In a speech on October 24, 2023, the director of the Securities and Exchange Commission’s (SEC’s) Enforcement Division, Gurbir Grewal, described the scenarios in which the commission would bring an enforcement action against a compliance officer.
In remarks to the New York City Bar Association Compliance Institute, Grewal emphasized that enforcement actions against compliance officers are “exceedingly rare” because the commission has “no interest” in pursuing actions against compliance personnel who act reasonably or in good faith. He explained, however, that the Enforcement Division may recommend that the commission charge a compliance officer when the individual:
- Affirmatively engages in misconduct unrelated to their compliance function.
- Purposely misleads regulators.
- Entirely fails to carry out their compliance responsibilities.
The first and second categories are relatively non-controversial. The third category — compliance officers who allegedly have not done enough to prevent violations by others in the organization — has been the subject of considerable discussion and uncertainty, however, particularly given that the SEC has not provided formal guidance as to how it will evaluate a compliance officer’s conduct in such situations.
Affirmative Misconduct Unrelated to Compliance Duties
Grewal said the Enforcement Division will recommend charges against compliance officers who violate the securities laws in ways that are unrelated to their compliance responsibilities. These are “easy” cases, he said, in which officers willfully violate securities laws and thus must be “held accountable just like anyone else.” Grewal pointed to a case in which the SEC charged a chief compliance officer (CCO) of an international payment processing company with insider trading after he allegedly traded based on nonpublic information he secretly obtained from his girlfriend.
Purposely Misleading Regulators
Grewal also said the Enforcement Division will charge compliance officers who mislead or provide false information to regulators. Here, Grewal stressed that these cases do not involve the SEC second-guessing good faith judgment calls. Instead, the focus is on deliberate conduct by the officer that was intended to undermine the commission’s ability to exercise its oversight functions.
As an example, Grewal mentioned a case in which the SEC charged a CCO with aiding and abetting for, among other things, providing factually inaccurate compliance review memos to the commission. This conduct also resulted in a suspension under Rule 102(e) of the SEC’s Rules of Practice, barring the CCO from appearing or practicing before the commission in her capacity as a lawyer.
Failure To Carry Out Compliance Obligations
Finally, Grewal said the Enforcement Division may charge a compliance officer when the SEC believes he or she has completely failed to exercise their compliance responsibilities in a particular area, where the officer is aware of deficiencies in their organization’s compliance policies and procedures and fails to take appropriate remedial actions or conduct basic inquiry and analysis.
Grewal noted, as an example, the case of a national partner in a large accounting firm who, while not a CCO, was responsible for quality controls across the firm’s assurance practice, including those relevant to compliance with Public Company Accounting Oversight Board (PCAOB) quality control and audit standards. The respondent allegedly failed to take reasonable measures to remediate deficiencies in the firm’s quality control system despite knowing about them for years.
In another action fitting this category, the SEC charged the CCO of an investment advisory firm for, among other things, failing to take appropriate corrective actions for more than two years after the commission issued an order finding that the firm had violated the “custody rule.”
Compliance officers, as well as other officers of an organization who may be viewed as having responsibility for ensuring compliance with the securities laws, should stay up to date on and understand the federal securities laws, and take reasonable steps to ensure that they and their organizations comply with them. As Grewal noted, the SEC encourages organizations to create a “culture of proactive compliance.”
In that spirit, and to ensure that they are not viewed in hindsight as having failed to carry out their obligations, compliance officers should:
- Take steps to ensure that their organizations adopt and implement reasonable compliance policies and procedures, and that all aspects of the organization’s operations (including actual and potential conflicts of interest, trading practices, marketing, disclosures, advisory fees and valuation, safeguarding of client privacy and client assets, and portfolio management) are considered in formulating those policies and procedures.
- Take steps to ensure that compliance programs are adequately staffed and resourced.
- Consider and address elevated risks of conflict of interest for compliance officers who wear multiple hats and whose activities may often fall outside the purview of traditional compliance work, such as compliance officers who also hold roles of general counsel, chief financial officer or chief investment officer.
- Periodically review compliance policies and procedures, and educate internal staff regarding them.
- If any internal deficiencies become apparent, act as promptly as possible to remediate them.
- Maintain a robust record-keeping system, reflecting periodic review and testing of key elements of the organization’s compliance program and thorough and prompt remediation of any compliance deficiencies identified.
This post comes to us from Skadden, Arps, Slate, Meagher & Flom LLP. It is based on the firm’s memorandum, “SEC Enforcement Division Director Clarifies Approach to Compliance Officer Liability,” dated October 30, 2023.