Remarks at NRS 30th Annual Fall Investment Adviser and Broker-Dealer Compliance Conference
Andrew J. Donohue, Chief of Staff
San Diego, California
Oct. 14, 2015
Thank you for that very kind introduction and for inviting me to speak today. Before I start, I must provide our standard disclaimer that the views I express today are my own and do not necessarily reflect the views of the Commission, the Chair, other Commissioners, or my colleagues on the Commission staff.
In preparation for this speech I looked back and saw that it was almost five years ago that I gave my last speech while I was Director of the Division of Investment Management. And, it’s been almost seven years since I last addressed this group. A lot has changed in that time. Financial markets and the regulations affecting them and their participants, including investment advisers and broker-dealers, have changed dramatically. Change has also taken place at the SEC especially regarding the sophistication and use of data and analytics by the staff. What has not changed however is the critical importance of the role you play in your firms.
I have worked in and around the financial industry for almost 40 years in a variety of roles. In addition to being a regulator, I was responsible for legal and compliance functions at a few large financial institutions. From my own experience, I know how difficult your jobs can be. So what I would like to do today is to provide you with some observations I have about your role as compliance professionals, the role of the SEC, and offer some thoughts for your consideration.
I. Role of Compliance
First of all, let me thank you for the important work you do each day on behalf of investors. By working within your organization to create a strong compliance program, you are not only helping your organization to meet its regulatory responsibilities, you are also helping to ensure that investors are protected.
The environment you work in is more complex than ever. The securities business is constantly innovating and introducing new products and services. Moreover, given developments in technology, this change is occurring at a staggering pace. In fact, it is this complexity and speed of change that makes your jobs so important and renders it imperative that you consistently challenge yourself to evolve to meet the demands of your profession.
II. Promoting Compliance
The Commission staff strives to support you in meeting this challenge.
The work and transparency of the Commission’s Office of Compliance Inspections and Examinations, or OCIE, is a prime example of how the Commission supports you in the development of strong compliance programs at your firms. I think of OCIE as the “eyes and ears” of the Commission. OCIE consists of approximately 900 examiners who directly engage with registrants to assess their compliance with the federal securities laws and regulations.
One of OCIE’s primary objectives is to promote compliance. OCIE, in collaboration with leaders from the Division of Trading and Markets, the Division of Investment Management and others at the Commission, is engaging directly with the senior management at firms throughout the industry. In these meetings, the staff aims to emphasize the importance of the tone at the top and compliance culture of a firm. These meetings offer compliance personnel and senior executives an opportunity not only to get to know the staff outside the context of any examination or enforcement action; they also provide a platform for you to discuss challenges you face in the industry and ways that the SEC might be able to play a role in addressing those challenges.
SEC staff also publishes materials and conducts outreach to inform you where it sees risk and potential compliance pitfalls. For example, the Division of Investment Management publishes Guidance Updates as a meaningful way to communicate the staff’s thinking on discrete issues regarding investment advisers and investment companies. In addition, for the last three years, OCIE has published a list of its annual examination priorities, with the hope that this information will let you know what areas examiners will be paying particular attention to in the coming year. OCIE also publishes Risk Alerts with descriptions of some of its larger upcoming initiatives such as the Cybersecurity examinations and exams focusing on retirement savings. These sometimes even include specific risk areas and sample document request lists that you can use as tools in your own compliance programs. After conducting examinations, OCIE often shares descriptions of areas where examiners have identified potential compliance issues across firms so that you can assess whether your firms may be facing similar challenges.
In addition to publications, OCIE, in conjunction with SEC Divisions focused on regulatory policy, regularly hosts outreach events, and SEC staff speaks at numerous industry-focused events. In this way, we welcome a dialogue to hear what key risks you see in the industry, and we share with you what we are seeing, including potential areas of improvement.
By paying attention to topics covered and issues raised by SEC staff, you’ll have tools to preemptively address potential risk areas within your own organizations.
III. Compliance Challenges
At the SEC, we understand resources can be a significant challenge. We — and particularly the examination program — face the same constraints. The SEC currently oversees more than 25,000 market participants, including nearly 12,000 investment advisers, approximately 10,500 mutual funds and exchange-traded funds, nearly 4,500 broker-dealers, and about 450 transfer agents. Other registrants also include the 18 national securities exchanges, 10 credit rating agencies, eight active registered clearing agencies, and several self-regulatory organizations such as the Public Company Accounting Oversight Board, FINRA, Municipal Securities Rulemaking Board, the Securities Investor Protection Corporation, and the Financial Accounting Standards Board. Despite the fact that this registrant base is constantly expanding, OCIE has only seen modest increases in resources dedicated to examinations.
I’ll briefly touch on OCIE’s strategy for optimizing examination resources, as you may find it relevant to your compliance departments.
A. Identifying Risk
OCIE has made it a priority to channel its limited resources toward their highest and best use by implementing a risk-based strategy across the entire examination program. Identifying the greatest risks to investors and markets is therefore a key part of OCIE’s program. OCIE’s Risk Assessment and Surveillance Group aggregates and analyzes data from SEC filings concerning all registrants to identify activity that may warrant examination. This analysis enables OCIE to identify operational red flags throughout entire industries — such as firms with aberrant swings in reported assets under management, changes in key individuals, business activities, and affiliates, and other possible indicia of heightened risk.
B. Embracing Data and Technology
OCIE has incorporated state of the art technology to collect and analyze large data sets to help optimize this process and to better understand each firm’s business when conducting examinations. Exam teams increasingly utilize the “National Exam Analytics Tool” or “NEAT,” which was developed by highly skilled PhDs and technologists in OCIE’s Quantitative Analytics Unit, to access a registrant’s trading data and subject it to a battery of tests in order to identify potential compliance concerns.
OCIE’s Risk Analysis Examination Group is continuing to leverage technology in exams of clearing firms and large broker-dealers by analyzing transactions cleared by selected firms over a period of years and then using that data to identify potential problematic behavior across multiple firms, including unsuitable recommendations, misrepresentations, inadequate supervision, churning, and reverse churning.
SEC examiners also are mining large amounts of data to assess how large firms have implemented their compliance programs across branch offices. For example, OCIE recently published a Risk Alert, describing how examiners used data from over 26,600 sales of structured securities products to evaluate how ten branch offices of various registered broker-dealers had implemented controls over suitability and supervision in this area. Examiners queried how often each branch exceeded the firm’s internal policies and procedures governing suitability of recommendations as well as supervisors’ documentation approving overrides of internal guidelines. This analysis revealed that some branches paid significantly more heed to internal policies and procedures than others, and that some supervisors routinely submitted sparse documentation supporting their decisions to override internal guidelines. While these revelations do not necessarily indicate a disregard for compliance or anything more nefarious, they do allow examiners and compliance professionals alike to ask more targeted questions about why such discrepancies might exist.
C. Enhancing Existing Expertise
Having the expertise to assess new and evolving areas in the financial industry — and to use new technological tools for this purpose — is critical to effectively assessing compliance with the federal securities laws and regulations. While SEC staff have great familiarity with these laws and deep experience across the industries they examine, the examination staff increasingly has supplemented that experience and knowledge base with industry and technical experts.
The Technology Controls Program (“TCP”), for example, was recently established in order to bolster OCIE’s experience in the areas of information technology and cybersecurity in the financial industry. TCP teams focus primarily on examining entities covered by Regulation SCI, such as clearing agencies and the national securities exchanges; however, these experts also serve as resources for adviser and broker-dealer examination teams, who need to assess issues involving technology at the firms they examine.
The SEC has also recruited specialized staff in derivatives, valuation, options, prime brokerage, trading, and quantitative analytics, to name just a few areas. By leveraging these experts’ knowledge in particular exams, larger examination initiatives, and program-wide training, OCIE is staying current on industry trends and practices and improving its capabilities and efficiencies in examinations.
I encourage you to consider these strategies, including leveraging those within your firms with technological and specialized trading expertise to help you develop your own firms’ compliance programs to keep pace in a constantly evolving marketplace.
IV. Risk of Liability
At this point, I have challenged you to be pro-active in your role as compliance professionals. I’ll acknowledge, however, that some of you may be wondering whether this elevated role could expose you to increased personal liability. In my opinion, the answer to this question is no.
Chair White, in an October 2013 speech at the National Society of Compliance Professionals’ National Membership Meeting, stated “[a]lthough we occasionally bring enforcement actions against compliance personnel, compliance officers who perform their responsibilities diligently, in good faith, and in compliance with the law are our partners and need not fear enforcement action.”
The Commission has brought, and will continue to bring, enforcement actions against compliance officers when appropriate. Earlier this year, the Commission took action against three CCOs of investment advisers for causing their firm’s violation of the Compliance Rule. As you know, the “Compliance Rule,” Advisers Act Rule 206(4)-7, requires registered investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and rules thereunder. In one case, the CCO was responsible for the design and implementation of the adviser’s written policies and procedures. The CCO knew of, and approved of, numerous outside activities of the firm’s employees, but the CCO did not cause the firm to adopt any written policies and procedures to assess and monitor those outside activities. In another case, the adviser’s policies and procedures required a review of cash flow in client accounts. The CCO was responsible for implementing the policies and procedures, but the CCO did not effectively implement this particular provision and as a result, a firm employee was able to misappropriate client funds. In the third case, the CCO was assigned the responsibility for establishing and administering the firm’s compliance program. The CCO knew the firm needed to tailor an off-the-shelf compliance manual to the specific needs of the firm, but the CCO never updated the firm’s manual.
Following these cases, there was a lot of discussion about whether the Commission was targeting CCOs. From my point of view, the Commission is not targeting — and has not targeted — compliance personnel. As Chair White stated in her remarks at the July 2015 Compliance Outreach Conference for Broker-Dealers, “it is not our intention to use our enforcement program to target compliance professionals….Being a CCO obviously does not provide immunity from liability, but neither should our enforcement actions be seen by conscientious and diligent compliance professionals as a threat. We do not bring cases based on second guessing compliance officers’ good faith judgments, but rather when their actions or inactions cross a clear line that deserve sanction.”
In a May 2014 speech at Compliance Week 2014, Andrew Ceresney, Director of the SEC’s Division of Enforcement, described three scenarios in which the Enforcement staff typically will recommend that the Commission bring enforcement action against CCOs: when they have (1) affirmatively participated in the misconduct; (2) helped mislead regulators; or (3) had clear responsibility to implement compliance programs and policies and wholly failed to carry out that responsibility. In light of these factors, I believe that CCOs should feel empowered to diligently carry out their responsibilities without fear of personal liability.
I’ll close now by going into some specifics. If I were a Chief Compliance Officer, I would consider my role in terms of the following categories. These are non-exhaustive, but I present them for your consideration:
A. Laws, Regulations and other Requirements
Clearly I would need to have first-hand knowledge of the various laws and regulations that apply to my firm and its activities as well as any particular conditions or requirements of exemptive orders or other compliance requirements. This would also entail an understanding of the interplay of the requirements of the various regulatory regimes applicable to the firm based on its business model and the jurisdictions in which the firm operates.
B. Organization and Operations of the Firm
I would need to develop a deep understanding of the firm, its structure, and internal operations with a particular focus on the different areas of the firm with respect to which I was CCO. I would also need to develop a working knowledge or roadmap of how the different areas of the firm interacted with, or were dependent upon, other areas of the firm. A detailed knowledge of the supervisory structure of the firm would also be essential.
C. Conflicts of Interest
I would need to have a clear understanding of how the firm identifies all of the conflicts of interest that might exist; how frequently potential conflicts are reviewed and, when conflicts are identified, how they are resolved and by whom. If the resolution requires disclosure, I would want to understand who drafts the disclosure and how and when it is effectively communicated to clients/customers.
D. Clients of the Firm
To effectively discharge my responsibilities, I would also need to develop a detailed understanding of who the clients/customers of the firm were and what products and services were being provided to them by the firm. To help inform a robust analysis of potential conflicts, I would also need an understanding of the profitability of these products and services for the firm and the firm’s registered representatives. Reviewing offering and sales materials and related documents on a regular basis would help inform this view.
E. Compliance and Other Systems
I would need to develop a deep understanding of the compliance and other technology platforms utilized by the firm and appreciate the implications they pose for developing and implementing a robust compliance program. After all, you can develop great procedures but they need to be able to be implemented within the constraints of the compliance and other systems of the firm. An understanding and appreciation for key dependencies of your program and of the firm is very important.
F. Policies and Procedures
Clearly I would need to have a detailed knowledge of the policies and procedures of the firm and an appreciation of how they are applied and monitored. I would also need to develop an understanding of how they interacted with each other and the intended goal for each.
G. Markets and Business Practices
I would need to develop an understanding of the various markets in which the firm operates, including any specific practices in those markets and areas that might raise concerns. A detailed understanding of the types of investment products and strategies involved and their potential issues would also be essential.
H. Culture of the Firm
I would absolutely need to grasp the culture of the firm. I would insist that the customer/client comes first and that the firm will endeavor to “do the right thing.” Rather than fostering a culture of “can I do this?” you really want to develop a culture of “should I do this?” The firm would also need to devote sufficient resources to compliance and empower the CCO to provide the proper stature to the compliance area and its critical mission.
I. What DON’T I know?
Finally, it is very important that, as a CCO, I have an appreciation for what I don’t know or recognize when I am relying on the knowledge or expertise of others. This involves constantly challenging yourself and your colleagues to identify potential risks. It would be critical to create an environment of open communication and freedom to ask the tough questions. What is going on of which I am unaware? What aspects of the markets, financial products or strategies am I not well versed in? Where are there gaps in what I am covering, in my knowledge or in our programs?
Those are some of my thoughts on what I would consider if I were a CCO. Many of you undoubtedly have more experience in this area than I do and probably have a more detailed and expansive list. Nevertheless, I hope this is somewhat helpful for you as you continue in your important roles.
Again I thank you for the important work that you do every day and enjoy the remainder of the conference.
 The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of the author and do not necessarily reflect the views of the Commission or of the author’s colleagues on the staff of the Commission.
 See Andrew J. Donohue, “Keynote Address at the National Regulatory Services Twenty-Third Annual Fall Conference,” Oct. 29, 2008, available at http://www.sec.gov/news/speech/2008/spch102908ajd.htm.
 See “Guidance Updates” from the SEC Division of Investment Management, available at: http://www.sec.gov/investment/im-guidance-updates.html.
 See, e.g., OCIE “Examination Priorities for 2015,” January 13, 2015, available at: http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf.
 OCIE Risk Alert, “OCIE’s 2015 Cybersecurity Examination Initiative,” Sept. 15, 2015, available at: https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf.
 OCIE Risk Alert, “Retirement-Targeted Industry Reviews and Examinations Initiative,” June 22, 2015, available at: http://www.sec.gov/about/offices/ocie/retirement-targeted-industry-reviews-and-examinations-initiative.pdf.
 See, e.g., OCIE Risk Alert, “OCIE’s 2015 Cybersecurity Examination Initiative,” Sept. 15, 2015, available at: https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf.
 See, e.g., OCIE Risk Alert, “Broker-Dealer Controls Regarding Customer Sales of Microcap Securities,” Oct. 9, 2014, available at: https://www.sec.gov/about/offices/ocie/broker-dealer-controls-microcap-securities.pdf.
 OCIE Risk Alert, “Broker-Dealer Controls Regarding Retail Sales of Structured Securities Products,” Aug. 24, 2015, available at: http://www.sec.gov/about/offices/ocie/risk-alert-bd-controls-structured-securities-products.pdf.
 Chair Mary Jo White, “Remarks at National Society of Compliance Professionals National Membership Meeting,” Oct. 22, 2013, available at: http://www.sec.gov/News/Speech/Detail/Speech/1370539960588.
 In the Matter of BlackRock Advisors, LLC and Bartholomew A. Battista, Release No. 4065 (April 20, 2015), available at: https://www.sec.gov/litigation/admin/2015/ia-4065.pdf.
 In the Matter of SFX Financial Advisory Management Enterprises, Inc. and Eugene S. Mason, Rel. No. 4116 (June 15, 2015), available at: https://www.sec.gov/litigation/admin/2015/ia-4116.pdf.
 In the Matter of Parallax Investments, LLC, John P. Bott, II, and F. Robert Falkenberg, Rel. No. 75625 (Aug. 6, 2015), available at: https://www.sec.gov/litigation/admin/2015/34-75625.pdf.
 Chair Mary Jo White, “Opening Remarks at the Compliance Outreach Program for Broker-Dealers,” July 15, 2015, available at: https://www.sec.gov/news/speech/opening-remarks-compliance-outreach-program-for-broker-dealers.html.
 Andrew Ceresney, “Keynote Address at Compliance Week 2014,” May 20, 2014, available at: http://www.sec.gov/News/Speech/Detail/Speech/1370541872207.