Speech by SEC Staff: Remarks at the Compliance Outreach Program
Carlo V. di Florio
Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission*
SEC Headquarters, Washington, D.C.,
Jan. 31, 2012
I would like to thank Chairman Schapiro for her excellent keynote remarks.
As you know, the views that I express here today are my own and do not necessarily reflect the views of the Commission or of my colleagues on the staff of the Commission. This morning I would like to speak briefly on three topics. The topics that I will address are the role of management in compliance, the steps that we have taken within OCIE to realize our vision for a more effective exam program regarding investment advisers and investment companies, and how we are addressing our strategic goals for the exam program.
The Role of Management and the Board in Compliance and Ethics.
Some of you may have noticed that the name of this program has been slightly altered from previous years, from “CCO Outreach” to “Compliance Outreach.” The reason for this change is not because we at the staff are no longer trying to reach out and support chief compliance officers. To the contrary, we continue to be very supportive of the critically important role that they play. Rather, what we are trying to do, both at this conference and generally in the examination program, is to elevate the role of compliance by underscoring that it is not a responsibility that stops at the desk of the CCO.
By engaging senior management and the board at various points in the examination process, our goal is to elevate the role of compliance. Strong risk management controls, including a solid compliance program, are a key responsibility of everyone in a regulated entity, but the right culture and tone at the top are especially the responsibility of senior management and the board. A CCO who does not have the full support and engagement of senior management and the board is not going to be effective, and there is nothing that we want more than to help CCOs to be effective. We will focus most intently on firms where we sense that senior management and the board are not setting the appropriate tone and are failing to support key risk and control functions with adequate resources, independence, standing and authority.
In a speech that I gave a few months ago, I pointed out how deeply the federal securities laws are grounded on ethical principles. This is particularly true of the Investment Advisers Act and the Investment Company Act. But the requirements of the law are far from the only reason why ethics should be profoundly important to a well-run financial institution. Good ethics is vital to business success. Treating customers fairly and honestly helps build a firm’s reputation and brand, while attracting the best employees and business partners. Conversely, creating the impression that ethical behavior is not important to a firm is incredibly damaging to its reputation and business prospects. Moreover, a corporate culture that reinforces ethical behavior is a key component of effectively managing risk across the enterprise. Nowhere should this be more true than in financial services firms today, which depend for their existence on public trust and confidence to a unique degree.
Whether we are talking about compliance and ethics or other key risk and control functions, such as risk management, financial control, or internal audit, it is important to clarify fundamental roles and responsibilities across the organization. An effective risk governance framework includes three critical lines of defense, which are in turn supported by senior management and the board.
- The business is the first line of defense responsible for taking, managing and supervising risk effectively and in accordance with laws, regulations and the risk appetite set by the board and senior management of the whole organization.
- Key support functions, such as compliance and ethics or risk management, are the second line of defense. They need to have adequate resources, independence, standing and authority to implement effective programs and objectively monitor and escalate risk issues.
- Internal Audit is the third line of defense and is responsible for providing independent verification and assurance that controls are in place and operating effectively.
Senior management supports each of these levels by reinforcing the tone at the top, driving a culture of compliance and ethics and ensuring effective implementation of risk management in key business processes, including strategic planning, capital allocation, performance management and compensation incentives. The board of directors is ultimately responsible for setting the tone and the top and ensuring an effective culture of risk management across the organization.
The financial crisis revealed among many other things the need for better oversight of risk at the board and senior management levels, and the need for stronger independence, standing and authority among a firm’s internal risk management, control and compliance functions. As a result, in our examinations we are seeking to engage senior management and the board on critical business, risk and regulatory issues. By doing so we hope achieve two benefits: (i) to reinforce the importance of a robust compliance, ethics and risk management program; and (ii) to assess the culture and tone and the top of the organization.
Strengthening the SEC’s National Exam Program
Over the past two years, OCIE has undertaken a comprehensive set of improvement initiatives designed to improve the exam process, break down silos, and promote teamwork and collaboration across the SEC and with other regulatory partners. OCIE continues to implement key program improvement initiatives in the following areas:
People – Recruiting Specialists, Improving Training and Strengthening Culture. The most notable recent development regarding people is our hiring of Andrew (Drew) Bowden as our National Associate Director for Investment Adviser and Investment Company Examinations. Drew came to the SEC last November from Legg Mason, where he held senior executive positions in its legal/compliance and business units. He succeeded Gene Gohlke, who retired from the agency last year after 35 years of public service.
Drew oversees a staff of approximately 450 lawyers, accountants, and examiners responsible for the inspections of U.S. -registered investment advisers and investment companies. Drew brings extensive experience in the operation and oversight of investment advisers and investment companies and will help us implement our risk-based approach to examination of investment advisers and companies. He also has expertise in leading corporate governance initiatives, which will serve us well as we continue our dialogue with senior management and boards on critical business, risk, and regulatory matters. Finally, Drew’s service on the Board of Governors and Executive Committee of the Investment Adviser Association provided him unique perspective on critical issues across the industry.
More broadly, OCIE has been recruiting people with new skill sets that are critical to supervising our modern capital markets. These new recruits compliment an existing talented and dedicated team of examiners. We also are building a training program to provide our examiners with leading practice skills. To that end, we introduced mentoring, project-based staffing, and other steps to build a culture of high-performance, teamwork and accountability. In 2011, the steps to implement this initiative included:
- Recruiting experts to deepen program knowledge and experience in areas such as hedge funds, private equity, derivatives, complex structured products, and valuation, ; and
- Strengthening examiner skill sets through the development of a certified examiner training program.
Strategy – Strengthening Our Governance and Risk-Focusing our National Exam Program. OCIE is implementing a National Exam Program designed to achieve consistency, effectiveness and efficiency across the country. The cornerstone is a national governance model, enhanced risk-focused exam strategy, and new exam tools and techniques to better allocate and leverage limited resources to their highest and best use. Both of these strategies were implemented in 2011. In addition, OCIE has strengthened teamwork and collaboration with other SEC divisions and offices to ensure more effective risk assessment, exam planning and coordinated follow-up. Finally, OCIE has implemented a policy to more proactively engage senior management and boards to discuss critical business, risk and regulatory issues and support effective regulatory compliance and risk management.
Structure – Strengthening Expertise in Critical Risk Areas. OCIE is implementing significant structural enhancements to support the National Exam Program and a risk-focused exam strategy. This restructuring will strengthen expertise and facilitate teamwork, while driving greater consistency, effectiveness and accountability. In 2011we created a centralized Risk Assessment and Surveillance Unit to enhance the ability of the National Exam Program to perform more sophisticated data analytics to identify the firms and practices that present the greatest risks to investors, markets and capital formation.
Process – Streamlining Processes to Drive Consistency, Effectiveness and Efficiency. We are re-engineering and stream lining our exam process end-to-end. This enables us to target more risk-focused examinations, enhance pre-exam preparation, improve multidisciplinary staffing, and increase field supervision. In FY 2011, we conducted approximately 1600 examinations.
We have codified our enhanced exam process and procedures in a National Examination Manual. Until now the examination program has had varying examination policies and practices in different regions and practices group. We have now updated and standardized those policies and collected them in a single manual, which was distributed to our staff earlier this month. Our intention is to field-test the manual over the next several months and then refine it based on feedback from the examination staff. Ultimately we hope to make the exam manual publicly available on our web site so that the public and the registrant community can have a better understanding of how the examination program works.
We are also developing and rolling-out training on our new exam process and procedures. Equally important, we are building out a compliance monitoring function to help ensure we are effectively adhering to our standards. In short, we implementing the functions, policies and processes we expect from all of our registrants.
Technology – Automating and Improving the Exam Process to Keep Pace with New Developments. The NEP is focusing our technology strategy on moving from a manual to an automated exam process where possible. This includes enhancing information gathering to help automate risk assessment and surveillance and improving exam preparation and providing tools and techniques to enhance key activities associated with exam execution, such as work paper management, trade analysis and other data analytics and reporting. We are developing and bringing on board a number of new tools and technologies to enhance program efficiency and effectiveness. Let me briefly describe two recent exciting developments to illustrate these changes.
We recently rolled out a web-based exam documentation and workpaper retention program that serves to reduce/eliminate redundancies, inconsistencies, excessive narrative, and unnecessary management revision in the exam documentation process. It captures each exam’s purpose, scope, risk assessment, findings, and appropriate statistical data. In addition, this new technology serves as a singular database that can maintain all examination workpapers in an electronic searchable format. It also creates a uniform exam documentation process for the NEP and incorporates data used for reporting purposes found in the NEP’s legacy reporting system.
Delivering on Our Mission Objectives
Our mission, as refined by our self-assessment, includes the following four key objectives: (1) prevent fraud; (2) improve compliance; (3) inform policy, and (4) monitor risk. Let me share with you a few examples of how we are working to advance these mission objectives.
Prevent Fraud. While the examination program serves as much more than just a source for enforcement cases, it is certainly true that each year the NEP provides referrals for many significant enforcement actions. I would like to highlight a few examples of such cases from the last two years. The first is a settled enforcement administrative proceeding brought by the Commission against three AXA Rosenberg entities (collectively, “AXA”), charging them with defrauding advisory clients and compliance rule violations for concealing a significant error in the computer code of the quantitative investment model that they use to manage client assets. This case was the result of joint efforts by San Francisco examination staff, Los Angeles enforcement staff and the Enforcement Division’s Asset Management Unit.
The Commission alleged that a senior executive at ARG, the holding company of the two SEC-registered investment advisers, and BRCC, the investment adviser that developed the code, learned in June 2009 of a material error in the model's code, dating back to April 2007, that disabled one of the key components for managing risk. The Commission alleged that instead of disclosing and fixing the error immediately, the senior ARG official, who was also a BRRC official, directed others to keep quiet about the error and declined to fix the error at that time. ARG disclosed the error to SEC examination staff in late March 2010 after being informed of an impending SEC examination. AXA disclosed the error to clients on April 15, 2010. The error caused $217 million in investor losses. AXA agreed to settle the SEC's charges by paying $217 million to harmed clients plus a $25 million penalty, and hiring an independent consultant with expertise in quantitative investment techniques who will review disclosures and enhance the role of compliance personnel.
This is an excellent case study of a breakdown in enterprise risk management on several levels. While computer coding errors will sometimes occur, a mindset among senior managers to sweep a problem under the rug rather than to deal with it forthrightly is obviously not the approach to risk management that anyone wants to see. The failure to escalate the matter to the board is another lesson. In addition, the case raises questions about the independence, standing and authority of key risk and control functions. This case illustrates the need, among other things, for a tone at the top that encourages everyone, from senior managers and risk officers to lower level employees, to identify and address problems as they occur, escalating issues as needed.
Second, I would like to refer to a case from 2010, in which the Commission staff brought an administrative action against Morgan Keegan, a registered broker-dealer and investment adviser, and one of its officers and a portfolio manager, as well as an investment adviser affiliate of Morgan Keegan.1 Morgan Keegan underwrote and distributed shares of several affiliated investment companies that invested in investment securities backed by subprime mortgages, many of which lacked market quotations. Pursuant to Section 2(a)(41)(B) of the Investment Company Act, these securities for which market quotations are not readily available must be priced at fair market value as determined in good faith by the funds’ boards of directors.
In the Order the staff alleged that both Morgan Keegan and its officer failed to fulfill Morgan Keegan’s responsibilities delegated to it by contract by the funds’ boards to price the funds’ securities in accordance with their valuation policies and procedures as set forth in the funds’ prospectuses. For example, the staff alleged that Morgan Keegan accepted unsubstantiated price adjustments made by the funds’ portfolio manager that inaccurately inflated the price of certain securities, contrary to the funds’ policies and procedures. The staff alleged that the portfolio manager actively screened and manipulated dealer quotes from at least one broker-dealer, and that he also failed to advise Morgan Keegan or the fund’s board when he received information that prices for certain securities should be reduced. The staff alleged that his actions resulted in a fraudulent forestalling of declines in the published NAVs of the funds that would have otherwise occurred in a declining market. The staff also alleged that Morgan Keegen fraudulently published NAVs for the funds without following procedures reasonably designed to determine that the NAVs were accurate. The facts alleged in this matter are similar to another administrative action that the Commission brought in 2008 against Heartland Advisors Inc. and several of its officers, which involved a mispricing of municipal bonds.2
These cases are cautionary warnings as to the problems that can arise when advisers have weak controls over valuation of complex and/or illiquid instruments. In the Morgan Keegan case the facts alleged suggest that there were insufficient controls in place to ensure that policies and procedures were followed that could have prevented what the staff alleges was fraudulent conduct by at least one individual. In the Heartland case, the Order issued as to the settling parties suggests a similar lack of controls. For example, the Order indicates that, despite representations in a fund prospectus that the Fund had “intensive credit research” following the Fund’s proprietary method, in reality the Fixed Income Department was understaffed and only performing “catch up research” on its portfolios.
For a third and final example, let me briefly mention a more basic fraud case, SEC v. Francisco Illarramendi. The Commission brought an action in January 2011 charging a Stamford, Connecticut-based investment adviser and its principal, Francisco Illarramendi, with allegedly engaging in a multi-year Ponzi scheme involving hundreds of millions of dollars. As alleged in the Commission’s amended complaint, Illarramendi misappropriated assets and used two hedge funds for Ponzi-like activities in which they used new investor money to pay off earlier investors. The case has also produced criminal charges by the United States Attorney for the District of Connecticut. The fraud was first uncovered by Commission examiners during a risk-based exam of an SEC-registered adviser with which Illarramendi was affiliated. Despite efforts by Illarramendi as described in the Commission’s amended complaint to obstruct the examination and mislead the staff – conduct that led to a criminal charge of obstruction of justice – the examiners and their colleagues in the Enforcement Division obtained evidence of the fraud.
Improve Compliance. Our mutual commitment with you to strengthening compliance is the reason we are all here today. The vast majority of our exams are focused on this important objective. As I mentioned already, our outreach to senior management and fund boards is also motivated in large part by wanting to make sure that key risk management, compliance and control functions get the support and attention that they need. We are also finding other ways to try to bolster compliance. We have begun issuing a series of public risk alerts in areas where the NEP has identified particular concerns, both to alert you about issues that we think you should know about, and to highlight for you compliance practices and techniques that we have observed in our examinations that we thought were effective and worthy of consideration by other firms. So far we have issued risk alerts on the topics of master-subaccounts, broker-dealer branch office inspections, and the use of social media by investment advisers. We have several additional risk alerts in development on a range of topics related to advisers and asset managers as well as other types of financial firms. We have gotten much useful feedback on the risk alerts from the regulated community, and we invite any ideas or constructive criticisms that you care to share with us on future risk alerts.
Monitor Risk. As I have already discussed, one of our key techniques to monitor risk is to develop a top-to-bottom understanding of how firms manage risk, from the board room and executive suite to the trading desks and the back office. The NEP participates in cross-SEC forums to monitor new and emerging risks. For example, in addition to the key role played by our Office of Risk Analysis and Surveillance, we also have a Large Firm Monitoring program within the NEP, and that group closely collaborates with other divisions and offices of the Commission in monitoring risks at such firms. Moreover, we also have very productive monthly meetings between our Investment Adviser and Investment Company senior leadership and leadership of the Divisions of Investment Management, Enforcement, and Risk, Strategy and Financial Innovation to compare observations and concerns. Our monitoring of risk is also critical to our strategy on how we allocate our limited examination resources. The NEP also considers information from multiple sources and risk analytics to identify focus areas to review as well as which registrants to examine. We will tailor the scope of our examinations based on identified risks through our understanding of, for example, the registrant’s business model (e.g., revenue streams, profit centers, products, business plans), affiliations and conflicts of interest, and control environment. The NEP now reviews and evaluates tips, complaints and referrals in accordance with the new national TCR system and related policies. Particular attention is given to TCRs that provide allegations or indications of fraud and surprise custody audits that identify qualified opinions and material discrepancies. This process helps inform the selection of registrants for examination and the scope of such exams.
As we identify risk trends or emerging risks in the course of the examination program, we will communicate this information to our examination staff. We will also publish reports and risk alerts describing notable risks, as well as observations about effective methods for addressing these risks that the NEP staff has observed. Through these public reports we will seek to encourage and strengthen the effectiveness of registrants’ risk management and compliance programs in recognizing and appropriately addressing key risks.
Inform Policy. The NEP’s role in informing policy is exemplified by our involvement in 55 different interdivisional rulewriting teams that were formed to respond to the requirements of the Dodd-Frank Act. In addition, the Dodd-Frank Act imposes significant additional responsibilities on the NEP, including the registration and examination of new entities, such as certain private fund advisers, private equity firms, municipal advisors and five new categories of swap/derivatives registrants. The Dodd-Frank Act also creates specific new examination requirements with regard to existing registrants, such as credit rating agencies, clearing agencies and FINRA. In FY 2012, the NEP will continue to adapt its infrastructure (e.g., examination tools and techniques, as well as other resources) to effectively accomplish the Dodd-Frank mandates, as well as contribute more broadly to the agency’s work on rulemaking, related studies, and implementation of the Dodd-Frank Act.
The NEP also informs policy through our deep collaboration with staff from the other Divisions and Offices as well as our regulatory counterparts, to share information, identify areas of interest or potential regulatory risk, and coordinate examinations. Within the Commission, we have been working closely with colleagues in other divisions and offices at all levels. For example, in addition to giving input in myriad rulemakings, we have conducted numerous joint training exercises, been in almost constant contact with other divisions on changes to forms such as ADV, FOCUS and BD, as well as on examination priorities, planning and review, and made joint inquiries to the industry in response to emergency issues, such as the May 6, 2010 Flash Crash or MF Global. We have worked closely with the Division of Investment Management on many issues, such as collaborative examinations of money market funds and understanding potential vulnerabilities of fund managers to the Euro crisis.
Outside the SEC, we have collaborated with SROs, firms, regulatory counterparts at federal banking agencies, the CFTC, and state regulators on a wide range of examination priorities and regulatory initiatives. Less than three weeks ago we held our first SRO compliance seminar in this very room with the leaders of all the major exchanges and SROs.
Thank you for joining us here today. Like you, I look forward to an informative and engaging program.
* The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private statements by its employees.
1 In the matter of Morgan Asset Management, Inc., et al., Sec. Act Rel. No. 9116, Exch. Act Rel. No. 61856, Admin. Proceeding File No. 3-13847 (April 7, 2010).
2 In the Matter of Heartland Advisors, Inc., et al., Sec. Act Rel. No. 8884, Exch. Act Rel. No. 57206, Admin. File No. 3-12936 (Jan. 25, 2008).