Introduction:

Thank you for that very kind introduction.  Let me start off by providing our standard disclaimer that the views I express today are my own and do not necessarily reflect the views of the Commission, the Commissioners or my colleagues on the Commission staff.[1]

I was quite honored to receive an invitation to speak at this event and I am happy to share with you my thoughts and observations about corporate compliance.

I struggled somewhat with how best to structure my talk today.  I look at the faculty and note that you likely will have great discussions regarding the traditional materials related to corporate compliance, its importance and the elements of an effective corporate compliance program.  So I won’t spend my time today reciting some of the important guidance that you can and should consult.  That guidance is contained in a number of documents such as: (a) Section 8B2.1 of the U.S. Sentencing Guidelines[2]; and (b) the Resource Guide to the U.S. Foreign Corrupt Practices Act put out by the U.S. Department of Justice and the U.S. Securities and Exchange Commission[3] to name but two sources.

I could also spend my time today discussing the various enforcement cases that have been brought by the Securities and Exchange Commission (SEC) where there were compliance lapses relating to money laundering, the Foreign Corrupt Practices Act, and other laws we enforce.  But my colleagues at the SEC have done a fine job not just bringing those cases but also talking about them.  So for those who are interested, I recommend various speeches by members of our Division of Enforcement especially those by Andrew Ceresney, the Director of that Division.  There is also a thoughtful piece on compliance and ethics that was given by Stephen L. Cohen, Associate Director of the Enforcement Division in October, 2013.[4]

So what can I contribute to this event?  You already recognize the importance of corporate compliance and you have a distinguished faculty of experts.  So here is what I came up with.  For some forty years I have lived in this world.  I have had responsibility for legal and for corporate compliance at large and small firms, for domestic and international operations, for broker-dealers, investment advisers, commodity trading advisors, investment companies, private funds, UCITS, trust companies and for private – and to a degree public – firms.  I have also had the great privilege of doing two tours at the SEC.  The first as the Director of the Investment Management Division from May 2006 until November 2010 and most recently as the Chief Of Staff since June of last year.  So I thought I might just share some thoughts and observations regarding corporate compliance with you based on that experience.

Integrity and Personal Responsibility

Throughout my career I have witnessed that a critical component of an effective corporate compliance program is the integrity of those people you have in your organization and their ownership of personal responsibility for themselves and the areas for which they are responsible.  If you don’t have the right people with integrity who accept responsibility, the likelihood of your corporate compliance program being effective is, at a minimum, diminished appreciably.

Culture

I can’t stress enough the critical role a firm’s culture has on its corporate compliance program and its effectiveness.  A culture of always doing the right thing, not tolerating bad practices or bad actors is essential.  The culture should encourage people to ask questions and to discuss openly what is the proper response to a particular issue and how conflicts should be resolved.  It should hold the higher up members of the firm to at least the same standard of conduct as those below them.  I have always thought that the higher up you were in an organization, the less tolerant the firm should be of your non-compliance.  If that is the culture of the firm that sends a powerful message within an organization.

Another sign of the culture of a firm is whether there is a correlation between ethical behavior and the firm’s reward structure, such as salaries, bonuses and promotions.  Are people who are less compliant nevertheless rewarded?  It is also telling in a firm when questions are being asked, conflicts being resolved or decisions being made, is the discussion solely about whether we can do this or is it also about whether we should do this?  Is it the right decision or course of action for the firm and its clients?  I always appreciated how extremely difficult it would be to have responsibility for the corporate compliance function within a firm that did not have a good culture.

Keep It Simple and intuitive

When developing the policies and procedures you expect the firm and its personnel to follow they will be most effective if they are as simple as possible, are explained in plain English and are intuitive to those that have to comply with them.  Policies and procedures should be the result of clear thinking by individuals who understand the applicable requirements as well as the firm’s operations and systems.  Identify what you are trying to ensure compliance with and develop a means to that end which people who are less familiar with the law, the industry or the firm and its operations can understand and apply.  The simpler and more intuitive your policies and procedures, the greater the likelihood that they will be understood and complied with.  It may be a little more work on the front-end but it will certainly, in my estimation, be well worth it.

Role of Technology

Advancements in technology over the past 40 years have been phenomenal and have greatly advanced, in many ways, the ability of firms to implement and monitor the firm’s compliance with applicable requirements.  I have been concerned, however, about the impact of technology on the responsibility of individuals for ensuring compliance.

Years ago it was quite clear within an organization who performed certain tasks or had certain responsibilities.  Those individuals then bore the responsibility for ensuring that that task or responsibility was carried out properly.  It was clear back then that compliance resided with the business and most compliance functions back then were backend, done after the fact either manually or via some exception reporting.  As technology developed, firm’s correctly recognized the opportunity to automate a variety of functions relying on the system to replace or at least supplement the individual in performing a task or in discharging a responsibility.  Done correctly, this created tremendous efficiencies and eliminated many human errors.  Technology also created great opportunities for increased testing and monitoring within organizations.  This all seems great for a corporate compliance program – eliminate human error, provide for increased testing and enhance monitoring capabilities.

Of course, not all technology is perfect and the people developing the computer programs you are now relying on may not fully understand what you are seeking to achieve, may not access all the correct files that need to be accessed or might just make a mistake.  And it can be difficult at times for many in the firm to understand exactly what the system did and why it did it.  And frequently, systems are being tasked with roles they were not designed to perform or solutions that are not perfect.  So who now has the responsibility for ensuring that the firm is complying with the requirements?  Is it the programmer?  The business person who receives the output from the system?  It is an important question.  It is not about assigning blame when a problem occurs but rather ensuring ownership of the process to lessen the likelihood that there will be a problem.  This can be pervasive within an organization where technology has been employed extensively.

I do worry that firms may not be paying enough attention to this area and what can be done to insure that personal responsibility is not degraded by the existence of the very technology that was intended to help individuals do their jobs well.  So I do hope that technology is the solution and not the problem.

Complexity of Firms, Their Operations and Their Products and Services

As firms’ operations, products and services have become more complex, their ability to develop and implement effective compliance programs has been a real challenge.  In many cases, businesses have developed different computer systems to address specific operations.  Where there are many businesses or a complex array of products and services within a business, there frequently is a need for business or compliance purposes to integrate those systems.  They may not talk to each other very well and data fields and sources that need to be integrated often can’t be.  But that is just part of the challenge.

As this phenomenon has developed it has required a cadre of experienced and highly talented executives who understand what the various businesses are doing, how they can and cannot interact with each other and what the regulatory requirements are for each.  The knowledge and expertise necessary for key personnel at complex firms has increased significantly and I expect that this trend will continue.  While you can segregate many tasks and responsibilities within a complex firm so they are manageable, you still need a number of key personnel who appreciate how it all works and can then identify where there may be gaps or inconsistencies.

What Don’t I Know?

The thing I always worried about was what I did not know.  I never thought ignorance was bliss.  I believed that I and my colleagues could deal effectively with those things we knew about but I recognized that we did not know everything.  We did not know everything the businesses were doing.  We did not know all the laws and regulations that might be applicable to the firm or its operations (although I did hope we had done a very responsible job in that regard).  Were we comfortable with the approach that had been taken to insure compliance and were we aware of the system limitations that might affect the ability to do so effectively?  Do we have a bad actor in the firm?  Is the firm engaged in certain businesses or transactions that were not fully vetted by legal and compliance?  Do people in the firm feel comfortable in coming forward and bringing potential issues to the attention of the firm?  In short, how can I improve the chances of uncovering issues that should be known and addressed?  I was always asking myself how I knew everything was ok, especially in high risk areas.

How Did I get Comfortable?

So how do you get comfortable having responsibility for the corporate compliance function in a firm?  Now that is a good question.  I never really got comfortable and I was always worried.  But that was ok as it kept me constantly alert and thinking and I was able to sleep most nights.  Here are a few thoughts on how you might get more comfortable with these responsibilities:

• Get to know the businesses better than the people who run them.
  • When you understand the business really well you are in a much better position to identify potential problems that might arise and develop potential solutions to those problems.
• Have a deep understanding of the regulatory regimes you operate under.
  • Understanding the regulatory regimes you operate under is essential for developing your corporate compliance program but it is also necessary for anticipating changes that might affect your firm.
• Identify areas of key risk and focus on them.
  • This is basic for any corporate compliance program but it is not always easy to remember to do as we all get caught up in the firm’s day to day operations. 
  • Step back every now and then and just focus on where the risks are and ask others where they see risks, then focus on those to see if the firm has addressed them adequately.
• Get to know all the key people in your organization and try and discern where you should focus your attention.
  • It is really helpful to appreciate how key people in the firm think, what they focus on, what they are good at, and what they are not so good at. 
  • Where particular individuals may benefit from assistance in an area, you can look at whether there are ways to supplement that potential weakness or increase monitoring of that area.
• Understand and appreciate the limitations inherent in any system that you rely on.
  • Understanding the limitations of systems you rely on is essential as you then have a better ability to assess where additional resources might be needed and better determine how much reliance you can place on that system.
  • That system is not just the computer system but is also the people involved and the reliability of the data or other information being relied on. 
• Constantly ask yourself how you know everything is ok?
  • This is my favorite as the answer is always that I don’t.  But asking the question does get me to focus on where I may have a question or where I may need to spend some time.
• Constantly ask yourself what am I missing?
  • I know that the firm and I are not perfect so there is always something we are missing.  What is that?  How can I discern that?
• Follow your instincts and if something does not make sense to you work on it until it does.
  • Over time you develop instincts and if you are not comfortable with something, work on it until you better understand why you are not comfortable.
  • If something does not make sense to you, work on it until it either makes sense or you otherwise resolve the matter.
• If someone can’t explain something to you in plain English, either they don’t understand it well themselves or you need to do more homework on it.
  • My experience has been that really competent people can explain something in their area in a very simple manner.  When people resort to buzz words or the use of highly technical terms I am always suspicious.
  • I keep working on something I don’t understand until I do understand it.
• Hire good people who are knowledgeable, hardworking and whose judgment you respect and let them do their jobs.
  • You can’t do everything yourself and you cannot be an expert in everything.
  • Hire people who work hard, know their stuff and have judgment you trust.  Then let them do their job.
  • Hire people smarter than you and those with skill sets that complement your own.
• Only work at firms that have a good culture.
  • As discussed, a good culture is essential for an effective corporate compliance program.
• Encourage people to raise questions about practices at the firm.
  • This will help you and the firm better answer the question of what don’t I know?
  • This will also demonstrate the seriousness and importance of your corporate compliance program.
  • You may find out some things.
• Test a lot and ask a lot of questions.
  • Testing helps you verify whether your program is working and identifies areas where more work may be required.
  • Asking questions enables you to better understand things and also enables you to better evaluate the areas providing the answers.
• Walk the floor
  • It has been surprising to me how important it is to get out among the people doing the work.
  • They get to know you better and are more comfortable then to ask questions or tell you about something that might be a problem.
  • You might see something or learn something that is important.
• When you identify an issue address and resolve it quickly.  Unlike wine it does not get better with age.
  • Dealing with issues promptly is important.
  • It demonstrates the willingness of the firm to address and resolve issues.
  • Problems don’t seem to age well.

These are a few of the things I did during my career to get comfortable with the corporate compliance responsibilities I had.  This list is certainly not exhaustive but I hope it gives you some things to think about.

Conclusion

Corporate compliance programs are enormously important.  Developing, implementing and maintaining a corporate compliance program in today’s world is very challenging but it certainly can and must be done.

I hope these thoughts and observations have been helpful and I would be pleased to answer any questions you might have.