Keynote Speech by SEC Staff:
Compliance and Internal Controls Key Priorities for US SEC Examination Program
Mary Ann Gadziala
Associate Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission
Fourth Annual Financial Institutions Regulatory Compliance Summit, Toronto, Canada
September 23, 2002
The SEC, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of the author and do not necessarily reflect the views of the Commission or the staff of the Commission.
Good afternoon. It's a pleasure to be here with you to share my views on compliance and risk management. I commend the planners of this conference for recognizing the great importance of these areas particularly in the current environment.
In recent times, the financial services industry has experienced numerous challenges that have tested compliance and risk management capabilities. Products and businesses have become more complex, and investors have more diversified needs. The volume, speed and sophistication of transactions have increased enormously. Technology, automation, innovation, and geographic dispersion all offer substantial new challenges. As mergers proliferate, firms have the added challenge of combining and integrating disparate procedures and systems. And firms must respond to the continuous stream of new laws and regulations. Compliance and risk management programs cannot be standardized. They must take into account business operations, market conditions, laws, customers and other factors. They cannot be static. They must adapt as the environment changes.
Why are robust and comprehensive compliance and risk management systems so critical? It is because they are a key defense against significant losses, violations, customer harm and ultimately, the failure of a firm. Enforcement actions are critical and send the strongest message about transgressions. But enforcement actions take place after the harm has been done. Compliance and risk management systems are preemptive: they are intended to stop the harm from occurring and/or mitigate resulting damage. Systems must be designed to anticipate potential problems, and must include controls and checks and balances along with independent reviews, to protect against them.
Failure to design and implement robust risk management and compliance systems has been evident in some historic and well-publicized losses and failures. They serve as constant reminders that firms must continually reevaluate the financial environment and enhance risk management and compliance systems correspondingly.
For example, the headline losses and customer harm resulting from activities at Metallgesellschaft AG, Bankers Trust, Kidder Peabody, Barings and Allied Irish Banks all can be traced to failures of risk management and internal controls. Compliance lapses played a significant role in other cases. Examples include the cases of abusive practices relating to the allocation of stock in hot IPOs, and the misappropriation of tens of millions of dollars and defrauding of investors in a number of high profile cases. Such events have brought risk management and regulatory compliance to the forefront. It is continuous vigilance under such systems and procedures that can prevent major problems and/or reduce their impact, and maintain trust in our financial institutions.
Only a decade ago, comprehensive compliance and risk management controls were virtually unheard of. Firms as well as regulators focused primarily on compliance with specific rules and requirements. However, the phenomenal development and growth of derivatives and some significant financial failures in the late 80's and early 90's highlighted the need for change. Beginning with the work of the G-30, which pioneered general risk management best practices for risky derivatives activities, our thinking about risk and compliance in the financial services industry was revolutionized. Key components included value at risk, stress testing, aggregating counterparty credit risks, netting, and independent risk management oversight reporting to senior management. While technical compliance with specific rules remained a component of supervisory systems, comprehensive risk management systems have become central to firm stability, regulatory oversight, and the integrity of financial institutions and markets.
The responsibility for risk management and compliance with securities laws in the U.S. rests first with the firms themselves and their senior management. The risk management buck stops at the top. Broker-dealer supervisors, compliance personnel, management and legal advisors all play roles in building effective internal controls and compliance programs. Self-regulatory organizations (SROs) including the NYSE and NASD are the next line of defense. They conduct surveillance, monitor reports, and perform regular on-site examinations of firms. The U.S. Securities and Exchange Commission - the SEC - oversees the work of the SROs and, in coordination with the SROs, conducts surveillance activities and on-site examinations of broker-dealers.
Risk management is the foundation of the SEC examination program. That is, we focus our attention on areas with the greatest potential risks. How do we do this?
Among the most important factors we consider are the firm's own practices and procedures. We use two primary types of on-site examinations to evaluate broker-dealers for potential risk: first, internal controls and risk management examinations, and second, comprehensive compliance examinations. Because of the significance of these two types of comprehensive examinations, I would like to say a few words about each.
Internal Controls/Risk Management Exams
The SEC examination program participated in the revolution in regulatory oversight in the mid 1990's by developing and implementing comprehensive risk management and internal controls examinations for the largest securities firms. Our fundamental objective is to ensure that securities firms have internal controls systems that are not only adequate, but that implement best practices commensurate with their risks. It is essential that each firm evaluate its own risks considering its particular circumstances, including such factors as trading strategies, choice of counterparties, adequacy of funding, geographic dispersion, technology, customer base and organizational structure.
SEC internal controls examinations begin with an overview of a firm's risk management process. We look at organizational structure and the process by which managers identify, assess, monitor and control all risks within the broker-dealer. These exams are conducted in conjunction with a review of the firm's compliance with the SEC financial responsibility rules, including capital rules. These reviews have been an excellent method for evaluating the overall risks at firms, and for identifying problem areas. If a firm is not vigilant in a particular area and lacks controls, it will very likely have related deficiencies and violations in the area.
Our internal controls examinations include reviews of the following areas:
- Senior management, to look for establishment of overall policies and active oversight of risk parameters and controls
- Internal audit, to ensure that independent assessments get to management; we look at coverage, resources, experience, and follow-up
- Market risk in proprietary trading and firm inventory, including VAR (value at risk), economic models, scenario analyses, stress testing, and back testing; we follow trades from the trading desk through the entire risk management system
- Funding, liquidity and credit risks, including counterparty credit risk across all products and businesses, credit limits, settlement and legal risks
- Operational risks, including segregation of duties, checks and balances, protection of customer funds and securities, operating systems, management information systems, management reporting, front and back office operations, contingency planning and disaster recovery
- And finally, we look to see that new products and activities are assimilated into the risk management system in a timely and appropriate manner.
What are some weaknesses we have seen in internal controls systems at firms?
- Inattention by senior management
- Allowing senior trading personnel to oversee risk management, despite the inherent conflict between profit and risk control
- Failure to adhere to the firm's risk limits
- Understaffed and inexperienced audit staff
What are examples of sound practices?
- Having the board of directors involved in risk management policy and oversight
- Independent and experienced high-level risk managers
- Periodic (daily) reconciliations of information data systems.
In conducting these reviews, our examiners are looking for areas where the firm's controls are weak or inadequate. We will conduct more thorough reviews in those areas and often find deficiencies and violations of laws and rules. Therefore, the first type of examination focuses on the structure and operation of a firm's risk management processes and systems.
The second type of examination that gives us an overview of how well a firm is self-policing its activities is the comprehensive compliance examination. This examination focuses on compliance with securities laws and regulations. Broker-dealers are required to establish, maintain, and enforce a system to properly supervise the activities of their employees. The firm's systems and implementation of procedures must reasonably ensure compliance with all securities laws. This type of exam assesses the strength of a firm's compliance culture and how effectively a firm carries out its compliance responsibilities.
Some of the areas we assess in these examinations include:
- senior management oversight
- written supervisory procedures
- independence and expertise of compliance personnel
- business and branch supervision
- surveillance and exception reports
- implementation of supervisory and compliance procedures
- employee supervision
- tracking and resolution of compliance concerns
- complaints, arbitrations, litigation, and investigations.
Our reviews evaluate whether the firm's compliance program covers all the firm's businesses and all the laws and regulations that apply to them. Some key areas that should be covered by a compliance program include:
- supervision of registered representatives
- suitability and unauthorized trading
- excessive markups
- cancels and corrects
- trading and execution
- reviews for insider trading and market manipulation
- information barriers, including restricted and watch lists
- reviews of correspondence
- handling customer funds
- anti-money laundering compliance
- rule S-P (security and privacy).
And remember, having well-structured procedures is a good start, but they must be accompanied by effective communication, implementation, and independent oversight.
Prompt Corrective Action
I am borrowing a phrase from the U.S. banking industry to stress one final point for compliance: prompt corrective action. It is critical that if problems do occur, a firm must promptly investigate them, correct the problem, advise regulators, and fix the deficiencies in internal controls that allowed the problem to occur. The SEC has advised firms that such prompt responsiveness will be positively considered by examiners, enforcement staff, and the SEC in making enforcement decisions and other regulatory determinations.
In our role as examiners, we will do what we can to assist you to take prompt corrective action. We keep open lines of communication during examinations. We will also generally conduct an exit interview to inform firms of any problems we have found during our examinations so that they can resolve them as quickly as possible.
In conclusion, the SEC plays a critical role in enforcement, investigating violations and penalizing wrongdoers. The SEC also acts preemptively to help prevent problems from occurring through its oversight of internal controls, risk management, and compliance. These key areas have ascended in prominence in recent years and now play a significant role in preventing major losses and maintaining public confidence. Systems must be designed to cover diverse business operations and the changing market and regulatory environment. We are continuing to learn ways to improve these systems. Constant vigilance and a strong compliance culture are key. Prompt corrective action is critical. Despite everyone's best efforts, history has demonstrated that systems are not perfect and even the best systems cannot prevent the adverse impact of certain external events. Financial market participants have learned some very painful lessons, but these have led to an improved and more resilient financial system.
The fundamental strength and preparedness of our financial community was severely tested a year ago on September 11. The terrorist attacks on New York City caused previously unimaginable destruction and loss of life. Survival and recovery in the face of this attack was our greatest challenge. Absent the risk management and disaster recovery procedures in place since the early 1990's, and particularly since the 1993 terrorist attack on the World Trade Center, the financial fallout could have been substantially worse. Contingency and disaster recovery plans contributed to a remarkable resiliency. The U.S. markets were all reopened in less than a week. But we could never have predicted the extent of this destruction. And lessons were learned that will mean even better contingency planning and disaster recovery in the future.
I hope you will all focus your attention on comprehensive compliance and risk management at your firms. You should work to bring, not just adequate programs, but best practices to the financial services industry. There is no way to compute the cost savings from disasters and customer harm that never occurred, or the losses that were mitigated. However, there is no doubt that the number is great, and that effective compliance and risk management systems played a key role in preventing problems. Therefore, it is critical that we continue to work together to ensure that financial firms have the best possible compliance and risk management systems to maintain the integrity of our markets and the stability of financial firms and to retain the public trust.