Historically, the dialogue surrounding compliance among SEC regulated investment advisers has heavily focused on fostering a “Culture of Compliance,” highlighting the “Culture at the Top” and the pivotal role of the Chief Compliance Officer in administering regulatory adherence.

Remarkably, recent rhetoric from SEC statements and actions illustrates a shift towards the new standard of “proactive compliance.” Have you been noticing? This transition we think is significant and underscores a more dynamic approach where compliance functions are not only integrated into the day-to-day operations but are also anticipatory in nature. Not only do we see this shift in recent SEC speeches, but we see the parallels in the SEC’s approach to AI.

Gurbir S. Grewal has been at the forefront of articulating this shift in two significant speeches: most recently his “Remarks at Program on Corporate Compliance and Enforcement” on April 15, 2024, and “Remarks at New York City Bar Association Compliance Institute” on October 23, 2023.

We even see this concept in his Regulation Best Interest (Reg BI) speech as early as June 5, 2019. These statements by Grewal emphasize the importance to him of this subtle but critical shift to what he describes as the need for “Proactive Compliance,” indicating a shift in evolution in regulatory expectations beyond the culture of compliance and the important role of the Chief Compliance Officer alone.  It now encompasses the expectation to be proactive. As an example, we see this with the approach to AI and see parallel implications with expectations around off channel communications, the marketing rule oversight, fees, and expenses.

Grewal’s general principles of what he calls “proactive compliance,” is a framework requiring three things:  education, engagement, and execution. 

The Gensler Alignment

Gary Gensler, in his role as SEC Chairman, stresses the need for compliance efforts which foster an organizational culture that prioritize compliance, integrity and safeguarding investors.  Gensler has shown alignment with Grewal’s emphasis on proactive compliance in numerous ways, particularly surrounding a specific focus on new and emerging risks posed by new technologies and products, such as AI or crypto technologies. This emphasis underlines the importance of firms proactively updating their compliance and risk management practices to align with evolving market conditions and regulatory expectations and encourages firms to focus their compliance efforts on areas that could pose heightened risks to retail investors and the integrity of the capital markets.

This emphasis on proactive practices is consistent with the broader SEC strategy to encourage firms to anticipate and mitigate risks rather than merely be reactive, illustrating a more proactive stance in their compliance operations.  

Proactive Compliance Implications:  AI

Gensler’s focus on the implications of AI and the need for accurate disclosures and careful consideration of conflicts of interest aligns closely with the proactive compliance framework. Gensler’s discussions underscore the significance of understanding and integrating regulatory expectations into the firm’s practices, particularly in fast-evolving areas such as digital finance and AI. The recent AI enforcement cases highlight the SEC’s stance on emerging technologies and the necessity for organizations to maintain rigorous compliance measures. Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said “…if you claim to use AI in your investment processes, you need to ensure that your representations are not false or misleading.”

Examples of a Proactive Compliance Framework

Bringing a proactive strategy to compliance expands beyond testing existing polices, or living with current testing protocols, known risks and existing conflicts.  Bringing a proactive strategy is being intentional about gaining knowledge in different ways and being more anticipatory, collaborative and probing.  Being intentional includes seeking information about regulatory views and other industry viewpoints. Fundamental to a proactive compliance strategy means asking questions, seeking input across your firm to explore and identify unknown risks and conflicts. Asking questions and being collaborative is fundamental to creating a proactive, forward-thinking approach. 

The Three Principles of Grewal’s “Proactive Compliance” include:

  1. Education: The Cornerstone of Proactive Compliance
    Education extends beyond traditional compliance training or even continuing education; it involves a continuous and proactive understanding of the evolving regulatory environment. Compliance officers must educate themselves about potential risks specific to their business sectors that could signal shifting priorities or new concerns within the industry. For instance, Gensler’s recent speech on the challenges and regulatory focus on AI in financial services emphasizes the need for compliance frameworks that can adapt to technological advancements. This highlights the importance of staying current with regulatory discourse as a form of proactive education.
  2. Engagement: Keeping Lines of Communication Open
    Engagement in proactive compliance involves maintaining open lines of communication with various stakeholders within the firm. This includes regularly updating firm personnel about significant changes in rules, company compliance policies, and insights from SEC actions. The goal is to ensure that all employees are aware of and understand their roles in complying with securities laws, thus preventing inadvertent violations. This aspect of proactive compliance ensures that compliance is not just a department but a firm-wide ethos.
  3. Execution: Turning Knowledge into Action
    Execution in the context of proactive compliance means putting the knowledge and collaborative strategies into practice. This involves designing and implementing compliance policies that not only address existing rules but anticipate potential future risks. The SEC’s proposed rules on adaptive analytics, which call for comprehensive management of conflicts of interest in predictive data analytics used by broker-dealers and investment advisers, serve as a prime example. These rules require firms to evaluate and neutralize potential conflicts, thereby necessitating that firms execute compliance strategies that are both preventative and responsive. As Grewal points out, adoption of the policy is only part of the battle—”effective execution to implement the policies and procedures is equally important.”

An AI Case Study: How Can a CCO Utilize the 3 Proactive Compliance Principles

Compliance officers can effectively utilize Grewal’s principles of proactive compliance—education, engagement, and execution, for example, in their firm’s approach to AI, to ensure compliance and avoid pitfalls like those seen in recent AI enforcement cases. Here are how these principles could be applied:

Education

It is critical for Compliance Officers to be informed about new product initiatives within their firm, particularly as they relate to industry developments and regulatory concerns. This is evident regarding the latest developments in AI technology and its implications for compliance and regulation. The principle of education involves learning about AI capabilities, limitations, potential biases, and the regulatory landscape surrounding AI usage in financial services. CCOs can achieve this by collaborating with experts in AI and technology within their organizations or through external partnerships. This collaborative approach allows CCOs to leverage expert knowledge and insights, ensuring that their compliance strategies are informed by the most current and relevant information without the necessity for them to master the technical complexities of AI themselves. This strategy not only enhances the compliance framework but also ensures that the use of technology aligns with both business objectives and regulatory requirements.

In the context of AI enforcement cases, such as the ones involving firms misrepresenting their AI capabilities, a proactive approach would identify gaps between the firm’s actual AI use and the claims being made publicly, with marketing material approved by Compliance prior to use.   Exploring the firm’s use of AI and asking, “Are we doing what we are saying?” will help the compliance officer to validate the accuracy of disclosures and prevent misleading statements that could lead to regulatory action.

Engagement

Engagement involves active involvement in how AI technologies are integrated and used within the firm. Compliance officers should work closely with AI teams to ensure that the deployment of AI technologies aligns with compliance standards and ethical guidelines. This means being part of the conversation from the initial stages of AI project planning through to implementation, providing compliance insights that can guide regulatory impact in the development and deployment of AI tools.

Effective engagement ensures that any potential conflicts of interest or compliance issues are addressed. In the AI enforcement cases, active engagement could have helped ensure that all AI-driven products or services were vetted for compliance risks before being marketed to investors or used in client interactions.

Execution

Execution in the context of AI involves the implementation of robust compliance programs that include policies and procedures tailored to manage the risks associated with AI. This includes setting up controls for monitoring systems to continuously assess the performance and outputs of AI systems to ensure they operate within regulatory and ethical boundaries. Firms should ensure that there are controls in place to detect and address any deviations from expected behaviors or outcomes from AI systems.

In the context of recent enforcement cases, if a firm advertises that it uses AI to enhance investment strategies, there must be effective and adequate policies and procedures to verify and validate the accuracy of the claims. Effective execution of these policies could prevent situations where AI capabilities are overstated or where disclosures and marketing content are not based on facts, as seen in enforcement cases. This helps protect the firm from regulatory penalties and reputational damage.

By adopting Grewal’s principles of proactive compliance, compliance officers can create a compliance framework that addresses current regulations but also is anticipatory of future challenges posed by evolving technologies, like AI. This proactive approach can significantly mitigate risks and enhance the firm’s ability to maintain effective compliance programs, potentially avoiding situations like those seen in AI enforcement cases.

Key Takeaways: Steps to Help Shift from Reactive to Proactive Compliance

In the evolving landscape of regulatory compliance, firms need to think how they can move from a reactive to a proactive compliance framework. This shift is necessary because risks are not only diverse but can also have rapid and widespread impacts. A proactive compliance framework involves strategic steps that compliance officers and firms can adopt to foster a more collaborative and anticipatory approach to compliance, thereby enhancing their ability to manage risks effectively and maintain regulatory integrity.  The shift towards proactive compliance involves clearly communicating the value of proactive compliance not just as a regulatory necessity but as a core component of the firm’s strategic advantage. Leaders should make clear that it is integral to the success of the organization. This proactive approach can avoid unnecessary and unwanted regulatory situations.

Two Tactical Steps for a Proactive Compliance Program:

  1. Assess the Effectiveness of your Compliance Program: Firms should consider an assessment of the effectiveness of their programs, including policies and procedures. This includes a focus on identifying gaps, reactionary components, and strengthening engagement. Risks can be reduced by assessing where processes or controls are reactionary, resulting in strengthening the compliance program, controls, and testing.
  2. Continuous Education and Adaptation: Adapt or expand training programs to be more collaborative. Collaboration across the organization to identify emerging risks and conflicts is critical to a proactive approach.   Examples, in addition to annual and periodic training sessions, could include continuous updates via internal communications, use of case studies, workshops, and seminars that encourage an ongoing dialogue about compliance, risk and conflicts.

Conclusion

In summary, proactive compliance, as advocated by Grewal and evident in Gensler’s regulatory focus, requires a multidimensional approach not only involving education, engagement, and execution, but shifts to a mindset focusing on the importance of foresight and initiative. In this manner, firms can shift from a reactive posture to a proactive one, strengthening policies, revising procedures and testing to proactively identify new risks and conflicts.  

The effectiveness of proactive compliance becomes strikingly clear when you apply these principles retrospectively to recent enforcement cases or even SEC examination deficiencies.  By introducing proactive compliance into the fabric of your compliance program and operations not only minimizes risks but also enhances the firm’s reputation and growth opportunities in the long run.

For further exploration of these concepts and to get help in taking steps to put the proactive assessment in place, contact our Team at Salus GRC.