SEC mandates training for CCO in compliance breach: key lessons

The Securities and Exchange Commission (SEC) has taken action against a family-run wealth management firm, Arcadia, for prolonged non-compliance.

In administrative proceedings, which clearly demonstrate the dangers of burying your head in the sand, Arcadia has been issued with a $90,000 fine, a cease and desist order and censure. As well as this, the company’s CCO has been asked to complete 30 hours of training to align with regulatory expectations.

Regulatory violations

Under Section 206(4) and 206(4)-2 of the Advisers Act, (commonly known as the “Custody Rule”), all funds and securities held by a financial organisation are required to undergo verification through the process of a surprise examination by an independent accountant. This surprise examination should happen annually.

In the case against Arcadia, the SEC found that it had failed to obtain the surprise examination of client funds which were in its custody between 2013 and 2019. Moreover, the SEC found that Arcadia had failed to put in place adequate policies and procedures that would prevent violations of the Custody Rule in the first place.

Too little, too late

Arcadia did eventually run a surprise examination in 2018, however that examination still failed to meet regulatory expectations as the firm did not enter into a formal, written agreement with the accountant who carried out the examination. As well as this, the examination was not sufficient to cover all of the assets in the firm’s custody and the accountant failed to complete the relevant forms to meet regulatory standards.

Reactive compliance

In March 2020, the SEC examined of Arcadia, which spurred the firm  to carry out an adequate surprise examination. At this point, SEC investigators were alerted to Arcadia’s malpractice surrounding the custody rule.

As a result of the failings, the SEC issued a slew of punitive actions and, unusually, demanded that its Chief Compliance Officer complete 30 hours of compliance training relating to the Advisers Act, within one year of the order being issued.

CUBE comment

Over the past few weeks and months, we’ve been tracking a steady and significant amount of regulatory activity taken against individuals. As well as seeing an increase in enforcement action such as that against Arcadia’s CCO, we’ve also seen an increase in hard regulation, as well as calls for greater individual accountability.

This move towards accountability comes as no surprise. For some time, regulators have been pushing for transparency within financial services – whether it takes the form of increasingly transparent disclosure requirements for climate risk or greater transparency around executive pay. Societal shifts and changing investor sentiment are placing access to information high on the list of the well-informed investor.

What is particularly interesting in this instance is the SEC’s approach to the CCO involved. We often see, in instances of negligent non-compliance, that CCOs will face financial penalties. In worst-case scenarios, they are suspended from their roles for varying periods of time. In this instance, the SEC has instead handed out ‘training’ as the remedy. Presumably, this is because the failure to remain compliant with regulatory expectations was not so severe that any damage occurred. There is also the implication that the CCO had simply failed to understand the company’s regulatory requirements.

Either way, this case raises some key lessons that compliance officers at all levels would do well to heed.

1. Know your regulations

This may seem obvious, but in the case of Arcadia’s CCO, it seems there were clear knowledge gaps in what was expected of the firm. Either that or the CCO wasn’t motivated to comply.

The founding principle of any watertight compliance program is a fundamental understanding of the regulations that apply to your business, what they mean, and what your company has to do in order to be compliant. Perhaps this pertains to how long you keep customer records for, or maybe it relates to ensuring you’re meeting the Custody Rule. Whatever it is, firms need to understand their regulatory obligations and implement them across the business.

The good news? Compliance officers don’t have to go this alone – there’s technology that can help (check out our range of RegTech products here 😉).

2. Close your gaps

There’s sometimes a fear about implementing technology for compliance, which is often driven by a fear of the unknown. What if you plug in a RegTech solution that shows that your regulatory inventory is full of gaps, for instance?

With the regulators’ increased focus on transparency has come an increased focus on honesty and integrity. Compliance gaps are far from ideal, but ignoring those gaps is worse. Regulators do not look fondly at compliance officers who failed to act, as the case against Arcadia shows. Where compliance gaps arise, own up to them and take steps to remedy them. Better yet, implement technology that will stop the gaps from appearing.

If, when the SEC came knocking at Arcadia’s doors in 2020, the CCO was able to show that it had failed to comply with the Custody Rule but that it had taken steps to remedy it, the regulatory penalty will likely have been less severe.

3. Don’t wait until it’s too late – proactivity prevents penalties

This is perhaps the most frustrating element of non-compliance. It is also the issue we see most commonly: firms know that their processes don’t stand up to regulatory scrutiny, but fail to act until the regulator gets involved.

In this instance, Arcadia’s CCO failed to take action for five – nearly six – years. It wasn’t until the SEC started an investigation that it enacted the correct regulatory process of surprise examinations. This shows two things: 1) the firm was able to fix the compliance holes that had evolved and 2) it failed to do so until it was too late.

If Arcadia’s CCO had taken proper action in 2018 (or ideally before), the firm would have been watertight when the SEC came knocking in 2020. Had that happened, it would have saved $90,000 as well as its reputation which, when you’re a ‘family firm’, might even be more valuable. Regulators will come knocking eventually, and reactive compliance costs far more than implementing a compliance solution from the outset.

4. Just because your firm is small, does not mean the regulator isn’t watching

We often see headline-grabbing articles about Tier 1 and 2 banks that have failed to comply. There’s no doubt that  household names gain more media attention, but the same isn’t always true when it comes to regulators. In this instance, Arcadia promotes itself as a family-run firm. It has less than 250 clients (mostly individual investors) and $245 million in assets under management.

Smaller firms often believe that they can operate regulatory compliance in a manual, piecemeal way because they will likely fly under the radar. As this case shows, that isn’t a true reflection. Regulators are looking at how firms comply whether they’re family-run, a burgeoning FinTech or a huge, global banks. Every organisation has regulatory requirements and will be expected to meet those requirements. More than that, they will be expected to have adequate processes and technology in place to ensure they’re able to comply. When it comes to regulatory scrutiny, size doesn’t matter.