On October 24, 2023, the Director of the Securities and Exchange Commission's Enforcement Division, Gurbir S. Grewal, gave a keynote address to the New York City Bar Association's 2023 Compliance Institute.

This address, which was targeted primarily at compliance officers in the private funds space, represents a maturation in how the Enforcement Division views the role of the Chief Compliance Officer. This new framework may represent a "New Deal for CCOs," which signals some fairly rigorous expectations and requirements on CCOs and other legal and compliance officers.

SEC Enforcement's View of the Compliance Function

The Commission and its staff have struggled for decades with how to characterize a firm's internal compliance function. The SEC's approach has ranged from characterizing the CCO as the SEC's internal ally to a more administrative view where a CCO is seen as a technical implementer and manager of a firmwide compliance process.

Director Grewal has a much broader view: he sees the compliance function as being responsible for restoring and ensuring "public confidence in the financial markets[.]" In other words, SEC Enforcement expects CCOs to fulfill their function with at least one eye on a social policy goal. While a broader focus on responsibilities of private actors to the public is not unprecedented – consider, for example, the "public" aspect of a "Certified Public Accountant" qualification – it is a stark shift from the traditional "inward-looking" conception of the CCO role. While this may not be an actionable instruction from the Director, it is a consideration for all CCOs to keep in mind in statements and actions.

Moving from a 'Culture of Compliance' to 'Proactive Compliance'

In terms of CCO performance expectations, Director Grewal's remarks challenged the idea that SEC Enforcement will be satisfied with subjective, internal assertions about a firm's adherence to a "culture of compliance." To replace this, the Director has set forth a new catchphrase: "proactive compliance." And to assess the proactiveness of a given compliance program, he set forth a three-factor rubric against which a CCO and a compliance program can be assessed: (1) education, (2) engagement and (3) execution.

The Three-Factor Rubric

These three factors touch on all aspects of a compliance program, but in a straightforward and concise manner. There are very few, if any, new requirements or concepts in these factors. However, by reducing the evaluation process to three elements, it is easier to grade on a "pass/fail" basis:

1. Education: Effective education of a firm's employee base has always been a staff expectation. The Director made clear that he expects educational efforts to directly assess the impact of SEC priorities and actions on a firm's business—especially by focusing on "emerging and heightened risk areas."

2. Engagement: "Proactive compliance" requires compliance functions to engage with various firm business lines. A failure to understand a certain business line is "not an excuse to punt" on compliance. Clearly, the Director is focusing on situations where Compliance has observed a deficiency, but has not—in the staff's opinion—done enough to push the firm to address the perceived weakness. On a go-forward basis, CCOs should expect to be asked to show how they engaged with other firm functions to mitigate and eliminate risks and conflicts.

3. Execution: Relatedly, CCOs must pay attention to the execution and implementation of existing policies and procedures. This reflects current expectations on effective processes and procedures, and also may be a warning of a greater focus on compliance processes and results.

Enforcement Lessons

The Director stressed how recent enforcement actions already align with this new framework and rubric, highlighted by the SEC's ongoing off-channel communications sweep, which focuses on firms that allegedly failed to abide by their own policies and procedures regarding recordkeeping. Director Grewal observed that "in every case, the firms had policies and procedures in place, but employees nevertheless communicated through unapproved methods. That is because there was widespread failure in implementing those policies."

Director Grewal also focused on the SEC's enforcement action against a New York-based registered investment adviser, which was charged with violating the Dodd-Frank whistleblower protections in Rule 21F-17. The investment adviser paid $10 million in penalties, which is "the highest penalty on record for a standalone violation of the rule," for chilling potential whistleblowers with various provisions in employee agreements. The Director stated that this fine shows that "proactive compliance is cheaper and better for business than facing a potential enforcement action."

Finally, Director Grewal emphasized the importance of self-reporting when firms identify execution failures and cited (and predicted) substantial reductions in penalties for self-reporters.

'Rare' Enforcement Actions Against Compliance Personnel

The good news is that Director Grewal went out of his way to address the continuing concern around CCO liability, which is an area on which the NYC Bar Association has published a detailed framework. The Director's remarks are some of the highest-level statements on CCO liability to date. Director Grewal defended the use of "rare" actions against CCOs and strongly asserted that CCO liability cases evidenced a restrained approach with reasonable determinations on what actions to charge.

Notably, Director Grewal's remarks aligned with the Commission's prior three-scenario framework for when liability attaches to actions taken by CCOs, including where: (1) "compliance personnel affirmatively participated in misconduct unrelated to the compliance function; (2) where they misled regulators; and (3) where there was a wholesale failure by them to carry out their compliance responsibilities." (Director Grewal did not provide any further insight into the meaning of the amorphous term "wholesale failure.")

However, the Director did provide an overview of recent enforcement actions against CCOs, in which the conduct was particularly egregious. For instance, in a recent enforcement action, a firm's CCO adopted policies and procedures that copied trade association standards and were not tailored to the firm's business line. Further, the firm did not conduct any compliance training or annual reviews of its program. The Director remarked that, "[i]n simple terms, in these cases, there was no education, no engagement and no execution. Rather, there were wholesale failures to carry out compliance responsibilities and to conduct even basic inquiry and analysis."

For future actions, the explicit message was that CCOs who engage in "good faith" efforts to keep their firms on track, and are not personally participating in wrongdoing, should not expect to become the targets of investigations. Presumably "good faith" efforts and judgment will be assessed against the "proactive compliance" expectation and the requirements of the three-factor scorecard, although the extent of Commission restraint in assessing actions against CCOs will be assessed in hindsight at a future date. Director Grewal pointed out that Enforcement's track record in this area is consistent with this view.

Takeaways

Director Grewal's "proactive compliance" mantra is one that all CCOs should consider and, where appropriate, weave into annual reviews, employee training and day-to-day operations. The use of this new three-factor evaluation rubric will also need to be considered in structuring annual reviews, as well as in ad hoc policy considerations.
