Fair Warning – SEC sets out trigger factors for acting against CCOs

In a recent speech, Gurbir S. Grewal, Director of the Division of Enforcement for the SEC, laid out the triggers that will see the regulator acting against compliance functions – and gave insight on how to avoid them.

01 November 2023
By Jay Hampshire

In brief:

  • Gurbir S. Grewal, Director, Division of Enforcement for the SEC, delivered an address exploring when the regulator enforces against compliance functions
  • The speech draws on recent examples of when the regulator has taken action against non-compliance by CCOs
  • Grewal also emphasized how ‘education, engagement, and execution’ are integral to creating a culture of compliance

‘Compliance professional’ is, at times, not an enviable job role. Their function is a cycle of being caught between the rock of navigating organizational culture, and the hard place of regulatory enforcement and public opinion. If you yield to one side, you may find yourself firmly in the crosshairs of the other – with hefty consequences.

It’s a difficult position that regulators like the Securities and Exchange Commission (SEC) understand, and, while their raison d’être means they will hold non-compliance to account every time, they set out their expectations clearly so that compliance teams know where they stand. Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, recently delivered a speech to the New York City Bar Association Compliance Institute that will leave compliance professionals in no doubt about what will lead the regulator to come knocking.

Position of trust

Grewal’s address contextualized the need for effective compliance around the importance of maintaining public trust:

“Public trust in our institutions is faltering. No sector is immune to this trend … If the public doesn’t think the system is fair … they are not going to invest their hard earned money. This hurts all those companies, professionals, and other market participants who are playing by the rules and doing the right thing”

Grewal’s speech echoes a prevailing sentiment among regulators around firms ensuring they “do the right thing”. This is an admirable ethos (and one we should all aspire to uphold). By adhering to it, compliance teams can play a vital role in ensuring that the public have confidence in a functioning, fair market, and help increase positive perception of the finance industry as a whole.

But it’s a slightly ephemeral goal, and one that is open to interpretation. Fortunately, Grewal’s speech laid out some very actionable insights and left little room for interpretation or doubt as to when the SEC will act on non-compliant compliance functions.

When will the SEC issue charges against a compliance officer?

Grewal addressed the “proverbial elephant” by answering the question “when does the Enforcement Division recommend charges against a compliance officer?”. His explanation reassured compliance professionals that the regulator understands their often-challenging role, and will act (or not act) accordingly where compliance officers have clearly worked in the spirit of ‘doing the right thing’:

“We do not second-guess good faith judgments of compliance personnel made after reasonable inquiry and analysis.”

However, Grewal asserted that merely being a member of the compliance function is not a “get-out-of-jail” card, and that compliance professionals will be held accountable under the following circumstances:

  • Where compliance personnel affirmatively participated in misconduct unrelated to the compliance function
  • Where they misled regulators
  • Where there was a wholesale failure by them to carry out their compliance responsibilities

Grewal illustrates each of these circumstances with recent examples of where the SEC acted against compliance professionals for infractions. The first example is a case where a Chief Compliance Officer was subject to enforcement action for insider trading when he obtained and traded on material non-public information (MNPI) taken from his partner’s laptop.

Grewal gives two examples of where compliance professionals misled regulators: one where a CCO provided falsified compliance review memos, and a second where a different CCO submitted compliance reports that had been falsified to appear as though they had been prepared in a timely fashion when they had not. Unfortunately, situations where regulators are given false information that hampers their ability to enforce and investigate effectively are all too common.

The third instance where the SEC will act is where compliance teams fail to “fulfil their obligations”, with Grewal’s examples including a case against a partner at Marcum LLP for failing to take measures to address quality control deficiencies that led to compliance breaches, and another enforcement against a CCO who failed to properly implement compliance policies, procedures, and compliance reviews for at least a decade.

While the details of these enforcements serve as a stark reminder of the weight of responsibility that compliance professionals are under, Grewal reminds us that they are comparatively rare:

“The Commission has filed well over 1,000 standalone cases since I became Enforcement Director, and only a handful against compliance officers.”

Grewal also “recognize[s] that this is challenging work” and lays out steps compliance professionals can follow to both mitigate and avoid these challenges: “education, engagement, and execution”.

As easy as E, E, E 

Grewal’s ‘three E’s’ are tools that can be used in “creating a culture of proactive compliance”, and are key to communicating around compliance both internally and externally.

  • Education

For Grewal, it is important that compliance teams “educate [them]selves about the law and external developments relevant to [their] business, particularly emerging and heightened risk areas”. Emerging areas of risk include widescale changes like cryptocurrency, the growth of Artificial Intelligence, and fast-changing communications channels. Grewal also sees the SEC and other regulators contributing to this education by “publicizing the cost of noncompliance” through enforcement actions, enabling CCOs and compliance teams to educate their organization and clients that “proactive compliance is cheaper and better for business than facing a potential enforcement action”.

  • Engagement

Grewal also sees a need for compliance teams to engage with personnel across their organizations to learn about their “activities, strategies, risks” and financial actions. This presents an opportunity to understand where potential risks to compliant operations could stem from – knowing what emerging communications channels teams are adopting so they can be monitored, for example – and to understand if there are any cultural barriers that need to be overcome to build effective compliance. Engaging with teams, and them feeling listened to and ‘seen’, is an effective way of gaining buy-in from staff and fostering compliance from the ground up, as well as ‘from the top down’.

  • Execution

Third and final for Grewal (and arguably most important) is effective execution of compliance strategy and policies. “We see firms that have good policies, but fall short on implementation”, he explains, and the example he draws on is a good one: the SEC’s ongoing campaign against off-channel communications and lapses in recordkeeping requirements. He summarizes that:

“In every case, the firms had policies and procedures in place, but employees nevertheless communicated through unapproved methods. That is because there was widespread failure in implementing those policies … [and] the individuals charged with supervising employees to prevent this misconduct were themselves violating the procedures.”

While it is true that having policies and procedures is a step towards effective compliance, if they are not being executed (or are being executed improperly), the result is the same: non-compliance. And having a policy written down, but not enacted, won’t cut it with the regulators when they come calling.

Grewal’s address shows that the SEC is broadly sympathetic to the challenges compliance teams face ensuring their organizations play by the rules. By providing inarguable clarity on when – and why – compliance teams might face regulatory action, Grewal is setting out those rules as fairly and plainly as possible. While the key to fostering compliance might lie in the three E’s of education, engagement, and execution, it will never be easy. But, with the right tools, policies, awareness, and partnerships in place, a “culture of proactive compliance” can certainly exist.

Integral to creating a ‘culture of proactive compliance’ is knowing – and being able to evidence – internal and external communications. Being able to see what employees are saying, when they’re saying it, and who they are saying it to, is vital in being able to spot bad actors and human error, and to take action before it becomes an issue for the regulators. A solid surveillance solution is becoming a regulatory expectation – and finding the right partner can make all the difference to your education, engagement, execution, and effectiveness.