In July 2025, the SEC settled charges against the Chief Compliance Officers (CCOs) of two investment advisers that involved backdating compliance documents and attempting to conceal these fabrications from examiners. The settlements imposed civil monetary penalties for both officers as well as a three-year bar for the more severe violation.

These actions reinforce a lesson that should be familiar: regardless of the party in power, regulators do not look kindly on backdated documents or attempts to mislead them. While most CCOs would never consider engaging in similar conduct, any action against a CCO in their personal capacity inevitably raise broader questions in the industry about what other actions could expose a CCO to personal liability. Put another way: most CCOs understand not to go 60 miles per hour in a school zone, but what if they roll through a stop sign?

While every case will be judged individually, SEC staff members have previously provided some guidance on factors they consider when deciding whether to charge a CCO in their personal capacity. Staff statements are not binding on the SEC but, taken together with previous actions against CCOs, they provide some hints as to how the SEC will make decisions. With that in mind, we list below some dos and don’ts designed to help CCOs avoid seeing the SEC’s flashing lights in their rearview mirror:

• Do: Document your regular efforts towards compliance.
  • A “wholesale” compliance failure at an organization (i.e., one so basic and so long-running that it is akin to not having a compliance program at all) is far more likely to trigger personal liability than a mistake, even a serious one, that does not call into question the program as a whole. A CCO should have a record of some type showing that, whatever the SEC thinks happened, it was not a “wholesale” compliance failure. CCOs frequently use their firm’s annual review of its compliance policies and procedures and the effectiveness of their implementation as an opportunity to document the firm’s efforts and to show that policies, procedures, and implementation are regularly evaluated. Calendar invites for compliance meetings, notes of internal training sessions, and emails flagging regulatory issues all help to create a record showing the program is active and functioning, even if it’s imperfect.
• Don’t: Mislead the SEC staff to hide deficiencies.
  • When it comes to responding to an SEC exam or investigation, it is important to recall the old adage: “it’s not the crime, it’s the coverup.” If the SEC asks for a record that does not exist (but perhaps should), it is never appropriate to create it after the fact and present it as contemporaneous. In certain circumstances, it can be acceptable to create and provide documents after the SEC inquiry begins, but not if they are backdated. For example, a firm may discover during an exam that it neglected to conduct a procedure that its compliance manual required on a quarterly basis, such as collecting employee trading records. Rather than fabricate backdated certifications, the firm could consider obtaining employee attestations effective as of the quarter’s end, but clearly dated as of the actual date they were signed. The SEC staff may still take issue with the delay, which may be a violation of the firm’s compliance manual, but a good-faith effort to correct an issue when it is discovered signals to the staff that the CCO understands the error and is seeking to prevent it from reoccurring, and is not personally and willfully involved in any misconduct that may have occurred.
• Do: Promote a firmwide culture of compliance.
  • As the New York City Bar Association Compliance Committee observed in 2022, CCOs often are responsible for conduct “ultimately determined by other human beings whom the CCO cannot control.” A CCO cannot guarantee perfect outcomes, but can mitigate the risk of a “wholesale” breakdown by fostering a culture in which compliance is taken seriously. This includes staying attuned to developing issues (in and outside the firm) and making sure compliance is seen as part of the firm’s business infrastructure, not merely a box-checking exercise.
• Don’t: Be complacent.

The regulatory landscape is constantly evolving, and staying up-to-date on emerging risk areas and recent guidance from the SEC and other bodies is important. A firm’s compliance program cannot be “set it and forget it.” Diligence and assertiveness in finding and addressing actual and potential compliance issues can benefit the whole firm, and certainly the CCO personally.