Merri Jo Gillette, partner at Morgan, Lewis & Bockius LLP

With the implementation of the Volcker Rule, the Securities and Exchange Commission (SEC) is poised to hold compliance officers personally responsible for their companies’ failures. If a business is like a football team, the chief compliance officer (CCO) may end up like the starting left tackle. If he does not protect the quarterback, he’ll lose his job. Now, if the CCO fails to do everything possible to prevent a compliance breach, then he or she may be the one facing penalties.

“There’s been lots of press around pretty strong enforcement of laws, hefty fines and that sort of thing. A number of companies have been heavily fined,” says Jodi Golinsky, a seasoned in-house lawyer with compliance experience at a number of financial institutions. “This has led to a greater emphasis on a culture of compliance, building up to levels greater than we have seen before.”

This is due, in part, to large fines and criminal enforcements that have been brought against companies found to be out of compliance with federal regulations. When a regulatory body like the SEC investigates a company, it must decide whether or not to pursue enforcement actions. If it does so, and if it finds egregious violations, it can take any number of enforcement actions, up to and including fining or charging a chief compliance officer.

If there’s one person who has a clear insight into the process involved in SEC investigations, it’s Merri Jo Gillette, partner at Morgan, Lewis & Bockius LLP’s litigation practice. Gillette spent more than 28 years at the SEC, eventually serving as director of the SEC’s Chicago office.


In her time at the SEC, Gillette saw thousands of cases and examinations, and witnessed a number of sweeping changes in the power and scope of the SEC. One of the biggest changes was the creation of the Office of Compliance Inspections and Examinations (OCIE).

In the wake of the Madoff case, OCIE refocused its program, moving to a risk-based examination process with a national governance structure that sets all priorities and policies for the SEC’s national exam program. Also, in the past five years or so, the Division of Enforcement reorganized itself, creating five specialty units with people assigned to those units who are dedicated to bringing cases within the subject matter of their specialty.

With all of these changes, according to Gillette, the SEC now looks at firms in a more holistic fashion.

“From an SEC perspective, a compliance program is reflected in the entire environment, the specifics and substance of the procedures and the way a program is structured as well as the resources allocated to compliance within the firm and the compliance tone within the firm,” she explains.

The SEC staff looks at businesses from several perspectives, including risk to investors, customers, clients and the marketplace, risk to fair and equitable operations of markets and risk to the financial firm or entity.


Once a firm is under investigation, there are a number of factors the SEC takes into account when deciding whether to take enforcement action against that company. “It’s not so much a checklist as a nuanced weighing of several factors, each weighing in favor or against bringing enforcement action,” Gillette explains. Factors include the egregiousness of the alleged misconduct, the direct benefit to the company as a result of the violation, whether the misconduct was systemic or isolated and the level of intent or responsibility of the wrongdoers within the company.

All of these factors come into play and what the SEC discovers will influence it in one direction or another. For example, if someone intentionally took steps to defraud investors, or acted recklessly in violation of obligations under the federal securities laws, that would cause the pendulum to swing toward enforcement actions. On the other hand, if the company was misled by a small subset of wrongdoers within the company and, even with strong compliance procedures and controls, it might have been difficult for the company to detect the misconduct, that would swing the pendulum away from an enforcement action against the company.

When deciding to take action, it is rare that the SEC will sue a chief compliance officer just because he or she holds that position, Gillette explains. In making a decision about enforcement charges against a CCO, there are a number of questions that arise.

“First and foremost, the question of whether the CCO engaged in misconduct will be raised. The SEC staff may also look at the program in place. Did the CCO lead or direct the risk assessment process and development of the procedures in the organization? Was the CCO appropriately knowledgeable about the business itself and where the risks might arise within the firm or the marketplace? Was the CCO aware of rules and regulations that apply in all areas pertinent to the firm’s business, or developments in the law or the industry that should have caused him or her to revisit a compliance policy or develop a new one?”

If the CCO was trying to do the right thing in an environment where the firm is not providing adequate compliance resources or where management is not following the CCO’s advice, the SEC staff would factor those additional variables into its decision. On the other hand, Gillette warns, “If the risk is great enough and management’s ear is deaf enough, the CCO might have an obligation to ensure that misconduct is brought to the attention of the regulator or to walk away from the company.” Though, she points out, this would be an extreme example.

Just like a left tackle in football that protects the quarterback’s blind side, the CCO plays an increasingly important business role. The SEC sees it as a critical role, enabling stronger compliance across industries, and the Commission is looking to partner with CCOs to create robust programs at their firms.

A game of risk

One tack that companies can take to create these robust programs and minimize the chance of enforcement actions from the SEC is to focus on risk. “It’s important that programs be risk-based, that organizations do a risk assessment of where they are truly vulnerable,” says Donna Epps, partner at Deloitte Financial Advisory Services LLP.

“In a global environment, risks change quickly… programs need to be flexible and you need to be constantly kicking the tires, to see if what you believed were the top risks yesterday are still the top risks. Look at the process and make sure there is not a gap between what you do and what your program’s goals are.”

Just as the SEC looks at a firm holistically, Epps emphasizes that compliance should be an integrated part of business operations. Having the right corporate culture and leadership from the top down, as well as integrating compliance in the business end of operations, can go a long way toward ensuring that these matters are taken seriously, proactively preventing any potential trouble.

Compliance problems are a serious matter, and companies must work to avoid them at all costs. With the right compliance procedures in place, they can beef up their offensive line and protect the quarterback—at least long enough for him to make that deep throw.