SEC’s Gurbir Grewal calls for culture of proactive compliance

SEC enforcement chief sets out three pillars underpinning effective culture, offers assurance on CCO liability.

Compliance professionals, consultants, attorneys, accountants, and others serve as the first lines of defense against misconduct, said SEC enforcement division chief Gurbir Grewal in prepared remarks Tuesday at the New York City Bar Association’s Compliance Institute. And so they need to create “a culture of proactive compliance”, working to implement effective policies and procedures to ensure that their firms comply with their legal obligations on the front end.

Doing so will require compliance professionals to learn the relevant regulations for their businesses, engage with personnel across business units and self-report possible misconduct to the SEC, he said.

The three Es

Grewal explained that creating a culture of proactive compliance revolves around three things: education, engagement, and execution.


He said compliance professionals should understand the law and external developments relevant to their business, particularly emerging and heightened risk areas. When a new action, examination priority, or SEC rule is relevant to one’s company, that compliance team should digest it and examine which segments of the company have exposure to the same or similar issues.

As an example, Grewal mentioned that, this past fiscal year, the Commission brought a number of actions charging firms for using employment agreements that expressly violated the plain language of the rule in various ways. Those cases involved violations of the Dodd-Frank Act whistleblower protection rule (Rule 21F-17), which prohibits entities from taking actions that impede employees from reporting possible securities law violations to the SEC, such as inserting into severance agreements language requiring employees to confirm that they had not filed a complaint against the company with any federal agency, among other illegal, restrictive language.

Grewal said proactive compliance also requires compliance professionals to truly engage with personnel inside their company’s different business units and to learn about their activities, strategies, risks, financial incentives, counterparties, and sources of revenues and profits.

“You may come across aspects of your firm’s business that you do not completely understand. That’s not an excuse to punt. Take whatever steps are necessary to learn and understand the issues,” he said.


“Time and again, we see firms that have good policies, but fall short on implementation,” Grewal said. He immediately turned the discussion to the agency’s ongoing off-channel communications sweep, and how concerned the SEC is in ensuring regulated entities, including broker-dealers and investment advisers, comply with its recordkeeping requirements.

Since December 2021, this sweep has resulted in charges against 40 firms and over $1.5 billion in civil penalties for failures to maintain and preserve electronic communications.

“[I]n every case, the firms had policies and procedures in place, but employees nevertheless communicated through unapproved methods. That is because there was widespread failure in implementing those policies. In fact, as detailed in all the orders, the individuals charged with supervising employees to prevent this misconduct were themselves violating the procedures,” Grewal noted. (Italics were included in the prepared speech.)

“What these actions make clear is that adopting the policies is just the first step, not the last. Through leadership, training, constant oversight and the right tone at the top, you need to ensure that the policies are actually implemented and followed,” he said.

Compliance officer personal liability

Grewal said he wanted to address the proverbial elephant that shows up in any room where a regulator like himself is speaking to those working in compliance – When does the Enforcement Division recommend charges against a compliance officer?

(The New York City Bar Association itself – and other groups such as the National Society for Compliance Professionals – have been advocating for greater clarity and even a stated framework the agency could use in compliance-officer liability decision making and to offer compliance professionals more assurance in this area.)

“The short answer is that we do not second-guess good faith judgments of compliance personnel made after reasonable inquiry and analysis. That is why such actions are rare”, Grewal said.

There are really three situations where the Commission typically brings enforcement actions against compliance personnel, he added. They are:

  • where compliance personnel affirmatively participated in misconduct unrelated to the compliance function;
  • where they misled regulators; and
  • where there was a wholesale failure by them to carry out their compliance responsibilities.

The first category is easy, Grewal said. Being a member of the compliance function is not a “get-out-of-jail” card, so when compliance officers violate the securities laws in ways that have nothing to do with exercising their compliance responsibilities, they are held accountable like any other individual would be.

An example can be found in a June enforcement action, in which the SEC charged the chief compliance officer of an international payment processing company with insider trading. The SEC alleged that the CCO traded based on material nonpublic information that he surreptitiously obtained from his girlfriend’s laptop about upcoming mergers and acquisitions in which her employer was involved. He allegedly traded on that information and tipped it to his friends, who also traded.

Quality control

In the category of personal liability involving the wholesale failures to fulfill one’s obligations, the SEC brought an enforcement action in September in which it charged a partner at Marcum LLP, a public accounting firm, with failing to sufficiently address and remediate in a timely fashion numerous deficiencies in Marcum’s quality control system. While not a CCO, the partner oversaw the firm’s quality control policies and procedures, and supervised all personnel working within Marcum’s quality control function.

According to the SEC’s order, the partner knew for several years that the PCAOB had identified various deficiencies in that function and that Marcum’s own inspections had also revealed several deficiencies. Yet, he failed to address them, leading to various compliance failures in the firm. The partner agreed to pay a $75,000 civil penalty to resolve the case and was ordered to have no leadership role at an accounting firm for three years.

Grewal emphasized that his agency has no interest in pursuing enforcement actions against compliance personnel who undertake their responsibilities in good faith and based on reasonable inquiry and analysis.

“We fully recognize that this is challenging work, but there is a way to meet those challenges and it requires, as I have detailed: education, engagement and execution.”