Advisories October 27, 2023

Investment Funds / White Collar, Government & Internal Investigations Advisory: SEC Enforcement Director Clarifies Compliance Violation and CCO Liability

Executive Summary
Minute Read

Our Investment Funds and White Collar Teams interpret how the Securities and Exchange Commission approaches its enforcement in three aspects: whistleblower restraints, self-reporting and cooperation, and compliance officer liability.

  • The SEC will continue to bring enforcement actions under Rule 21F-17
  • Self-reporting may not insulate a firm from enforcement, but it could reduce the penalty
  • Only a handful of enforcement cases have directly implicated chief compliance officers

In October 24 remarks to the New York City Bar Association Compliance Institute, SEC Enforcement Director Gurbir Grewal commented on three aspects of compliance violation enforcement, including the scope of chief compliance officer (CCO) liability. 

Whistleblower Restraints

Grewal emphasized that the SEC will continue to bring enforcement actions under the Dodd–Frank whistleblower protection rule (Exchange Act Rule 21F-17) against firms for using language in their employment and separation agreements that require employees to: 

  • Attest that they have not filed a complaint against the employing firm with any federal agency.
  • Waive the employee’s rights to financial whistleblower awards.
  • Provide notice to the employing firm if they receive a request for information from the SEC staff after they depart the firm. 

Past enforcement actions under Rule 21F-17 (including for stand-alone violations of the Rule) should also be reviewed for guidance on potentially violative language.

Self-Reporting and Cooperation

Ensuring that policies and procedures are compliant is only part of the task. The more difficult part is execution. And even if a policy or procedure goes beyond what is required by rules or regulations, once it is included in a firm’s compliance manual, it must be followed. Grewal stressed that if a violation is discovered by a firm, the best course of action is to self-report and cooperate with the SEC. 

Proactive behavior will not typically insulate a firm from an SEC enforcement action but may result in reduced penalties. Grewal noted specific instances when the SEC imposed “substantially reduced penalties” because of a firm’s “meaningful cooperation,” including:

  • preemptively remediating and ceasing the unlawful behavior;
  • proactively providing compensation to victims;
  • providing detailed financial analyses, explanations, and summaries of factual issues to the staff;
  • proactively identifying key documents and witnesses that the staff has not yet identified; and
  • facilitating interviews of former employees.

Compliance Officer Liability

As an initial matter, Grewal confirmed what has long been true of CCO exposure: “we do not second-guess good faith judgments of compliance personnel made after reasonable inquiry and analysis.” He also noted that, of the well over 1,000 enforcement cases filed by the SEC during his tenure, only a handful have directly implicated compliance officers. CCO exposure is limited largely to:

  • Affirmative participation in misconduct unrelated to the compliance function.
  • Misleading regulators.
  • A “wholesale failure” by compliance personnel to carry out their compliance responsibilities.

The first two scenarios are self-evident, and the enforcement actions cited by Grewal as being illustrative of a “wholesale” compliance failure involved sustained and egregious departures.


Grewal’s comments reaffirm that compliance officials who make reasoned and informed judgments will not be subjected to enforcement, that self-disclosure and cooperation will continue to be rewarded, and that restraints on whistleblowing activity are a third rail.

Media Contact
Alex Wolfe
Communications Director

This website uses cookies to improve functionality and performance. For more information, see our Privacy Statement. Additional details for California consumers can be found here.