United States: The SEC, The DOJ, And Compliance Officer Liability

When one considers the subject of corporate compliance today, there is a wealth of information regarding how to create and structure compliance programs. But in researching1 the topic, I noticed far fewer articles regarding what has to be equally important to the professional compliance personnel who create and run such programs, viz. their potential legal liability in the pursuit of their work. Since an "effective compliance program" should also be one that minimizes the exposure of its employees to such risks, I decided to look into that somewhat underreported issue. On the issue of personal liability of compliance officers, what I found was at best murky, with a growing number of enforcement actions juxtaposed with qualified reassurance from regulators that they were "on the side" of the compliance profession.

Clearly, all compliance professionals want to see that their employer operates honestly and ethically. They are trained to do this, and take pride in doing their work well. But, like all professionals, in the course of doing their job they must avoid personal liability, and take care not to have their career tarnished or destroyed by association with wrongdoing by their client or employer for which they are not responsible, except for possibly discovering it. Unfortunately for compliance personnel, the line between discovering or preventing the problem and becoming, at least in the view of regulators, part of it has become much more difficult to discern, for a number of reasons I shall examine. In particular, I noted this paradox: the harder the competent compliance officer tries to get upper management to improve compliance programs, the greater the chance that a record is made which can later enable regulators to find that the company did not pay sufficient attention to this function before (or while, in some cases) serious problems emerged. The blowback in such situations can engulf the compliance officer as well. The dramatist Clare Boothe Luce's famous idiom "No good deed goes unpunished" comes to mind.

Who Will Watch the Watchman?

This satirical phrase from the Roman poet Juvenal has traditionally been applied to such law enforcement personnel as police and prosecutors. But more recently others who have professional responsibilities to prevent or discover corporate wrongdoing, such as auditors and compliance personnel, have become the subjects of regulatory scrutiny when their employers are involved in wrongdoing. In recent years, the list of corporations and entities that have become embroiled in scandals and frauds seems endless. There is virtually no major business firm, and many smaller ones as well, that has not had some form of brush with the law, be it the DOJ, the SEC, the CFTC, a state attorney general, the FDIC, the OCC, or some other of the myriad of government enforcement agencies that regulate such entities.

In most cases, these organizations have some form of compliance function. In the early going, it was common to find that there was no compliance person, or perhaps ones who had other responsibilities. In recent times, compliance has become a major component of management, and compliance officers an integral part of the makeup of the company's operations. Yet the compliance officer, perhaps akin to the MP on a military base, is not always warmly welcomed in corporate ranks, perhaps because they are not generally viewed as making much of a contribution to the bottom line in revenue. Often, they enforce restrictions that tend more to constrain than support the business, at least in the eyes of executives and managers who are under near-constant pressure to produce more and better results, regardless of how many corners are cut or rules and regulations avoided or ignored.

At a recent conference, I asked a friend in compliance how she liked her job. She said, in so many words, "I love the work. I love finding the problems, sometimes the wrongdoing, and exposing it. But I hate the work too, when I realize too often that my superiors on the business or legal side, or even in my own department, ignore or minimize my efforts, or fail to act on issues I have uncovered. This is the stuff that keeps me awake at night."

This reaction is unfortunately reflected in the track record of corporate compliance disasters. Companies with allegedly effective compliance functions repeatedly fail to prevent wrongdoing until it is too late to avoid multi-billion dollar penalties and severe reputational and human damage. Volkswagen has a compliance program, as does Wells Fargo, as does Equifax, and now Adidas, to cite the latest scandals. And how many corporate scandals are in process or are waiting to happen, perhaps as yet undiscovered by the regulators and the media, but known or suspected (and probably documented) by someone in the company compliance department?

The general expansion of corporate liability for a host of illegal acts, be they violations of the securities laws, health and safety regulations, money laundering, foreign bribery, bank frauds, procurement fraud, accounting fraud, import/export restrictions, sexual harassment, employment laws, "failure to supervise" cases, or a host of other offenses, has put the compliance function in the vortex of potential wrongdoing on multiple fronts. Increasingly, when things go wrong, the tendency to shift blame can focus in part, not just on the managerial miscreants themselves, but also on the one function that is most associated with preventing or discovering wrongdoing or illegal behavior: compliance. Consider a few hypothetical situations that may confront the Chief Compliance Officer (CCO):

  1. The SEC is conducting an investigation of securities fraud in connection with one division of the company, and enlists the help of corporate legal and compliance in an internal investigation. The company pledges its "complete cooperation" and will be disclosing its findings to the SEC. A junior compliance officer discovers a fraud scheme in the course of that investigation that appears totally unrelated to the subject of the SEC investigation but could be very harmful to the company, and could lead to another SEC investigation. It should be pursued, but should it also be disclosed to the SEC?
  2. A new Chief Compliance Officer is told by his outgoing predecessor that the company's compliance training program is woefully inadequate in many respects, which he details in a lengthy email to his successor. He says the Board has been repeatedly told of many of these issues but appears unwilling to devote the resources to improving the program. The new CCO wants to improve the situation without creating a paper trail that could be evidence to a regulator of long-standing corporate indifference, and at the same time demonstrate that such inaction is unacceptable going forward. Where do you start? What do you do with the evidence of prior inaction? Do you go back to the Board, to legal? How much attention do you want to call to this problem while trying to fix it? See the discussion regarding the Banamex case at the end of this paper.
  3. You learn that the CEO of one of the company's biggest customers (and a personal friend of your CEO) continues to engage in clearly improper sexual harassment. A number of women, including some in your company, have complained and the activity has been documented to the compliance department. Some of the incidents occurred during company functions and may be well known to some of your board members. Should you bring this information to the attention of your CEO, to the Board, to law enforcement? What should you do if your CEO dismisses this as "not our problem and this guy represents 40% of our revenue"?
  4. Compliance learns from an internal whistleblower in the IT department that certain files in the company's computers were hacked several months ago and thousands of files containing personal information of customers may have been stolen. The company makes a prompt public announcement, and there is a public outcry. The SEC sends the legal department a letter requesting documents. You have no idea if the whistleblower has talked to the SEC, and legal tells you not to ask. The whistleblower (who some say is a little "crazy") tells you that, months before the flaw in the computers was discovered, he brought to the attention of the CEO the possibility that the flaw could allow such a hack to occur. He thinks the CEO did not understand the issue. He produces a memo to himself about their conversation drafted shortly after it occurred, which he says he had not shown anyone else. In the public announcement of the hack by the company no mention is made of the earlier warning to the CEO. The CEO has been asked to testify before a congressional committee regarding this hack. You both know what happened at Equifax. What action, if any, should you as CCO take now?
  5. A reliable internal whistleblower reports that a mid-level manager in a foreign-based division of the company has been paying bribes to local government port officials to get the company's products delivered more quickly. The bribes individually are small, but the practice has been going on for years and the total may be in the thousands. Compliance conducts a prompt investigation, confirms the allegations, and the manager is fired. The activity is in clear violation of company regulations, and probably a violation as well of the Foreign Corrupt Practices Act (FCPA). The investigation reveals there was no effective supervision of this manager. The investigation suggests this practice may not be confined to this manager, or this one country, but there has been no request by the CEO or the Board to expand the investigation. During the investigation, another reliable employee says he told the locally based compliance officer of the practice years ago, but no action was taken. Outside legal counsel has recommended to the Board that the SEC not be informed of this matter. What, if anything, should the CCO do now?
  6. The CCO asks the Engagement Partner for the company's outside audit firm to share privately the results of the auditors' annual SAS 99 review. This is the required review by the audit team to enable them to share among themselves their experiences with the client during the audit itself and to "brainstorm" how a fraud at that company might be accomplished and concealed. The session generally occurs annually and involves the entire audit team, including junior auditors—sometimes the most candid in the group. The objective is to identify risks at the company that could lead to a material misstatement, including an evaluation of the entity's programs and controls. A written record of the meeting must be made. I have seen a few of these over the years and they can be very interesting, e.g. "the CFO seems like the type to try to engage in revenue recognition games if the numbers aren't looking too good." In this case, the CCO learns about serious flaws in controls and potential fraud situations that are of concern to the auditors. He is told the audit committee was informed of these findings, but the senior engagement partner did not feel the committee was overly receptive to his observations. Should the CCO raise this with the audit committee or the full Board? Should the CCO ask more questions of senior managers, based on the auditor's observations? Should he ask the auditors to look into any of these concerns with further audit procedures? Does he have the authority to independently take any of these steps?

These hypotheticals (some of which are loosely based on, as they say in the movies, "actual events") are just a small slice of the many difficult fact patterns that present themselves to compliance officers. Some readers might reply immediately, "report everything to the board" or "call the SEC and tell them everything, before they hear it from someone outside the company," or "the CCO should hire outside independent counsel for himself." Those responses may not be wrong, but they have serious consequences, not only for the company but for the compliance department as well, and perhaps for the Chief Compliance Officer personally. Note also that the legal department is involved in some of these decisions, which is frequently the case, and that department may be viewing the situation from a very different perspective than compliance. Likewise, as is often the case, various individuals of importance and stature both within and outside the company may have some exposure if all the facts come out. Whatever the Chief Compliance Officer does will surely be second-guessed, and the regulators who ultimately look at these incidents in hindsight may be inclined to apportion blame and punishment in ways that are unexpected and potentially career-ending for those involved, including potentially the CCO as well.

What guidance, if any, can a CCO gather from the previous legal cases and pronouncements of the regulators, particularly the SEC and the DOJ, to help inform the decisions he or she may have to make, and quickly, in response to these and similar cases? What personal liability may the CCO incur as events unfold? To what extent should the CCO rely solely on his own legal department for advice on that issue?

The Expansion of Compliance Officer Liability by the SEC

The SEC's posture regarding chief compliance officer liability can most readily be found from two sources: pronouncements and speeches by SEC Commissioners and Enforcement Division Directors, and the decisions of the SEC itself and of its Administrative Law Judges (ALJs), all of which usually turn on the specific facts of each case. Of particular interest are speeches in 2014 and 2015 by then SEC Enforcement Director Andrew Ceresney in which he set out factors the SEC will consider in reviewing the propriety of the actions of CCOs.

In a May 20, 2014 speech at a compliance conference, Mr. Ceresney urged compliance personnel "to engage and become involved when [you] see an issue that raises concern. You should not hesitate to provide advice and help remediate when problems arise. And I do not want you to be concerned that by engaging, you will somehow be exposed to liability..." (emphasis added). But he said this with a significant caveat: "we have brought, and will continue to bring, actions against...compliance officers when appropriate. This typically will occur when the [SEC] believes...compliance personnel have affirmatively participated in the misconduct, when they have helped mislead regulators, or when they have clear responsibility to implement compliance programs or policies and wholly failed to carry out that responsibility." Then he ended on a positive note: "At the end of the day, though, legal and compliance officers who perform their responsibilities diligently, in good faith, and in compliance with the law are our partners and need not fear enforcement action."

Mr. Ceresney made similar comments, and set forth again his three-part test for CCO liability, in a Nov. 4, 2015 speech to the National Society of Compliance Professionals. He mentioned a recent case in which the SEC did not charge the CCO while charging the firm's CEO with significant compliance failures, where the CCO was "tasked with numerous non-compliance responsibilities that severely limited his ability to focus on his compliance function" and where the CCO had repeatedly asked for more help and warned that the firm would not be ready for an SEC examination.2

Mr. Ceresney did, however, mention cases in which CCOs were charged with efforts to obstruct or mislead the SEC staff, such as by altering documents in the course of an SEC exam3 or before providing the document to the SEC in an insider trading investigation.4 He also noted that the few cases brought under his third category ("cases...where the CCO has exhibited a wholesale failure to carry out his or her responsibilities") were cases brought under the Investment Advisers Act and other compliance-related rules that did not focus directly on the CCO's compliance function.

Mr. Ceresney did mention two other cases in which the SEC did hold CCOs responsible for the firm's compliance failures, noting that "[b]eing a CCO does not provide immunity from liability. When CCOs completely fail in their responsibilities, and particularly when investor harm results, it is appropriate for us to address that misconduct." In one of the cases, the BlackRock firm did not have any written policies and procedures regarding the outside business activities of its employees, even though the CCO knew of and approved numerous outside activities engaged in by BlackRock employees, one of which involved a senior portfolio manager that posed a conflict with the investments his funds held. Mr. Ceresney stressed that the charge against the CCO was solely based on "a wholesale compliance failure...to adopt written policies regarding outside business activities such as those engaged in by the senior portfolio manager. The absence of an outside business policy, in the face of red flags, was a clear compliance failure given the CCO's awareness of, and focus on, the issue."5

In the second case, an employee of an investment adviser misappropriated client assets for more than five years by withdrawing money directly from those accounts. The CCO was not involved with that activity and was not charged for it. However, he was charged with causing the firm's violation of the Investment Advisers Act, Rule 206(4)-7.6 The firm's policies and procedures specifically assigned the CCO with responsibility to implement the firm's policy requiring review of "cash flows in client's accounts." But for more than five years "the CCO failed to ensure that any review occurred, even though certain SFX employees had full signatory power over client bank accounts."7

A former SEC Commissioner, Daniel M. Gallagher, voted against these two settlements and noted that "I have long called on the Commission to tread carefully when bringing enforcement actions against compliance personnel." He argued that these settlements "illustrate strict liability for CCOs under Rule 206(4)-7." He cautioned that, "as regulators, we should strive to avoid the perverse incentives that will naturally flow from targeting compliance personnel who are willing to run into the fires that so often occur at regulated entities."8 But another Commissioner, Luis A. Aguilar, promptly issued a rebuttal Statement to that of Commissioner Gallagher, in which he expressed concern that it (and other commentary) had "created an environment of unwarranted fear in the CCO community."9 He counted the cases brought since 2009 against CCOs and noted that relatively few were brought relating solely to their compliance-related activities, averaging about 11% of the cases, and most involved CCOs who "wore more than one hat" and many of their activities were outside the traditional work of CCOs, such as those who were founders, sole owners, officers, owners, and portfolio managers. He noted that only 8 cases were brought over the past 11 years (before 2015) involving a CCO with no job functions other than that of a CCO.

Commissioner Aguilar also cited a 2015 compliance survey by PWC that "shows that CCOs have to deal with a wide variety of compliance risk areas that are only growing in complexity, such as data security, privacy and confidentiality, industry-specific regulations, bribery and corruption, conflicts of interest, fraud, money laundering, business continuity, and insider trading." Id. at 4. He added that in recognition of "these challenges, and the many difficult judgment calls CCOs need to make in exercising their duties and responsibilities, the Commission and its staff think long and hard when considering enforcement actions against CCOs, and oftentimes exercise prosecutorial discretion not to bring such actions." Id. He also cited the Pekin Singer Strauss case in which the CCO who had sought additional resources was not charged (see Note 2 supra).

I also noted with some interest (because I represent SEC whistleblowers), that Commissioner Aguilar added this line to his address in support of CCOs: "Moreover, the Commission has used its Whistleblower program to protect and reward CCOs who did the right thing." Id.10

It is interesting that in the 2016 PWC State of Compliance Study, the firm cautioned that "our state of compliance survey results show what appear to be low levels of CCO involvement in strategic decision making. The survey shows that only 48% of respondents describe their compliance functions as either fully integrated or playing a key role in strategic plans and activities...the survey results suggest that CCOs and institutions may be missing out on important input into strategic making. Without the CCO in the room, decision makers generally rely on the business areas...[b]ut the views of those in the company's business areas may be more influenced by other factors—ones that don't consider compliance risks."

Coming from PWC, a firm which audits many major corporations and sees plenty of "risk" situations, these observations are significant. PwC may be saying, in polite terms, that the compliance function is still out of the loop in many corporations when it comes to fully addressing risks. With no compliance input (except when something goes awry), companies are driven by the profit-making folks, who (as we learn every week, it seems) are willing to take serious risks to make the bottom line. The risk in turn for compliance people is that, in trying to uncover and deal with the mess, or worse if they have been warning about it for years (and perhaps sending emails to boot), they are digging a big hole for themselves when the regulators finally swoop in, start reading those emails, and hold them up to Mr. Ceresney's three-part test for CCO liability.

The takeaway from the SEC guidance, found in the Ceresney-Gallagher-Aguilar dialogue, may simply be that, while CCOs are given some leeway to make mistakes in the course of their difficult work, they can be, post-facto, punished for letting bad conditions fester, or for grossly (or perhaps even negligently) allowing situations which clearly violate written or stated rules to continue without immediate remediation. While none of these individuals are still at the SEC, their opinions surely carry weight with their successors. And apart from SEC issues, in the swirl of finger-pointing that inevitably follows a corporate scandal, defensive C Suite types, and particularly board members perhaps caught asleep at the switch, may be tempted to blame the CCO if it deflects attention away from their own management or oversight failures.

One Commissioner still on the job is Kara Stein. In a 2014 speech before a group of compliance officers, she offered some thoughts on their challenging work:

"Another critical partner is the CCO. Many of you in the audience are CCOs, and I appreciate the important work that you do each day. The CCO is a relatively new position, and the role has evolved significantly over time. It is clear to me that the vast majority of CCOs are working hard and getting good results. But many of you are nonetheless concerned about possible enforcement actions against CCOs. There is a concern that charging CCOs will have the unintended consequence of weakening the compliance function. I have heard it said that these cases may lead to a drop in the quality of CCOs, because the best candidates will not be willing to serve. And those CCOs that remain willing to assume the role will be less effective because, for example, they may avoid certain functions such as participating in firm committees. That is not the intention.

If you read the facts in the cases we bring, you will see that they are not cases against CCOs that were promoting compliance. Instead, they are cases against CCOs that were assisting fraud, ignoring red flags, not asking the tough questions, and not demanding answers...

For some gatekeepers, such as accountants, the role is well-defined. For others, such as CCOs, it is less so.

This creates uncertainty, which I believe is at the heart of the concerns that I've heard about CCO liability. We owe it to you to remove some of this uncertainty so that you can fully unleash your power to prevent harm." (emphasis added).11

The SEC has issued no formal individual guidance for CCOs. What we do know is that the SEC in particular takes internal control violations very seriously, and often brings what it calls "books and records" cases, which often turn on how well the company complied with its own stated and published policies. Whether the SEC thinks CCOs can be charged with compliance failures that amount to, in legal terms, simple negligence for their oversight of others, especially outside the arena of the Advisers Act, is unclear. The irony is that the better the job the CCO has done in getting such standards codified and disclosed, the more risk the CCO runs if such standards are not met, or efforts to enforce them are not properly documented. To the regulators, "red flags" always seem brighter in hindsight. Voicing complaints over time, but "not asking the tough questions, and not demanding answers" may indeed be the very shortcomings that can destroy the career of even the most well-intentioned and dedicated compliance officer.

The Department of Justice Guidance on Corporate Compliance Programs

Recently, the DOJ has taken a keen interest in corporate compliance. While it is not a federal crime to have an inadequate compliance program, the department has encountered this issue when deciding what if any credit to give companies accused of various criminal acts for their prior efforts, if any, to prevent or remediate such violations. In November 2015, the DOJ Fraud Section retained a full-time compliance expert, Hui Chen. Her prior job was in compliance at a large bank, a major pharma company, and with Microsoft. She is also a former federal prosecutor.12

She undoubtedly had a role in the DOJ's Fraud Section publishing in early 2017 its "Evaluation of Corporate Compliance Programs." This document has to date not received the attention it deserves, but it is clearly one of the best single sources of information for CCOs and their companies to understand how the U.S. government views the components of a good compliance program, and the questions it will ask of companies who have violated federal law but seek leniency on the basis of allegedly having tried hard to find or fix the problems.13 To see it, Google "Evaluation of Corporate Compliance Programs—Department of Justice."

While the DOJ Guidance is too detailed to fully describe here, several important observations can be made, especially as they might impact liability of CCOs in future prosecutions or SEC or other government enforcement actions. The Guidance asks, for example, "Were there prior opportunities to detect the conduct in question, such as audit reports identifying relevant control failures or allegations, complaints or investigations involving similar issues? What is the company's analysis of why such opportunities were missed?"

This question goes right at the compliance function. What did you know and when did you know it? If you did not know it, why not? The CCO should be ready to address these questions before they are posed in the white heat of an enforcement investigation. The Guidance also asks: "Was compliance involved in training and decisions relevant to the misconduct? Did the compliance or relevant control functions (i.e. legal, Finance, or Audit) ever raise a concern in the area where the misconduct occurred?" Woe to the CCO who has to admit that the answer is yes, and similar woe for different reasons to the CCO who has to answer no.

The Guidance also asks multiple questions about the compliance function, e.g. how does it compare with other strategic functions in the company in terms of "stature, compensation levels, rank/title, reporting line, resources, and access to key-decision makers"? It asks "what role has compliance played in the company's strategic and operational decisions." Based on the PWC results discussed earlier, my suspicion is many companies (and their CCOs) may have a hard time producing a satisfactory answer to that question.

The Guidance goes on to ask similar hard questions on such areas as Policies and Procedures, Risk Assessment, Training and Communication, Confidential Reporting and Communication, Incentives and Disciplinary Measures, Continuous Improvement, Periodic Testing and Review, Third Party Management, and Mergers and Acquisitions. Any CCO who reads through this gauntlet and comes out feeling confident is either very good or very naïve. Many, I suspect, will have trouble sleeping at night while dreaming of sitting in the witness chair in a paneled federal courtroom answering these questions under oath.

On the positive side, the CCO can use this document to convince board members, general counsels, and C suite skeptics that being able to answer these questions to the satisfaction of the regulators in the wake of a corporate crisis could go a long way to saving their hides and the shareholders' investments.

The Banamex USA case

A recent DOJ case which is a textbook study of bad compliance is the DOJ money-laundering case against Banamex USA, an indirect Citigroup subsidiary which in May 2017 entered into a non-prosecution agreement (NPA) with the DOJ. It agreed to forfeit $97 million and admitted to criminal violations for failing to maintain an effective money-laundering compliance program, while processing more than $8 billion in over 30 million remittance transactions to Mexico. While the company's monitoring system generated more than 18,000 alerts involving over $142 million in potentially suspicious transactions, Banamex conducted fewer than 10 investigations and filed only 9 SARs (Suspicious Activity Reports). In a related proceeding, the FDIC and California authorities fined the company $140 million, and four senior executives were fined and/or prohibited from working for any financial institutions in the future.

One of these individuals was the Chief Compliance Officer. His story is set forth in the Statement of Facts in the Banamex NPA. To see it, Google "Banamex USA NPA—Department of Justice" (see especially pp.7-12). It is worth reading for any CCO who wonders how things can go from bad to worse, even when you see it happening and make some effort to prevent it. It is also a testament to (1) how you can be undone by your superiors, who were too cheap to make your compliance program work, and (2) how bad it can get when you have an honest and persistent subordinate who routinely sends emails seeking assistance and setting out the problems. I suggest this case should be reviewed in every Compliance 101 course.

These cases never seem to end. Regarding one of the latest, the basketball recruiting scandal involving Louisville coach Rick Pitino, Adidas, and others, the CEO of the Society of Corporate Compliance and Ethics recently observed concerning the more recent scandals:

"I am sure that a number of leaders whose jobs ended tumultuously were left wondering 'Where the heck was my Chief Compliance Officer (CCO)?' The press, public, politicians, and prosecutors want leadership to be held accountable even if they didn't commit the wrongdoing.... Some Boards are going to be faced with a choice between millions of dollars vs. turning over one or more of their leaders."

Roy Snell, Compliance Today, January 17, 2017, p.3.

In sum, there is ample reason to think that cases involving CCO liability will increase as compliance programs become more important in corporate governance and those involved in the process come under greater scrutiny by regulators. Nevertheless, there are many "best practices" to reduce Chief Compliance Officer liability. Concrete suggestions abound, and I refer the reader to several here.14

As for the hypos at the beginning, there are no certain answers. Discuss them with your colleagues. I could have written dozens more, as can you. They were written to set out only a few of the multitude of complex fact situations compliance officers may encounter. To be sure, good faith mistakes can and will be made in the course of the difficult and complex work undertaken by compliance officers, and their actions will be second-guessed. Some may cross the line, to the extent there is a "line." A few may face regulatory sanctions. I continue to trust, however, that an honest and conscientious Chief Compliance Officer who builds an effective compliance program, vigorously oversees its implementation and demands full support by the company, and is not afraid to "tell truth to power," will be able to avoid personal liability and serve an increasingly critical function in corporate management and governance.

Footnotes

1 A version of this article was presented at the ABA Section of Labor and Employment Law 11th Annual Labor and Employment Law Conference, Washington, D.C., November 9, 2017.

2 Pekin Singer Strauss Asset Management Inc., Advisers Act Release No. 4126 (Jun. 23, 2015).

3 In the Matter of Parallax Investments, LLC, John P. Bott, II, and F. Robert Falkenberg, Advisers Act Release No. 4159 (Aug. 2, 2015).

4 Press Release, SEC Announces Enforcement Action Against Former Wells Fargo Advisors Compliance Officer for Altering Document (Oct. 15, 2014).

5 In the Matter of BlackRock Advisors LLC, AP File No. 16501 (Apr. 20, 2015).

6 This Rule requires, inter alia, investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violations by them and persons they supervise of the Advisers Act and rules adopted under the Act.

7 In the Matter of SFX Financial Advisory Management Enterprises Inc., AP File No. 3-16591 (June 15, 2015).

8 Commissioner Daniel M. Gallagher, Statement on Recent SEC Settlements Charging Chief Compliance Officers With Violations of Investment Advisers Act Rule 206(4)-7, June 18, 2015.

9 Commissioner Luis A. Aguilar, The Role of Chief Compliance Officer Must be Supported, June 29, 2015.

10 He cited two cases in which the SEC had rewarded CCO whistleblowers, including an April 2015 proceeding in which a one-million-dollar award was made. The SEC whistleblower rules make it possible for CCOs to become whistleblowers if certain conditions are met. See Daniel J. Hurson, When Should Auditors and Compliance Officers Become SEC Whistleblowers, Mondaq Publishing, December 10, 2014.

11 Kara M. Stein, "Keynote Address at Compliance Week 2014," May 19, 2014. A law firm commentary on the Stein speech noted:

"Ms. Stein further discusses the possibility that holding individuals to account for such [gatekeeper] failures might be more useful than imposing large penalties against the organizations with which such individuals are associated. Assuming gatekeepers should be held responsible for their failure to act, it is not a far reach to assume that compliance and legal personnel that fail to provide 'critical compliance information' to the gatekeepers should similarly be held responsible for such failure." Winston & Strawn, Chief Compliance Officers Subject to Expanding SEC Enforcement Trend—What "Personal Liability" Means Now, April 28, 2015. Ms. Stein's views on this issue could be very important going forward, as the other two current SEC commissioners, Chair Jay Clayton and Commissioner Michael Piwowar, have expressed similar views about focusing in appropriate cases on individual actors as opposed to their corporations.

12 Ms. Chen resigned in June 2017, in what lawyers who withdraw from representing a client sometimes refer to as a "noisy withdrawal." See David Sirota, Justice Department's Corporate Crime Watchdog Resigns, Saying Trump Makes It Impossible To Do [her] Job, International Business Times, July 2, 2017.

13 One law firm analysis stated that the Guidance "is the most recent public statement by the Fraud Section demonstrating the increased sophistication of the DOJ's compliance expertise...[and] represents the most universally applicable and clearly articulated statement of the Fraud Section's primary focus areas when determining the efficacy of corporate compliance programs." DOJ Issues New Program Evaluation Guidance, Baker and McKenzie, February 28, 2017.

14 Luis Mejia et al., Preparing For SEC's Pursuit Of Compliance Officers, Law 360, March 9, 2016. For an intriguing "outside the box" method of conducting a corporate compliance program, see Todd Haugh, The Trouble With Corporate Compliance Programs, MIT Sloan Management Review, Fall 2017, pp. 55-62.

Daniel J. Hurson was formerly an Assistant United States Attorney for Maryland and Assistant Chief Litigation Counsel for the Securities and Exchange Commission (SEC). He is a former Chairman of the Steering Committee of the District of Columbia Bar's Corporation, Finance and Securities Law Section. His primary practice now is the representation of SEC and Commodity Futures Trading Commission (CFTC) whistleblowers. His website is http://www.hursonlaw.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
