Stephen L. Cohen
Associate Director of Enforcement
SCCE Annual Conference, Washington D.C.
Oct. 7, 2013
Good morning, and thank you for that kind introduction.
I appreciate the opportunity to offer you some insights in support of the profoundly important work you all do to strengthen compliance and ethics in companies and firms.
Although I hope you’ll find my remarks today encouraging, they are nonetheless only my views and do not necessarily reflect the views of the Commission or of my colleagues on the staff of the Commission.
My grandmother always said that the best way to warm up an audience is through flattery. So, I’d like to start with that.
You are one of my favorite audiences to speak to. Why is that? Because I view your profession in so many ways as a kindred spirit of mine. We are all seeking to prevent unlawful or improper conduct before it happens. We each use our respective tools to cultivate effective company cultures that promote integrity, respect for the law and the highest levels of professionalism.
Even so, I must confess that I find it a bit daunting to talk to you all about what makes a good compliance program. Much of what I have learned in this area comes from you and your colleagues – the professionals who practice this trade every day. But, I am frequently told that the regulator and law enforcement community does not speak enough about the importance of the compliance profession, and I want to help change that. I hope that my observations today will help you carry out your vital responsibilities in some fashion.
In that spirit, I thought you might like to hear a law enforcement perspective on three related topics:
(1) why I believe robust compliance programs are so critical;
(2) the SEC’s broad role in supporting compliance programs; and
(3) some hallmarks I see of good and bad compliance programs.
- Importance of Robust Compliance and Ethics
There can be little question in a post-financial crisis,
post-Dodd-Frank world that rigorous compliance must be at the forefront of every company’s attention.
After all, “risk” is the buzzword of the day – not just in corporate America and on Wall Street but in government as well. You all sit at the epicenter of the daily business decisions that could pose significant risks to your companies – significance that is only magnified when the SEC or DOJ files a case where issues were not discovered, not escalated, or where management ignored push-back from compliance staff.
But among the most concerning risk I see is companies that do not take compliance seriously until misconduct comes to light; where internal controls are insufficient for the size of a company’s risk; or when management simply leaves the impression that these issues are not important.
Last month JPMorgan Chase agreed to pay $920 million in total penalties in a global settlement with regulators. The bank also acknowledged that it violated the federal securities laws while admitting to facts underlying the SEC’s charges. Somehow, JPMorgan, a highly regulated institution, failed to keep watch over its traders as they overvalued a very complex portfolio to hide massive losses. It was bad enough that JPMorgan experienced a breakdown in its internal controls. But when its senior management discovered these issues, it deprived the Board of critical information needed to fully assess the company’s problems and determine whether accurate and reliable information was being disclosed to investors and regulators. That does not inspire confidence that management takes ethics and compliance issues seriously.
The SEC investigates and prosecutes misconduct to protect investors and preserve the integrity of our markets. Make no mistake. We will vigilantly seek to hold companies and firms responsible – including through substantial financial penalties and admissions of wrongdoing in some instances – when profits or personal gain are advanced over truthful disclosure and adherence to the law.
That is why companies are well served by having professionals like you at the table where key decisions are made. They benefit when they consider you as trusted advisors and give you the necessary authority and independence to help lead your organization.
- The SEC’s role in supporting compliance programs
As I discuss the many ways that the SEC’s efforts support compliance and ethics programs, I fully appreciate that you all are on the front lines in the battle to persuade companies to invest in your profession. You need to be armed with the knowledge of how law enforcement and regulatory agencies value the genuine efforts undertaken by companies to generate a culture of integrity and respect for the law. We care and we give credit for those efforts.
Our support takes the form of informal and formal efforts as well as initiatives. I’ll talk about these different types of support, starting with the informal.
Every day, our enforcement staff makes judgments about the inferences that are properly drawn from the evidence under investigation. It is common sense that a company that demonstrates an effective compliance program and a genuine commitment to ethical principles can only benefit when those inferences are drawn. We also consider these programs when we decide how to credit an internal investigation.
I cannot emphasize enough the level of trust that you can inspire by demonstrating a genuine commitment to these principles, and the level of distrust that ignoring or merely paying lip service to these principles can yield.
I am surprised how infrequently companies try to persuade us at the front end of an investigation that they have a robust compliance culture and record of ethical conduct. Invariably, the discussion about a company’s compliance program takes place during settlement negotiations in the context of the substantial remediation that the company has undertaken since violations occurred.
Although we give credit for these important efforts, I often wonder why it so often takes an enforcement action to change corporate behavior. Where are the compliance culture studies during normal times? Why not use them to support deference to your internal investigation? Why are companies creating or elevating CECO roles after we notify them of impending charges rather than before?
JPMorgan Chase recently announced it was spending billions of dollars and hiring or focusing 5,000 people to compliance and control functions in the wake of its recent regulatory struggles. These efforts should be applauded. But, imagine how much it could have saved in money and reputation by making that investment years earlier.
So, as you go back to your companies to advocate for more resources and stature, tell your management that they will get much more credit from regulators by demonstrating that misconduct is an outlier in a highly ethical and compliance-driven culture rather than a remedial step after investors have suffered losses.
But I suspect it is the more formal guidance that your companies may notice.
When evaluating a company’s misconduct, we typically give credit when a company can demonstrate a strong compliance culture.
You are all familiar with the U.S. Sentencing Guidelines. In similar fashion, the Commission issued guidance in the so-called Seaboard Release in 2001, which laid out a framework for considering cooperation by companies. Under that guidance, we have rewarded the role that compliance programs play in recognizing whether and to what extent self-policing helped ferret out misconduct.
Formal guidance related to the SEC’s cooperation tools – including declinations to prosecute, non-prosecution agreements and deferred prosecution agreements – makes clear that they are reserved for those organizations that display an exemplary commitment to compliance, cooperation and remediation.
Finally, the recent FCPA Resource Guide – put out in November 2012 – is a testament to the SEC’s partnership with the Department of Justice in trying to promote more publicly the role of effective compliance programs in fostering an organizational culture centered on ethical conduct.
The information in the FCPA Resource Guide regarding compliance programs is applicable to detecting and preventing securities law violations generally. The guide describes our approach as “non-formulaic, common-sense and pragmatic,” focusing on whether the program is well designed, whether it is applied in good faith, and whether it works. I commend the guide to folks looking for a detailed discussion of hallmarks of an effective compliance program.
But, what is crystal clear in the Guide is that we will consider a company’s compliance program as a factor in several aspects of our charging decisions. For example, the better the compliance program, the less likely we may charge the parent company for acts of a subsidiary. Of course, strong compliance makes it more likely the problem will be caught early. And, when problems are caught early, a company is more likely to get self-policing and possibly self-reporting credit.
The compliance program may also factor into our consideration of what is an appropriate penalty in a resolution.
And, here is the part companies care about most. Isolated conduct combined with good compliance and internal controls make it less likely that we will bring an action at all.
The SEC and DOJ demonstrated this last year when each decided not to bring charges against Morgan Stanley after a criminal bribery conviction of one of its employees. There, the government made clear that the decision was based, in part, on the firm’s demonstration that it has internal controls that provided assurance that other employees were not bribing government officials. Let me emphasize that it is deeds and not words that count most.
Another great example for compliance professionals is the recent non-prosecution agreement with Ralph Lauren. There, we highlighted substantially the role that the company’s compliance efforts had in our decision to forego prosecution. We specifically noted, among other things, the company’s comprehensive new compliance program, training, and risk assessment of major operations worldwide to identify any other compliance problems. I think we can do better at highlighting the impact on our decisions of specific actions by companies pertaining to compliance and ethics programs.
Nevertheless, enforcement actions rather than declinations and cooperation agreements can also be helpful tools to highlight the importance of compliance and internal controls.
In August, the SEC banned a Colorado portfolio manager from the securities industry for five years. Do you know what his offense was? Misleading and obstructing a chief compliance officer. This case should send a clear message to the securities industry that professionals have an obligation to adhere to compliance policies, and that the Commission will not tolerate interference with CCOs who enforce those policies.
It is also vital that Boards fulfill their important roles. Earlier this year, we settled charges against eight mutual fund directors who failed to satisfy their responsibilities for determining the fair value of assets held by the funds. There was no compliance framework around these critical functions, and the funds were not even following clear procedures requiring certain information to be provided to the Board to fulfill their role. The SEC had already brought a case against the funds’ managers, who agreed to pay $200 million to settle charges that the funds fraudulently overstated the value of their securities – some of which were backed by subprime mortgages – as the housing market was on the brink of financial crisis in 2007.
There are many other lessons arising out of our enforcement actions that demonstrate our commitment to accountability for insufficient compliance, oversight and controls. But, they are too numerous to mention here.
We also demonstrate the importance of compliance through other initiatives. The best example I can point to is a successful initiative with a very clever name. We call it: “Compliance Initiative.”
Working closely with our National Exam Program and colleagues in our Investment Management Division, Enforcement’s Asset Management Unit is coordinating efforts to identify and bring cases against registered investment advisers who lack effective compliance programs and procedures. Effective compliance programs and personnel are instrumental to protecting the investing public from investment adviser fraud. To date, the Commission has brought six actions arising out of this initiative, which is particularly timely because hundreds of private fund advisers have recently registered with the Commission under Dodd Frank. And there are more in the pipeline.
More broadly, in the firms the SEC regulates, our National Examination Program staff meets with senior leaders, boards and compliance personnel, to assess the culture of compliance and ethics in the organization. These assessments can factor into the level of risk the staff ascribes to a firm, which can affect how frequently they are examined. And, they do not hesitate to emphasize the importance of supporting these functions through enforcement if necessary.
Lastly, I continue to believe that the SEC’s focus on Whistleblowers exemplifies in many ways the importance we place on compliance programs.
The agency’s Whistleblower Program – created under the Dodd-Frank Act – is open for business. In fact, just last week we awarded over $14 million to a single whistleblower – our largest award to date. And I assure you, there are more to come.
As part of the team that helped with the legislation and wrote the agency’s rules, I can tell you first hand that the purpose of the whistleblower program is to bolster, not supplant, the compliance framework in the private sector.
That is why our program provides unprecedented incentives for whistleblowers to utilize internal compliance programs when appropriate to do so. Participation in or interference with internal reporting will be considered in determining the amount of an award.
In fact, if a whistleblower reports internally and the company subsequently provides fruits of an investigation arising out of that report, the whistleblower can receive an award based on all of the information shared by the company. So far, I am seeing a significant majority of whistleblower claims from people who have reported internally first. They don’t appear to be running to the SEC and away from corporate compliance programs.
The SEC’s rules also largely exclude legal and compliance professionals from our program to avoid the use of these important positions to reap rewards. There are limited exceptions, however, where legal and compliance staff can come forward after they have fulfilled their responsibilities. The exception essentially is for the compliance manager faced both with fraud and senior managers who are complicit or unwilling to remedy that fraud.
The bottom line is that the whistleblower program is alive and vibrant. Faced with this reality, companies need to understand that employees are more likely to report complaints internally when they truly believe that they are working in an ethical environment where their complaints will be taken seriously and where retaliation is not tolerated – in other words, where compliance professionals and management are trusted. You should continue to urge management to demonstrate that they value employees who raise their hand to identify problems that need to be addressed.
- HALLMARKS OF COMPLIANCE PROGRAMS
My last segment will offer some personal observations regarding problematic and successful compliance programs.
- Warning Signs
Where we find fraud, there are often early warning signs that may have suggested a corporate compliance culture that is not meeting appropriate standards.
Pushing the envelope.
Risk-taking in the area of legal and ethical obligations invariably leads to bad outcomes. Any company or person prepared to come close to the line when it comes to legal and ethical standards is already on dangerous ground.
Tolerating close-to-the-line behavior sends a terrible message throughout an organization that pushing the envelope is acceptable.
Be on the lookout for people who are overly technical in their approach to issues of ethics and professional responsibility. Pay particular attention to those who may disparage or diminish the importance of respect for the law and protecting the organization from reputational harm.
Be skeptical of explanations that don’t add up regardless of who provides them. If someone explains something to you in a way that you don’t understand, don’t accept it.
In many ways, one of the important lessons of the financial crisis is that highly sophisticated models that can explain away risk but defy common sense shouldn’t be trusted. We often see people come in and testify that they failed to follow up on their hunches until after it was too late.
Lack of Empowerment.
Another warning sign is an organization that limits the access of legal and compliance personnel to senior leadership of the company.
These leaders need to hear candidly and regularly from those on the front lines of compliance efforts. Compliance professionals are not hallway monitors. Companies that empower these professionals to act as trusted advisors are more likely to stay out of harm’s way.
B. Effective Programs
Although I urge you to consult the FCPA Guide for a terrific discussion on hallmarks of good compliance programs. I thought you might like to hear some brief perspectives on things I often look out for.
A strong compliance and ethics program must start with proper governance, including a tone at the top built on actions rather than words. Proper governance involves the board of directors and senior management providing compliance and ethics programs and their CECO with the necessary resources, independence, standing, and authority to be effective.
Of course, it is a fair question to ask whether the CECO IS Senior Management, which certainly helps set the right tone. Other fair questions include: to whom does the CECO report? What access do they have to the Board or Audit Committee? Does management support their disciplinary recommendations? Do they have a clear, unambiguous mandate that empowers the CECO to carry out her duties? Does the compliance department have access to all the information needed to carry out their duties?
There seems to be a positive trend toward adding compliance expertise to Audit Committees, especially in highly regulated industries. For sure, it would be relevant to me when a company is extolling the virtues of its compliance culture that it had leadership of this nature on the board, taking an active role in overseeing compliance efforts. It not only shows commitment to compliance, but provides evidence that the company has the necessary expertise when compliance issues arise.
Culture and values.
A strong ethical culture flows from good governance and requires leaders to promote integrity and ethical values in decision-making across the organization.
This entails asking not just “can we do this, but “should we do this?” A culture of compliance and ethics can and should be measured from interaction with leadership across the organization as well as from front line employees who are often a revealing barometer of what the culture and expectations really are.
Incentives and rewards.
One of the best ways to integrate integrity and ethical values into a firm’s culture is through performance management systems and compensation so the right behaviors are encouraged and rewarded. Of course, the same system must ensure that inappropriate behaviors are firmly addressed. Does the company just pay lip service to these values, or are there measurable ways that companies reward ethical conduct?
Escalation, investigation and discipline.
No culture of compliance can thrive unless employees firmly believe that they can raise concerns confidentially and anonymously, without fear of retaliation, and that matters are effectively investigated and resolved with fair and consistent discipline. I believe this is often overlooked or misunderstood. Those whistleblowers who don’t report internally repeatedly tell us that they believe they will be retaliated against if they raise significant issues to management. Surveys show that vast majorities of employees feel that way. Companies must take active steps to address this perception.
And, if your company does not have a clear record of consistent discipline, it may look an awful lot like retaliation when the first time you discipline a supposedly bad employee is after they blow the whistle. This issue has been a hot topic since the SEC gained authority under Dodd-Frank to bring enforcement actions against companies who retaliate against whistleblowers.
Continual self-evaluation and improvement.
Finally, your organization must proactively keep pace with developments and leading practices as part of a commitment to a culture of ongoing improvement. Business models, rules, ethical standards and compliance tools are continually evolving. Yet, recent studies show that compliance officers may not be focusing on emerging risk areas such as social media and privacy issues. Leading organizations ensure that they stay in front of these changes through a process of ongoing improvement that leverages new technology and best practices.
I’d like to close with two thoughts.
First, there is no doubt in my mind that a strong compliance and ethics program not only provides direct economic benefits to your company but will also allow you to reap significant credit should you ever deal with us or our law enforcement colleagues. The alternative may be squaring off against our vigorous enforcement program.
And, second, remember that we are in this together. We are partners in ensuring that integrity and professionalism are woven into the very fabric of corporate culture. I am encouraged to see that, through programs like this conference, you all will continue your efforts to strengthen the compliance and ethics function at your companies.
Your responsibility is crucial. Know that you have a willing partner at the SEC to pursue strong ethics and compliance cultures.
 The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of the author and do not necessarily reflect the views of the Commission or of the author’s colleagues upon the staff of the Commission.