Merri Jo Gillette, partner at Morgan, Lewis & Bockius LLP
With the implementation of the Volcker Rule, the Securities and Exchange Commission (SEC) is poised to hold compliance officers personally responsible for their companies’ failures. If a business is like a football team, the chief compliance officer (CCO) may end up like the starting left tackle. If he does not protect the quarterback, he’ll lose his job. Now, if the CCO fails to do everything possible to prevent a compliance breach, then he or she may be the one facing penalties.
“There's been lots of press around pretty strong enforcement of laws, hefty fines and that sort of thing. A number of companies have been heavily fined,” says Jodi Golinsky, a seasoned in-house lawyer with compliance experience at a number of financial institutions. “This has led to a greater emphasis on a culture of compliance, building up to levels greater than we have seen before.”
Once a firm is under investigation, there are a number of factors the SEC takes into account when deciding whether to take enforcement action against that company. “It's not so much a checklist as a nuanced weighing of several factors, each weighing in favor or against bringing enforcement action,” Gillette explains. Factors include the egregiousness of the alleged misconduct, the direct benefit to the company as a result of the violation, whether the misconduct was systemic or isolated and the level of intent or responsibility of the wrongdoers within the company.
A game of risk
One tack that companies can take to create these robust programs and minimize the chance of enforcement actions from the SEC is to focus on risk. “It's important that programs be risk-based, that organizations do a risk assessment of where they are truly vulnerable,” says Donna Epps, partner at Deloitte Financial Advisory Services LLP.