Strategic Planning for the Inevitable SEC Examination
While being examined by the SEC staff, SEC registrants often seek a framework for evaluating if and how to effectively cooperate and self-report noncompliance with applicable regulations or policies and procedures. It is nearly impossible for SEC registrants to anticipate every risk in the face of mounting regulatory requirements. However, the one event that they likely can eventually count on is an SEC examination (“exam”). SEC registrants are generally more likely to face an exam than an enforcement investigation because of the SEC Division of Examinations’ (Exam Division) broad inspection authority.
Specifically, SEC registrants may be subject to risk-based examinations that may be triggered by various factors such as the lack of or recency of the last exam; tips, complaints or referrals; suspicion of fraudulent activity; prior examination or regulatory history; disciplinary history; key personnel departures; emerging risks; and/or national and regional agency priorities. While the stated goal of such examinations may be to foster compliance with regulatory obligations, the tactics employed seek to uncover whether the compliance program is reasonably designed, tailored and implemented to detect and prevent actual or potential violations of applicable legal requirements.
Given the inevitable SEC exam, compliance professionals are largely familiar with the benefits of exam preparedness from a books and records standpoint. After all, there are countless resources on the subject, including the 2023 and 2024 Exam Division’s Risk Alerts concerning the exam process. Yet, compliance professionals may overlook considerations and strategies for self-reporting and cooperation during an exam, in part, because most resources cover those topics in the enforcement context. As with SEC investigations, these proactive measures present potential risks and rewards in SEC exams.
The Self-Reporting and Cooperation Dilemma
While an SEC exam is inevitable, SEC registrants are unlikely to know the full details of why the firm is being examined or when that exam will occur. This uncertainty presents a dilemma for compliance professionals who are often aware of firm compliance weaknesses, even if the SEC staff has not officially announced an exam. Compliance professionals also often discover deficiencies after SEC staff initiate an exam, but before the staff issue a deficiency letter. Often the question nagging compliance professionals’ conscience is whether to self-report or not. What are the pros and cons to self-reporting or other forms of cooperation?
Potential Upside Considerations
The SEC has encouraged self-reporting through its whistleblower program and public messaging. Likewise, the U.S. Department of Justice (DOJ) has announced various cooperation programs, further underscoring regulators’ expectations to self-report and/or cooperate. The selling points boil down to costs, time and reputation. Said differently, settling firms may increase their chances of getting favorable sanctions, including monetary penalties or charges, minimize legal costs and control the narrative of any public-facing orders or complaints. Self-reporting also pauses the clock. The SEC has emerging, sophisticated tools and techniques for uncovering potential misconduct early, such as artificial intelligence (AI) technologies and data analytics. SEC registrants who delay self-reporting are, in essence, gambling that the SEC will not independently spot the misconduct first. Self-reporting before the SEC catches wind of potential misconduct avoids the race altogether.
Potential Downside Considerations
Compliance professionals are cautious about unnecessarily drawing the SEC staff’s attention to a potential non-issue. After all, the SEC rarely reports publicly when and why the staff declines to pursue charges, let alone cite an exam deficiency. Unlike the enforcement context, SEC resources providing guidance on cooperation during an exam are limited. There is also no guarantee that self-reporting will yield benefits. Cooperation credit is given at the SEC staff’s discretion, subject to the SEC’s approval in a nonpublic forum, and typically well after the self-reporting. Even if the SEC waives or reduces civil penalties, the legal and operational costs associated with cooperation may well exceed those savings. Worse yet, there is no telling what else the SEC staff may look for and find once that door is opened.
Baseline Expectations in an SEC Exam
The irony of this dilemma is that most firms technically cooperate in an SEC exam without much thought. While the SEC exam staff only have the legal authority to compel certain pre-existing books and records, they routinely request firms to create records, such as lists and spreadsheets. Given that most firms comply, any pushback, even if legally justified, may be perceived as difficult. As a result, firms often comply to avoid appearing obstructionist or for other reasons, and the SEC staff generally view such compliance as merely responsive. Given these expectations, SEC registrants are left puzzled as to what actions, if any, earn cooperation credit.
Cooperation is Defined by Principles, Not Bright-Line Rules
Adding to this confusion, the SEC has not issued official guidance on cooperation. Within the last twenty-three years, the SEC staff have mainly pointed to three dated and non-binding resources—the 2001 Seaboard Report, the 2010 Policy Statement Concerning Cooperation by Individuals and the SEC’s Enforcement Cooperation Program. The SEC staff has also discussed cooperation in public speeches, SEC press releases and whistleblower announcements, all within the enforcement context. Thus, SEC registrants undergoing exams are left with little to no guidance on how cooperation is viewed or rewarded in an exam. The limited resources cited above, however, reflect that cooperation is generally defined by principles rather than bright-line rules. They also highlight themes of self-policing, self-reporting, remediation and meaningful engagement with the staff. Similarly, the DOJ’s recently announced cooperation programs reflect a trend among regulators and law enforcement agencies of a general expectation for cooperation and/or self-reporting. As detailed below, SEC registrants may draw lessons from these principles when undergoing an SEC exam.
Demystifying Cooperation in an SEC Exam
Self-Policing—Principles and Exam Takeaways
Firms with established self-policing measures are better positioned to credibly attribute deficiencies or violations to unintentional and/or isolated conduct. Such firms are also more likely to have measures in place to prevent deficiencies or violations from recurring. Therefore, the SEC has less basis to impose penalties or other deterrent forms of relief against firms that self-police. For example, in the SEC’s February 2024 announcement of its sweep of “off-channel communications” cases, the SEC recognized a firm for its self-policing measures and imposed a substantially lower penalty compared to the other firms charged in the same sweep (i.e., a $1.25 million penalty compared to a range of $8 million to $16.5 million).
Because SEC registrants are legally obligated to establish and oversee compliance programs, they are unlikely to get significant cooperation credit during an SEC exam for essentially fulfilling their legal obligations. However, firms will still benefit from self-policing during an exam. For example, firms which effectively self-police mitigate the risks of facing an exam deficiency letter or enforcement referral. These firms are also generally better prepared for an exam and therefore reduce exam support costs. As such, firms should seize opportunities in an exam to show the staff their robust self-policing controls.
Yet, no firm’s compliance program is perfect. Many firms have known gaps when an exam is announced. Compliance professionals should not assume that it is too late to act. Commitment to self-policing can also be conveyed by responding to the SEC exam staff’s concerns throughout an exam. Failing to respond promptly only increases the risk that the staff will issue a deficiency letter or, worse yet, an enforcement referral. The SEC has publicly noted when SEC registrants allegedly disregarded the SEC exam staff, as seen in this 2023 enforcement action. While not expressly stated in the Complaint, such conduct may be viewed as an aggravating factor when assessing liability and remedies.
Self-Reporting—Principles and Exam Takeaways
Self-reporting alone typically will not earn cooperation credit for three reasons. First, the SEC may be aware of the conduct (e.g., through tips or complaints) by the time that it is self-reported. Second, the SEC must expend resources to evaluate potential violations. Third, the nature of the underlying conduct may inherently cap the extent of cooperation credit to be earned. Put simply, the staff will view stealing from a senior citizen’s 401(k) account differently from delaying an annual compliance training. It is the nature, timing and quality of the reporting that will impact benefits earned. The SEC Enforcement Director explained that self-reporting that is made early and comes with clear evidentiary support is more likely to earn credit, which is also outlined in a recent SEC settled order. Said differently, the SEC staff are likely to value actions which maximize investor protection and preserve SEC resources.
There are unique strategic considerations in the timing and manner of reporting in an SEC exam. For example, firms should recognize the heightened risk of delaying self-reporting during an exam. Even if the staff did not open an exam based on suspected violations, there is a tangible likelihood that the staff will eventually uncover the potential deficiencies through their broad requests. Firms should, in consultation with legal counsel, map out all known deficiencies and decide if and when to self-report.
SEC exams present multiple avenues to self-report and firms should strategize over which mediums are best suited for the issue at hand. For example, lower risk issues may be more appropriately addressed in narrative responses to document requests, while higher risk issues may warrant a formal presentation. The appropriate recipient of the self-report at the SEC staff or senior officer level should also be carefully considered, likely contingent in part upon the nature of the underlying issue reported and the firm’s prior interactions with the SEC staff. In further consideration of the manner of reporting, firms should evaluate whether and how to engage counsel during the process. Counsel’s involvement may signal heightened stakes, but at the same time may offer further credibility to the firm’s efforts. SEC registrants should also consult with legal counsel to understand what matters are protected by attorney-client privilege or may be subject to waiver depending on counsel’s roles, such as leading internal investigations.
The quality of the reporting should also go beyond mere disclosure to earn cooperation credit. Firms should be prepared to offer the “who, what, where, when and why” behind each issue and supporting evidence. For additional credit, firms should also prepare and share a detailed remediation plan and timeline.
Remediation—Principles and Exam Takeaways
Firms that proactively remediate are likely to earn cooperation credit. As with the principles underlying self-policing, firms that remediate are better positioned to prevent similar deficiencies and violations from recurring and therefore undercut the grounds for punitive or deterrent measures. The SEC staff has recognized remedial actions when taken independent of the staff, commenced promptly after discovery and executed in an effective manner.
During exams, firms should be thoughtful in how they decide which issues to remediate and when to begin remediation. SEC exam staff members often shed light on what they perceive as firms’ potential compliance gaps or weaknesses well before an exit interview or a deficiency letter. Although it may be tempting to assume that seemingly minor issues do not require immediate remediation, or any remediation at all, compliance professionals should bear in mind SEC registrants’ obligations to reasonably establish and oversee compliance programs. Likewise, remediation in real time will likely be valued more than remediation after the receipt of a deficiency letter.
In designing the remediation plan, firms should consider and incorporate as many pillars of a compliance program as appropriate: policies and procedures, training, supervision and monitoring, testing, controls, disclosures and recordkeeping. The plan should also present a reasonable timeline for projected completion. Firms should also document the execution of the remediation plan in the likely event that the staff will follow up on the remediation progress.
Meaningful Engagement with Staff—Principles and Exam Takeaways
SEC staff do not view mere compliance with a subpoena or exam document request as conduct worthy of cooperation credit, no matter how professionally or promptly performed. Yet, firms may receive cooperation credit or other benefits if they engage with the SEC staff in a way that leads to investor protection and preservation of staff resources. For instance, like the principles underlying self-reporting, notifying the SEC staff about a potential issue early enough to prevent investor harm would likely be valued. In another example, explaining the evidence underlying an issue in a helpful format (e.g., timelines, narratives, summaries, etc.) which saves staff time is more likely to be well-regarded.
Through the lens of cooperation, firms should not approach SEC exams like litigation. Although firms may have legal or valid reasons to object to or narrowly interpret the staff’s requests, this approach is unlikely to earn cooperation credit. Instead, firms should be transparent in how they interpret the staff’s requests and, in consultation with counsel, could even strategically volunteer information. For example, firms may share that they have proactively taken steps to enhance an area of the compliance program. Firms will also likely be viewed more favorably for presenting information in a way that preserves staff resources (e.g., charts, spreadsheets, timelines, summaries, etc.).
Firms should also treat the SEC exam as an opportunity to credibly demonstrate that they share the exam staff’s goal of protecting investors through robust compliance. Involvement by C-suite or senior personnel throughout the exam will likely support the firm’s commitment to the exam process and general compliance. Finally, SEC registrants should be prepared to educate the exam staff about the underlying business in an exam. For example, a firm may receive broad requests which are not entirely relevant to the firm’s business. Firms should consult with counsel before merely responding “not applicable” to such requests, as there may be strategic benefits to sharing context or more explanatory information with the SEC staff.
In sum, SEC registrants may consider and apply the principles of self-policing, self-reporting, remediation and meaningful engagement in SEC exams to earn cooperation credit. Kroll experts stand ready to support SEC registrants with preparing for or navigating SEC examinations.