FINRA Sanctions Two Compliance Officers
Corporate compliance officers are always interested in regulatory enforcement actions against one of their own, so today let’s take a close look at an enforcement action against two compliance officers handed down earlier this week for poor oversight of their firm’s compliance program.
The enforcement action came from FINRA, the regulator for broker-dealer firms. The agency sanctioned Diane Daly, the now-former chief compliance officer of Canaccord Genuity (a broker-dealer firm based in Canada with about $42.7 billion in assets under management in North America); and Nicholas Lorenzo, her now-former deputy, who managed Canaccord’s trading compliance group.
FINRA had accused Daly and Lorenzo of failing to implement an effective anti-money laundering compliance program from 2017 through 2022. The charges against Daly were that she “failed to reasonably supervise” Canaccord’s transaction surveillance program, which is a violation of FINRA rules 3110 and 2010; and that she failed to develop and implement an AML compliance program reasonably designed to comply with the Bank Secrecy Act. Daly was fined $10,000 and banned from AML compliance roles for one year.
FINRA accused Lorenzo of shirking his supervisory responsibilities by delegating the review of surveillance reports to subordinates without “reasonably following through” to confirm the reviews were being conducted. He also failed to investigate red flags that some of the reviews were not being performed. Those are also violations of FINRA rules 3110 and 2010, so Lorenzo was fined $5,000 and barred from compliance officer roles for nine months.
Daly and Lorenzo neither admitted nor denied FINRA’s allegations, which arose from FINRA regulatory examinations of Canaccord’s compliance program. Both will be able to re-apply for compliance officer roles after their suspensions end.
Enforcement actions against compliance officers are always news because compliance officers have an abiding fear that somehow they might be held personally liable for inadequate programs foisted onto them by cheapskate management teams. In practice, however, that’s pretty much never the case. Either the CCO was involved in the misconduct directly (no sympathy for you there), or the allegations paint very unflattering pictures of negligent performance.
Still, phrases like “failing to reasonably supervise” or “without reasonably following through” are terribly subjective terms. So let’s take a close look at FINRA’s allegations against Daly and Lorenzo to see what triggered the agency’s ire.
Allegations Against Daly
FINRA’s first accusation against Daly was that she failed to reasonably supervise Canaccord’s surveillance of its securities trading. For background here, let’s note that Canaccord did a brisk business trading penny stocks — that is, low-price securities (typically under $1), where the risk of money laundering, market manipulation, and other suspicious activity is high. Canaccord had a four-person team trading compliance team responsible for monitoring that risky activity, and did so by reviewing more than 150 surveillance reports (most of which were generated daily).
As chief compliance officer, Daly was responsible for assuring that surveillance personnel were properly qualified by virtue of experience or training. Except, according to FINRA, the three most senior members of the surveillance team left Canaccord by early 2017. Then Daly restocked the team with more junior, inexperienced people, “despite knowing of staff concerns about its workload and promoted one of those then-recent hires, who lacked management experience [that is, Lorenzo], to head the trading compliance group in early 2017.”
Once that inexperienced team was in place, it sent almost no suspicious activity alerts to Daly for review: two instances in 2017, one in 2018, four in 2019, and finally 13 in 2020 — that is, a only a handful of alerts, despite Canaccord doing billions of dollars’ worth of penny-stock transactions every year.
So FINRA’s real complaint here is that Daly should have known the surveillance team wasn’t doing a good job, by dint of not receiving enough alerts from them. In FINRA’s own words, “the absence of escalations should have alerted Daly to the group’s failures to perform surveillance of Canaccord’s trading activities.”
FINRA also accused Daly of failing to implement a reasonably designed AML compliance program. Daly had been Canaccord’s designated AML compliance officer since 2007, and she knew that multiple times throughout the 2010s that FINRA examiners had warned the firm to implement automated transaction monitoring and improve its review of suspicious trading activity.
Still, Daly delegated the design of Canaccord’s AML surveillance reports to personnel in the trading compliance group who had no prior experience in AML trade surveillance. Those staffers (led by Lorenzo) ended up designing exception report criteria that were decidedly not reasonable given the risks inherent in penny stock trading. For example, the team excluded securities with low trading volumes so they could reduce the number of alerts that would need review; but stocks with low trading volume can be a haven for fraudsters looking to keep a low profile.
FINRA also faulted Daly for other missteps, such as inadequate training for those junior compliance personnel; and inadequate testing of the AML compliance program, where Daly had consultants perform an annual independent audit (good) but the audits included inaccurate descriptions of Canaccord’s business and trade surveillance system (bad).
You can see the picture painted here: a chief compliance officer disengaged from the actual compliance activities of her team, and that team was also inadequate to the compliance tasks at hand given Canaccord’s business model.
Allegations Against Lorenzo
FINRA’s allegations against Lorenzo are a bit more specific, but broadly are along the same lines as the charges against Daly: that he delegated too much responsibility to junior compliance staffers, and didn’t fulfill his supervisory duties.
For example, Lorenzo assigned more than 100 surveillance report types to various individual group members for review, but he didn’t document those assignments in writing. “As a result, over time, the firm was unable to determine which members of the group were responsible for reviewing particular reports,” FINRA said.
Nor did Lorenzo “take reasonable steps” to assess the quality of the reviews his group was doing. For example, FINRA said, he didn’t access Canaccord’s systems to review audit trails, which would have shown whether his compliance staffers actually did access and review reports.
So, right off the bat, now we know: FINRA expects compliance supervisors to review audit trails from time to time, to double-check your team’s work. That step is part of reasonable oversight of the compliance program.
Illuminating CCO Liability
Taken together, both enforcement actions give us a better sense of how FINRA, at least, defines reasonable steps to design and supervise your compliance program. Much of the issue here seems to be basic, block-and-tackle stuff: hiring qualified people with experience in the task at hand; documenting the roles and responsibilities you assign to your team; going through the records to double-check that your team really is doing the work it claims (or to confirm that any work going undone is what your team says, and not even worse).
Of course, FINRA’s settlements with Daly and Lorenzo only offer FINRA’s version of events. For all we know, they might have faced other pressures or constraints from management not mentioned here in these cases against them. Regardless, these cases do help us understand what terms like “reasonably designed” and “reasonably supervised” look like in practice, and that’s insight any compliance officer can use.