Expect more enforcement actions on compliance officers, says Usman Sheikh, litigation partner at Gowlings in Toronto.
“Compliance officers […] are seen to play a […] critical gatekeeper function in the industry, and, as a result, regulators are heightening their focus […] on [them],” Sheikh says, citing several U.S. and Canadian enforcement cases against compliance officers. He spoke at a symposium on Thursday hosted by the Investment Industry Association of Canada.
CCOs under the microscope
In these cases, chief compliance officers (CCOs) are typically involved in the misconduct, or they mislead staff or demonstrate wholesale failures.
These “wholesale failures” include a failure to:
- manage conflicts where the CCO or staff wear multiple hats;
- address clear and obvious risks;
- address multiple red flags; or
- address a firm’s numerous and persistent compliance issues.
To stay in the regulators’ good books, Sheikh suggests performing habitual risk assessments in areas of potential failure, for example where red flags come up, such as the filing of a whistleblower report.
He also recommends implementing detailed, firm-tailored policies and regularly updating them. “We’ve seen a number of cases where policies were not repealed,” he says, “and enforcement staff would hold those dealers to those policies.”
More power to the regulators
There’s a rise in regulators’ aggressive use of the “conduct contrary to the public interest” power, which allows regulators to sanction conduct even though there’s no technical breach of the Securities Act, says Sheikh. “A […] similar power is exercised by IIROC as the ‘conduct unbecoming’ power.”
To maintain compliance, registrants should abide by both the letter and spirit of the law. “One [… has] to keep oneself updated on recent cases [and] enforcement notices, which offer that prophetic view […] as to what conduct will be taken issue with by the regulators.”
Larry Boyce, senior vice-president at Sutton Boyce Gilkes in Toronto, acknowledges that these powers are useful where an instance of misconduct is not codified. “If you can pass a clear rule that tells people they have to do something, you should do it, and not rely on fuzzy guidance and […] general ‘conduct unbecoming’ rules,” he says.
How can small firms manage regulatory grey zones?
Referring to services, Boyce says small firms should “keep it simple,” despite potential competitive disadvantages, so that they know their businesses top to bottom. Further, “leverage every opportunity […] to understand [regulation]” through industry organizations, working groups and resources.
“It’s getting very hard to tell what’s guidance and what’s a rule,” he says, citing IIROC’s voluntary risk-based cybersecurity framework. “Don’t believe anything’s voluntary. Read it all very carefully, because you’re […] expected to follow it.”