SEC case against outsourced CCO highlights personal liability risk

NEW YORK (Thomson Reuters Regulatory Intelligence) - A recent case brought by the U.S. Securities and Exchange Commission against an outsourced chief compliance officer over alleged failures to verify information is a stark demonstration of how the risk of personal liability has become one of the top concerns compliance professionals face in their careers.

A worker adjusts a light bulb while posing for a photo at a store in Tokyo's Akihabara district July 31, 2007.

Annual surveys performed by Thomson Reuters confirm this concern; 48 percent of respondents to the 2017 Thomson Reuters Cost of Compliance Survey(here) expected to see an increase in the risk of personal liability and 87 percent of respondents from Global Significant Financial Institutions (G-SIFIs) said the regulatory focus on culture and conduct risk would increase personal liability risk of senior managers.

Regulators in the U.S. have not been shy about holding senior managers and particularly chief compliance officers, (CCOs) personally accountable in 2017 as there have been a number of cases where names were named, and individuals were fined, suspended, or barred for their alleged failures or missteps.

This zeroing in on compliance officer failures can be seen in cases from virtually all financial regulators however, the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) have been at the forefront of most of the cases.

The case brought and settled by the SEC against a contract CCO for an advisory firm offers an opportunity to review sound practices for firms and compliance personnel related to the growing risk of personal liability.


The settlement in the SEC case involving a chief compliance officer and alleged reporting failures and misstatements was announced on August 15(here). It was based on events from 2009 to 2011 which ultimately resulted in a 2015 order against investment adviser Aegis Capital LLC(here), Circle One Wealth Management LLC, (two now defunct investment advisers), their chief compliance officer, David I Osunkwo, and chief operating officer, Diane W. Lamm.

Aegis Capital, LLC is a North Carolina limited liability company with its principal place of business in Mount Pleasant, South Carolina. It is unrelated to Aegis Capital Corp, which is a New York based broker-dealer and is not referred to in this article.

The FBI had brought a criminal case charging Lamm and John R. Lakian of orchestrating two multi-million dollar fraud schemes involving the firms(here). Both pleaded guilty in February 2016(here).

According to the SEC, Osunkwo reported to Lamm beginning in October 2009. Lamm was designated as the firm’s COO in the last filing made on its Form ADV in April 2012.

Osunkwo served in 2010 and 2011 as the compliance chief at Aegis Capital and Circle One Wealth Management. The firms had outsourced CCO duties to a third-party provider called Strategic Consulting Advisors, where Osunkwo was a principal. Osunkwo was tasked with preparing a consolidated 2010 year-end Form ADV for Circle One that would reflect its merger with Aegis under the same parent company, Capital L Group LLC.

The SEC said in the settlement order that Osunkwo submitted inaccurate information in a filing for the two investment advisory companies, and Osunkwo listed the chief investment adviser as having certified the figures when, in fact, he had not.

According to the SEC, Osunkwo reviewed information on Aegis Capital’s and Circle One’s investment management business and Osunkwo relied on estimates provided to him by the CIO.

The SEC said the CIO sent Osunkwo an email that stated:

“David – … I believe AUM was as follows on 12/31 Funds: $36,800,000 Schwab/Fidelity: $96,092,701 (1,179 accounts) (not sure how many customers) Circle One: probably higher than $50m, but hopefully [another employee] told you a number today Total is in the $182.89m range …”

The SEC said Osunkwo relied on these imprecise estimates from the email sent by the CIO and did not bother to verify their accuracy.

In reality the combined AUM of Aegis Capital and Circle One was only $62,862,270.28. The Form ADV overstated the AUM by 190 percent. The Form ADV also overstated the total client accounts by at least 1,000 accounts, which was off by 340 percent, according to the SEC.

Osunkwo also “misstated that the CIO had also certified the contents to be true and correct,” according to the SEC order.

The SEC held Osunkwo liable for the failings, fined him $30,000, and suspended him for one year from holding any position in the securities industry. Osunkwo, a New York-licensed attorney, did not admit or deny any wrongdoing. His company, Strategic Consulting Advisors, has closed, the SEC said.


After a handful of cases where CCOs were held personally accountable, then-SEC Commissioner Daniel Gallagher in 2015 voiced opposition(here) to holding CCOs accountable. The issue of CCO culpability was further clarified by the agency's enforcement director at the time, Andrew Ceresney, in a speech to industry participants(here).

Although, Ceresny left the SEC in December 2016, he addressed several important concerns of CCOs particularly CCO liability and recent enforcement actions.

Ceresney categorized enforcement actions brought against CCOs into three broad categories:

--Cases against CCOs who are affirmatively involved in misconduct that is unrelated to their compliance function.

--Cases against CCOs who engage in efforts to obstruct or mislead agency staff.

--Cases where the CCO has exhibited a wholesale failure to carry out responsibilities.

This third category, failure to carry out responsibilities – raised concerns in the industry and left many questioning whether it might be a slippery slope for CCOs. It was seen as a shift by the SEC to place liability on and directly blame CCOs for failures.

Osunkwo’s case likely falls in the last category as the agency pointed out his failure to verify the AUM numbers, which is not a difficult task. Therefore, his failure on the surface simply appears to be failing to carry out his responsibilities. However, considering the magnitude of fraud that also allegedly occurred, and to which two of his superiors pleaded guilty, perhaps these other factors were also considered by the SEC. The SEC does not comment on such cases and attempts to contact Osunkwo were unsuccessful.

The action against Mr. Osunkwo should not come as a surprise to CCOs and industry watchers -- the regulator is far from breaking new ground here in holding CCOs accountable for failures.


Compliance officers should respond to all red flags of possible misconduct and thoroughly document their investigations or responses. Keeping a personal file to document steps is always a good idea.

Particular attention must be given to reports of misconduct or whistleblower reports. All materials must be escalated to senior management such as the general counsel or board of directors.

CCOs should request permission to obtain advice from independent outside legal counsel if there is a disagreement with senior management.

With regards to supervisory responsibilities and issues the SEC has issued guidance(here) and provided a list of questions to ask when considering whether a person is a supervisor, including:

--Has the person clearly been given, or otherwise assumed, supervisory authority or responsibility for particular business activities or situations?

--Do the firm’s policies and procedures, or other documents, identify the person as responsible for supervising, or for overseeing, one or more business persons or activities?

--Did the person have the power to affect another’s conduct?

--Did the person, for example, have the ability to hire, reward, or punish that person?

--Did the person otherwise have authority and responsibility such that he or she could have prevented the violation from continuing, even if he or she did not have the power to fire, demote, or reduce the pay of the person in question?

CCO’s should be careful to document clear lines of supervision and be sure that clear job descriptions and mission statements are in place for compliance departments.

CCOs should also not have supervisory responsibilities over business-line activities. Rather, an appropriate person in each area should perform supervisory responsibilities. CCOs should meet regularly with these designated supervisors to verify whether proper oversight is taking place.

Lastly CCOs should always be reminded that information provided to regulators in any filing such as a Form ADV must be accurate and truthful and ultimately by placing their signature on such a filing they are attesting as such.

(This article has been updated from the version initially posted to the Financial Regulatory Forum to clarify that Aegis Capital LLC is unrelated to Aegis Capital Corp.)

(Todd Ehret is a Senior Regulatory Intelligence Expert for Thomson Reuters Regulatory Intelligence. He has more than 20 years’ experience in the financial industry where he held key positions in trading, operations, accounting, audit, and compliance for broker-dealers, asset managers, and hedge funds.)