Key Takeaways

• According to Grewal, firms need to create a culture of proactive compliance that includes education, engagement and execution.
• If a securities law violation is discovered, the SEC rewards self-reporting and meaningful cooperation.
• CCO cases are rare, said Grewal, but being a member of the compliance function is not a “get-out-of-jail” card.

On October 24, SEC Enforcement Director Gurbir Grewal addressed compliance professionals at the New York City Bar Association’s 2nd Annual Compliance Institute.[1] His remarks focused on three topics: creating “a culture of proactive compliance,” the importance of self-reporting and cooperation, and chief compliance officer (CCO) liability.

Creating a Culture of Proactive Compliance

Grewal highlighted the importance of creating a culture of proactive compliance to “enhance public trust and confidence in our markets and institutions.” He pointed to three components essential to building a culture of proactive compliance: “education, engagement and execution.”

Grewal noted that proactive compliance first requires compliance professionals to educate themselves not only on the law but also on external developments relevant to their business. “So when a new action, examination priority or Commission rule is relevant to your company, you should digest it and examine which segments of your company have exposure to the same or similar issues,” Grewal remarked. As an example, Grewal referenced the number of actions the SEC has brought against firms for alleged violations of the Dodd-Frank whistleblower rule during the past fiscal year. Grewal stated that these actions show how seriously the SEC takes compliance with Rule 21F-17, and compliance officers should review them, consider how they may impact their firms, and take the steps necessary to effect compliance.

Grewal then noted that engagement requires compliance personnel to interact with different units within the business and learn “their activities, strategies, risks, financial incentives, counterparties, and sources of revenue and profit.” This internal engagement is critical to designing and adopting meaningful policies and procedures. In his Dodd-Frank whistleblower rule example, Grewal explained that engagement means working with the company’s human resources and legal departments to ensure that employment agreements and policies are up to date and not in violation of the rule. Grewal also emphasized that engagement must be ongoing and consider new SEC rulemaking and changes in business operations, risk areas and SEC enforcement priorities.

Finally, Grewal stated that adopting meaningful policies and procedures is not enough – “[e]ffective execution is equally important.” Grewal noted that “[t]ime and again, [the SEC sees] firms that have good policies, but fall short on implementation.” To drive this point home, Grewal referenced the SEC’s “ongoing off-channel communications sweep” that, since December 2021, has resulted in charges against over 40 firms for failure to maintain and preserve electronic communications. According to Grewal, these “firms had policies and procedures in place, but employees nevertheless communicated through unapproved methods. That is because there was widespread failure in implementing those policies.”

Cooperation

Grewal stated that “[i]f despite all of your efforts, you do detect a securities law violation, the best thing to do would be to self-report and cooperate. Because, even as we emphasize robust penalties, we have also aggressively rewarded meaningful cooperation, most notably by recommending that the Commission impose substantially reduced penalties—or even no penalties at all.” In addition to self-reporting and cooperation, actions that companies took that resulted in reduced or zero penalties included preemptively remediating and ceasing unlawful behavior; proactively providing compensation to victims; providing detailed financial analyses and explanations; proactively identifying key documents and witnesses; and facilitating interviews of former employees.

CCO Liability

Grewal closed his presentation by addressing the “proverbial elephant in the room” – CCO liability.

Grewal noted that the SEC does “not second-guess good faith judgments of compliance personnel made after reasonable inquiry and analysis.” Instead, the SEC may bring enforcement actions against compliance personnel where: (i) they affirmatively participated in misconduct unrelated to compliance; (ii) they misled regulators; or (iii) there was a “wholesale failure” by them in carrying out their compliance responsibilities.

Regarding the first category, Grewal referenced a case where the SEC charged a CCO with insider trading. Grewal noted that “when compliance officers violate the securities laws in ways that have nothing to do with exercising their compliance responsibilities, they are held accountable just like anyone else.”

With respect to misleading regulators, Grewal highlighted a case where the SEC charged a CCO with aiding and abetting and causing a firm’s books and records violations by providing SEC staff with backdated and factually inaccurate compliance review memos. The issue, according to Grewal, was not second-guessing a good faith judgment call, but rather “deliberate conduct by the CCO intended to thwart the SEC’s ability to exercise effective oversight of the compliance function.”

Finally, Grewal explained that the “wholesale failure” category involves cases where there was no education, engagement or execution, but rather “wholesale failures to carry out compliance responsibilities and conduct even basic inquiry and analysis.” As examples, Grewal referenced a case against a former practice leader at an accounting firm for allegedly failing to address deficiencies with the firm’s quality-control system, despite knowing about the deficiencies for several years, and one against a CCO of an investment advisory firm for adopting a handbook published by a professional organization containing standards for candidates preparing for that organization’s examinations without tailoring the handbook to the firm’s business.

Conclusion

While Grewal said cases against compliance officers are rare, he also emphasized how actively the SEC pursues enforcement actions. So compliance officers should remain vigilant and avoid falling into any of the categories where the SEC typically brings enforcement actions against compliance personnel. An effective way to accomplish this is focusing on Grewal’s three pillars for creating a culture of proactive compliance:

• Stay educated on Commission rulemaking, public orders, and other developments, consider how they impact your firm, and make any necessary adjustments to your compliance program.
• Engage with your different business units and corporate functions to learn about their risk areas and design meaningful and practical policies and procedures that are tailored to those risks.
• Execute your compliance program by ensuring that your firm’s policies and procedures are implemented and followed, including by training, oversight and setting the right tone at the top.

When compliance officers observe control deficiencies or red flags, they should promptly follow up and attempt to remediate the problems. And given Grewal’s emphasis on the potential benefits for self-reporting and cooperation, compliance officers should also ensure that their firms maintain robust whistleblower, anti-retaliation and internal investigation procedures to put the company in the best position to determine on an expedited basis whether to self-disclose misconduct to maximize cooperation credit.

[1] Patrick Campbell served as co-chair of the Institute and John Carney spoke on a panel at the Institute about making compliance programs more effective.

[View source.]