Columbia Law School

SEC Enforcement Chief Speaks on Corporate Compliance

I’d like to start by returning to a theme that I’ve touched on before, and that is how public trust in our institutions is faltering.[1] No sector is immune from this trend. From Congress to law enforcement to the courts, these levels are at, or below, historic lows.[2] Studies also show that only a small percentage of Americans have any significant level of confidence in banks, technology companies, or big business.[3]

Regardless of whether you are a regulator, financial professional, or an attorney who counsels large entities, you should all be concerned. This decline in trust is bad for everyone. It undermines the investor confidence needed for the fair, efficient, and orderly operation of our markets and for capital formation.

It is simple really. If the public doesn’t think the system is fair, at a minimum, they are not going to invest their hard-earned money. This hurts all those companies, professionals, and other market participants who are playing by the rules and doing the right thing.

Each day, however, the dedicated Enforcement Division staff work tirelessly to enhance that trust, by bringing impactful enforcement actions and meaningful relief to investors. While we have not yet released our 2023 fiscal year-end numbers, I can give you a sneak preview: we had another incredibly productive year on behalf of the investing public.

But it is clear that we cannot reverse those trends and enhance Americans’ trust in our financial institutions through our efforts alone. We need your help to do so. We need to work together to create what I call a culture of proactive compliance.

In many ways, it’s each of you – the compliance professionals, consultants, attorneys, accountants, and others in this space – that serve as the first lines of defense against misconduct.[4]

You are the ones that can work with firms to implement effective policies and procedures to ensure that those firms comply with their legal obligations on the front end, so that, instead of reading about compliance failures, the public understands that organizations like yours are proactively doing what they can to be compliant.

This is by no means easy work. Creating a culture of proactive compliance requires three things: education, engagement, and execution.

First, it requires you to educate yourselves about the law and external developments relevant to your business, particularly emerging and heightened risk areas.

When we recommend a new enforcement action, we put a lot of thought into making sure that our charging documents, whether settled or litigated, clearly telegraph the basis of the misconduct to industry participants.

So when a new action, examination priority,[5] or Commission rule is relevant to your company, you should digest it and examine which segments of your company have exposure to the same or similar issues.

Let me give you an example.

The SEC’s Whistleblower Program is a critical part of our enforcement efforts. Each year we receive thousands of whistleblower tips, and throughout the history of the program those tips have resulted in billions in monetary recovery, a significant portion of which has been returned to harmed investors, and some of which has funded whistleblower awards.[6]

The Dodd-Frank whistleblower protection rule – Rule 21F-17 – is important to the program’s success. It prohibits entities from taking actions that impede employees from reporting possible securities law violations to the SEC.

This past fiscal year, the Commission brought a number of actions charging firms for using employment agreements that expressly violated the plain language of the rule in various ways, including by:

  • requiring employees to attest that they had not filed a complaint against the company with any federal agency;[7] or
  • requiring employees to waive their rights to financial whistleblower awards;[8] or
  • requiring departing former employees to provide notice to the company if they received a request for information from the Commission’s staff.[9]

The penalties in these cases included $10 million against the investment firm, D.E. Shaw.[10] That is the highest penalty on record for a standalone violation of the rule.

Our message through these actions and orders could not be more clear: we take compliance with Rule 21F-17 very seriously, and so should each of you who work in a compliance function or advise companies.

You need to look at these orders and the violative language cited by the Commission and think about how those actions may impact your firms. And if they do, then take the steps necessary to effect compliance.

Another goal of our detailed charging documents is to empower you in the compliance function by publicizing the cost of noncompliance, allowing you to advise your management or clients that proactive compliance is cheaper and better for business than facing a potential enforcement action.

And that leads me to engagement. Proactive compliance also requires you to really engage with personnel inside your company’s different business units and to learn about their activities, strategies, risks, financial incentives, counterparties, and sources of revenues and profits.

You may come across aspects of your firm’s business that you do not completely understand. That’s not an excuse to punt. Take whatever steps are necessary to learn and understand the issues.

Those of you who work in the compliance function are leaders inside your organization and through proactive internal engagement you will be better prepared to discharge your duties. This understanding is critical to designing and adopting meaningful policies and procedures.

In our 21F-17 example, it means working with your firm’s human resource and legal functions to make sure that your employment agreements and policies are up-to-date and not in violation of that rule.

But none of this can be a one-time thing. Your businesses and operations change, risk areas change, and enforcement priorities change. There is also new Commission rulemaking. So education and engagement always need to be a continuing, ongoing effort.

Finally, adopting meaningful policies and procedures is only part of the battle. Effective execution is equally important.

Time and again, we see firms that have good policies, but fall short on implementation.

Our ongoing off-channel communications sweep to ensure that regulated entities, including broker-dealers and investment advisers, comply with their recordkeeping requirements is a good example.

Since December 2021, it has resulted in charges against 40 firms and over $1.5 billion in civil penalties for failures to maintain and preserve electronic communications.[11]

As the orders in these actions describe, in every case, the firms had policies and procedures in place, but employees nevertheless communicated through unapproved methods. That is because there was widespread failure in implementing those policies. In fact, as detailed in all the orders, the individuals charged with supervising employees to prevent this misconduct were themselves violating the procedures.

What these actions make clear is that adopting the policies is just the first step, not the last. Through leadership, training, constant oversight and the right tone at the top, you need to ensure that the policies are actually implemented and followed.

That’s what proactive compliance requires.

And if despite all of your efforts, you do detect a securities law violation, the best thing to do would be to self-report and cooperate. Because, even as we emphasize robust penalties, we have also aggressively rewarded meaningful cooperation, most notably by recommending that the Commission impose substantially reduced penalties—or even no penalties at all. We did this frequently this past fiscal year.[12]

The Commission’s public orders describe the kinds of steps that companies took to obtain this type of cooperation credit. For example, in our off-channel communications sweep, the penalties the Commission has ordered have, as I think all in this room would agree, been high – record penalties, in fact, for books and records violations. But one recent order was not like any of the others. It detailed Perella Weinberg’s self-report and cooperation.[13] In that case, the Commission ordered a $2.5 million penalty – a very substantial reduction from the penalties imposed on other broker-dealers and advisers.

Other types of behaviors that have resulted in reduced or zero penalties have included:

  • preemptively remediating and ceasing the unlawful behavior;
  • proactively providing compensation to victims;
  • providing detailed financial analyses, explanations, and summaries of factual issues to the staff;
  • proactively identifying key documents and witnesses that the staff has not yet identified; and
  • facilitating interviews of former employees.

These orders should aid each of you who are counseling companies and individuals deciding between coming forward or sitting back and taking the chance – gamble, really – that we do not discover the violation or that a whistleblower does not report it.

Let me conclude by addressing the proverbial elephant that shows up in any room where a regulator like me is speaking to those working in compliance: when does the Enforcement Division recommend charges against a compliance officer?

The short answer is that we do not second-guess good faith judgments of compliance personnel made after reasonable inquiry and analysis.[14] That is why such actions are rare.

There are really three situations where the Commission typically brings enforcement actions against compliance personnel:[15]

  • where compliance personnel affirmatively participated in misconduct unrelated to the compliance function;
  • where they misled regulators; and
  • where there was a wholesale failure by them to carry out their compliance responsibilities.

The first category is easy: being a member of the compliance function is not a “get-out-of-jail” card, so when compliance officers violate the securities laws in ways that have nothing to do with exercising their compliance responsibilities, they are held accountable just like anyone else.

Here is one example. In June, the SEC charged the chief compliance officer of an international payment processing company with insider trading, alleging that he traded based on material nonpublic information that he surreptitiously obtained from his girlfriend’s laptop about upcoming mergers and acquisitions in which her employer was involved.[16] He then allegedly traded on that information and tipped it to his friends, who also traded.

The second category involves cases where a compliance officer obstructs or misleads the Commission’s staff or provides false information to regulators.

For example, the SEC charged a CCO with aiding and abetting and causing a firm’s books and records violation when she provided backdated and factually inaccurate compliance review memos to the SEC, falsely claiming that she created the memos contemporaneously with the reviews.[17]

In a similar case, the SEC charged a CCO with aiding and abetting a firm’s policies and procedures violations when she provided SEC staff compliance reports that she had falsified to give the misleading appearance that she had timely prepared the reports, when she, in fact, had not.[18]

These cases do not involve the SEC second-guessing good faith judgment calls; they involve deliberate conduct by the CCO intended to thwart the SEC’s ability to exercise effective oversight of the compliance function.

The third category involves wholesale failures by compliance personnel to fulfill their obligations.

Last month, for example, the Commission charged a partner at Marcum LLP, a public accounting firm, with failing to sufficiently address and timely remediate numerous deficiencies in Marcum’s quality control system.[19]

While not a CCO, the partner oversaw the firm’s quality control policies and procedures, and supervised all personnel working within Marcum’s quality control function.

According to the SEC’s order, for several years, the partner knew that the PCAOB had identified various deficiencies in that function and that Marcum’s own inspections had also revealed several deficiencies. Yet, he failed to address them, leading to various compliance failures in the firm. The partner agreed to pay a $75,000 civil penalty to resolve the case and was ordered to have no leadership role at an accounting firm for three years.

In another example from this past fiscal year, the Commission charged the CCO of a registered investment adviser who was responsible for implementing and adopting the firm’s compliance policies and procedures.[20]

For at least 10 years, instead of adopting policies and procedures that actually related to the firm’s business or even the federal securities laws, the firm adopted a handbook published by a professional trade organization containing standards of practice for candidates preparing for that organization’s examinations. The firm did not tailor the handbook to its actual business. In fact, the handbook did not even mention the applicable federal securities laws. On top of that, the firm also did not conduct any compliance training or annual reviews of its program.

In simple terms, in these cases, there was no education, no engagement and no execution. Rather, there were wholesale failures to carry out compliance responsibilities and to conduct even basic inquiry and analysis.

But cases like these are rare. The Commission has filed well over 1,000 standalone cases since I became Enforcement Director and only a handful have involved charges against compliance officers.

As I have said, we have no interest in pursuing enforcement actions against compliance personnel who undertake their responsibilities in good faith and based on reasonable inquiry and analysis.

We fully recognize that this is challenging work, but there is a way to meet those challenges and it requires, as I have detailed: education, engagement and execution.

Thank you again to the New York City Bar Association for the invitation to address you today.

I look forward to working with each of you towards our shared goal of fostering a culture of proactive compliance, so we can, together, enhance public trust and confidence in our markets and institutions.

And thank you all again for your efforts.

ENDNOTES

[1] See, e.g., Gurbir S. Grewal, Dir., Div. of Enforcement, U.S. Sec. & Exch. Comm’n, Remarks at SEC Speaks (Oct. 13, 2021), available at www.sec.gov/news/speech/grewal-sec-speaks-101321.

[2] Id.

[3] See, e.g., Gallup Historical Trends, “Confidence in Institutions,” available at https://news.gallup.com/poll/1597/confidence-institutions.aspx.

[4] As officials across the SEC have long recognized, compliance professionals play an important role within our regulatory framework. See, e.g., Peter B. Driscoll, Dir., Div. of Office of Compliance Inspections and Examinations, U.S. Sec. & Exch. Comm’n, Opening Remarks at National Investment Adviser/Investment Company Compliance Outreach 2020 (Nov. 19, 2020), available at www.sec.gov/news/speech/driscoll-role-cco-2020-11-19; Hester M. Peirce, Comm’r, U.S. Sec. & Exch. Comm’n, NSCP Remarks I (Oct. 30, 2018), available at www.sec.gov/news/speech/speech-peirce-103018; Andrew Ceresney, Dir., Div. of Enforcement, U.S. Sec. & Exch. Comm’n, 2015 National Society of Compliance Professionals, National Conference: Keynote Address (Nov. 4, 2015), available at www.sec.gov/news/speech/keynote-address-2015-national-society-compliance-prof-cereseney; Chair Mary Jo White, Remarks at National Society of Compliance Professionals National Membership Meeting (Oct. 22, 2013), available at www.sec.gov/News/Speech/Detail/Speech/1370539960588.

[5] See Div. of Examinations, U.S. Sec. & Exch. Comm’n, 2024 Examination Priorities, available at www.sec.gov/files/2024-exam-priorities.pdf.

[6] See, e.g., Securities and Exchange Commission, “SEC Whistleblower Office Announces Results for FY 2022” (Nov. 15, 2022), available at www.sec.gov/files/2022_ow_ar.pdf.

[7] Securities and Exchange Commission, “SEC Charges D. E. Shaw with Violating Whistleblower Protection Rule” (Sept. 19, 2023), available at www.sec.gov/news/press-release/2023-213; Securities and Exchange Commission, “SEC Charges CBRE, Inc. with Violating Whistleblower Protection Rule” (Sept. 19, 2023), available at www.sec.gov/news/press-release/2023-184.

[8] Securities and Exchange Commission, “SEC Charges Privately Held Monolith Resources for Using Separation Agreements that Violated Whistleblower Protection Rules” (Sept. 8, 2023), available at www.sec.gov/news/press-release/2023-172.

[9] Securities and Exchange Commission, “Activision Blizzard to Pay $35 Million for Failing to Maintain Disclosure Controls Related to Complaints of Workplace Misconduct and Violating Whistleblower Protection Rule” (Feb. 3, 2023), available at www.sec.gov/news/press-release/2023-22.

[10] Securities and Exchange Commission, “SEC Charges D. E. Shaw with Violating Whistleblower Protection Rule” (Sept. 19, 2023), available at www.sec.gov/news/press-release/2023-213 ($10 million civil penalty).

[11] Securities and Exchange Commission, “SEC Charges 10 Firms with Widespread Recordkeeping Failures” (Sept. 29, 2023), available at www.sec.gov/news/press-release/2023-212; Securities and Exchange Commission, “SEC Charges 11 Wall Street Firms with Widespread Recordkeeping Failures” (Aug. 8, 2023), available at www.sec.gov/news/press-release/2023-149; Securities and Exchange Commission, “SEC Charges HSBC and Scotia Capital with Widespread Recordkeeping Failures” (May 11, 2023), available at www.sec.gov/news/press-release/2023-91; Securities and Exchange Commission, “SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures” (Sept. 27, 2022), available at www.sec.gov/news/press-release/2022-174; Securities and Exchange Commission, “JPMorgan Admits to Widespread Recordkeeping Failures and Agrees to Pay $125 Million Penalty to Resolve SEC Charges” (Dec. 17, 2021), available at www.sec.gov/news/press-release/2021-262.

[12] See, e.g., Securities and Exchange Commission, “SEC Charges 10 Firms with Widespread Recordkeeping Failures” (Sept. 29, 2023), available at www.sec.gov/news/press-release/2023-212 (Perella Weinberg Capital); Securities and Exchange Commission, “SEC Charges CBRE, Inc. with Violating Whistleblower Protection Rule” (Sept. 19, 2023), available at www.sec.gov/news/press-release/2023-184; Securities and Exchange Commission, “SEC Charges Privately Held Monolith Resources for Using Separation Agreements that Violated Whistleblower Protection Rules” (Sept. 8, 2023), available at www.sec.gov/news/press-release/2023-172; Securities and Exchange Commission, “Linus Financial Agrees to Settle SEC Charges of Unregistered Offer and Sale of Securities” (Sept. 7, 2023), available at www.sec.gov/news/press-release/2023-171; Securities and Exchange Commission, “SEC Charges ‘Smart’ Window Manufacturer, View Inc., with Failing to Disclose $28 Million Liability” (July 3, 2023), available at www.sec.gov/news/press-release/2023-126; Securities and Exchange Commission, “SEC Charges Stanley Black & Decker and Former Executive for Failures in Executive Perks Disclosure” (June 30, 2023), available at www.sec.gov/news/press-release/2023-111; Securities and Exchange Commission, “SEC Charges McDonald’s Former CEO for Misrepresentations About His Termination” (Jan. 9, 2023), available at www.sec.gov/news/press-release/2023-4; Securities and Exchange Commission, “SEC Charges Canadian Cannabis Company and Former Senior Executive with Accounting Fraud” (Oct. 24, 2022), available at www.sec.gov/news/press-release/2022-191.

[13] In the Matter of Perella Weinberg Partners LP, et al., Admin. Proc. File No. 3-21769 (Sept. 29, 2023), available at www.sec.gov/files/litigation/admin/2023/34-98632.pdf.

[14] See, e.g., Andrew Ceresney, Dir., Div. of Enforcement, U.S. Sec. & Exch. Comm’n, 2015 National Society of Compliance Professionals, National Conference: Keynote Address (Nov. 4, 2015), available at www.sec.gov/news/speech/keynote-address-2015-national-society-compliance-prof-cereseney; Chair Mary Jo White, Remarks at National Society of Compliance Professionals National Membership Meeting (Oct. 22, 2013), available at www.sec.gov/News/Speech/Detail/Speech/1370539960588; see also In the Matter of the Application of Thaddeus J. North, Admin. Proc. File No. 3-17909 (Oct. 29, 2018) (Commission Opinion) (collecting Commission decisions) (“These decisions reflect the principle that, in general, good faith judgments of CCOs made after reasonable inquiry and analysis should not be second guessed.”), available at www.sec.gov/files/litigation/opinions/2018/34-84500.pdf, aff’d sub nom. North v. S.E.C., 829 Fed. App’x 729, 730 (D.C. Cir. Oct. 23, 2020).

[15] See, e.g., Andrew Ceresney, Dir., Div. of Enforcement, U.S. Sec. & Exch. Comm’n, Keynote Address at Compliance Week 2014 (May 20, 2014), available at www.sec.gov/news/speech/2014-spch052014ajc.

[16] Securities and Exchange Commission, “SEC Charges Stockbroker and Friend with Insider Trading” (June 29, 2023), available at www.sec.gov/news/press-release/2023-124.

[17] In the Matter of Meredith A. Simmons, Admin. Proc. File No. 3-20114 (Sept. 30, 2020), available at www.sec.gov/files/litigation/admin/2020/34-90061.pdf.

[18] In the Matter of Gilder Gagnon Howe & Co. LLC, et al., Admin. Proc. File No. 3-20014 (Sept. 17, 2020), available at www.sec.gov/files/litigation/admin/2020/ia-5582.pdf.

[19] Securities and Exchange Commission, “SEC Charges National Office Partner at Marcum for Causing Widespread Quality Control Deficiencies” (Sept. 12, 2023), available at www.sec.gov/news/press-release/2023-174.

[20] In the Matter of Two Point Capital Management, Inc., and John McGowan, Admin. Proc. File No. 3-21249 (Dec. 5, 2022), available at www.sec.gov/files/litigation/admin/2022/ia-6199.pdf.

These remarks were delivered on October 25, 2023, by Gurbir Grewal, director of the Division of Enforcement at the U.S. Securities and Exchange Commission, before the New York City Bar Association Compliance Institute.