Speech by SEC Staff:
Remarks before the National Society of Compliance Professionals 2004 National Membership Meeting
Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission
October 28, 2004
Instilling Lasting and Meaningful Changes in Compliance
Good Morning. I'm very pleased to be here with you today -- the National Society of Compliance Professionals is comprised of compliance professionals in the securities industry, including employed by broker-dealers, investment advisers, mutual funds and banks. As compliance professionals, you are a key constituency of the SEC, and we view you as important allies in our work to protect investors. At the outset, let me remind you that the views I express are my own views and not necessarily the views of the Commission, the individual Commissioners or my colleagues on the Commission staff.
I last spoke to the National Association of Compliance Professionals at its general membership meeting in October 2001. At that time, our focus at the SEC, and your focus as well, was on the key compliance topics of the day. We talked then about the importance of internal controls, strong policies and procedures, using technology to aid in compliance, conducting surprise audits, resolving compliance problems quickly and contingency planning. All are topics that are equally important today, and yet…
Since that time, so much in securities industry has changed. One of the most significant changes is certainly the increased respect that compliance professionals now enjoy. Increasingly you're now viewed not as a "necessary obstacle" to getting business done, not as the master of the compliance "checklist," but as a key player in the process of getting the business done in the right way. I hope that you are receiving the respect, resources, access and power within your organizations that your function demands.
I want to speak with you today about change, and about the challenge that securities firms face now in making sure that the lessons learned from recent instances of fraud and abuse result in change in firms' culture of compliance that proves to be both meaningful and lasting.
I. How Does Change Occur?
In recent months, I've been thinking about how change occurs. I think that change is occasioned in two ways: it can occur over time, in an evolutionary manner, or it may occur relatively rapidly, hastened or instigated by events. Change that occurs over time may be quite slow, may progress in fits and starts, and may be informed by results of successive earlier actions. Change wrought quickly by events, on the other hand, may be bold in its breadth and offer immediate relief. I would guess that an empirical review of both types of change would show that change wrought by events may be more meaningful, in that events can trigger change that may not have occurred incrementally at all. In the securities industry, there are many examples of this type of positive change.
The most famous episode took place more than seventy years ago. In the 1920s, the securities markets went through an extraordinary boom. Prices soared as Americans rushed to invest in companies developing new and innovative products. Investors were ready to pay tremendous premiums to get in on the latest technologies, like radio. As we all know, the boom went bust. The market crashed. In the aftermath, massive frauds and breaches of duty came to light. For the people of the 1930s, it was a very grim time. But, the story ends on a positive note. The crisis led to significant positive change.
In the 1930s, Congress created the federal regulatory regime for the securities markets. From the Securities Act of 1933 and the Securities Exchange Act of 1934, to the Investment Company and Investment Advisers Acts of 1940, Congress established the regulatory framework governing us today. In the 1930s and 1940s, implementing these new laws was probably quite a challenge. Contemporary records reflect a lot of anxiety about the new regulatory system. But once in place, it established a new level of protection, both for investors, and for honest members of the securities business.
In fact, the most important positive change resulting from the crisis of the 1930s, may be something that we cannot measure or look up in any law book. That is, when honest members of the securities business surveyed the terrible damage that had been done to the markets by fraud and abuse, they realized that if their business was to survive, it had to change its ways. They realized that before they could restore their business, they had to restore investors' trust.
It is important to remember that creative business leadership started many things that we take for granted today. Modern self-regulation for broker-dealers started with business-people getting together to prepare a code of ethics. Federal recognition that investment advisers are fiduciaries started when members of the fledging industry urged this view on the Commission.
The 1930s were an exceptional time. But we can see the same challenge and response in other periods as well. For example, how many people today remember the "back office crisis"? It happened only a few decades ago, when the securities business operated in hard copy (do you remember the days before email?), and lower Manhattan was full of couriers shuttling pieces of paper back-and-forth between firms.
In some respects, this crisis was exactly the opposite of the crisis of the 1930s. Instead of markets crashing, they were rising. In fact, they were rising so quickly, and so many investors wanted in on the action, that the securities business could not keep up. It could not generate and distribute enough paper. Firms simply choked on the volume of transactions flowing through their back offices.
As before, this crisis also had a happy ending. The federal government stepped in and enacted a series of new laws and rules governing securities utilities and operations. But again, equally important, this crisis evoked a positive and creative response within the industry itself. Creative members of the business community realized that they faced a previously unsuspected risk - too much business. Too much business can be a bad thing if you are not ready to process it. As a result, many securities firms embarked on significant programs to automate their operations. To this day, the securities business continues to be a leader in the use of electronic operational systems.
Like these examples from the past, I believe that, while painful for the industry, the compliance failures we have witnessed in recent years have the potential to result in change that may be very positive for the industry and for investors.
II. Today's Challenge
The challenge for securities firms now, I think, is to seize lessons from recent events, and to instill, in a permanent way, changes necessary to ensure lasting improvements. The overarching lesson of recent compliance failures is that all firms must be proactive in identifying areas of risk in their organizations and in taking steps to mitigate or eliminate those risks. I'd like to talk with you today about some concrete ways that I think firms can do this.
First, and speaking of change, let me say a few words about how we at the SEC, and in the Examination Program in particular, have changed. We have dedicated ourselves to being more proactive, to identifying high risk conduct and taking steps to mitigate or eliminate it, before it can blow up and investors are harmed. This is a fundamental goal of our Chairman, and as an examiner, I've simply seen too much investor harm and abuse, and have heard from too many investors who were misled or taken advantage of not think about how this misconduct might have been prevented in the first place.
I know that you, as compliance professionals, would also agree that the best outcome would be for compliance and other problems to be prevented, rather than to deal with them after the fact. Think about the damage done in the last few years, which has had a real impact on investors, not just in terms of the dollars lost due to particular fraudulent or abusive behavior, but also in terms of trust, your firms' customers' trust. I have often said that what's good for investors is good business for those who serve investors. The inverse is equally true -- loss of investor trust has real economic consequences for firms and for our markets overall. Think too about the clean-up costs. Think about all the time and resources that your firm puts into responding to customer complaints, to arbitrations, to investigating possible misconduct, to hiring outside lawyers to defend the firm. Too much time and resources are spent cleaning up problems, and, in my view, not enough time is spent on an alternative approach -- proactively identifying areas where risk exists, and then implementing controls to reduce or eliminate that risk.
I have talked about the need to instill a "Culture of Compliance" within firms - this means establishing, from the top of the organization down, an overall environment that fosters ethical behavior and decision-making.1 This notion certainly goes beyond having good policies and procedures, beyond having a dedicated compliance staff, and beyond having sufficient compliance resources and electronic exception reports, although the absence of those things can certainly indicate a poor culture of compliance. Our Chairman has talked about the need to instill an ethical culture as part of the "essential DNA" of the corporate body itself. He has said that companies must "look beyond just conforming to the letter of the new laws and regulations. They must redefine corporate governance with practices that go beyond mere adherence to new rules and demonstrate ethics, integrity, honesty, and transparency."2 Simply put, this means instilling in every employee an obligation to do what's right - even if there is no clear legal restriction or regulatory guidance.
This culture will underpin all that the firm does, and must be part of the essential ethos of the firm, so that when employees make decisions, large and small, and regardless of who's in the room when they make them, and whether or not regulators are looking, they are guided by a culture that reinforces doing what's right.
As you know, we at the SEC have urged firms to undertake their own self-analysis, to identify conflicts of interest in their operations - areas where the interests of the firm's customers or clients, its employees and the firm itself may be at odds. These are the areas where, as we have seen, firm employees may be tempted to place their interests, the interests of the firm, or the interests of a favored customer, above interests of investors. Many firms are undertaking this effort. I encourage all firms to do so, and to dig deep. Be proactive in identifying conflicts of interest that might incentivize not only illegal but also unethical conduct, and take steps to eliminate or mitigate those conflicts.
While many firms are engaged in this effort and are taking it quite seriously, it appears to me that others may not be as serious about the effort. Firms that have only scratched the surface by identifying conflicts that have previously been identified by regulators -- such as conflicts of interest in the sales of proprietary or revenue-sharing products, incentive compensation paid to registered representatives, or mutual fund sales' missing breakpoints -- have not really done a serious self-analysis. This worries me because without a careful analysis of your vulnerabilities, you can't really begin to start the effort to make the kind of proactive change that I think is important.
I was also disheartened to see results of a recent study by Pricewaterhouse Coopers of global financial institutions.3 That survey found that reputational risk is now regarded as the greatest threat to an organization's market value. But, half of the executives surveyed measured the success of their risk management systems by having received favorable comments from regulators, and over 70% of the executives said that regulatory pressures were either extremely significant or a major driver for changes in the priority of their organization's risk management. According to PWC, the survey revealed that many financial services firms are still failing to think proactively about unseen and emerging risks. Their report concluded that:
The tendency for financial institutions to focus on areas of risk that are most familiar and where data and techniques are most developed is natural, of course. But in an environment where new and potentially lethal risks can suddenly emerge, the leading institutions consciously and continually look at the bigger picture. They seek to anticipate and avoid the submerged risks that can abruptly sink an enterprise.4
While I am certainly glad that regulators have firms' attention, it seems to me that the key lesson of recent years is that firms must be proactive in identifying issues, conflicts and potential problems, before regulators do, and before they harm investors. I am concerned that some firms are still not generating their own impetus for change, but are instead relying on regulators to identify and urge, or require changes. And while regulators are focusing lots of attention on emerging risks, at the beginning of the day, firms and firm employees are in the best position to identify and fix emerging problems. It also seems to me that one of the best measures of whether a firm has truly inculcated a strong culture of compliance is its ability to proactively identify possible conflicts that could create problems, before those problems manifest themselves into trouble.
III. Instilling Lasting and Meaningful Changes in the 'Culture of Compliance'
I promised today that I would set forth some concrete steps that firms might take to instill, in a meaningful and lasting way, a strong culture of compliance. I don't think that any one of these steps, taken alone, is adequate, and I think there are likely lots of other things firms can do, but I offer the following:
Tone at the top: The firm's board, senior management and other key executives make it clear that they expect the firm and all of its employees to operate ethically and consistent with fiduciary and legal obligations. Supervisors are also held responsible for ensuring compliance with these standards. To be effective, firms' CEOs put this mandate in writing, emphasize it repeatedly, and mean it.
Training: Make sure all employees understand these expectations, and how the expectations apply in the context of their work. Use examples that they understand, generalities will not communicate the importance of the mandate to them and it will not be clear to them how they are to live up to these expectations in their daily work.
Compliance over profits: One the best ways to make the firm's culture of compliance evident to employees is for firm leaders to make decisions that demonstrate intolerance for compliance risks, even if it means losing the trade, the client, or the deal. Employees will remember this ethic the next time they are called upon to make a tough call.
Establish strong policies and procedures to prevent and detect violations: One of most frequent findings in examinations is that firms lack adequate written policies and procedures. Review your firm's operations and ensure that key risk areas are covered by strong internal controls. Test procedures regularly, improve them, question frequently whether they can't be better. Compliance policies should not be static, written in stone, but can be improved over time with the benefit of the lessons learned from using them.
Implement policies and procedures: Another frequent finding is that firms have good procedures, but don't follow them. This can communicate a lack of respect for all policies and procedures.
Test for compliance: Make sure supervisors are doing their job in reviewing conduct. Evaluate them not just on production standards, but on their ability to prevent problems. Have a strong internal audit program - give your internal auditors the teeth they need to detect problems. Ditto for compliance staff.
When problems are detected, deal with them quickly and appropriately: Provide redress to investors, and make clear by how you deal with the violator that the firm really means it when it says it maintains a culture of compliance, even with respect to its big producers.
Implement a superior compliance program: Give compliance staff the resources, respect, and access they need. Ensure that all firm employees, particularly supervisors and senior managers, respect the work they do.
Empower employees to question conduct: Employees can help identify questionable conduct before it becomes a problem, and can help identify problems that should be remedied. Make sure they know who to speak with to discuss problems and concerns. Make sure that they feel encouraged to do so: this means being ready and able to hear bad news. Managers who subtly send the message that they only want to hear good news will not know what's really going on in their organization. There are many examples of otherwise non-culpable employees trying to cover up compliance problems just to avoid having to tell the boss about them.
Report problems to senior management and to the board: Establish an expectation that compliance issues are important to the firm.
Self-assess honestly and periodically: As business, products, customers, and employees change, firms should assess periodically whether new conflicts of interest exist, and whether business practices assumed appropriate in the past continue to be so. Don't be lulled by the fact that "other firms are doing the same thing," or by so-called "best practices" that are really mediocre or "lowest common denominator" practices. Strive higher.
Think long term: Recent events remind us that reputations are forever damaged by actions motivated by short term profits. Winning some market share or performance "contest" this month, quarter or year at any cost simply isn't worth putting the firm in jeopardy.
Finally, keep your regulator informed: Pick up the phone. Let us know about the problems you're dealing with, and the changes you are implementing. It may be a difficult call to make, but you're much better off being forthcoming with your regulator than if we detect the problem ourselves. More broadly, we need to understand each other, and to make sure that our efforts at change are mutually supportive. We need to keep each other informed.
Today, we have talked about the big picture: leadership and change in the standards of compliance. I hope these thoughts help you identify concrete steps you might take to implement change that's both meaningful -- as measured by a reduction in compliance problems -- and lasting, in that a strong culture of compliance inculcates the firm, even when memories of today's fraud and abuse fade.
Thank you for listening, I'm happy to answer any questions.