Gurbir Grewal and 'A Culture of Proactive Compliance'

When a new year begins, it’s natural to reflect on our direction and make improvements where we can. This doesn't just apply to individuals, but organizations too – it's a clean slate across the board. As we enter 2024, the Director of the SEC’s Division of Enforcement, Gurbir Grewal, is focused less on resolutions, and more an actual revolution. Speaking at the New York City Bar Association Compliance Institute in October 2023, he stated:  

“Public trust in our institutions is faltering....but it is clear that we cannot reverse those trends alone. We need your help to do so. We need to work together to create what I call a culture of proactive compliance.” 

Thankfully, Mr Grewal also revealed guidelines for compliance staff and financial organizations to follow in order to establish his desired principles. Here we will unpick his vision, why he has chosen now to be so candid, and how his guidelines can help the firms tasked with making progress. 

What led to this? 

Gurbir Grewal has occupied his role since July 26th, 2021. He recently revealed that his ambition was to enhance public trust in institutions, and that he wished to ‘impose penalties that would have a lasting impact across the industry’.  

When analyzing Grewal’s comments at the Compliance Institute, it’s important to consider the regulatory developments that preceded them. During his speech, he refers to an erosion of public trust. 

“No sector is immune to this trend … If the public doesn’t think the system is fair … they are not going to invest their hard-earned money. This hurts all those companies, professionals, and other market participants who are playing by the rules and doing the right thing” 

The elephant in the room here is undoubtedly the WhatsApp fines that have dominated the last couple of years, and that have prompted intense (and very public) media scrutiny. Grewal is aware that this doesn’t fill consumers with confidence, and so has made it very clear that for the sake of market integrity, penalties must be applied across the board, and all bad actors must be held accountable. 

The regulator’s unwavering application sends a strong message. Firstly, fairness, with no concessions made to culpable firms, whether large or small. Secondly, it demonstrates that Grewal’s vision isn’t a flavor of the month box-ticking exercise, but a real shift in mindset and behavior that will promote the right decisions being made naturally rather than in a prescriptive manner. It’s not a quick fix, but a long-term solution to an age-old problem, coaxing people to ‘do the right thing’ rather than what they can get away with. 

Stuck in the middle 

During his speech, Grewal also clarified when CCOs would be held accountable for their actions, and charges would be filed against them. This would happen... 

• where compliance personnel affirmatively participated in misconduct unrelated to the compliance function; 

• where they misled regulators; and 

• where there was a wholesale failure by them to carry out their compliance responsibilities. 

CCOs were also reassured that the SEC “does not second-guess good faith judgments of compliance personnel made after reasonable inquiry and analysis”. He appears to acknowledge that compliance is a difficult profession - they're tasked with enforcing measures set out by regulators while enabling their companies to flourish, and so give and take on either side will always be tested.  

It’s helpful for Grewal to clarify exactly where compliance professionals stand, and what actions will trigger the SEC to act against them. He is clearly sympathetic to the challenging nature of their responsibilities, but needs to convey that a role in compliance is not a get-out-of-jail-free card. 

The three E’s 

Grewal has shared ‘three E’s’ for firms to adhere to to enable a culture of proactive compliance. 

Education – This entails proactively keeping on top of new legislation, regulatory enforcement, and cultural developments that may have an influence on proceedings (the impact of AI, for example). By issuing fines publicly and vehemently, Grewal insists that the SEC is doing its bit in contributing to this education. 

Engagement – Only by engaging with personnel across organizations can CCO’s learn about their ‘activities, strategies, risks’. This is vital to accurately assess the compliance gaps in an organization, and where improvements can be made and processes changed. Engaging with staff also builds trust and accountability. 

Execution – It's all well and good having written procedures in place – you need to follow them if you want to enact meaningful change. In the case of the WhatsApp fines, relevant policies were formalized but largely ignored, and firms were eventually held accountable for their misconduct.   

As Grewal explains, “through leadership, training, constant oversight and the right tone at the top, you need to ensure that the policies are actually implemented and followed. That’s what proactive compliance requires.” 

The buffer period 

An interesting thing to consider is that with the proliferation of digital channels and developments in technology, regulators take time to catch up with consumer behavior. They need to be very precise with the rules they enforce, and so cannot dive headfirst into issues as they emerge. 

That is what has happened with WhatsApp, and while many companies were flagrantly breaching record-keeping regulations, you could also argue that the SEC’s inaction on the matter lulled firms into a false sense of security, resulting in complacency. It’s clear that having looked the other way for some time, the regulator has now drawn a line in the sand. 

This perfectly exemplifies the value of proactive compliance; businesses have a headstart on regulators, and just because something is not yet explicitly prohibited, that doesn’t make it a loophole. After all, who knows what the next WhatsApp will be? It’s safest for firms to ‘do the right thing’ and apply fundamental principles to modern technology, or it could cost them, financially and reputationally.  

By acknowledging the difficult space compliance personnel occupy and applying some common sense to proceedings, Grewal may well have recruited more supporters within the compliance sector. Those individuals need support themselves, and with the right systems in place (growing dependence on RegTech platforms is anticipated in 2024), they'll be better equipped to manage a snowballing workload and adhere to his guidelines. This will make a difference, and help realize his vision; to build a proactive culture that regulators and compliance personnel can both buy into, together.