U.S. Securities and Exchange Commission

Speech by SEC Staff:
Working Towards a Culture of Compliance: Some Obstacles in the Path


Lori Richards

Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission

National Society of Compliance Professionals 2007 National Membership Meeting
Washington, D.C.
October 18, 2007

As a matter of policy the SEC disclaims responsibility for any private statement by any employee. The speaker's views are her own, and do not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.

Good Morning. I'm very pleased to be here with you today — I'm thrilled actually, as I view compliance professionals and the work you do as so terribly critical to the effective functioning of our markets and to the protection of investors. As compliance professionals, you are a key constituency of the SEC, and I view you as important allies in our work to protect investors.

And, your organization — the National Society of Compliance Professionals, under Joan's leadership, has done much to foster and grow compliance as a profession over the years, and NSCP provides valuable educational information for the compliance community. So, it is with much respect for the work that you do that I greet you this morning.

At this conference in the coming days you will learn about some key regulatory requirements and issues, such as the Compliance Rule, pricing and fair value, controls to prevent insider trading, best execution, anti-money laundering, protecting the security of client information, soft dollars, and more. These are obviously important topics, and SEC staff are here to speak more about their importance in our examinations. But before you get to these or any discrete compliance obligations, you've got to have an infrastructure that can incorporate them. I'm a serious gardener, so, to put it another way — you've got to make sure that you have fertile soil before you plant!

In the past, I've thought that the operational aspects of compliance didn't receive the attention they deserved, and that too much focus was placed on discrete legal requirements — too much on the end result and not enough on the "how to." I've been pleased to see recently that more compliance conferences are focusing attention on the process of compliance, and not just on specific legal obligations. Perhaps this is due to an increasing appreciation of the fact that compliance plays an operational role and has a toolkit that is different from that used by lawyers in a firm's legal department. And of course this operational aspect of compliance is the essence of our CCOutreach program at the SEC, which is designed to provide a forum for compliance professionals and the SEC staff to communicate about compliance practices that are effective, and ultimately, to strengthen industry compliance for the protection of investors.

As you know, we started CCOutreach following implementation of the new Compliance Rule for advisers and funds, as a way to create new lines of communication through regional conferences and a national seminar.1 The program has been enormously well-received by participants, and we are set to continue it in 2008.

Until now, the program has been limited to focusing on the specific compliance issues of fund and adviser CCOs. In the last year or so, we've heard from many broker-dealer CCOs that they'd value a similar program for them, and we too think that a CCOutreach program focused on the specific issues that affect broker-dealer CCOs would be valuable.2

I'm pleased Chairman Cox recently announced that, in partnership with the Financial Industry Regulatory Authority, we will launch a CCOutreach program dedicated to the broker-dealer community. In this program, like our CCOutreach for advisers/funds, we will focus on the specific compliance topics that broker-dealer CCOs are most interested in. We anticipate that the program will feature a national program, regional meetings, and other communications about compliance issues. Look for more information about specific components of CCOutreach BD on our website, and on FINRA's website.

In this and in other initiatives, I believe that we can help foster significant improvements in compliance outside of the examination process. With this in mind, we'll continue to publish "ComplianceAlerts" on the SEC's website, probably twice a year. These Alerts provide the compliance community with information about compliance issues and problems that we see in our examinations, and allow you to do a deep dive in your own firms and make sure that your compliance is effective in those areas.

Today, I wanted to talk with you about the "Culture of Compliance." Specifically, I want to talk with you about some of the obstacles that you may face in helping your firms establish a healthy Culture of Compliance, and some possible ways of avoiding these pitfalls or overcoming them if they come your way.

What is a Culture of Compliance?

First, some background — what is a Culture of Compliance? We at the SEC have often talked about the need to instill a strong Culture of Compliance within firms — this means establishing, from the top of the organization down, an overall environment that fosters ethical behavior and decision-making. Simply put, it means instilling in every employee an obligation to do what's right. This culture will underpin all that the firm does, and must be part of the essential ethos of the firm, so that when employees make decisions, large and small, and regardless of who's in the room when they make them, and whether or not lawyers or regulators or clients or anyone else is looking, they are guided by a culture that reinforces doing what's right. Importantly, a firm's Culture of Compliance exists outside the compliance department — it exists throughout the firm.

It is of great interest to me that compliance programs exist outside the securities industry in companies of every type. After all, organizations of all types are asked to comply with a pretty diverse body of laws and regulations, as well as with ethical standards. A significant paradigm for compliance programs is contained in the Federal Sentencing Guidelines, which set forth criteria for courts to follow in sentencing organizations for criminal offenses. Having an effective compliance program may allow an organization to mitigate punishment under criminal laws. To provide guidance, the Sentencing Guidelines set forth underlying core elements of an effective compliance program.3 Importantly, the Guidelines state that, to have an effective compliance and ethics program, an organization shall "promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law" (emphasis added).4

SEC Chairman Christopher Cox recently spoke about best practices in establishing an ethical culture in U.S. companies. He said that:

"Without a doubt, the best practice of all in any company is to set the right tone at the top. Over and over again, commissioners and staff at the SEC observe that the tone at the top is a major factor in determining the effectiveness of internal controls to prevent fraud, in treating customers, employees, investors and other stakeholders fairly, and in contributing to the long-term success of the organization. Leadership by example, good communication, and ongoing ethics education and training are all vital."5

How Do You Measure Effectiveness?

At this point, most securities firms have a compliance program. Now, measuring its results and determining whether it is effective is your challenge. Today, some years after industry scandals, business leaders may be asking if the resources they had dedicated to compliance programs in past years are still worth maintaining, or maintaining at the same levels. In this environment, it's critical that compliance professionals be able to clearly demonstrate the effectiveness of their programs.

I think it's important to realize that firms can technically have all the elements of a compliance program — the policies, the procedures, the training — but not actually have an effective compliance program. Let's face reality here — if you have all the bells and whistles but still have violations, or are at least not seeing declining levels of violations — what's the use? In 2004, in recognition of this, the Sentencing Guidelines were modified to put more emphasis on not just having a compliance program, but having an effective compliance program.

In measuring the effectiveness of your program, I would strongly suggest that you think about measurements that include not just output, but that also include outcomes. That is, that you not just measure the number of new surveillance reports, new training programs, new guidance provided to firm employees, but that you also seek to measure the reduction or elimination of violations.6

In that spirit, and with my experience as an examiner in seeing both the best and the worst in compliance programs at firms, I've been giving some thought to why some compliance programs fail, or are at least not fully effective.

Why do Some Compliance Programs Fail?

I believe that the most common reason why compliance programs fail or are not fully effective is that they don't operate within a larger Culture of Compliance within the firm. We've all heard the management truism that a firm's culture will beat its change agents every time. What that means is that a firm's cultural norms will be stronger than any new contrary policy that a manager develops. This was borne out in the 2005 National Business Ethics Survey — which found that employees in organizations with a weak ethical culture reported observing much higher levels of misconduct than employees in organizations with strong ethical cultures (70% compared to 30%). And, employees in organizations with a strong ethical culture were more likely to report the misconduct than those in weak-culture organizations (79% compared to 48%).7

So, with this in mind, it's imperative to think about how a firm's culture can be influenced to achieve a strong Culture of Compliance. There are some obstacles and pitfalls in improving a firm's Culture of Compliance. I'd like to talk about 5 of them: 1) Lack of Real Management Support; 2) Valuing Risk-Taking Over All Else; 3) Employees Who Don't Understand the Value or Purpose of Compliance Obligations; 4) Lack of Resources; and 5) Lack of Constancy.

Lack of Real Management Support

Lack of real support by senior management is far and away the fastest and most destructive retardant to an effective compliance program. It's pretty easy for employees to see when the firm's leaders are paying lip service to the importance of compliance.

Here's an example — a private lawyer friend of mine told me about a newly-registered investment adviser that asked him for legal advice about a transaction, and he gave it — that the transaction was clearly illegal. The manager called back a while later and asked what dollar amount of penalty he would pay in an enforcement action if he went ahead with the transaction and got caught — he was doing a cost-benefit analysis to determine whether he should go ahead with the transaction. He was weighing his likely profits from the transaction against the dollar amount of the enforcement penalty! This story stunned me — because it was so brazen, and so clearly showed a lack of any real management support for compliance.

I hope nothing about this anecdote rings familiar to you. But if it does, what do you do? My CCO friends would say that this is a situation in which their placement within the organization might really make a difference — if they have a seat at the table, along with other senior managers, they might be able to bring their perspective to bear. They would use their "C" status within the organization to maximum effect. In this regard, they are most likely to be heard and respected by management if they can articulate the connections between the firm's "brand" and its trust with its clients and investors and its compliance with high ethical standards. In other words, be able to convince senior managers that good compliance is good business. One CCO friend said that he'd work hard to make clear that he understands and supports the business, he would strive to be seen as a member of the team, and not a naysayer or an obstacle — that he'd work to find compliant solutions to problematic practices or proposals.

Another CCO said that this is a situation in which she might bring in an outside expert to educate senior management and make clear their legal and fiduciary obligations, and the serious legal, reputational and business risks that exist in violating the law — drawing a clear connection between the firm's compliance and its bottom-line profitability. Another CCO said that it's useful to find a member of senior management or the board who "gets it" and can champion the cause of compliance to his/her peers.

Valuing Risk-Taking Over All Else

Sometimes, cultural values can clash. A value that may clash with a Culture of Compliance is one that values risk-taking without limits. I call this the "everyone loves a cowboy" culture. And we do — don't we? The rebel, the contrarian, the James Dean, the Cool Hand Luke, the Jack Bauer. All good, but placing excessive value on risk-taking can minimize the importance of compliance — because compliance efforts may be seen only as box-checking inhibitors to profit-making, rather than as healthy assurance that risk-taking is occurring within the limits of the law, and the firm's policies and risk appetite.

A common example of this is firms that allow excessive deference to their big producers, and to avoid alienating the big producer, managers don't really want to know how he got that way. In this environment, a compliance person who reaches in to find out why the big producer is such a big producer may face pushback and even hostility.

What do you do to overcome this obstacle? I think some education may help — to emphasize that compliance isn't about stifling risk-taking or profit-making, but about helping to ensure that risks are taken within the firm's tolerance for risk, and it may help to remind people that the firm and its franchise are bigger and more important than any one individual producer.

Employees Don't Understand the Value or the Purpose of Compliance Obligations

If the firm's employees don't affirmatively buy into the value and the purpose of compliance, the compliance program won't be effective. We all know that compliance people don't "do" compliance, they set up the infrastructure within which it happens. If employees don't get what you do or why you do it, they're a lot more likely not to think to come to you for advice when a vexing situation arises, and also not likely to report possible problems to you. And, if employees don't understand why they are required to do certain things, they're less likely to do them.

I read a recent survey that found that one in five firm employees never read their firms' compliance manual. To me, this indicates that these employees didn't see either the need or the value in doing so. Perhaps the policy manual was poorly written and didn't really speak in plain English. I don't know. Firms that grab their employees' attention with real world examples of compliance issues — using video, Q&A, and other techniques — seem to have a better chance at getting employees to understand and thereby to value compliance efforts. And, firms that explain the underlying reasons for the compliance policies, and why they're good for the firm, do even better.

For example, one firm was having a very hard time getting its employees to comply with the various anti-money laundering rules. When the firm's compliance staff provided employees with clear explanations about the purpose of these requirements, and their own role in possibly stopping terrorist financing, they were much more willing to comply with them. This is an example of how simply telling employees to do something, without explaining the larger reasons why — will undercut strong compliance.

A sidebar on training — we've seen training programs for firm employees that were very engaging — even entertaining — and that really focused on how compliance guidelines applied to employees in the specific context of their work. I've also seen compliance programs that are "branded" within firms using ad campaign-like tactics — to get the word out to employees that compliance is an easy resource to use, and a part of the team.

Lack of Resources

We all know that ensuring compliance costs money. Hiring and retaining good people, and in sufficient numbers, and obtaining and implementing technological tools has costs. Implementing new technology solutions may have up-front costs. And, because compliance is an ongoing requirement, it has steady-state costs. Inadequate and variable funding can cause compliance programs to be unable to effectively plan and implement long-term solutions to issues.

Let me give you an example. One large firm invested heavily in its compliance program a few years back — it spent a lot of money on its human and technological resources (and it complained loudly about doing so!). It did so only after it was sanctioned in a serious enforcement action. The firm could not effectively comply with regulatory obligations, or implement any new rules, because it lacked the compliance infrastructure within which to do so. Because it had been so behind in funding its compliance program, when it did decide that it needed an effective compliance program, this effort required a lot more money than it would have, had the firm been investing steadily in compliance along the way.

What can you do to help ensure that compliance efforts are adequately funded? My CCO friends say that you will need to carefully determine if you need additional compliance resources. If you do, you will need to make the case clearly and credibly, and be willing to take it up the chain of command.

You may also want to refer to regulators' expectations. I will be clear with you about what those expectations are. Simply put, under the securities laws, securities firms need to have adequate compliance and supervisory programs to ensure that they are operating within the law. OCIE examines securities firms' compliance and supervisory programs for adequacy — and if there are weaknesses, those are the very areas that examiners will probe most deeply for possible violations. We determine the relative risk of each firm we examine in part, based on whether the firm has a healthy compliance program, such that it is likely to identify and head off any compliance problems in the future. A firm that has a strong compliance program should be predictably more compliant, and thus not as deserving of our examination. In addition, if violations exist and the firm is found to have an inadequate supervisory or compliance program, the firm may be held responsible in an enforcement action by the SEC or another securities regulator.

Lack of Constancy

Another obstacle to embedding a culture of compliance in a firm is lack of constancy. Compliance education may be once a year, or may involve a big push in one area — such as when new rules come out — and then employees may never hear about the issue again. I think that this is a common phenomenon — we assume that if we tell people something important once, they will know it forever. This is just not true. In fact, repetition is key.

In a different context, academic literature suggests that compliance that requires behavioral changes — as opposed to a technological fix — requires more constant vigilance by management. And this makes obvious sense, doesn't it? If you've programmed your trading system not to accept certain types of violative trades, you don't need to rely on individuals remembering and supervisors ensuring that employees don't place violative trades into the system. In contrast, for those provisions that rely entirely on behavioral compliance, you need to be very, very constant in your message.

And, to ensure a Culture of Compliance, constancy is needed at all levels, from the CEO down. The best example of this is the firm with senior managers who often speak about the firm's culture and emphasize that doing what's right is what is expected. They repeat, repeat, repeat this message in many different ways — in written messages to the firm's employees, to its service providers, to its shareholders. And, perhaps most importantly, in meetings and in private conversations, they make clear that the decision-making process will be guided by this philosophy.

What can you do to ensure constancy of message? You might inventory compliance obligations that rely on behavioral compliance and focus your ongoing message on those areas. And, develop ways to get the message out in an interesting way, again and again and again, as part of a long-term plan.


I hope that I have provided you with some helpful information — or at least that I've sparked your thinking about what you might do to help overcome any obstacles in the path to a Culture of Compliance at your firm. Whatever obstacles you deal with every day as compliance professionals, I do want you to know that I support and value the work that you do, and I hope that you persevere in whatever steps you are taking to help instill a strong Culture of Compliance at your firms.

Thank you for listening, and I'd be happy to answer any questions.



Modified: 10/31/2007