failure of the RIA and CEO to provide such written policies and procedures allegedly caused the RIA’s personnel to miscommunicate, misinterpret and not consistently follow the instructions regarding third-party distribution requests, and the failure to implement any oversight of this process permitted the problems to continue unchecked for well over a year.
- Field Visits and Branch Audits. Advisers are required to design and implement written policies and procedures for the oversight and monitoring of advisory services provided at remote or branch offices to ensure all representatives are consistently and adequately supervised regardless of location. Among other things, these procedures must provide for the inspection or audit of each remote, field or branch office by the RIA at regular intervals to ensure compliance with all written policies and procedures and to address any outstanding issues that may be present at a remote, field or branch office. According to the SEC in Horter Investment, the RIA primarily employed representatives that worked from remote, field or branch offices but had no written policies and procedures regarding monitoring and/or inspecting such offices prior to the termination of the Representative. The RIA and CEO allegedly were aware of this issue, as the SEC issued a deficiency letter in December 2014 to the RIA specifically pointing out this failure and an outside consultant recommended that the RIA develop such procedures in March 2015. Yet the consent order alleged that the RIA did not visit or inspect the Representative or his office prior to his termination.
- Delegation of Supervisory Authority. Adviser personnel with supervisory authority may delegate certain supervisory responsibilities in writing that clearly identifies the designee, the capacity of the designee and the details of the authority being delegated. It should be noted that, even if a person delegates supervisory authority to another, the delegating person will still be responsible for monitoring the designee and ensuring the delegated authority is being used properly and is not abused. In Horter Investment, the CEO claimed that he delegated his supervisory authority to other persons, including the CCO and an outside consultant, but he could produce no documentation or other evidence regarding such delegations. Thus, the SEC deemed that no proper delegation occurred and, even if the CEO did delegate his supervisory authority, the CEO failed to supervise or follow up on such delegations.
While it remains to be seen in Horter Investment what consequences the RIA and CEO will suffer for their actions (or lack thereof) in failing to supervise the Representative, it is clear that the SEC will continue to focus on proper supervision of representatives and adequate written policies and procedures. This recent SEC consent order should serve as a warning to advisers and their senior management to not become lax in their supervision or ignore a known concern, and to remain vigilant in delegating supervisory authority and monitoring the delegees. Significantly, this consent order also offers examples of actions compliance officers can take to satisfy their important roles within their firms, including conducting investigations of representatives and red flags, alerting senior management to any concerns, and advising senior management of the need for additional written policies and procedures and the corrective action to take for violations of such procedures.