U.S. Securities & Exchange Commission

Speech by SEC Staff:
Compliance Professionals Play Proactive Defense

Remarks by

Lori A. Richards

Director, Office of Compliance Inspections and Examinations
U.S. Securities & Exchange Commission

National Society of Compliance Professionals
National Membership Meeting
Washington, D.C.

October 18, 2001

The SEC, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of the author and do not necessarily reflect the views of the Commission or the staff of the Commission.

Good morning.

Before I begin, I'd like to thank everyone for being here. I recognize that in light of recent tragic events some people may feel uneasy about traveling. So, thank you for coming. September 11, 2001, will be a date forever imprinted upon all of our hearts.

Thank you also for having me speak today. I'm particularly pleased to address this group of compliance professionals -- for two reasons. First, because I so respect and appreciate the jobs you do as compliance professionals, and second, because my first speaking engagement ever was at an NSCP meeting in Los Angeles in 1987. So what goes around comes around, and I'm glad that Joan decided to invite me back.

I would like to kick off this program by talking about a topic that is near and dear to all of us -- compliance. Good compliance practices are, and always will be, an important part of a securities firm's day-to-day activities. As compliance professionals, both as regulators and as members of the private sector, we play a vital role. We can, and we do, make a difference.

Since we are right in the middle of football season, I think it is a particularly good time to talk about defense. If you know anything about football, you know that a solid defense is a critical component of any successful team. In compliance, we are the defensive squad. It is up to us to make sure problems are stopped before serious harm is done.

Moreover, if you know anything about football, you also know that the best defenses are aggressive, smart, and proactive. They don't hang back waiting for a long bomb. They are up front, reading plays, strategizing and looking forward to the next angle and option. The same is true in compliance. We need to be proactive. And that is what I want to talk about with you today.

The SEC's Examination Program

I'd like to start by talking about SEC examinations and our role in fostering proactive compliance. We very much view our role in the public sector as working to foster private sector compliance. Some of you, unfortunately, may think that our sole mission is to find out what you have done wrong. That is not true. We want to help you, and to support what you do. At the most fundamental level, we have a common mission -- we both want to ensure that the compliance function is strong, well-resourced, respected within the firm and able to do its job. I have often said that compliance is a "bread and butter" function, one that needs to do an excellent job in up markets and in down markets, in good times and in bad. Compliance should be part of the critical infrastructure of every firm. So as you can see, compliance professionals and SEC examiners have a common goal.

As SEC examiners, we look for weaknesses and violations. To be sure, we often find problems of varying degrees, ranging from record-keeping weaknesses, all the way up to significant conflicts of interest, frauds and manipulations. Remember, our mission is to protect investors, and the examination process is one of the ways we do this. But the examination process accomplishes something else, something we hope you consider valuable. It helps you to identify potential weaknesses in your compliance practices, and in so doing, helps you strengthen your compliance program. I also hope that we help educate your management about the need for a top quality compliance program.

The primary tool we use to achieve these goals is the deficiency letter. As you know, a deficiency letter describes our findings and asks you to make corrections. When we find problems, we address them in a deficiency letter. It is important to remember that deficiency letters are findings of the staff, not the Commission. They do not have the legal force of a Commission order. In fact, this informal status is the source of their value. When you receive a deficiency letter, you have an opportunity to informally and quickly fix the problems.

Fixing problems quickly is our goal and it should be yours too. In years past, when we made an enforcement referral, we sometimes did not provide the firm with a deficiency letter. Now, even when we think the Division of Enforcement or a self-regulatory organization may be interested in conducting further inquiries, we will send you a deficiency letter. We want you to have an opportunity to fix the problems we found. The exceptions to this policy are few -- generally situations where we believe that documents may be destroyed or investors' funds may be depleted.

The deficiency letter is our primary tool, but we have others as well. One tool to foster strong compliance practices is through public reports. Public reports are rare. This is because we vigorously protect the confidentiality of everything you tell us. As a result, almost all of our examinations result in confidential reports and deficiency letters. But from time to time we will issue a public report when we believe a particular area deserves special attention. In these reports we carefully remove the identities of individual firms. We also typically identify areas where firms could improve their practices, and describe examples of strong compliance practices we have seen in examinations. It is important to note that we do not proscribe specific compliance practices. We do want firms to implement whatever compliance methodologies work best for them, and there is rarely any "one size fits all" best practice. When we see that firms have created innovative ways to proactively address compliance issues, this is good information, and can benefit other firms who are asking the same questions about compliance methodologies. Rather than by working one firm at a time, public reports allow us to communicate the need for strong compliance in particular areas to all firms.

Finally, we have been very proactive in reaching out to the industry through conferences such as this one. We want you to understand what we are doing and why.

We will continue our proactive efforts to foster private sector compliance. But the tools we use -- deficiency letters, occasional public reports, and presentations at conferences -- are only effective when coupled with your efforts and commitment to developing top-notch compliance programs.

Private Sector Compliance Programs

We can foster compliance, but we're obviously not on the scene all of the time. But you are. You are there, on the spot, when things go wrong. More importantly, you are there, on the spot, before things go wrong. You know the firm's business and how it operates. As a member of the firm's compliance team, you are in the best position to determine the firm's compliance needs, and to play effective defense.

Some of you are probably thinking, "the way things have been going recently, I'm not on defense, at best I'm on special teams." I recognize that we all have to move quickly and creatively to deal with fast moving situations. But we also need a consistent defensive strategy that will pull us through the tough spots in the game.

I would like to mention a few key compliance areas where I think you should focus your attention. By this, I don't mean specific areas of compliance, like suitability, best execution, or conflicts of interest. Rather, I am referring to the basic compliance structure of your firm. How do you ensure that your firm and its employees are complying with applicable law? This is also the fundamental question that we ask when we arrive to conduct an examination. I'd like to outline five areas for you to think about in addressing this question: the importance of strong internal controls; your policies and procedures; using technology in compliance; conducting "surprise" audits; and quickly resolving compliance problems when they occur.

1. Internal Controls

We place a heavy emphasis on your system of internal controls. You can expect us to carefully review whatever controls you have in place. With our risk-based examinations, we rely on your internal controls to determine where we need to review and test in detail. In areas where controls appear to be strong, our examiners will defer to you and may spend less time reviewing and test-checking -- conversely, in areas where controls appear to be weak, our examiners will spend time thoroughly reviewing and test-checking for violations. We also review internal controls because we need to consider systemic risk in the securities markets. As individual firms become larger and more concentrated, the systemic risk of a failure at any one firm becomes more important.

In recent years, we have been conducting a growing number of stand-alone examinations of broker-dealers' internal controls. In these reviews a large team of examiners will scrutinize the controls you have established over your trading and credit operations. They will review a sample of trading at selected desks, monitor how your risk management systems handled various situations, how you kept management informed, the role played by your internal audit department, and more. These are very in-depth reviews.

But even during regular examinations, as we work our way through targeted areas, you can expect us to pay careful attention to the internal controls you have established for each area. Whether it's best execution, pricing securities, or determining portfolio performance, we will ask you to explain your control environment.

We hope to see strong systems in place. We'll ask for reports and other output, such as checklists, exception reports and management reports. We will also interview senior management to determine their contribution to the control environment. Finally, we will assess the timeliness and reasonableness of your responses to the problems you identified.

We think you should view internal controls as a key element of your defensive strategy. You need to be strong advocates within your firms for strong controls.

2. Policies and Procedures

Policies and procedures are the basic foundation of any firm's compliance program. All of you have them in some shape or form, depending on the size and complexity of your firm -- and hopefully in writing. They can be viewed as a subset of internal controls. Often they are viewed as part of the firm's supervisory structure. Where you place them does not matter.

What does matter is that your compliance policies and procedures provide the structure around which the firm conducts its business in compliance with applicable law. Let me tell you about a few issues about compliance policies and procedures that worry me:

  • They can fall out of date very quickly. You need to keep an eye on legal and regulatory developments.

  • They can become useless after a merger. You need to harmonize your written procedures with the post-merger personnel and data systems that will operate them.

  • They can create a fantasy world of perfect procedures that no one follows. You need to make sure your policies and procedures are workable. Then you need to make sure everyone follows them.

  • They can be written in language only a lawyer could love. Please, make them simple. Make them straightforward.

The important point here, once again, is that you need to be proactive. Take out your policies and procedures and ask, do they provide us with an effective defensive strategy? If there are Xs and arrows and crazy lines all over the chalk board, the answer is probably "no."

3. Using Technology in Compliance

More and more, technology is aiding compliance efforts. For large firms and small, computerized compliance tools have become essential for many firms. It's a fact that automated compliance checks avoid human errors, save time, and in the long run, save expensive human-hours. Investing in computer technology that prevents violations and that detects aberrations can allow you to use your capital on the output -- on following up on and solving problems.

4. Conducting Surprise Audits

The next subject that I want to discuss is directed specifically to those of you who serve as compliance professionals at broker-dealers -- the use of surprise audits by compliance staff as a compliance tool.

The Commission has expressed its view, in several enforcement actions, that it favors surprise audits by broker-dealers with many small and remote offices. In addition, the NASD, in Notice to Members 99-45, affirmed the need to conduct surprise audits after receiving red flags.

While there is no rule mandating this, as the Commission has noted, it is certainly part of a prudent compliance program. Indeed, I would suggest, surprise audits are a valuable compliance tool regardless of the size and make-up of the firm or its branch offices. And, as an examiner, I can attest that surprise audits yield results that you may not have if the audit is announced in advance. A candid look at an operation can have many helpful consequences. Most basically, sales literature may be left out on a coffee table. If the literature is for an unauthorized fraud, it is unlikely to be there when the announced auditor arrives.

In terms of strong compliance, we have seen a number of firms conducting surprise audits in selected situations. For example, many firms conduct surprise audits when there are red flags and in a certain percentage of regular audits. This gives them the preventive benefit of making all offices aware that a surprise audit could happen to them.

And there is a lesson too for the investment adviser audience here today: it's a good idea to step back periodically and assess your business activities. Go around to your advisory personnel, unannounced, to see how things are going. Assess whether compliance and other internal policies and procedures are being followed. You can never be too prudent!

The bottom line here -- we conduct many unannounced examinations. I think it should be part of your strategy too.

5. Fast Resolutions of Compliance Problems

As I have said, our goal is to find and fix problems. However, finding and fixing are not the only factors in the equation. It is commendable if you have detected a compliance problem and stopped it. That is always the first step. But we need to ask additional questions.

First, how quickly did you find and fix it? When investors are at risk, speed is of the essence. Second, did you resolve the underlying cause of the problem? If you build in lots of inducements for brokers or portfolio managers to cheat, and fire them as they get caught, that is not a fundamental resolution of the problem. You need to ask, beyond what I found, do I have a larger more systemic issue that I need to worry about? Third, have you taken another look at your preventive systems? If one problem slipped through, maybe others could as well.

In the SEC's examination program we are giving a lot of attention to how we can fix problems more quickly. We think you should do the same. Unresolved problems should be a compliance professional's worst nightmare.

Contingency Planning

It has been our misfortune to see an event that demonstrates in clear and dramatic terms the importance of a proactive defensive strategy. I am talking about how preparations for the conversion to the year 2000 helped us overcome the problems caused by the disaster on September 11th.

Securities firms expended huge efforts, both in terms of human resources and money, in getting ready for Y2K. In the examination program we spent much of 1998 and 1999 reviewing Y2K preparations. We saw extensive planning by broker-dealers and money managers. We saw high levels of management dedication, large expenditures, top staff dedicated to the issue, the implementation of solid internal controls, the development of numerous hypothetical failure-scenarios, and the preparation of a new generation of contingency plans and emergency procedures. These typically addressed, among other things, how the firm would conduct business if a disaster struck. I would say September 11th fit that bill. Had it not been for the careful work and sophisticated planning by these firms, we may not have experienced the success we did in reopening our markets.

I think these efforts illustrate the significant impact that your efforts can make. The moral of the story is: a solid defensive strategy will carry us through any number of unexpected events. Never mind why the plans were developed, they were there when we needed them.

Shortly after the attack, Chairman Pitt testified before the House Committee on Financial Services on the state of the nation's financial markets. He assured Congress that our markets were functioning and that they were strong and resilient. He also said that the Commission's examination oversight of firms located in the New York area will continue. We are working hard to make that happen.

As you may know, our New York office was destroyed in the aftermath of the attack. Fortunately, no one was injured, and our New York staff is already back to work in new space in downtown Manhattan. We have been able to retrieve all documents stored electronically, and we are reconstructing records relating to open examinations. We are using examination staff from other regions to ensure that appropriate examination oversight is maintained. Hence, in terms of examination oversight, you should not experience much of a change.

However, we recognize that there may have been disruption to your operations and records. You may be concerned that you won't be able to provide certain books and records if we pay you a visit. Let me reiterate another statement by Chairman Pitt. The SEC staff will make reasonable accommodations to requests for extensions of time for on-site exams or to produce books and records. We will be flexible and work with you on this.

Good planning, good preparation, a good defensive strategy got us through recent events, and demonstrated the importance of contingency planning.


To the uninformed, "proactive defense" sounds like a contradiction in terms. In fact, it is anything but. As compliance professionals, it is our game plan. We are all working hard to solve problems before they happen -- to foster compliance, to create solid internal controls, to draft workable policies and procedures, to use the most effective tools available, to move quickly when investors are at risk, and to plan for future contingencies. That's the essence of proactive defense.

Thank you.


Modified: 10/18/2001