7 Ugly Truths About Compliance: a Primer for New Chief Compliance Officers

Many compliance officers live in hope that if they ramp up their persuasive skills, engage employees with spectacular training presentations, and provide succinct and prompt advice, they will receive the respect and recognition that they deserve. Unfortunately, despite their best efforts, most compliance officers still struggle to be heard.
1. No one reads the compliance manual.
Despite all the hard work compliance officers put into the manual, no one reads it. That may be an overstatement, but aside from the many questions received regarding the Code of Ethics and employees’ personal securities transaction reporting obligations, the rest of the manual remains unread. Employees remain blissfully unaware that the manual contains policies and procedures for many daily activities, until the Chief Compliance Officer discovers an issue, or the SEC staff points out a specific passage during an exam.
To encourage readership, compliance officers should consider engaging employees in drafting and revising the manual. Set up a meeting with each area within the firm to go over the sections of the manual that apply to that area. Revise the procedures based on the input received, and require supervisors to review and approve them. Supervisors then have accountability for those procedures.
Another approach is to read the manual to the employees by providing frequent training. Having short, focused training presentations can be very effective. (Free food is also a big draw.) Consider tailoring training to specific areas of the firm, and work with the supervisor to set the agenda and the best date and time for the presentation. Schedule training during periods when the attendees are generally less busy. Request input from the supervisor to ensure you cover topics that he or she identifies as problem areas, even if they may not necessarily be compliance-related. Show your willingness to help advance firm-wide goals, as well as your own.
Development of a good compliance program is a process; it takes time for everyone to understand their roles. The more you present yourself as a resource and take the time to discuss the goals of the program, the more buy-in you will get. This process can take years, so be patient.
2. Compliance officers don’t get any respect.
Being challenged on your opinions or advice is a fact of life for most compliance officers. Executives, portfolio managers and other investment professionals want data and facts to support a recommended course of action. Unlike other financial professionals, compliance officers don’t have an easily understood track record or a way to compare their services to an existing benchmark. It is not particularly confidence-inspiring to tell a future employer or client: “The deficiency letter from the last SEC exam I was involved in was only 12 pages long.” Or “No firm ever got referred to the SEC’s Enforcement Division on my watch.”
To make matters worse, the regulatory rules are vague and advice from the SEC is piecemeal, culled from speeches, no-action letters and administrative actions. Advice from experts may not be specific enough to deal with your firm’s unique situation.
Consequently, compliance officers (and consultants) have to earn respect on a daily basis. This can be accomplished not only through knowledge and experience, but by providing concise and useful advice. Knowledge and experience are meaningless if you can’t deliver your message in a way that your client understands.
My advice is to be prepared. In areas where you know you are going to get push back, read the underlying rule. Consult your firm’s policy and procedure. Read any SEC no-action letters, speeches, and administrative actions relating to the issue. Look through the materials from the last industry conference you attended. Search the internet for articles written by law firms and other industry experts. Call your contacts at other firms to see how they deal with similar issues. Even if you have dealt with similar issues time and time again, it is still helpful to refresh your memory and to see if there are any new interpretations.
There may not always be time to do the legwork, and even if you can, there may not be a clear answer. These are the times when you must go with your gut – provide your initial thoughts on how a regulator might view the situation and a recommended course of action. But be prepared to back it up. For high-risk issues where there is no clear path, call in an expert. There are two benefits to this approach: first, you will find out whether the advocate of a particular action is serious enough to spend some money for advice from a knowledgeable law firm or consultant, and second, you will have proof for regulators that you acted reasonably under the circumstances by consulting an expert. At best, the expert will back up your opinion, or at worst, you will learn the options available.
It also helps to keep up with regulatory issues daily. Subscribe to blogs, law firm newsletters, SEC updates and read the news. There are many free sources of information to help compliance professionals keep abreast of regulatory developments. Knowing your stuff adds to your credibility.
Once you are ready to give your advice, boil it down to its essence, with specific action items and recommendations. Those seeking your advice generally do not want to read the regulations or understand all the legal and regulatory fine points. They want to know what they need to do to solve the problem. Giving constructive, actionable advice demonstrates that you can help the firm reach its goals.
3. No one reads past the first three lines of your email.
This is a corollary to item 2 above, but is important enough to require further discussion. Many compliance officers love the details and have difficulty boiling messages down to their essentials. But people get bombarded by emails, so it’s important to be clear and concise. When a response is required, say that upfront. I recommend using all caps in the subject line: RESPONSE REQUIRED BY [INSERT DATE]. And then flag these emails with a reminder for yourself AND the recipients to follow up by the deadline.
In the body of the email, make sure you get to the point within the first sentence or two. Resist the temptation to provide a detailed explanation. Readers often suffer from email fatigue and seeing more than a screen of text may cause them to hit the “delete” button. If you are responding to a question, the answer should be in the first line of the email. If you need approval or feedback, tell the reader that you need their input on the issue to go forward. Bullet points are also useful to make points without overwhelming the reader with text.
You can always attach a detailed explanation to the email; just do not expect the attachment to be read.
4. If it’s not important to the boss, it’s not important to the employee.
This is a hard lesson. When firm management says compliance is important but takes no action to support this statement, the compliance officer’s job is much more difficult. If management is unwilling to put its money where its mouth is where compliance is concerned, the compliance officer’s only leverage is the threat of potential repercussions in the event of an SEC exam. For example, if compliance training is mandatory but the executives do not attend, they send the message that it is not important.
On the other hand, if the Chief Executive Officer says that failure to complete annual holding reports in a timely manner will result in a reduction in an employee’s bonus, employees will be knocking down the Chief Compliance Officer’s door in an effort to meet the deadline.
Getting management to buy in to compliance initiatives is a topic that requires more space than I can devote here. It’s good for business because it can help limit liability and preserve a firm’s good reputation. The SEC has also held executives personally liable for failing to adequately support a firm’s compliance program, as evidenced by a few SEC settlements, such as In re Pekin Singer Strauss Asset Management, Inc., Pennant Management, Inc., and Mark A. Elste.
Perhaps a more chilling example is the Volkswagen emissions scandal. In September 2015, the Environmental Protection Agency (EPA) found that VW diesel cars being sold in the United States had software installed that detected when the cars were undergoing emissions testing and adjusted the car’s performance to improve the results. Ultimately, Volkswagen admitted to cheating emissions tests in the United States.
What followed were consumer class-action suits and government enforcement actions, as well as criminal fines in the U.S. and Germany, and an SEC case for defrauding investors. Ultimately Volkswagen’s CEO had to resign, and the company paid out billions in fines, penalties, financial settlements and buyback costs, and suffered untold damage to its reputation.
According to a New York Times article, Volkswagen’s culture played a large part in the scandal. The company’s leadership set aggressive goals and did not want to take “no” for an answer. Former employees described a workplace where subordinates were afraid to admit failure or contradict superiors. Management espoused a single-minded goal to succeed at any cost and bullied employees. Even if management was not aware of the details, the firm fostered an environment that encouraged cheating to boost sales.
This is a worst-case scenario, and it demonstrates how management’s failure to support and encourage ethical behavior can lead to much more significant financial woes than disappointing sales.
5. You don’t know what you don’t know.
Even the most experienced compliance officers can fall into the trap of making assumptions about a firm’s operations and processes. The truth usually comes out as a result of trading error, client complaint, or, in the worst-case scenario, regulatory action.
A common example is the mismatch between what the compliance manual says and what the firm actually does, particularly with respect to the Code of Ethics Rule (Rule 204A-1). The rule requires “access persons” to report their personal securities transactions. Firms often forget to maintain a current list of access persons, or to require a new employee to provide a holdings report within 10 days of becoming an access person.
Similarly, fee calculations are another common area where advisers get cited for deficiencies during exams. Although the firm may have an automated process for calculating and deducting fees, examiners often find mistakes in the process, such as using a valuation that is inconsistent with what is disclosed in the advisory agreement or inaccurately calculating tiered billing rates.
Discovering these inconsistencies is always an unpleasant surprise for a compliance officer. The best way to deal with them is to keep an open mind and be willing to dig down through the smallest details to understand a process. This means developing standard operating procedures for all areas of the firm, and understanding the root cause of failures.
Although it’s not the compliance officer’s job to write all the SOPs for the firm, you can review and test these procedures to see if they are sufficiently detailed and robust. The compliance officer can also listen and observe. Have the employee responsible walk you through the process step by step and ask questions. Watching the process from start to finish, or even performing the task yourself, may help you learn what you don’t know.
6. If it’s not documented, it didn’t happen.
This is a lesson learned from numerous SEC examinations. Although an investment adviser might do the right thing, if there is no documentation to show that it was done, for all practical purposes it did not happen.
Most advisers maintain the required records described in Rule 204-2 of the Investment Advisers Act of 1940. The SEC, however, expects advisers to maintain other records, as evidenced in a typical SEC examination document request list. Here are a few examples of records that are not on many investment advisers’ radar screens:
- A current inventory of the firm’s compliance risks and conflicts of interest that forms the basis for its policies and procedures
- The names and locations of all service providers and the services they perform; for both affiliated and unaffiliated providers, information about the due diligence process used to evaluate them initially and to monitor their work thereafter, and how potential conflicts and information-flow issues are addressed
- Documentation of controls over employee access (e.g., electronic key card entry, locks, security cameras and guards) to physical locations containing customer information (e.g., buildings, computer facilities and records storage facilities)
- Information about the oversight process the Adviser uses for any remote offices and/or independent advisory contractors, and any policies and procedures with respect to such oversight.
Compliance officers should look for copies of SEC examination document requests and any SEC pronouncements relating to the latest hot-button issues to identify what regulators will expect to see.
7. It’s easy to say no, hard to say yes.
Most compliance officers are aware of this truth – this is a lesson for the rest of the firm. Saying no is easy; it requires no additional work or thought on the part of the compliance officer and eliminates risk. To say yes, a compliance officer has to think, research and provide options, which takes time and effort. Given the SEC’s willingness to hold compliance officers personally liable for compliance breaches, saying yes can be a risky and expensive proposition.
If you always say no, however, firm employees will stop coming to you for advice and guidance. You will not be consulted when new products are being developed, new marketing efforts are proposed, new types of clients are being sought, and new technologies are being explored. If the compliance officer is not aware of what the firm is doing, then he or she is not going to be effective.
My advice is to take advantage of teachable moments. For example, the marketing team asks you, as the compliance officer, whether they can use hypothetical performance in a client presentation. If the team wants the answer today, the answer is no. But if they are willing to wait, you will work with them to come up with a way to get the same message across, whether by adding extensive disclosure or by using a different approach.
The goal is twofold: getting firm employees to consult you early in the process and demonstrating your willingness to find solutions to meet their goals.
Coming to terms with these ugly truths is not easy. But if you accept them and manage your expectations accordingly, you will decrease your stress level and be more effective in your job.
Need assistance with your compliance program? SEC3’s team of experienced compliance professionals can help. For more information, please email us at info@sec3ccompliance.com, call (212) 706-4029 x 229, or visit our website at www.sec3compliance.com.