Speaking at the annual National Society of Compliance Professionals (NSCP) conference on Monday, SEC Commissioner Mark Uyeda talked about a year of unusually high rulemaking activity by his agency.

In prepared remarks, he observed that the incredible output was not due to any market-wide disruptions or systematic fraudulent activities by public companies and financial intermediaries – it was just the product of an overactive securities regulator.

“Should the Commission complete its full regulatory agenda, compliance professionals will bear the brunt of the immense burdens placed, or to be placed, on regulated entities,” he said. He (of course) reminded attendees that his remarks reflect his individual views as a Commissioner at the SEC and do not necessarily reflect the views of the full Commission or his fellow Commissioners.

Role of compliance

Uyeda mentioned that this coming December will mark 20 years since the adoption of Rule 206(4)-7 under the Investment Advisers Act of 1940 and Rule 38a-1 under the Investment Company Act of 1940. They collectively require the adoption of written policies and procedures reasonably designed to prevent violation of the federal securities laws, an annual review of those policies and procedures, and designation of a chief compliance officer.

Since that time, the importance of the compliance function has only increased, he said.

Of course, many financial services firms had developed compliance functions well before the adoption of the Commission’s compliance rules, he observed, noting that the NSCP itself was formed in 1986 to “support and promote the growing securities industry compliance profession”. 

“Understandably, compliance professionals might be concerned about how the Commission enforces those rules. Are the rules simply an opportunity for an exercise of ‘gotcha’ – that is, another way to make enforcement referrals – especially without having to show any investor harm or evidence of fraud? Or would the SEC see the new rules as an opportunity for funds and advisers to improve compliance and view CCOs as key allies in the effort to protect investors?” Uyeda asked.

“Regulators should clearly describe the circumstances under which a CCO will be held liable for a firm’s violations of the federal securities laws.”

Mark Uyeda, Commissioner, SEC

In the decades that have followed, the Commission has placed increasing responsibility on firms and their compliance personnel, bringing enforcement actions against firms for failing to adopt and implement written compliance policies and procedures and holding CCOs liable under the theory that a firm’s compliance violations were caused by the CCO.

He noted that, according to a recent NSCP survey, nearly three-quarters of respondents were “concerned that regulators have expanded the role of compliance officers and the scope of their responsibilities in imposing personal liability”.

CCO liability

Uyeda gave a nod to his colleague, Commissioner Hester Peirce, describing the lack of a Commission-issued framework for CCO liability, which meant CCOs have too much uncertainty over the SEC’s conception of potential CCO liability and how it will be gleaned from any particular set of facts and conditions.

For her part, Commissioner Peirce applied a framework proposed by the Compliance Committee of the New York City Bar Association to “test how a CCO liability framework might work in practice.” Uyeda noted that the NSCP also has issued its own framework for analyzing CCO liability.

“Regulators should clearly describe the circumstances under which a CCO will be held liable for a firm’s violations of the federal securities laws. Therefore, NSCP’s efforts in this regard are appreciated, and I look forward to continuing to work towards providing more certainty to the hard-working compliance professionals tasked with implementing the Commission’s expanding rulebook,” Uyeda said.

For much of the rest of his remarks, Uyeda listed all of the amended and new rulemakings his agency has undertaken in the past two years. It is a fantastic checklist for compliance officers, as were his reminders of the actual compliance deadlines associated with them. He joked that 2024, especially the summer, were going to be super-busy periods for compliance teams, so get ready.

Implications for compliance programs

This volume of rulemaking, combined with the rapid succession of implementation dates, will stretch the resources of firms, he said. His main worries revolve around requiring and expecting smaller firms to comply at the same deadlines and same pace as larger firms, which could lead to their detriment and even jeopardize their existence in terms of the disproportionate costs and additional barriers that such expectations are likely to place on them.

Last week, an industry publication reported that the rapid pace of rulemakings is “intensifying industry competition for compliance staff … ”The article notes that “many firms are … looking to bring on more operations, administrative and project management staff to ensure compliance with the new rules,” and “[s]ome firms have turned to compliance consultants to supplement staffing shortages and technology functions while they work to hire more staff”.

Uyeda worries that greater reliance on consultant and outsourcing is not exactly what is best for these businesses, when their own teams of professionals know their businesses, risks and business partners best of all.

Unprepared remarks

In conversation right after delivering his prepared remarks, Uyeda sat down with Heather Treager, General Counsel & CCO at Teacher Retirement System of Texas, and returned to the issue of CCO liability. He stressed the fact that most investment advisers are not overly large, even if the SEC sometimes treats them as if they all are.

He said that compliance officers at these businesses can and often do wear multiple hats and that the SEC has yet to truly define how to tell if a CCO is a supervisor, subject to supervisory liability.

And he lamented that what constitutes a large adviser can often just be summed up as “you keep your assets under $100m”.

Many rules, he said, make early compliance mandatory, and a business that might not even need a rule when it’s drafted – such as the recent short-selling one – might need to retune its policies and procedures right now, just to leave the option of participating in short sales on the table. He thought this could be a real drain on valuable time and resources.

Smaller firms can gain

In his view, if the agency had staggered deadlines for compliance, smaller firms would be able to prepare better, plus gain from the insights and wisdom gleaned from watching the larger firms go through the compliance implementation stage.

He reemphasized the need for compliance professionals to be involved and not dependent on consultants because of the need to keep pace with too-robust rulemaking, and that regardless of the need for outside business resources and expertise, the compliance team must focus on outcomes. Are the solutions being proposed suitable for the business?

Uyeda beseeched the audience to contact the SEC with data on the true costs of complying with its directives and the burdens posed to internal and external resources and the cost of new technology needed. He said these costs – especially the internal ones – are likely not assessed well enough by his agency. He said they can do so themselves, plus through their membership associations, like the NSCP.

And since compliance depends on good training and a full understanding of these rules, he said early bad habits can be avoided by seeking clarity early on from the regulator.