In October 24 remarks to the New York City Bar Association Compliance Institute, SEC Enforcement Director Gurbir Grewal commented on three aspects of compliance violation enforcement, including the scope of chief compliance officer (CCO) liability.
Whistleblower Restraints
Grewal emphasized that the SEC will continue to bring enforcement actions under the Dodd–Frank whistleblower protection rule (Exchange Act Rule 21F-17) against firms for using language in their employment and separation agreements that require employees to:
- Attest that they have not filed a complaint against the employing firm with any federal agency.
- Waive the employee’s rights to financial whistleblower awards.
- Provide notice to the employing firm if they receive a request for information from the SEC staff after they depart the firm.
Past enforcement actions under Rule 21F-17 (including for stand-alone violations of the Rule) should also be reviewed for guidance on potentially violative language.
Self-Reporting and Cooperation
Ensuring that policies and procedures are compliant is only part of the task. The more difficult part is execution. And even if a policy or procedure goes beyond what is required by rules or regulations, once it is included in a firm’s compliance manual, it must be followed. Grewal stressed that if a violation is discovered by a firm, the best course of action is to self-report and cooperate with the SEC.
Proactive behavior will not typically insulate a firm from an SEC enforcement action but may result in reduced penalties. Grewal noted specific instances when the SEC imposed “substantially reduced penalties” because of a firm’s “meaningful cooperation,” including:
- preemptively remediating and ceasing the unlawful behavior;
- proactively providing compensation to victims;
- providing detailed financial analyses, explanations, and summaries of factual issues to the staff;
- proactively identifying key documents and witnesses that the staff has not yet identified; and
- facilitating interviews of former employees.
Compliance Officer Liability
As an initial matter, Grewal confirmed what has long been true of CCO exposure: “we do not second-guess good faith judgments of compliance personnel made after reasonable inquiry and analysis.” He also noted that, of the well over 1,000 enforcement cases filed by the SEC during his tenure, only a handful have directly implicated compliance officers. CCO exposure is limited largely to:
- Affirmative participation in misconduct unrelated to the compliance function.
- Misleading regulators.
- A “wholesale failure” by compliance personnel to carry out their compliance responsibilities.
The first two scenarios are self-evident, and the enforcement actions cited by Grewal as being illustrative of a “wholesale” compliance failure involved sustained and egregious departures.
Takeaways
Grewal’s comments reaffirm that compliance officials who make reasoned and informed judgments will not be subjected to enforcement, that self-disclosure and cooperation will continue to be rewarded, and that restraints on whistleblowing activity are a third rail.