U.S. Securities & Exchange Commission

Speech by SEC Staff:
The Vital Role of Effective Comprehensive Compliance Controls at Broker-Dealers

Remarks before The Bond Market Association's Ninth Annual Legal and Compliance

by

Mary Ann Gadziala

Associate Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission

New York, New York
February 4, 2004

The Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.

It's a pleasure to be here to present my views on an activity that is vital to all broker-dealers - the development and implementation of effective comprehensive compliance programs. This morning, I will describe the SEC's comprehensive compliance examination, which we use to assess compliance programs at broker-dealer organizations. Before I describe the examination, I will provide some preliminary thoughts on reasons for having an effective compliance program and what may be covered by the compliance function.

Why should broker-dealers have compliance programs? The most obvious reason is to comply with the law. All aspects of a broker-dealer's operations are subject to laws and rules. It is not possible to maintain compliance with those laws and rules unless there is a program in place to make sure that it happens. That means having effective compliance policies, procedures, systems and controls that are kept up-to-date and are followed by everyone at the firm affected by the laws or rules.

It also makes good business sense to have a strong compliance program and a strong compliance culture at a broker-dealer. Compliance is a proactive method to identify and control risks that have the potential to result in violations of the law - violations that would result in investor harm and financial and reputational losses at a firm. An effective compliance program can prevent the potential risks from materializing into violations. Put simply - effective compliance impacts the bottom line by preventing losses that would result from violations.

An effective compliance program covers all aspects of a firm's businesses and operations. General subject-matter areas might include:

  • Recordkeeping, including financial reports, margin, capital computations
  • Suitability and general sales practices; product specific requirements
  • Advertising, disclosures, and correspondence
  • Trading, including market making, best execution, short sales, and reviews for insider trading and market manipulation
  • Conflicts of interests
  • Underwriting and related activities
  • Registered rep hiring, licensing, and continuing education
  • Supervision of registered reps and branch offices
  • Anti-money laundering
  • Reg S-P (security and privacy)

Compliance personnel should put extra emphasis on areas where there are new rules or where problems have occurred. In preparation for this panel, I reviewed some of our recent examinations covering the fixed income area. Among deficiencies we identified were fraud, misrepresentations, inaccurate financial reporting, unsuitable sales, excessive mark-ups, inadequate supervision, and registration and qualification violations. More effective compliance controls could have prevented these violations - avoiding customer harm and resulting adverse consequences to the firm.

When an organization fails to establish an effective compliance program, it may be ordered to do so in an enforcement action. The Federal Reserve brought such an action just last month against Credit Lyonnais, a large French bank. The Fed ordered the bank and its parent company to establish programs to ensure overall compliance with financial laws, rules and regulations. Specific requirements for the programs included:

  • Oversight responsibility by the Board of Directors' Committee on Compliance;
  • Executive level and senior management responsibility and reporting with respect to compliance;
  • Detailing steps that the compliance unit would take to ensure compliance;
  • Maintenance of effective compliance policies and procedures;
  • A regular audit of the compliance program;
  • Periodic and ongoing assessments by business areas of the effectiveness of compliance procedures, reports to senior management on assessments, and plans to address issues uncovered in the reviews;
  • Procedures and a compliance reporting system widely publicized in the organization for employees to report compliance concerns;
  • Procedures to monitor and evaluate the effectiveness of corrective action with respect to compliance problems;
  • Training of employees on compliance issues; and
  • Standards for performance appraisals of employees, which take into account the employee's role in the avoidance of compliance problems.

I mention this Federal Reserve case because it outlines some of the basic requirements of a compliance program. These requirements, imposed on a banking organization, are similar to what we look for in a compliance program at a broker-dealer.

With this general background in mind, let's turn to the SEC's comprehensive compliance examination. What are we reviewing and what are we finding in those exams? SEC compliance examinations are enterprise-wide, covering all broker-dealers within an enterprise. They are top-down reviews of compliance over all business operations. As such, they are different from typical examinations, which are bottom-up reviews more focused on specific rules and the firm's compliance with its own procedures. In the comprehensive compliance exam, we evaluate the compliance "culture" at the enterprise - that is, the overall environment in which compliance issues are handled at the firm. We examine the adequacy, coverage, and implementation of the compliance and supervision programs over all business operations at all locations. We assess not only what the firm has in its compliance program, but also what it may be missing. What is not there? What is not adequate or effective?

During our exams, we are not looking for any particular standardized compliance and supervision programs. Each firm's programs should take into account firm-specific factors, for example - its organizational structure, operating units, size and geographic dispersion, types of business activities and product lines, and its customer base. Other relevant factors are: operations and technology, reporting systems, legal and regulatory issues, experience and disciplinary records of personnel, and market conditions. While firms do have flexibility in designing compliance and supervisory programs, they must comply with all legal requirements. Some examples are found in the Sarbanes-Oxley Act, the Patriot Act, and SRO rules - such as NYSE Rule 342 and NASD Rule 3010. NASD proposed Rules 3012 and 3013 would also impact compliance programs. Compliance must be viewed as constantly evolving - as the environment changes, or as better practices come to light - firms should change their compliance programs accordingly to maintain the highest level of appropriate compliance controls.

We begin the comprehensive compliance examination by developing an understanding of the business and operations of the firm as well as its organizational structure. Business and operations are indicators of what areas compliance should cover - compliance should cover them all. The organizational structure gives some insight into how the lines of authority and control structure operate at the firm - they may be at the holding company level, within individual broker-dealers, among all broker-dealers in the entity, or within business lines that cross different legal entities.

Some questions the examiners may ask are:

  • Does the firm's mission statement include a message on the importance of compliance?
  • Has the Board of Directors, as the firm's governing body, assigned compliance responsibilities? Do delegations provide clear lines of authority, accountability and descriptions of responsibilities?
  • Does the reporting structure provide adequate information to the Board and top management on both the effectiveness of the compliance system and material compliance breaches?

Examiners look at communications both from and to the CEO, Board of Directors, and top management - those ultimately accountable for overall compliance. Information that may be requested by examiners includes organizational charts, financial reports, minutes of senior compliance meetings, descriptions and examples of reports to the Board and top management, the code of conduct, documentation of the Board's delegation of compliance functions, and descriptions of Board or executive committees with compliance responsibilities.

In the early stages of the examination, examiners will also ask the firm to self-report on any material compliance breaches and how they are being addressed. We will also request a copy of the firm's annual compliance report required under NYSE rules. The SEC stressed the importance of self-policing, self-reporting, remediation and cooperation with regulatory authorities in its Section 21(a) Report and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions issued on October 23, 2001 [Release Nos. 44969 and 1470]. The SEC listed 13 criteria that it would consider in determining what action, if any, to take against a firm in connection with a violation of securities laws. If you have not recently read these documents, it would be worthwhile to do so as you design compliance policies or prepare for a compliance examination.

Following our reviews of the businesses, structure and compliance culture at a broker-dealer organization, we assess the structure and coverage of the compliance program.

Some questions the examiner may ask in this area are:

  • What are the compliance functions at the firm? Do they cover all businesses?
  • Does the firm have effective compliance policies and procedures?
  • Is compliance independent from business, both in reporting and compensation? Does it have access to top management and the Board?
  • Does compliance have adequate resources, systems, and reports?
  • Do compliance personnel have appropriate expertise and experience? How are they trained? Are they adequately compensated?
  • Does compliance have the ability to respond to and coordinate with all relevant regulators?
  • How are new compliance issues and requirements communicated to all personnel?
  • How are the concerns of compliance and breaches addressed?

Examiners will look for clear lines of authority, accountability, and specificity of assigned responsibilities. Documentation and complete and accurate records are critical.

The next areas of review are the supervisory structure and written supervisory procedures. The firm should have a system to identify all relevant laws and rules and to continually update policies and procedures to cover them. Compliance may work with the firm's supervisors - those with day-to-day business line responsibility for compliance with the law - to ensure that written supervisory procedures are reasonably designed to achieve compliance with all applicable laws and rules. To assist in the evaluation of the coverage of your firm's supervisory procedures, you may wish to refer to the NASD's Written Supervisory Procedures Checklist (Appendix M). The checklist includes some of the key areas representing the range of business activities that may typically be engaged in by a broker-dealer. It also lists relevant laws and rules that apply to the activities.

With respect to supervision, examiners may assess the adequacy and coverage of procedures, the processes to keep informed on legal developments and to update procedures, supervisory controls, exception reports, reports to senior management, and systems to monitor supervisory activities.

The next part of our examination covers employee supervision. We assess hiring, registration, licensing, continuing education, personal trading, and training. Here, for example, we review the firm's background checks, and its reviews of CRD, disciplinary history, and customer complaints, with respect to its employees and prospective employees. If a firm employs problem registered representatives - those with a history of regulatory actions, customer complaints or other problems - examiners will be looking for appropriate heightened supervision plans.

The final part of the comprehensive compliance exam is an evaluation of how the firm identifies and deals with compliance risks. The firm may do this through a general risk analysis, self-assessments, branch exams, audits of compliance functions, new product reviews, surveillance and even whistle blowing. In evaluating the firm's surveillance system, examiners review electronic databases, exception reports, and the resolution of identified concerns. In reviewing internal audit, examiners assess the adequacy of the program over the compliance area, and may review recent internal audits of compliance. Branch exam schedules, modules, procedures and reports are reviewed. Examiners also assess the firm's process to assimilate the compliance risks of new products and businesses into the existing compliance system.

In summary, the comprehensive compliance examination covers five key areas:

  • Compliance culture, including Board and senior management involvement in compliance;
  • Structure, functions, and coverage of the compliance program;
  • Written supervisory procedures and supervision;
  • Employee hiring, registration, training and personal trading; and
  • Firm oversight of compliance risks.

SEC examiners have concluded a number of compliance examinations. Examples of deficiencies and weaknesses that have been noted during those examinations are:

  • Material compliance breaches were not reported to top management;
  • The compliance function was limited to an advisory role;
  • Compliance and supervisory procedures were inadequate and not updated;
  • Surveillance reports did not cover major business areas or were too broad to permit identification of problems;
  • Follow-up on exceptions was inadequate and not tracked;
  • No compliance review was undertaken for new products.

There were also examples of compliance controls noted during examinations that appeared to be effective, including:

  • Compliance issues - breaches, new initiatives, new risks - were comprehensively tracked, updated, and reported to senior levels;
  • Each business unit was required to conduct regular self-assessments for compliance risks and compliance breaches;
  • Surveillance systems were highly automated, with a unified database, and regular review of parameters;
  • Compliance officers were members of the new products committee;
  • Compliance staff sat in business areas for constant monitoring;
  • Compliance staff dedicated to business units had expertise in the area.

In conclusion, compliance programs are of vital importance in protecting investors and preventing and controlling losses. Conducting comprehensive compliance examinations is a priority for the SEC examination program. It is our hope that our compliance examinations will encourage your firms to assess their compliance programs and to adopt best practices in fulfilling their compliance responsibilities.

Thank you.

http://www.sec.gov/news/speech/spch020404mag.htm

Modified: 02/06/2004