Speech by SEC Staff:
The Process of Compliance
Lori A. Richards
Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission
National Membership Meeting of the National Society of Compliance Professionals
October 19, 2006
As a matter of policy the SEC disclaims responsibility for any private statement by any employee. The speaker's views are her own, and do not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.
Good Morning. I'm so pleased to be with you today. The National Society of Compliance Professionals is an organization that I respect, and it has done an enormous amount over the years in helping to make compliance truly a profession. I also want to acknowledge Joan for her tireless commitment to the organization over the years, and to helping foster its growth as a service and educational organization for the compliance community.
And most importantly, I want to acknowledge your work as compliance professionals, and the importance of it, in helping to ensure that investors in our markets are protected, and have confidence when they place their assets and their trust with market professionals. I think it bears noting right at the outset of this conference that you've logged some miles in this profession over the last five years. You're all members of the compliance frequent fliers club. As I think back on these years I can see the enormous changes in compliance over that short period. Indeed, when I addressed the NSCP's Annual Meeting in October of 2004, I spoke about the nature of change and how it occurs, and I noted that change in compliance in the securities industry had been wrought quickly, borne of serious fraud and abuse, and the lessons learned from those events. What is the result of that change? At many firms, compliance is now more integrated into the firm, it's better respected, includes a professional process, and is better funded than in the past. And, much of the credit in making this happen is due to you.
Today, I'd like to talk with you about the compliance process, and share with you some practices we've observed in compliance programs. Then, to help you in your proactive efforts to get in front of compliance problems, I'll also share with you some compliance issues that are on our immediate radar screen that I think you should be dealing with (if you have not done so already!).
Before I begin, however, I must tell you that these are my own views, and do not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.
The "Culture of Compliance"
We at the SEC have often talked about the need to instill a strong "Culture of Compliance" within firms. This means establishing, from the top of the organization down, an overall environment that fosters ethical behavior and decision-making. Simply put, this means instilling in every employee an obligation to do what's right. This culture will underpin all that the firm does, and must be part of the essential ethos of the firm, so that when employees make decisions, large and small, and regardless of who's in the room when they make them, and whether or not lawyers or regulators or clients or anyone else is looking, they are guided by a culture that reinforces doing what's right. Having a strong compliance culture with a strong compliance program is in the best interests of securities firms, because (please forgive me for repeating this) what's good for investors is good business for those who serve investors.
All firms have a culture with respect to compliance. At its best, a strong compliance culture can serve to foster and enhance compliant practices, and, at its worst, it can result in violations of law by firm employees and render efforts by compliance staff meaningless.
Let me share a real example of how having a strong culture of compliance operated during the period of abusive mutual fund market timing. As we all know now, after more than 40 enforcement actions and $3.6 billion in disgorgement and penalties, many large mutual funds were approached by market timers who sought agreements to frequently trade in and out of the funds. Mutual fund executives agreed to these requests, sometimes in exchange for additional assets invested. But an e-mail at one firm, discovered years later, revealed that a portfolio manager said "no" because, as he wrote in the e-mail, it wasn't in the best interests of the fund's investors. Years later, in the midst of an industry scandal, this firm could look back and be grateful that they had established a culture of compliance that led the employee to do the right thing, when no one was looking, when supervisors and compliance staff and lawyers weren't in the picture, and indeed, years before the issue surfaced publicly. He didn't need to ask; he knew it was wrong. He may not even have known why it was wrong legally: he may not have known about the prospectus disclosure, about the Investment Advisers Act, about redemption fees, or about the academic studies on the topic. He simply knew that it wasn't in the interests of the fund's shareholders, and this fact alone informed his answer. This is a good example of how having an embedded culture of compliance can help firms to avoid trouble and reputational damage (it's also, by the way, an example of the value of retaining e-mails!).
Importantly, a firm's culture of compliance exists outside the compliance department; it exists throughout the firm. Compliance personnel can work with other senior firm managers to help identify the compliance culture, can help identify ways to foster a stronger compliance culture, and they can help to educate and train, but they can't create the culture on their own.
The Process of Compliance
One of the key ways that compliance professionals can help to foster a strong culture of compliance is to help create strong compliance programs. Strong compliance programs will have an identifiable process. The process of compliance is important, because if structurally sound, the compliance process will serve to help the firm avoid violations, and help the firm to detect violations and deal with them effectively. And, if the compliance process is institutionalized, it will help the compliance program to survive attacks from those who don't value its mission or who want to "shoot the messenger."
We've certainly all seen and read about cases where, without an institutionalized compliance process, legitimate and serious concerns of compliance staff were ignored, to the peril of the firm. And, even today there are firm leaders who, when asked about their compliance program, simply say "we hire ethical people." As if that were enough. So, given its importance, let me spend a few minutes on process.
It is of great interest to me that compliance programs exist well outside the securities industry. After all, organizations of all types are asked to comply with a pretty diverse body of laws and regulations, as well as with ethical standards. Just think of it: there are requirements with respect to employing personnel, manufacturing and selling food and drugs safely, antitrust, the environment, reporting financial results, paying taxes, providing health services, and on and on (and on). While we sometimes tend to think of the securities industry and our laws as the only compliance game in town, we should also look beyond the securities industry for good practices with respect to compliance.
I think that it can be helpful, in implementing a compliance program or in evaluating the one you have, to break apart the compliance process into its component parts. For all organizations, there are paradigms governing the structure and the process of compliance programs. The most significant of these is found in the Federal Sentencing Guidelines, which state that, to have an effective compliance and ethics program, an organization shall "promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law."[1]
Applicable to all industries, the Sentencing Guidelines have spawned the growth in professional compliance programs in corporations and organizations of all types. The underlying principles of the Guidelines will not be new to you, and are similar in many respects to the SEC's very own Compliance Rules for advisers and funds.[2] I think they break down the components of a compliance program nicely. They include:
- Oversight of Compliance: including by the board, oversight committees, supervisors, and the compliance officer;[3]
- Standards, Policies and Procedures: including a code of ethics or code of conduct, and operating and compliance policies and procedures that implement the standards;
- Exercise Due Diligence in Delegating Responsibilities: don't delegate significant responsibility to individuals who have engaged in misconduct, or conduct inconsistent with an effective compliance and ethics program;
- Communication, Education and Training: to ensure that all employees and agents clearly understand their obligations, including all those who have responsibilities under the policies and procedures;
- Monitoring and Auditing: including processes to detect violations, like surveillance, exception reporting, internal investigations and hotlines;
- Enforcement and Discipline: encouraging compliant actions and appropriately sanctioning non-compliant actions; and
- Response, Prevention and Evaluation: respond to indications of problems to prevent further similar misconduct, and periodically risk-assess the program to ensure that it's addressing compliance risks effectively.
In 2004, the Guidelines were modified to place more focus on prevention and detection of violations and conformity with ethical standards, and made high-level personnel more responsible for implementing and overseeing a compliance program. Importantly, the amendments also put more emphasis on not just having a compliance program, but having an effective compliance program.
As regulators, we have a stake in your effort to develop effective compliance programs. We want firms to do all that they can to identify possible compliance pitfalls and ensure that they're steering well clear of them, and we want you to do this absent a complaint from a customer, absent an arbitration by an aggrieved customer, absent a regulatory examination by the SEC, and certainly absent an enforcement action. Indeed, while firms must establish their own compliance compass, they really shouldn't gauge their compliance success by whether they have been complained of by others.
As examiners, we also have a stake. We determine the relative risk of each firm we examine in part, based on whether the firm has a healthy compliance program, such that it is likely to identify and head off any compliance problems in the future. A firm that has a strong compliance program should be predictably more compliant, and thus not as deserving of our examination. We spend our limited examination resources focusing on those firms and those areas within firms, where compliance is relatively weak. So, understanding and evaluating the firm's culture of compliance is an important part of our examination, an important part of our risk assessment process, and an important part of our decision about how frequently we should examine a firm.
I wanted to share with you some examples of practices we've observed. While few of these practices are mandated, I thought that sharing these practices might be helpful to you in your line of work.
First, with respect to oversight:
- Because "tone at the top" is a key part of any effective compliance program, the firm's board, senior management and other key executives make it clear that they expect the firm and all of its employees to operate ethically and consistent with fiduciary and legal obligations. The mission and mandate of the CCO and the compliance program is communicated to all employees by the senior-most person or governing authority (the CEO or the board).
- The CCO provides regular reports of compliance problems, issues, concerns to the board or to the audit committee, and meets with the board to discuss the state of compliance at the organization. The CCO also discusses compliance initiatives and new regulatory requirements.
- CEOs speak often about the firm's culture and emphasize that doing what's right is what is expected. They repeat, repeat, repeat this message in many different ways: in written messages to the firm's employees, to its service providers, to its shareholders. And, perhaps most importantly, in meetings and in private conversations, they make clear that the decision-making process will be guided by this philosophy.
- We've seen the value of this approach many layers down in the firm, when we hear firm employees say that some borderline practice wouldn't fly at the firm, because the CEO would never go for it.
- One of the best ways to make the firm's culture of compliance evident to employees is for firm leaders to make decisions that demonstrate intolerance for non-compliance, even if it means losing the trade, the client, or the deal.
- Some firms have established a Compliance Committee, composed of compliance, legal, and senior management, to review compliance issues and serve as the final escalation level for issues. Minutes record the issues presented and their resolution. Issues addressed include both regulatory compliance and compliance with firm policies.
- Similarly, firms have established a top-level management committee to identify and manage conflicts of interest and potential compliance issues.
With respect to policies and procedures:
- We've certainly seen the adoption of new and more thoughtful policies and procedures to prevent and detect violations: new SEC and SRO rules requiring that all firms have adequate written compliance policies and procedures have taken effect, and these rules have had a significant impact in this area.[4] Many firms revisited their old procedures and tuned them up. Many firms that did not have written policies do so now.
- The new rules do not mandate specific policies and procedures, but rather, require that firms determine what policies and procedures will best work for them (as an aside, examiners will evaluate these policies and procedures against one test: are they effective in detecting, reducing and correcting compliance problems?).
- Many firms have engaged in a "risk assessment" effort to identify areas of compliance risk within the firm, and within different organizational units of the firm.
- Firms have established a "mapping" process to track compliance risks to supervisory procedures, to make sure that there are no gaps. Supervisory procedures are then specifically tailored to particular business lines.
- Many firms have revised their codes of ethics in light of recent disclosures of abusive trading by firm employees, and conflicts of interests in the giving/receiving of gifts and entertainment, political contributions and donations, and maintaining multiple lines of business that could create conflicts of interest.
- Firms have a process to track the development, maintenance, and updating of all written policies and procedures. Specific staff are assigned responsibility for maintaining, reviewing, and updating specific procedures.
- Firms follow their policies and procedures, all of them. This communicates respect for policies and procedures, and shows firm employees that the firm has an institutionalized compliance program, and that it's serious about the program.
With respect to delegation of responsibilities:
- A critical element of any sound compliance program is effective delegation. There must be a linkage from the compliance risk, to the compliance control, to how it is to be implemented (frequency and methodology), to, finally, who will implement it. Without effective delegation, we often see a "who's on first?" comedy of disorganization.
- More firms are incorporating compliance, including the prevention of problems, in employee and supervisory evaluation standards and using it as a factor impacting compensation.
- It's become clearer to many firms that have multiple geographic locations that branch managers have responsibilities beyond production and sales training.
With respect to training:
- We've seen training programs for firm employees that were very engaging, even entertaining, and that really focused on how compliance guidelines applied to employees in the specific context of their work. One training module incorporated new risk areas based on trends noted from customer complaints and branch office audits.
- I've also seen compliance programs that are "branded" within firms using ad campaign-like tactics to get the word out to employees that compliance is an easy resource to use, and a part of the team.
With respect to monitoring and auditing:
- More firms are using automated resources to identify, monitor, report, and document compliance risk. This is an area, however, where many firms could devote more resources to technology that would effectively identify problems, particularly when dealing with vast quantities of information that simply cannot be monitored manually.
- At some firms, compliance staff have online access to information that allows them to monitor and to follow up on exceptions quickly and easily, e.g., customer statements, new account forms, trade confirmations, trade blotters, and order tickets. In fact, some firms have developed automated systems that flag transactions that appear inconsistent with the customer's investment objectives. Some firms track transactions that were rejected after being flagged and reviewed, but others maintain no record of whether the unsuitable transactions were corrected.
- Firms have and use internal auditors, with resources and the mandate to do their job.
- Many firms have established internal "hotlines" for employees to report misconduct. Employees can help identify questionable conduct before it becomes a problem, and can help identify problems that should be remedied.
- Some firms have trained supervisors to be more open to hearing bad news. Managers who subtly send the message that they only want to hear good news will not know what's really going on in their organization. There are many examples of otherwise non-culpable employees trying to cover up compliance problems just to avoid having to tell the boss about them.
With respect to enforcement and discipline:
- Firms take immediate action to discipline employees who engage in intentional violations of the law, even big producers.
- When problems are found, they're dealt with quickly and appropriately, including discipline, redress for investors, adjustments to policies, notifying the regulator or making public disclosure if appropriate.
With respect to response, prevention and evaluation:
- Many firms are struggling now with how to measure their compliance programs. Finding the right metric of "effectiveness" is not easy. Certainly you want to measure outcomes, that is: is the compliance program reducing or eliminating violations or infractions? And, you also want to measure the incidence of new problems: is the compliance culture serving to reduce the rate at which new types of problems occur?
- Many firms integrated the testing aspect of their annual review into an ongoing process to regularly review policies and procedures, improve them, and question frequently whether they can't be better. Compliance policies should not be static, written in stone, but can be improved over time with the benefit of the lessons learned from using them.
- There are many private firms that are offering products to help firms gauge their compliance culture, largely through surveys and interviews. I'd certainly like to learn more about your experience if you've used these techniques.
- Finally, many firms seem more apt to keep their regulator informed about problems they're seeing, within the firm or within the broader industry.
Again, while few of these practices are mandated, I thought that sharing these practices might be helpful to you in your line of work.
Issues We're Looking at in Exams
I'd like to turn now to highlighting some of the issues that we as examiners are concerned about now. Let me caveat this list: it's not all-inclusive! But, these are areas that I think you should be particularly attuned to at the moment.
- Insider trading and front-running: I'm talking about both sharing non-public corporate or order information with others, and also receiving that information and using that information to trade. Whether you're with an adviser, a broker-dealer, a hedge fund, a clearing agency or a transfer agent, include this area in your risk assessment, and in your investigation and monitoring efforts.
- What are you using your clients' money for? Given all of the "secret payments" cases that we've seen, it would make sense for you to look at fund expenses and the use of advisory clients' monies, and be sure that they are appropriate and that the money is used as intended and disclosed. Also be particularly alert to payments to affiliates and those that may be intended to increase assets under management under the guise of something else.
- Seniors: if your firm does business with seniors, be certain that you're doing so in a way that complies with applicable fiduciary and ethical principles, as well as suitability and disclosure standards, in recognition of their age, objectives, capacity and needs.
- Supervision: examiners are very focused on whether firms of all stripes are adequately supervising employees, particularly in branch offices, on trading desks, with respect to big producers, solicitors, and others.
- Trading issues: best execution in debt and equity securities, payments for order flow, soft dollars and use of brokerage, Reg SHO, mark-ups.
- Controls to prevent theft and misrepresentations: this includes issues such as controls over the creation and sending of account statements, and account and position valuations, and also includes theft or misuse of customer information by identity thieves.
- AML: we are very interested in your AML compliance programs.
I'll end here. I hope I've given you something of value today as you think about the process of compliance, and also, as you think about particular risk areas within your firms. Thank you for listening, and I'd be happy to answer any questions.