Section 15 — Control Person Liability
Section 15 of the Securities Act of 1933 and Section 20(a) of the Securities Exchange Act of 1934 impose control person liability on officers, directors, and parent companies that oversee entities engaged in securities violations. A person need not directly participate in the fraud to face joint and several liability — control and failure to supervise are sufficient.
For the anti-fraud rule prohibiting misleading statements, see Securities Fraud. This article covers supervisory liability.
The parent’s dilemma
Suppose a subsidiary issues a 10-K containing a material misstatement about inventory valuation. Investors who relied on that filing sue and establish fraud. The parent company’s CEO and board never affirmatively made the false statement; they may not have even read the subsidiary’s financials. Yet Section 15 and Section 20(a) can hold the parent (and its directors) jointly liable for the damages award — not because they were passive owners, but because they controlled the subsidiary and failed to establish adequate supervision.
This doctrine reflects a tension at the core of corporate law. Shareholders invest in holding companies partly to ring-fence liability and delegate operational control. Yet securities law refuses to treat that delegation as a complete shield. The price of control is supervisory responsibility.
Elements of control person liability
Courts do not require proof that the control person knew of the violation or intended it. Instead, liability turns on three elements: (1) the controlled entity violated securities law; (2) the person exercised actual or apparent authority over the controlled entity; and (3) the person failed to take reasonable steps to supervise or prevent the violation.
Actual authority is straightforward — formal voting control, power to hire and fire, or direct operational decisions. Apparent authority can be subtler: a parent company that publicly represents itself as the strategic and operational overseer of a subsidiary, even if day-to-day management is delegated, may be found to exercise apparent control.
The “failure to supervise” prong is where most litigation centres. What constitutes reasonable supervision? Courts have looked to: (1) whether the control person established reporting systems and internal controls; (2) whether they reviewed financial statements or audit results; (3) whether they monitored compliance programmes; and (4) whether they responded promptly to red flags or complaints. The standard is one of ordinary business care — not perfection, but demonstrable diligence.
The safe harbour — “good faith” defence
Neither Section 15 nor Section 20(a) is absolute. Both statutes provide a safe harbour: a control person is not liable if they acted in “good faith” and took “reasonable precautions” to prevent the violation. This is one of the few places in securities law where good faith is a complete defence.
In practice, this means a parent company that establishes a board-level audit committee, receives regular internal control assessments, and can show it investigated and remedied known weaknesses has a strong defence — even if a subsidiary still commits fraud. The key is affirmative action; passivity, even well-intentioned, will not suffice.
The defence is easier to assert for officers and directors of the controlled entity than for outside investors or passive parent shareholders. A director who attends board meetings, votes on internal control policies, and raises questions during audits can plead good faith and reasonable precautions. A shareholder who holds a large block but takes no interest in governance cannot.
Distinguishing negligence from recklessness
Control person liability applies even where the control person’s conduct is merely negligent. You need not prove that the parent company or executive knew of the violation or recklessly disregarded the risk. This stands in marked contrast to securities fraud claims under Rule 10b-5, which require scienter (recklessness or intent).
However, the standard is not strict liability. Courts have held that control persons are not liable for violations they could not reasonably have discovered, even in hindsight. A parent company cannot be expected to detect every line-item error buried in a subsidiary’s complex financial statements, particularly if the subsidiary has independent auditors and internal controls. But a parent that ignores red flags — a sudden collapse in accounts receivable without explanation, turnover of accounting staff without replacement, or complaints from the subsidiary’s auditor about access restrictions — may face liability even without knowledge of the specific fraud.
Subsidiary vs. agency
Courts distinguish control person liability from ordinary agency principles. An agent acts on behalf of a principal and binds the principal to contracts or represents the principal’s intentions. A subsidiary, by contrast, is a separate legal entity. Its officers and employees are not automatically agents of the parent. This means a parent can escape liability for its subsidiary’s ordinary torts or contracts by maintaining separate corporate formalities — but not for securities violations, where Section 15 and Section 20(a) impose supervisory liability independent of agency.
This distinction matters for parent companies that own multiple unrelated subsidiaries or joint ventures. The parent’s ownership stake does not automatically trigger control person liability; there must be actual or apparent supervisory authority over the specific wrongdoing entity.
Joint and several liability
Control person liability is joint and several. If the subsidiary, the subsidiary’s CEO, and the parent company are all liable for a fraud damages award of USD 50 million, plaintiffs can collect the full amount from any of the three — or split collections across them. The parent cannot say “we were only 30% responsible”; nor can it demand that plaintiffs first exhaust the subsidiary’s assets before suing the parent.
This creates powerful incentive for parents to ensure subsidiaries are adequately capitalised and insured. A judgment against a subsidiary that exceeds its assets automatically shifts enforcement pressure to the parent.
Practical impact on group structure
Control person liability has shaped how large companies structure subsidiaries. Many public groups establish independent audit committees at the subsidiary level, hire external auditors with no relationship to the parent, and maintain arm’s-length governance — all to reduce the apparent control and thereby narrow the parent’s exposure to supervisory liability.
The irony is that this architecture may also reduce the parent’s ability to detect fraud early. A parent that maintains true independence from a subsidiary loses visibility. Section 15 and Section 20(a) thus create a balancing act: exert enough supervision to prevent fraud, but not so much that you become a joint author of the subsidiary’s conduct or expose yourself to discovery of your own knowledge.
See also
Closely related
- Securities Class Actions and the PSLRA — how damages from control person violations are typically recovered
- 10-K — the filing most often at the centre of control person litigation
- Securities Fraud — the underlying violation for which control persons are held responsible
- Rule 10b-5 — the anti-fraud rule that often triggers control person scrutiny
- Audit Committee — the board function courts examine when assessing supervisory adequacy
- Internal Controls — the mechanisms control persons are expected to establish and monitor
Wider context
- Securities and Exchange Commission — enforcement agency for control person violations
- Business Combination Purchase — M&A contexts where control person liability shifts to acquirers
- Public Company — entities subject to heightened disclosure obligations and supervisory scrutiny
- Corporate Governance — the broader framework within which control person duties operate
- Derivative Lawsuit — shareholder claims against boards for failure to oversee