CCO Enforcement Actions the “Rare” Exception—Not the Rule: Additional Details From SEC’s Enforcement Division

On October 24, 2023, Gurbir S. Grewal, Director of the U.S. Securities and Exchange Commission’s (“SEC”) Division of Enforcement, provided a preview of the agency’s enforcement outlook against Chief Compliance Officers (“CCO”) in the upcoming year.  His remarks highlight the continued importance of compliance programs (and continued focus on the part of regulators on those programs), but also make clear that SEC enforcement actions targeting behavior on the part of CCOs will continue to be rare.

Speaking at the New York City Bar Association’s Compliance Institute, Grewal said, “The short answer is that we do not second-guess good faith judgments of compliance personnel made after reasonable inquiry and analysis.  That is why such actions are rare.”  Grewal emphasized that, in the more than 1,000 enforcement cases initiated by the Commission since 2021, he “can probably count on one hand the number that involve compliance officers.”

Grewal provided the three instances when enforcement actions against compliance personnel—and, as experience shows, principally CCOs—will typically be brought.  Those rare situations occur when they:

1. Affirmatively participate in misconduct unrelated to the compliance function;
2. Mislead regulators; and/or
3. Wholly fail to carry out their compliance responsibilities and conduct basic inquiries and analysis.

For the first instance, Grewal explained that CCOs would not be treated any differently from other similarly situated individuals simply by virtue of their role, and “being a member of the compliance function is not a ‘get-out-of-jail’ card.”  The Commission will hold a CCO accountable for securities violations unrelated to that officer’s responsibilities in the company.

In the second instance, Grewal noted that the Commission will pursue enforcement actions against CCOs when they deliberately thwart, obstruct, or mislead the Commission’s staff in exercising effective oversight and regulation. 

Regarding the third instance, Grewal provided examples of “wholesale failure[s]” subject to SEC action.  He referenced one example when the SEC charged a partner at a public accounting firm with failing to sufficient in the firm’s quality control system.[1] He noted another example when the SEC charged the CCO of a registered investment advisor based on his company’s failure to, among other things, adopt and implement “reasonably designed compliance policies and procedures” or “conduct annual reviews of its compliance program.”[2]

To avoid liability, Grewal encouraged compliance officers and their companies to create a culture of proactive compliance by enacting the 3 E’s: education, engagement, and execution.

• Education: Whenever a new Commission action, priority, or rule is relevant to the company, compliance officers should take the time to digest it, examine it, and understand how it may impact their company. Grewal cited the SEC’s Whistleblower Program as an example of a new policy that compliance officers should study to ensure their own policies align with SEC rules to protect whistleblowers.
• Engagement: Compliance officers should take the necessary steps to learn and understand the relevant issues across different business units within their organizations. Compliance officers should continuously remain alert of how their businesses, operations and risk areas, change over time, and how those intersect with the Commission’s stated enforcement priorities and new rulemaking.
• Execution: Compliance officers should advocate for active leadership, training, and constant oversight to ensure that policies are being implemented and carried out effectively within their companies. A company having compliance policies and procedures in place is not enough.  Those policies and procedures must be coupled with effective implementation and enforcement.

Finally, should a company detect a securities law violation, Grewal urged those companies to self-report and cooperate.  Although the Commission issued robust penalties to violators this year, it also “aggressively rewarded” those companies that self-reported and cooperated, imposing substantially reduced penalties, or no penalties at all.   

Key Takeaways

Grewal’s remarks stand as a reminder to companies and their compliance professionals, including CCOs, to maintain an adequate compliance program as a way to mitigate prospective enforcement risk.  His remarks also underscore the importance of compliance officers ensuring that their companies’ policies are current, sufficiently address known areas of SEC concern, and continuously examine potential areas for improvement.  Companies and their compliance functions should maintain an audit trial of these efforts in the event of any downstream scrutiny.  Moreover, companies should meaningfully cooperate with the SEC when necessary to reduce exposure.^[3]

We would like to thank Ahnna Chu, Senior Law Clerk, for her contribution to this alert.