The SEC fined and censured the Chief Compliance Officer of a Broker-Dealer for inadequate procedures required by Rule 30(a) of Regulation S-P, which mandates written policies and procedures reasonably designed to protect customer information against unauthorized access and use.  The SEC charges that the firm's policies and procedures were inadequate because they (1) only recited the Rule (in less than one page) without specifying particular safeguards, (2) failed to instruct registered representatives how to protect customer information, (3) lacked follow-up procedures in the event of breach, and (4) failed to appoint a Principal with responsibility for testing the P/P.  The SEC indicated that the CCO failed to enhance the procedures even after two laptop thefts and the misuse of login credentials by a terminated employee.   The SEC also criticizes the CCO for failing to review the adequacy of the P/P in two annual reviews of the WSPs.

 

OUR TAKE: The SEC generally does not hold CCOs strictly liable for every compliance violation.  However, CCOs must take action, including reviewing/enhancing the policies and procedures, once the CCO learns of a compliance issue.