Speech by SEC Staff:
Remarks at the 2009 NSCP National Meeting
John H. Walsh1
Acting Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission
October 5, 2009
Good morning. It is a pleasure to be here.
The views I am about to express are my own, and not necessarily those of the Commission, the Commissioners, or my colleagues on the staff.
I have attended the National Society of Compliance Professionals ("NSCP") National Meeting for many years. Over those years I have watched it grow from a relatively small gathering to the huge group we see here today. In fact, I am told that you moved the meeting to Philadelphia because none of the hotels in Washington, D.C., have a hall big enough to hold you. That speaks volumes about the work of NSCP, the energy of Joan Hinchman, and the dedication of the compliance professionals here today. I am very proud to be part of this gathering.
More than once over the years, in preparation for this annual meeting, I have reflected back on where we had been in the last year and where we were going in the next. What happened? What lessons have we learned? How would compliance change in the coming year? As I stand here today, I can tell you, over the last year, we have seen events, learned lessons, and now foresee looming changes in compliance, on an order beyond anything in my prior experience.
We need not review the events of the last year. We all lived through them. I am certain the memory remains fresh. Indeed, some of the events, such as those associated with money market funds or fraudulent schemes, will be remembered for a very, very long time. Future students will study them in textbooks and discuss them in seminars. I have seen this in my own family. I have a daughter in college and a son in high school, and they have asked me, in recent months, as they prepared for some class or other, why is it bad to "break-a-buck?" Or, who was this terrible "Mr. Ponzi?" Some day, perhaps, amnesia may set in. But if it does, it will be our job, compliance's job, to remember, and to remind the forgetful.
Instead of reviewing recent events, let us focus on the lessons to be learned from them. At the threshold, the most important lesson, and the most fundamental, is that compliance has changed forever. To put it bluntly, the world of compliance of 2008 is dead. It is ancient history. We cannot go back. Moreover, based on the events of the last year, why would anyone want to go back?
As you know, I practice compliance in the public sector, with the Commission's examination program. I can assure you, the examination program is changing, and it will continue to change. We have watched with interest as our colleagues in the Division of Enforcement, under the leadership of a new Director, have gone through a top-to-bottom self-assessment, and have embarked on a massive rethinking and restructuring of their program. When Chairman Schapiro appoints a permanent Director for the Office of Compliance Inspections and Examinations ("OCIE") — I serve as Acting Director — we anticipate conducting a similar review for the examination program. We look forward to this review.
In the meanwhile, we have been laying the groundwork for this coming review by thinking vigorously and skeptically about our program and identifying areas where immediate improvement is possible. To help us we have the benefit of a very detailed report by our Inspector General on the problems we encountered in certain past examinations. Based on what the Inspector General saw in those examinations he has provided us with a number of recommendations that will enhance our program, and we are moving forward to implement them. We have also engaged in extensive self-evaluation. Different teams in headquarters and regional offices have participated in focus groups or roundtable-type discussions and considered how we need to change. Finally, as Acting Director I have asked individuals to serve as national leads — as national change agents — on designated issues. I have tapped line-managers from headquarters and the regional offices. In some cases they are working full time studying, questioning, formulating ideas, and vetting proposed changes. I have also given them deadlines. By a date certain, the analysis must be completed, the decisions made, and the change agent must be ready to train examiners on the new methods they will follow in the specific designated area.
Today, I would like to discuss five specific areas where the examination program is changing, based on the lessons we have learned. These are not simple check-the-box kinds of changes. Rather, they will fundamentally alter how we operate. All are works-in-progress.
First lesson: we need more expertise. This is one of the most important lessons we have learned. Examiners must have sufficient expertise to keep up with the businesses they oversee. How have we been addressing this?
Sweep examinations will play an important role. In a sweep review we build a special team, reach out around the agency for the expertise we need, prepare a customized plan, circulate our plan through the other offices and divisions within the Commission, consult with the Commission itself, perform a series of examinations with the same team (thus providing the team with a defined learning process), and then report back inside the agency. We have found this type of ad hoc targeted expertise to be very effective. We expect to deploy it in support of other SEC offices' and divisions' initiatives to enhance their own specialization.
We have also created a new type of examiner position called a "Senior Specialized Examiner." Currently, we have only a small number of these positions available, but we anticipate leveraging their expertise around the program. These are individuals with significant expertise trading options, running an equity-trading desk, or rating the credit-worthiness of asset backed securities, and so on.
Finally, we are enhancing our training: with targeted internal programs, collaboration with other regulators, and more extensive use of external certification programs. For example, more than a third of all examiners are currently studying for the Certified Fraud Examiner credential. We are also considering other certification programs.
How will you see these changes? Let me give you an example. During an examination the team leader tells you: "As you know, tomorrow we will interview your trading desk. We will be joined by a colleague from Washington — or New York — who will lead the interviews." That colleague, when he or she arrives, will turn out to be a very experienced individual who once ran a trading desk much like yours. That is the kind of expertise we hope to acquire.
Second lesson: we need to organize ourselves to make sure the right expertise is deployed to each problem. This has been a particularly important lesson for OCIE. For historical reasons our program has been divided into two parts: one for broker-dealers and the other for investment advisers. This is a legacy of the program's origins in two different divisions, and has been preserved for various reasons. Unfortunately, this legacy, and the poor communications it caused, played a role in certain failed examinations. How have we been addressing this?
This is an area where I have put a change agent to work. I have asked a highly regarded Assistant Director from a regional office to take the national lead on this topic. He has been working full time asking: how do we examine firms that are registered as both a broker-dealer and an investment adviser; how do we examine firms that have affiliates with another registration status; and most challenging of all, how do we examine firms that have only a single registration status, but are engaging in activities that require the deployment of expertise that is not possessed by the examination team? The change agent is interviewing staff, reviewing reports, and he will join certain examination teams to observe their collaboration in the field.
Chairman Schapiro has told us that she wants the agency to work with a new "Culture of Collaboration." I view this area, bringing expertise together from across the examination program, and from other offices and divisions, as a case study of her policy. Our ultimate goal is not just to get examiners to talk with each other, but to create and instill a Culture of Collaboration throughout our work.
In addition, in the meanwhile, we have been taking specific steps to enhance this collaborative approach. We are establishing periodic review procedures for all examinations, in which a primary agenda item will be whether the examination team needs help with additional expertise. We have conducted several cross-training programs, in which examiners and examination managers are learning about each other's areas of expertise. Finally, we are building ad hoc teams to address specific compliance issues that touch multiple areas of expertise. For example, we have formed a cross-disciplinary working group to review firms that use algorithms in their trading.
How will you see these changes? Let me give you an example. An examination team gives you a request for records, and you discover that the team wants to see documents from several affiliates: broker-dealers, investment advisers, and perhaps other types of registrants as well. As you study the request you realize that the examiners are tracking transactions, or business relationships, or conflicts of interest, or compliance controls through the many sub-units of your organization. When they arrive on site, you realize that they are taking a holistic view of your organization and its business practices. That is the kind of silo-free oversight we hope to achieve.
Third lesson: we must reach out to third parties to verify what we have been told. The days when we could conduct verification on the premises of a single firm — looking at correspondence on letterhead, requesting manually signed documents, or downloading through a firm's computers — are behind us. Modern verification requires us to reach out directly to counterparties, custodians, and clients. How are we addressing this?
In 2009 we established an aggressive program of third party verification. If you have been examined within the last several months, I am certain you have had first hand experience with this program. In particular, we have focused on third party verification of assets. To do this we have confirmed down, to the client, to learn what they think they have, and we have confirmed up, to the custodian, to find out what is really there.
We are currently reviewing our experiences, refining our procedures, and working to make sure we are contacting the right third parties to verify the right information. I have change agents at work in this area as well. We expect to complete our internal review and finalize our new procedures soon. I have emphasized within the examination program, and I will emphasize to you, that we must use third party verification routinely, and effectively, if we are to regain the trust and confidence of those we serve.
How will you see these changes? You will see third party verification at work when we reach out to your counterparties, custodians, or clients, to have a conversation about you. Sometimes it may only be a conference call. Of course, we will arrange the call by letter so the other parties will know it is really the SEC on the phone. Other times we may test a small sample of information — orders, trades, or assets. Yet other times we may engage in extensive testing designed to validate significant amount of information. This is the new reality. You should make sure that your counterparties, custodians, and clients understand that your regulator may want to talk with them.
Fourth lesson: we cannot allow examiners to be intimidated. I have been very disturbed to learn how law-breakers, people running serious frauds, tried to intimidate SEC examiners. The fraudsters claimed to have special influence, or special access, and they threatened examiners, screamed at them, and tried to direct or silence their inquiries. How are we addressing this?
We have established an internal Exam Hotline for examiners who believe they are being intimidated. Our goal is to make sure they can quickly reach senior officials in Washington, when necessary. The new internal Exam Hotline is set up exactly like the external Exam Hotline that has been available to the regulated community for some years.
I have also asked two senior Associate Directors to serve as national leads in developing a new culture of support for examiners. We must make sure both that examiners have our support, and that they know they have our support. At the same time, the firms that we are examining should feel free to ask questions, or to speak with the examiners' supervisor, or even to call the external Exam Hotline, if they feel that is appropriate. We welcome questions, we welcome having a dialogue, including with supervisors, if you believe that is appropriate. But we will not tolerate threats.
How will you see this? Hopefully you will not. I hope no one here would ever tell an examiner you can get her fired, or that she should be careful, because you know her boss's boss. Indeed, most compliance professionals that I have spoken with about this issue have expressed shock and disbelief that anyone would attempt such a thing. I agree. In fact, this conduct is so unacceptable and abnormal that you can expect examiners to view it as a red flag suggesting that there are substantive problems at the firm. Trying to cover up violations with intimidation will not work.
Fifth lesson: we need to regularly review our policies and procedures to make sure we are keeping them current and up-to-date. This is something compliance professionals learned a while ago. Over the last few years, conducting Annual Compliance Reviews has become a settled element in the professional practice of compliance. I have always thought it was a great idea for you. Now I think it is a great idea for us. How are we addressing this?
We are embarking on an initiative to conduct Annual Reviews within the examination program. This was among the Inspector General's recommendations. We anticipate that we will review our policies and procedures, conduct forensic tests on how they are working, and otherwise consider whether our program is addressing the risks we have identified. I am certain this sounds very familiar to you all. In addition, as you may recall, when the Commission adopted the compliance rules for funds and advisers, it gave you approximately two years to conduct your first annual review (counting the rule's delayed effectiveness and the time after effectiveness to conduct the review). Many compliance professionals told me that the extra time to get ready, the first time around, was very helpful. Not surprisingly, even though we will begin working on this immediately, we anticipate requiring the same length of time in-house.
How will you see this? Actually, you will see it very soon. We expect to post a new position in the examination program to take the lead in this effort. It will be posted as a Senior Specialized Examiner (one of the new senior positions I mentioned before), and also as a Senior Attorney (the double posting will permit both attorneys and non-attorneys to apply). We hope an experienced compliance professional who has conducted annual reviews of large and complex organizations will come to the SEC to help us conduct our own. I must admit, having spent a lot of time over the last few years observing your efforts in this regard, I am pleased to see this idea come full circle.
Up to this point I have focused on how the examination program is changing. It is. But the events of the last year have had an impact on the practice of compliance everywhere. I hope all of you have been looking at recent events, and asking the same questions: What lessons can we learn? How do we need to change our programs in response? All of us need to reflect upon these questions. I would like to suggest that in your reflections, or perhaps in your Annual Review, you give some thought to the lessons we have learned, to ask if they might be applicable to you:
First, we all should enhance our expertise. Every compliance office should be asking: do we have enough expertise to keep up with the business side? For example, if you have a trading desk: Do the compliance professionals who work with the desk understand it? Can they test its activity to ensure that it complies with the firm's policies and procedures, or with a strategy's stated goals? If you use an algorithm to trade, do have anyone with the expertise to oversee it? These are questions for all of us.
Second, we all should break down the silos that divide us. Many compliance offices are divided into the same kinds of silos we have had in the examination program. The business side escaped its silos a long time ago. Have you kept up? We all need a Culture of Collaboration to make sure specialized groups are working together.
Third, we all should focus on obtaining verifiable and verified information. Do you, as a compliance professional, reach out to the third parties that do business with your firm: counterparties, custodians, and clients? Stated broadly: how can you trust the information you use in your compliance processes? We are asking the question of ourselves, and you can expect us to ask it of you.
Fourth, we all should protect compliance professionals from intimidation. Are there employees at your firm who use intimidation to attempt to escape compliance oversight? Do not let them get away with it. You may want to mention their names the next time you meet with the CEO, or the Independent Directors — or even — the next time you meet with me. As professionals, we cannot tolerate this.
Fifth, we all should focus on conducting top quality Annual Reviews. Here, you have a head start, since you have been doing them for several years. Let me just say that I am pleased to join those who practice — as well as preach — the benefits of an Annual Review.
This has been an extraordinary year. Compliance will never be the same. But if we learn our lessons, if we give compliance more expertise; if we develop a true Culture of Collaboration across different areas of specialization; if we make sure we have verifiable and verified data; if we protect compliance professionals from intimidation; and if we conduct effective annual reviews, we will all emerge wiser, and the practice of compliance will emerge better, from the experience.