The head of enforcement at the Securities and Exchange Commission has been on a bit of a publicity tour this week, making several speeches about the importance of strong compliance functions, enforcement measures such as monetary penalties and “compliance consultants,” and other issues dear to compliance professionals’ hearts.
Most notably, enforcement chief Gurbir Grewal spoke Wednesday about the need for companies to self-report violations of SEC rules, even though some cynics out there might look at specific SEC enforcement actions and wonder whether self-reporting is worth it.
“I think the Commission, more so than ever before, has been clear in the types of behaviors that have resulted in zero penalties or reduced penalties,” Grewal said while speaking at Securities Enforcement Forum 2023 in Washington, D.C. “If you look through those [enforcement actions], they provide a lot of clarity. They help you when you’re having those difficult questions with your clients about whether you should self-report.”
The SEC does have a set of policies to guide its staff attorneys when deciding appropriate punishment for corporate offenders: the Seaboard Report, originally published in 2001. It lists all the factors compliance officers have come to expect over the years, such as voluntary self-disclosure, cooperation in any ensuing investigation, and remediation of underlying control weaknesses.
Except, Grewal stressed, hitting those three basic criteria does not automatically exonerate a company from all penalties. “It’s not an all-or-nothing type of calculus,” he said, since facts and levels of cooperation will differ from one company to the next. “That’s why we see a spread between penalties that are zero or reduced, or in some cases there’s no reduction despite cooperation.”
He then pointed to the SEC’s crackdown on improper use of messaging apps as an example. At last count the agency has now sanctioned at least 40 financial firms for employees’ use of “off-channel communications” that don’t store business records as required by law. Penalties have varied wildly from one firm to another, depending on who in the firm was using improper apps, how the firm responded, and other facts specific to each case.
“The penalties certainly have been on the higher end for these types of violations,” Grewal said — but he also pointed to the specific case of broker-dealer Perella Weinberg. Perella self-reported and cooperated, he noted, and the firm received a $2.5 million penalty. That was a far cry from other violators, who ended up with penalties in the tens or even hundreds of millions.
Independent Compliance Consultants
Grewal also talked about the agency’s use of “independent compliance consultants” as part of SEC settlements. Lots of people (myself included) view these consultants as the SEC’s version of the compliance monitors we routinely see in Justice Department corporate resolutions. Grewal, however, tried to argue that “ICCs” and monitors don’t quite serve the same function.
Monitors, he said, are assigned to a company after it resolves a case, and they are used to — you guessed it — monitor the company’s compliance with the terms of the resolution, and then report back to the Justice Department on the state of that compliance.
In contrast, ICCs are assigned to help a company with future work to improve the compliance program. That is, the compliance consultant reviews the state of the company’s compliance program and makes recommendations for improvement — although, to be clear, a company doesn’t have much discretion not to implement those recommendations.
“We’re making sure the company is operating in a certain way, and the ICC is working with that entity to effect that compliance. They’re not necessarily reporting back to us like a monitor would be,” he said.
OK, but the word “necessarily” is doing a lot of work in that last sentence from Grewal, because I’ve seen numerous instances where the consultant does end up reporting back to the SEC. For example, when JPMorgan settled a case over improper messaging apps back in 2021, a compliance consultant was part of the deal. That consultant had to write annual progress reports about how JPMorgan was improving its compliance program, and copies of those reports were sent to the SEC.
So I remain unclear on how different ICCs and compliance monitors are in practice.
More practically, the Justice Department has published fairly extensive guidance about when it might impose a compliance monitor. Will we ever see similar guidance from the SEC? Grewal never expressly said no, but he did encourage the audience to look at prior enforcement orders to get a sense of when ICCs might be imposed. Which is enforcement-speak for no.
CCO Liability: Still Not a Thing
Separately, Grewal gave another speech on Tuesday to the New York City Bar Association’s 2023 compliance institute. This event tends to attract compliance officers from financial firms, whose concerns are somewhat different from those of compliance officers in non-financial sectors — including lots of worry about CCO liability for compliance failures, thanks to imprecise language in the Investment Company Act about the CCO’s role in administering a compliance program.
Grewal, like so many regulators before him, stressed that compliance officers will only face enforcement under three scenarios:
- Where compliance personnel affirmatively participated in misconduct unrelated to the compliance function;
- Where compliance officers misled regulators; and
- Where there was a wholesale failure by the compliance officer to carry out his or her compliance responsibilities.
I have no sympathy for compliance officers who violate either of the first two bullet points above; if you’re committing misconduct or lying about it, you deserve to face the consequences of those choices.
Even that third bullet point doesn’t lead me to worry all that much about compliance officers. You can have poor budgets and unenthusiastic management, and perhaps that will lead to compliance failures — but that’s still light years away from wholesale failures on your part that might get you hauled in front of FINRA (for broker-dealers) or the SEC.
Grewal then cited the example of a compliance officer at a registered investment adviser charged last year with wholesale failures. For at least 10 years, this CCO had copied a set of policies and procedures from a trade association and passed it off to employees, without ever tailoring that material to his actual firm. Nor did the firm conduct any compliance training or reviews of its program. Is anyone really going to argue that this CCO didn’t deserve some accountability for such dereliction of duty?
“In simple terms, there was no education, no engagement and no execution. Rather, there were wholesale failures to carry out compliance responsibilities and to conduct even basic inquiry and analysis,” Grewal said. “But cases like these are rare… We have no interest in pursuing enforcement actions against compliance personnel who undertake their responsibilities in good faith and based on reasonable inquiry and analysis.”
So CCO liability is still not a thing, unless you’re so bad at your job that you deserve it.