When one considers the subject of corporate compliance today, there is a wealth of information regarding how to create and structure compliance programs. But in researching[1] the topic, I noticed far fewer articles regarding what has to be equally important to the professional compliance personnel who create and run such programs, viz. their potential legal liability in the pursuit of their work. Since an "effective compliance program" should also be one that minimizes the exposure of its employees to such risks, I decided to look into that somewhat underreported issue. On the issue of personal liability of compliance officers, what I found was at best murky, with a growing number of enforcement actions juxtaposed with qualified reassurance from regulators that they were "on the side" of the compliance profession.

Clearly, all compliance professionals want to see that their employer operates honestly and ethically. They are trained to do this, and take pride in doing their work well. But, like all professionals, in the course of doing their job they must avoid personal liability, and take care not to have their career tarnished or destroyed by association with wrongdoing by their client or employer for which they are not responsible, except for possibly discovering it. Unfortunately for compliance personnel, the line between discovering or preventing the problem and becoming, at least in the view of regulators, part of it has become much more difficult to discern, for a number of reasons I shall examine. In particular, I noted this paradox: the harder the competent compliance officer tries to get upper management to improve compliance programs, the greater the chance that a record is made which can later enable regulators to find that the company did not pay sufficient attention to this function before (or while, in some cases) serious problems emerged. The blowback in such situations can engulf the compliance officer as well. The dramatist Clare Boothe Luce's famous idiom "No good deed goes unpunished" comes to mind.

Who Will Watch the Watchman?

This satirical phrase from the Roman poet Juvenal has traditionally been applied to such law enforcement personnel as police and prosecutors. But more recently others who have professional responsibilities to prevent or discover corporate wrongdoing, such as auditors and compliance personnel, have become the subjects of regulatory scrutiny when their employers are involved in wrongdoing. In recent years, the list of corporations and entities that have become embroiled in scandals and frauds seems endless. There is virtually no major business firm, and many smaller ones as well, that has not had some form of brush with the law, be it the DOJ, the SEC, the CFTC, a state attorney general, the FDIC, the OCC, or some other of the myriad of government enforcement agencies that regulate such entities.

In most cases, these organizations have some form of compliance function. In the early going, it was common to find that there was no compliance person, or perhaps ones who had other responsibilities. In recent times, compliance has become a major component of management, and compliance officers an integral part of the makeup of the company's operations. Yet the compliance officer, perhaps akin to the MP on a military base, is not always warmly welcomed in corporate ranks, perhaps because they are not generally viewed as making much of a contribution to the bottom line in revenue. Often, they enforce restrictions that tend more to constrain than support the business, at least in the eyes of executives and managers who are under near-constant pressure to produce more and better results, regardless of how many corners are cut or rules and regulations avoided or ignored.

At a recent conference, I asked a friend in compliance how she liked her job. She said, in so many words, "I love the work. I love finding the problems, sometimes the wrongdoing, and exposing it. But I hate the work too, when I realize too often that my superiors on the business or legal side, or even in my own department, ignore or minimize my efforts, or fail to act on issues I have uncovered. This is the stuff that keeps me awake at night."

This reaction is unfortunately reflected in the track record of corporate compliance disasters. Companies with allegedly effective compliance functions repeatedly fail to prevent wrongdoing until it is too late to avoid multi-billion dollar penalties and severe reputational and human damage. Volkswagen has a compliance program, as does Wells Fargo, as does Equifax, and now Adidas, to cite the latest scandals. And how many corporate scandals are in process or are waiting to happen, perhaps as yet undiscovered by the regulators and the media, but known or suspected (and probably documented) by someone in the company compliance department?

The general expansion of corporate liability for a host of illegal acts, be they violations of the securities laws, health and safety regulations, money laundering, foreign bribery, bank frauds, procurement fraud, accounting fraud, import/export restrictions, sexual harassment, employment laws, "failure to supervise" cases, or a host of other offenses, has put the compliance function in the vortex of potential wrongdoing on multiple fronts. Increasingly, when things go wrong, the tendency to shift blame can focus in part not just on the managerial miscreants themselves, but also on the one function that is most associated with preventing or discovering wrongdoing or illegal behavior: compliance. Consider a few hypothetical situations that may confront the Chief Compliance Officer (CCO):

  1. The SEC is conducting an investigation of securities fraud in connection with one division of the company, and enlists the help of corporate legal and compliance in an internal investigation. The company pledges its "complete cooperation" and will be disclosing its findings to the SEC. A junior compliance officer discovers a fraud scheme in the course of that investigation that appears totally unrelated to the subject of the SEC investigation but could be very harmful to the company, and could lead to another SEC investigation. It should be pursued, but should it also be disclosed to the SEC?
  2. A new Chief Compliance Officer is told by his outgoing predecessor that the company's compliance training program is woefully inadequate in many respects, which he details in a lengthy email to his successor. He says the Board has been repeatedly told of many of these issues but appears unwilling to devote the resources to improving the program. The new CCO wants to improve the situation without creating a paper trail that could be evidence to a regulator of long-standing corporate indifference, and at the same time demonstrate that such inaction is unacceptable going forward. Where do you start? What do you do with the evidence of prior inaction? Do you go back to the Board, to legal? How much attention do you want to call to this problem while trying to fix it? See the discussion regarding the Banamex case at the end of this paper.
  3. You learn that the CEO of one of the company's biggest customers (and a personal friend of your CEO) continues to engage in clearly improper sexual harassment. A number of women, including some in your company, have complained and the activity has been documented to the compliance department. Some of the incidents occurred during company functions and may be well known to some of your board members. Should you bring this information to the attention of your CEO, to the Board, to law enforcement? What should you do if your CEO dismisses this as "not our problem and this guy represents 40% of our revenue"?
  4. Compliance learns from an internal whistleblower in the IT department that certain files in the company's computers were hacked several months ago and thousands of files containing personal information of customers may have been stolen. The company makes a prompt public announcement, and there is a public outcry. The SEC sends the legal department a letter requesting documents. You have no idea if the whistleblower has talked to the SEC, and legal tells you not to ask. The whistleblower (who some say is a little "crazy") tells you that, months before the flaw in the computers was discovered, he brought to the attention of the CEO the possibility that the flaw could allow such a hack to occur. He thinks the CEO did not understand the issue. He produces a memo to himself about their conversation drafted shortly after it occurred, which he says he had not shown anyone else. In the public announcement of the hack by the company no mention is made of the earlier warning to the CEO. The CEO has been asked to testify before a congressional committee regarding this hack. You both know what happened at Equifax. What action, if any, should you as CCO take now?
  5. A reliable internal whistleblower reports that a mid-level manager in a foreign-based division of the company has been paying bribes to local government port officials to get the company's products delivered more quickly. The bribes individually are small, but the practice has been going on for years and the total may be in the thousands. Compliance conducts a prompt investigation, confirms the allegations, and the manager is fired. The activity is in clear violation of company regulations, and probably a violation as well of the Foreign Corrupt Practices Act (FCPA). The investigation reveals there was no effective supervision of this manager. The investigation suggests this practice may not be confined to this manager, or this one country, but there has been no request by the CEO or the Board to expand the investigation. During the investigation, another reliable employee says he told the locally based compliance officer of the practice years ago, but no action was taken. Outside legal counsel has recommended to the Board that the SEC not be informed of this matter. What if anything should the CCO do now?
  6. The CCO asks the Engagement Partner for the company's outside audit firm to share privately the results of the auditors' annual SAS 99 review. This is the required review by the audit team to enable them to share among themselves their experiences with the client during the audit itself and to "brainstorm" how a fraud at that company might be accomplished and concealed. The session generally occurs annually and involves the entire audit team, including junior auditors—sometimes the most candid in the group. The objective is to identify risks at the company that could lead to a material misstatement, including an evaluation of the entity's programs and controls. A written record of the meeting must be made. I have seen a few of these over the years and they can be very interesting, e.g. "the CFO seems like the type to try to engage in revenue recognition games if the numbers aren't looking too good." In this case, the CCO learns about serious flaws in controls and potential fraud situations that are of concern to the auditors. He is told the audit committee was informed of these findings, but the senior engagement partner did not feel the committee was overly receptive to his observations. Should the CCO raise this with the audit committee or the full Board? Should the CCO ask more questions of senior managers, based on the auditor's observations? Should he ask the auditors to look into any of these concerns with further audit procedures? Does he have the authority to independently take any of these steps?

These hypotheticals (some of which are loosely based on, as they say in the movies, "actual events") are just a small slice of the many difficult fact patterns that present themselves to compliance officers. Some readers might reply immediately, "report everything to the board" or "call the SEC and tell them everything, before they hear it from someone outside the company," or "the CCO should hire outside independent counsel for himself." Those responses may not be wrong, but they have serious consequences, not only for the company but for the compliance department as well, and perhaps for the Chief Compliance Officer personally. Note also that the legal department is involved in some of these decisions, which is frequently the case, and that department may be viewing the situation from a very different perspective than compliance. Likewise, as is often the case, various individuals of importance and stature both within and outside the company may have some exposure if all the facts come out. Whatever the Chief Compliance Officer does will surely be second-guessed, and the regulators who ultimately look at these incidents in hindsight may be inclined to apportion blame and punishment in ways that are unexpected and potentially career-ending for those involved, including potentially the CCO as well.

What guidance, if any, can a CCO gather from the previous legal cases and pronouncements of the regulators, particularly the SEC and the DOJ, to help inform the decisions he or she may have to make, and quickly, in response to these and similar cases? What personal liability may the CCO incur as events unfold? To what extent should the CCO rely solely on his own legal department for advice on that issue?

The Expansion of Compliance Officer Liability by the SEC

The SEC's posture regarding chief compliance officer liability can most readily be found in two sources: pronouncements and speeches by SEC Commissioners and Enforcement Division Directors, and the decisions of the SEC itself and of its Administrative Law Judges (ALJs), all of which usually turn on the specific facts of each case. Of particular interest are speeches in 2014 and 2015 by then-SEC Enforcement Director Andrew Ceresney in which he set out factors the SEC will consider in reviewing the propriety of the actions of CCOs.

In a May 20, 2014 speech at a compliance conference, Mr. Ceresney urged compliance personnel "to engage and become involved when [you] see an issue that raises concern. You should not hesitate to provide advice and help remediate when problems arise. And I do not want you to be concerned that by engaging, you will somehow be exposed to liability..." (emphasis added). But he said this with a significant caveat: "we have brought, and will continue to bring, actions against...compliance officers when appropriate. This typically will occur when the [SEC] believes...compliance personnel have affirmatively participated in the misconduct, when they have helped mislead regulators, or when they have clear responsibility to implement compliance programs or policies and wholly failed to carry out that responsibility." Then he ended on a positive note: "At the end of the day, though, legal and compliance officers who perform their responsibilities diligently, in good faith, and in compliance with the law are our partners and need not fear enforcement action."

Mr. Ceresney made similar comments, and set forth again his three-part test for CCO liability, in a Nov. 4, 2015 speech to the National Society of Compliance Professionals. He mentioned a recent case in which the SEC did not charge the CCO while charging the firm's CEO with significant compliance failures, where the CCO was "tasked with numerous non-compliance responsibilities that severely limited his ability to focus on his compliance function" and where the CCO had repeatedly asked for more help and warned that the firm would not be ready for an SEC examination.[2]

Mr. Ceresney did, however, mention cases in which CCOs were charged with efforts to obstruct or mislead the SEC staff, such as by altering documents in the course of an SEC exam[3] or before providing the document to the SEC in an insider trading investigation.[4] He also noted that the few cases brought under his third category ("cases...where the CCO has exhibited a wholesale failure to carry out his or her responsibilities") were cases brought under the Investment Advisers Act and other compliance-related rules that did not focus directly on the CCO's compliance function.

Mr. Ceresney did mention two other cases in which the SEC did hold CCOs responsible for the firm's compliance failures, noting that "[b]eing a CCO does not provide immunity from liability. When CCOs completely fail in their responsibilities, and particularly when investor harm results, it is appropriate for us to address that misconduct." In one of the cases, the BlackRock firm did not have any written policies and procedures regarding the outside business activities of its employees, even though the CCO knew of and approved numerous outside activities engaged in by BlackRock employees, one of which involved a senior portfolio manager that posed a conflict with the investments his funds held. Mr. Ceresney stressed that the charge against the CCO was solely based on "a wholesale compliance failure...to adopt written policies regarding outside business activities such as those engaged in by the senior portfolio manager. The absence of an outside business policy, in the face of red flags, was a clear compliance failure given the CCO's awareness of, and focus on, the issue."[5]

In the second case, an employee of an investment adviser misappropriated client assets for more than five years by withdrawing money directly from those accounts. The CCO was not involved with that activity and was not charged for it. However, he was charged with causing the firm's violation of the Investment Advisers Act, Rule 206(4)-7.[6] The firm's policies and procedures specifically assigned the CCO responsibility to implement the firm's policy requiring review of "cash flows in client's accounts." But for more than five years "the CCO failed to ensure that any review occurred, even though certain SFX employees had full signatory power over client bank accounts."[7]

A former SEC Commissioner, Daniel M. Gallagher, voted against these two settlements and noted that "I have long called on the Commission to tread carefully when bringing enforcement actions against compliance personnel." He argued that these settlements "illustrate strict liability for CCOs under Rule 206(4)-7." He cautioned that, "as regulators, we should strive to avoid the perverse incentives that will naturally flow from targeting compliance personnel who are willing to run into the fires that so often occur at regulated entities."[8] But another Commissioner, Luis A. Aguilar, promptly issued a rebuttal Statement to that of Commissioner Gallagher, in which he expressed concern that it (and other commentary) had "created an environment of unwarranted fear in the CCO community."[9] He counted the cases brought since 2009 against CCOs and noted that relatively few were brought relating solely to their compliance-related activities, averaging about 11% of the cases, and most involved CCOs who "wore more than one hat" and many of their activities were outside the traditional work of CCOs, such as those who were founders, sole owners, officers, owners, and portfolio managers. He noted that only 8 cases were brought over the past 11 years (before 2015) involving a CCO with no job functions other than that of a CCO.

Commissioner Aguilar also cited a 2015 compliance survey by PwC that "shows that CCOs have to deal with a wide variety of compliance risk areas that are only growing in complexity, such as data security, privacy and confidentiality, industry-specific regulations, bribery and corruption, conflicts of interest, fraud, money laundering, business continuity, and insider trading." Id. at 4. He added that in recognition of "these challenges, and the many difficult judgment calls CCOs need to make in exercising their duties and responsibilities, the Commission and its staff think long and hard when considering enforcement actions against CCOs, and oftentimes exercise prosecutorial discretion not to bring such actions." Id. He also cited the Pekin Singer Strauss case in which the CCO who had sought additional resources was not charged (see Note 2 supra).

I also noted with some interest (because I represent SEC whistleblowers) that Commissioner Aguilar added this line to his address in support of CCOs: "Moreover, the Commission has used its Whistleblower program to protect and reward CCOs who did the right thing." Id.[10]

It is interesting that in the 2016 PwC State of Compliance Study, the firm cautioned that "our state of compliance survey results show what appear to be low levels of CCO involvement in strategic decision making. The survey shows that only 48% of respondents describe their compliance functions as either fully integrated or playing a key role in strategic plans and activities...the survey results suggest that CCOs and institutions may be missing out on important input into strategic making. Without the CCO in the room, decision makers generally rely on the business areas...[b]ut the views of those in the company's business areas may be more influenced by other factors—ones that don't consider compliance risks."

Coming from PwC, a firm which audits many major corporations and sees plenty of "risk" situations, these observations are significant. PwC may be saying, in polite terms, that the compliance function is still out of the loop in many corporations when it comes to fully addressing risks. With no compliance input (except when something goes awry), companies are driven by the profit-making folks, who (as we learn every week, it seems) are willing to take serious risks to make the bottom line. The risk in turn for compliance people is that, in trying to uncover and deal with the mess, or worse if they have been warning about it for years (and perhaps sending emails to boot), they are digging a big hole for themselves when the regulators finally swoop in, start reading those emails, and hold them up to Mr. Ceresney's three-part test for CCO liability.

The takeaway from the SEC guidance, found in the Ceresney-Gallagher-Aguilar dialogue, may simply be that, while CCOs are given some leeway to make mistakes in the course of their difficult work, they can be, post-facto, punished for letting bad conditions fester, or for grossly (or perhaps even negligently) allowing situations which clearly violate written or stated rules to continue without immediate remediation. While none of these individuals are still at the SEC, their opinions surely carry weight with their successors. And apart from SEC issues, in the swirl of finger-pointing that inevitably follows a corporate scandal, defensive C Suite types, and particularly board members perhaps caught asleep at the switch, may be tempted to blame the CCO if it deflects attention away from their own management or oversight failures.

One Commissioner still on the job is Kara Stein. In a 2014 speech before a group of compliance officers, she offered some thoughts on their challenging work:

"Another critical partner is the CCO. Many of you in the audience are CCOs, and I appreciate the important work that you do each day. The CCO is a relatively new position, and the role has evolved significantly over time. It is clear to me that the vast majority of CCOs are working hard and getting good results. But many of you are nonetheless concerned about possible enforcement actions against CCOs. There is a concern that charging CCOs will have the unintended consequence of weakening the compliance function. I have heard it said that these cases may lead to a drop in the quality of CCOs, because the best candidates will not be willing to serve. And those CCOs that remain willing to assume the role will be less effective because, for example, they may avoid certain functions such as participating in firm committees. That is not the intention.

If you read the facts in the cases we bring, you will see that they are not cases against CCOs that were promoting compliance. Instead, they are cases against CCOs that were assisting fraud, ignoring red flags, not asking the tough questions, and not demanding answers...

For some gatekeepers, such as accountants, the role is well-defined. For others, such as CCOs, it is less so.

This creates uncertainty, which I believe is at the heart of the concerns that I've heard about CCO liability. We owe it to you to remove some of this uncertainty so that you can fully unleash your power to prevent harm." (emphasis added).[11]

The SEC has issued no formal individual guidance for CCOs. What we do know is that the SEC in particular takes internal control violations very seriously, and often brings what it calls "books and records" cases, which often turn on how well the company complied with its own stated and published policies. Whether the SEC thinks CCOs can be charged with compliance failures that amount to, in legal terms, simple negligence for their oversight of others, especially outside the arena of the Advisers Act, is unclear. The irony is that the better the job the CCO has done in getting such standards codified and disclosed, the more risk the CCO runs if such standards are not met, or efforts to enforce them are not properly documented. To the regulators, "red flags" always seem brighter in hindsight. Voicing complaints over time, but "not asking the tough questions, and not demanding answers" may indeed be the very shortcomings that can destroy the career of even the most well-intentioned and dedicated compliance officer.

The Department of Justice Guidance on Corporate Compliance Programs

Recently, the DOJ has taken a keen interest in corporate compliance. While it is not a federal crime to have an inadequate compliance program, the department has encountered this issue when deciding what if any credit to give companies accused of various criminal acts for their prior efforts, if any, to prevent or remediate such violations. In November 2015, the DOJ Fraud Section retained a full-time compliance expert, Hui Chen. Her prior job was in compliance at a large bank, a major pharma company, and with Microsoft. She is also a former federal prosecutor.[12]

She undoubtedly had a role in the DOJ's Fraud Section publishing in early 2017 its "Evaluation of Corporate Compliance Programs." This document has to date not received the attention it deserves, but it is clearly one of the best single sources of information for CCOs and their companies to understand how the U.S. government views the components of a good compliance program, and the questions it will ask of companies who have violated federal law but seek leniency on the basis of allegedly having tried hard to find or fix the problems.[13] To see it, Google "Evaluation of Corporate Compliance Programs—Department of Justice."

While the DOJ Guidance is too detailed to fully describe here, several important observations can be made, especially as they might impact liability of CCOs in future prosecutions or SEC or other government enforcement actions. The Guidance asks, for example, "Were there prior opportunities to detect the conduct in question, such as audit reports identifying relevant control failures or allegations, complaints or investigations involving similar issues? What is the company's analysis of why such opportunities were missed?"

This question goes right at the compliance function. What did you know and when did you know it? If you did not know it, why not? The CCO should be ready to address these questions before they are posed in the white heat of an enforcement investigation. The Guidance also asks: "Was compliance involved in training and decisions relevant to the misconduct? Did the compliance or relevant control functions (i.e. legal, Finance, or Audit) ever raise a concern in the area where the misconduct occurred?" Woe to the CCO who has to admit that the answer is yes, and similar woe for different reasons to the CCO who has to answer no.

The Guidance also asks multiple questions about the compliance function, e.g. how does it compare with other strategic functions in the company in terms of "stature, compensation levels, rank/title, reporting line, resources, and access to key-decision makers"? It asks "what role has compliance played in the company's strategic and operational decisions." Based on the PwC results discussed earlier, my suspicion is that many companies (and their CCOs) may have a hard time producing a satisfactory answer to that question.

The Guidance goes on to ask similar hard questions on such areas as Policies and Procedures, Risk Assessment, Training and Communication, Confidential Reporting and Communication, Incentives and Disciplinary Measures, Continuous Improvement, Periodic Testing and Review, Third Party Management, and Mergers and Acquisitions. Any CCO who reads through this gauntlet and comes out feeling confident is either very good or very naïve. Many, I suspect, will have trouble sleeping at night while dreaming of sitting in the witness chair in a paneled federal courtroom answering these questions under oath.

On the positive side, the CCO can use this document to convince board members, general counsels, and C suite skeptics that being able to answer these questions to the satisfaction of the regulators in the wake of a corporate crisis could go a long way to saving their hides and the shareholders' investments.

The Banamex USA case

A recent case which is a textbook study of bad compliance is the DOJ money-laundering case against Banamex USA, an indirect Citigroup subsidiary which in May 2017 entered into a non-prosecution agreement (NPA) with the DOJ. It agreed to forfeit $97 million and admitted to criminal violations for failing to maintain an effective money-laundering compliance program, while processing more than $8 billion in over 30 million remittance transactions to Mexico. While the company's monitoring system generated more than 18,000 alerts involving over $142 million in potentially suspicious transactions, Banamex conducted fewer than 10 investigations and filed only 9 SARs (Suspicious Activity Reports). In a related proceeding, the FDIC and California authorities fined the company $140 million, and four senior executives were fined and/or prohibited from working for any financial institutions in the future.

One of these individuals was the Chief Compliance Officer. His story is set forth in the Statement of Facts in the Banamex NPA. To see it, Google "Banamex USA NPA—Department of Justice" (see especially pp. 7-12). It is worth reading for any CCO who wonders how things can go from bad to worse, even when you see it happening and make some effort to prevent it. It is also a testament to (1) how you can be undone by your superiors, who were too cheap to make your compliance program work, and (2) how bad it can get when you have an honest and persistent subordinate who routinely sends emails seeking assistance and setting out the problems. I suggest this case should be reviewed in every Compliance 101 course.

These cases never seem to end. Regarding one of the latest, the basketball recruiting scandal involving Louisville coach Rick Pitino, Adidas, and others, the CEO of the Society of Corporate Compliance and Ethics recently observed of the more recent scandals:

"I am sure that a number of leaders whose jobs ended tumultuously were left wondering 'Where the heck was my Chief Compliance Officer (CCO)?' The press, public, politicians, and prosecutors want leadership to be held accountable even if they didn't commit the wrongdoing.... Some Boards are going to be faced with a choice between millions of dollars vs. turning over one or more of their leaders."

Roy Snell, Compliance Today, January 17, 2017, p. 3.

In sum, there is ample reason to think that cases involving CCO liability will increase as compliance programs become more important in corporate governance and those involved in the process come under greater scrutiny by regulators. Nevertheless, there are many "best practices" to reduce Chief Compliance Officer liability. Concrete suggestions abound, and I refer the reader to several here.[14]

As for the hypos at the beginning, there are no certain answers. Discuss them with your colleagues. I could have written dozens more, as can you. They were written to set out only a few of the multitude of complex fact situations compliance officers may encounter. To be sure, good faith mistakes can and will be made in the course of the difficult and complex work undertaken by compliance officers, and their actions will be second-guessed. Some may cross the line, to the extent there is a "line." A few may face regulatory sanctions. I continue to trust, however, that an honest and conscientious Chief Compliance Officer who builds an effective compliance program, vigorously oversees its implementation and demands full support by the company, and is not afraid to "tell truth to power," will be able to avoid personal liability and serve an increasingly critical function in corporate management and governance.

Footnotes

1 A version of this article was presented at the ABA Section of Labor and Employment Law 11th Annual Labor and Employment Law Conference, Washington, D.C., November 9, 2017.

2 Pekin Singer Strauss Asset Management Inc., Advisers Act Release No. 4126 (Jun. 23, 2015).

3 In the Matter of Parallax Investments, LLC, John P. Bott, II, and F. Robert Falkenberg, Advisers Act Release No. 4159 (Aug. 2, 2015).

4 Press Release, SEC Announces Enforcement Action Against Former Wells Fargo Advisors Compliance Officer for Altering Document (Oct. 15, 2014).

5 In the Matter of BlackRock Advisors LLC, AP File No. 16501 (Apr. 20, 2015).

6 This Rule requires, inter alia, investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violations by them and persons they supervise of the Advisers Act and rules adopted under the Act.

7 In the Matter of SFX Financial Advisory Management Enterprises Inc., AP File No. 3-16591 (June 15, 2015).

8 Commissioner Daniel M. Gallagher, Statement on Recent SEC Settlements Charging Chief Compliance Officers With Violations of Investment Advisers Act Rule 206(4)-7, June 18, 2015.

9 Commissioner Luis A. Aguilar, The Role of Chief Compliance Officer Must be Supported, June 29, 2015.

10 He cited two cases in which the SEC had rewarded CCO whistleblowers, including an April 2015 proceeding in which a one-million-dollar award was made. The SEC whistleblower rules make it possible for CCOs to become whistleblowers if certain conditions are met. See Daniel J. Hurson, When Should Auditors and Compliance Officers Become SEC Whistleblowers, Mondaq Publishing, December 10, 2014.

11 Kara M. Stein, "Keynote Address at Compliance Week 2014," May 19, 2014. A law firm commentary on the Stein speech noted:

"Ms. Stein further discusses the possibility that holding individuals to account for such [gatekeeper] failures might be more useful than imposing large penalties against the organizations with which such individuals are associated. Assuming gatekeepers should be held responsible for their failure to act, it is not a far reach to assume that compliance and legal personnel that fail to provide 'critical compliance information' to the gatekeepers should similarly be held responsible for such failure." Winston & Strawn, Chief Compliance Officers Subject to Expanding SEC Enforcement Trend—What "Personal Liability" Means Now, April 28, 2015. Ms. Stein's views on this issue could be very important going forward, as the other two current SEC commissioners, Chair Jay Clayton and Commissioner Michael Piwowar, have expressed similar views about focusing in appropriate cases on individual actors as opposed to their corporations.

12 Ms. Chen resigned in June 2017, in what lawyers who withdraw from representing a client sometimes refer to as a "noisy withdrawal." See David Sirota, Justice Department's Corporate Crime Watchdog Resigns, Saying Trump Makes It Impossible To Do [her] Job, International Business Times, July 2, 2017.

13 One law firm analysis stated that the Guidance "is the most recent public statement by the Fraud Section demonstrating the increased sophistication of the DOJ's compliance expertise...[and] represents the most universally applicable and clearly articulated statement of the Fraud Section's primary focus areas when determining the efficacy of corporate compliance programs." DOJ Issues New Program Evaluation Guidance, Baker and McKenzie, February 28, 2017.

14 Luis Mejia et al., Preparing For SEC's Pursuit Of Compliance Officers, Law 360, March 9, 2016. For an intriguing "outside the box" method of conducting a corporate compliance program, see Todd Haugh, The Trouble With Corporate Compliance Programs, MIT Sloan Management Review, Fall 2017, pp. 55-62.

Daniel J. Hurson was formerly an Assistant United States Attorney for Maryland and Assistant Chief Litigation Counsel for the Securities and Exchange Commission (SEC). He is a former Chairman of the Steering Committee of the District of Columbia Bar's Corporation, Finance and Securities Law Section. His primary practice now is the representation of SEC and Commodity Futures Trading Commission (CFTC) whistleblowers. His website is http://www.hursonlaw.com.
