Speech by SEC Staff:
Remarks before the NRS 21st Annual Spring Compliance Conference
John H. Walsh
Associate Director - Chief Counsel
Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission
Palm Springs, California
April 18, 2006
Thank you. It is a pleasure to be here. The views I am about to express are my own, and not necessarily those of the Commission, the Commissioners, or my colleagues on the Commission's staff.
Let me start by saying Congratulations! You did it. If you work for a fund or adviser, you have completed your first Annual Compliance Review. If you work for a broker-dealer, you have completed your first Annual Supervisory Control Report and obtained your first Annual CEO Compliance Process Certification. Some of you probably work for dual registrants, so you did both. Again, to all: congratulations!
Just as a footnote of course, if you have not done it, you are late. The last possible day for a fund or adviser to complete its review was April 5, and broker-dealers' reports and certifications were due April 1. In future years you can adjust your review periods (with some limitations), and I understand many firms are considering moving to a calendar year cycle. That is something to think about for the future.
For now though, I will assume that you met the deadline. You finished your interviews and tests. Your third party reviewers, if you chose to use any, have reported to you. You have all your work papers in hand. You have formulated recommendations for improvements to your compliance systems.
You are probably asking: what now? I do not want you to take this the wrong way, after everything you have already done, but the next few weeks may be the most important part of the process. Right now, there are two important things to do.
First, everyone involved should be thinking about the lessons to be learned. All of us, funds, advisers, broker-dealers, and regulators, should be thinking about the reviews, and what they mean. I am certain that many of you are here this week because you want to understand how your findings compare to those of your peers.
Second, everyone involved should be working to make sure it was all worthwhile. After your reviews, your testing, your verification, your CEO meeting, after all your work, your recommendations should not simply die on the vine.
Today, I want to join you in thinking about these two issues. What are the lessons to be learned; and what can be done to help you implement your recommendations?
First Topic: What are the lessons to be learned?
In thinking about the lessons you have learned, you might find it interesting to hear about some of the issues we have identified in recent examinations. This is not, I should add, a scientific survey of examination findings. Rather, it is a selection of issues that have come up during examinations conducted during the last few months, the period when most of you were conducting your reviews. My goal is to identify issues that we have seen that may be relevant to what you have seen. If you like, you could think of this as a "virtual annual review."
Funds and Advisers
Let us start with funds and advisers.
First: The Risk Identification Process
In the adopting release for the compliance rules, the Commission said:
Each adviser, in designing its policies and procedures, should first identify conflicts and other compliance factors creating risk exposure for the firm and its clients in light of the firm's particular operations, and then design policies and procedures that address those risks.
A shorthand language has grown up around this text. Firms say they are conducting a "risk assessment" by creating an "inventory" of risks and then "mapping" those risks to their compliance policies and procedures. These are helpful terms. As always though, whatever terms you choose to use, the important thing is that you perform the functions described by the Commission.
In our examinations of the risk assessment process, we have seen two recurring themes. One, a number of you used checklists. No question: a good one can really help. Please remember though, a checklist is only a start. One of the more important assessments you should perform is whether your firm has any unique risk exposures due to its personnel, business model, structure, or affiliations. If these exposures are not widely shared by your peers, they may not appear on a checklist.
Two, some of you, at the end of your risk assessment, ended up with two documents: a checklist of possible risks, and a list of compliance policies and procedures, with no apparent connection between the two. Please remember: the Commission said your policies and procedures should be designed to address the risks you identified.
Second: Policies and Procedures
The compliance rules require funds and advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act, or in the case of funds, the federal securities laws.
We are still finding firms that have no written policies and procedures. Most commonly, this arises where there are multiple registered entities within a complex and some of them were just overlooked. Hopefully, as part of your annual review, you created an inventory of the registered entities within your responsibility, and made sure they all had written policies and procedures.
We also find instances where a firm has policies and procedures but a particular area is overlooked. Areas that have come up recently include: market timing; how you handle conflicts of interest when voting client proxies; and sub-advisers.
Finally, we have encountered issues in how you enforce your policies and procedures. This has always been a favorite area for examiners. Once you write down your policies and procedures, be sure to enforce them.
Third: Board Approval
Funds must obtain the approval of their board of directors for their policies and procedures based on a finding, by the board, that the policies and procedures are reasonably designed to prevent violation of the federal securities laws.
Our examinations have raised two concerns. Some fund managers have overwhelmed their Boards with vast amounts of information, such as multiple binders of documents with very small print. The rule doesn't require this, and if I were a director, I would resent it. On the other hand, some fund managers have only given the board very general information, such as nothing more than a list of the policies and procedures' titles. How can such a board find that those policies and procedures are reasonably designed? The Commission's adopting release explained that the Board may rely on summaries, but the summaries must be sufficient "to familiarize directors with the salient features of the [compliance] program . . . and provide [the board] with a good understanding of how the compliance programs address particularly significant compliance risks."
Fourth: Testing
This is the topic everyone likes to discuss. What is testing? What kinds of testing are there? How much do you have to do?
The Commission, in the adopting release, said that your policies and procedures should be designed to detect violations, and that you could do this, where appropriate, with tests that analyze information over time, to identify unusual patterns.
In recent examinations we have seen firms that conducted no tests, even though the nature of their business was such that tests could have been useful in detecting unusual or questionable patterns of conduct. In light of the Commission's statement in the adopting release, we have to question how such a compliance program could be reasonably designed.
We have also seen specific problems that could have been resolved through appropriate testing. For example, if you make affirmative statements in your disclosure about some operational matter, such as waiving redemption fees, and we find that you have engaged in inconsistent behavior, we may ask, "why didn't you test for compliance with your assertion?"
At the same time, there is good news here. We have seen a number of creative tests that can help meet the Commission's goal of looking for patterns over time. Here are some examples:
Tests that compare brokerage allocations to sales of fund shares: if you detect fluctuations in allocations that seem to reflect fluctuations in fund sales, you may have a 12b-1(h) compliance issue;
Tests that take a long-term look at personal trading: if you only monitor day-by-day, trade-by-trade, you may not identify problematic trading, especially by the skilled trader who knows how to work around the margins of your control system;
Tests that compare aggregate IPO allocations over time: if you only look at the allocations one-by-one, you may miss the clients who never show up, or the ones who take a small portion of each IPO but over time end up with a lot more; and
Tests that compare the performance of similarly managed accounts over time: if you have side-by-side accounts with different compensation structures, this test could be extremely useful.
Fifth: The Chief Compliance Officer ("CCO")
I saved the CCO for last. When the Commission adopted the compliance rules, it set very high expectations for the CCO. He or she should be competent, knowledgeable, empowered, and have a position of seniority and authority. What kinds of issues have we seen in recent examinations?
Let us start with the basics. Your firm should have a CCO. I have been surprised by how often this comes up. But let us assume you have a CCO. What kinds of issues have we seen? Generally they depend on how you chose to fill the position.
There has been a lot of discussion about which is better: an inside CCO or an outside CCO. As people comment on this choice (and there has been a lot of commentary), something often gets lost. That is: it is your choice. In both cases though, however you choose, potential conflicts of interest or operational issues can arise.
For an inside CCO, you need to be careful that you are not too far inside. If you are the CEO's "right hand" person for compliance, that is great. But what if you give the CEO advice about family matters, outside business dealings, personal taxes, legal and advisory services, or you even find yourself on the CEO's side of a conflict of interest between his or her personal dealings and your clients or investors? You need to carefully identify and address any such conflicts of interest.
Another way you can be too far inside is to be too deep inside. What if you are multiple reporting levels away from the decision-makers in the firm, and you only make rare and carefully choreographed appearances before the board? You need to ask: do I have the authority and influence I need to do this job?
For an outside CCO, you need to make sure you are not too far outside. What if you had no role in creating the compliance policies and procedures, you do not review any reports, you are not involved in any operations, you have no experience in fund or adviser compliance, or you spend a minimal amount of time on your CCO duties? You need to ask: do I belong in this job?
Broker-Dealers
Let us turn to broker-dealers. What sorts of issues have we been seeing?
First: The Chief Compliance Officer
As with funds and advisers, let us start with the basics. Your firm should have a CCO. Again this seems pretty straightforward. Most commonly this issue seems to arise when the CCO resigns and is not replaced. Some firms name an interim CCO while they look for a permanent replacement, to make sure the position is never vacant.
In addition, we have found broker-dealers that failed to document how the CCO would handle compliance issues. When you are designing systems for your firm, do not forget yourself. You should ask: how will I identify, escalate and resolve serious compliance issues?
Second: Written Supervisory Procedures
Broker-dealers must have written supervisory procedures, or, as they are universally known, "WSPs." In recent examinations a deficiency has continued to come up that I must admit has always been one of my favorites. Firms use "canned" WSPs, but fail to adjust them for their own operations, and in some cases do not even know what they say. On occasion this can lead to comical results. Hopefully, when you tested and verified your procedures, you took the time to read them.
A more common issue is that your WSPs have holes in them. If your firm moves into a new business area, you should make sure that your WSPs are kept current. Areas that have come up recently include: hedge funds; contractual plans; and tenants-in-common real estate offerings.
Beyond holes in the WSPs, several basic controls over registered representatives always seem to come up, and have continued to do so. They include: failing to review outside employment, or, much the same thing, approving outside employment where the description of work is so vague that it is useless; issuing business cards for unregistered offices that do not have supervisor information; failing to obtain and review U-5s for new representatives; failing to assign representatives to a principal; and failing to adhere to the terms of a regime of special supervision.
The Annual Compliance Meeting is a favorite. I do not know why people have so much trouble getting it right. Recently we have found firms that had no compliance meeting, others that forgot a branch, others that forgot certain representatives, others that failed to document attendance, and others that tried to document attendance, but left the sign-in roster incomplete.
These issues can be serious. Nonetheless, you should be even more concerned if your WSPs give your representatives unsupervised access to the flow of funds or transactions. For example, in some recent examinations we have seen situations where representatives were allowed to deposit checks issued at the firm directly into customers' bank accounts; or where no manager approved trade corrections.
Third: Sales Practices
Sales practices are always an important supervisory area for broker-dealers. The most common problem in this area is sloppy adherence to your own procedures. If you develop an 'expense disclosure checklist,' or a 'mutual fund worksheet,' or a 'suitability disclosure document,' you should make sure that your sales force actually uses it.
Beyond that, an issue that has come up frequently in recent examinations is how you are supervising sales to the elderly. We have found a number of situations where elderly investors were sold products under doubtful circumstances or pursuant to doubtful claims of suitability. Hopefully, if you are selling products to this market segment, you are carefully supervising the sales practices being used.
Another important sales practice area, and one of continuing supervisory interest, is the switching of variable products. In recent examinations we have encountered firms that designed their monitoring systems so they do not capture switches from fixed to variable annuities. As a result, this type of transaction may escape full supervisory review. Other recent issues include: firms that review a switch only when the investor pays a penalty; firms that fail to verify statements made by their representatives after questionable switches; and firms that fail to conduct any suitability reviews for sub-account allocations.
Fourth: Identifying and Responding to Red Flags
For broker-dealers, I saved red flags for last. Identifying them and responding to them is an important part of every compliance and supervisory system. There are several tools in common use, but I will emphasize one: electronic exception reports.
Firms are increasingly relying on electronic exception reports as foundational elements in their supervisory and compliance systems. That is great. These reports can be valuable and can play a very positive role. Nonetheless, you have to use them carefully.
If you set their parameters too high, they could miss important red flags. For example, if you have an electronic report that monitors for investment time horizons, but you assume that only investors under age 50 have investment time horizons, you could miss a lot of red flags relating to the elderly. Also, an electronic report cannot find red flags in data it does not have. For example, if you rely on your clearing broker for mutual fund exception reports, but do most of your business with the fund companies by way of 'check-and-app,' those clearing broker reports will not do you much good. Finally, of course, along with a good design, you need to review the output and follow up on it.
That was a fast review of a lot of issues. I hope it helps you put your own review in context. I also hope it makes the point that if you found some of these issues in your review, or during your testing and verification, now is the time to fix them. That leads to our next question.
Second Topic: Implementing Recommendations
When I started, I said that this may be the most important time period in the whole review process. One of the reasons I think so is that I also believe this may be the riskiest time period. Let me explain.
There is some risk you completely forgot about your regulatory obligations, and simply failed to conduct a review or obtain a certification. Hopefully, for the people here, at a compliance conference, that is a pretty minimal risk.
There is also some risk that you performed a terrible review. This is a risk, but it is a risk that professionals can address on their own. You know what kind of a review you conducted and what kinds of testing and verification you performed.
Finally, there is a risk, the risk you face during the next few weeks, that all of your work was for naught, that your findings and recommendations will simply die on the vine. If you want to give this a name, you could call it "implementation risk." This risk is probably not in your control. To overcome it you will probably need to get buy-in and support from your business or legal-side executives.
The compliance rules have some formal requirements to help address this risk. For funds and brokers you must now submit a report to your Board. For funds, you have an additional 60 days from completion of the review, and for brokers you have until the next meeting of the Board, or within 45 days of executing the certification, whichever is sooner.
For every type of firm, hopefully you are now going to your business and legal executives, telling them about your review, telling them where the firm could improve, and getting their support. As always happens, sooner or later, we all must become sales people for compliance.
To further this process, I would like to suggest an agenda for your meeting with your executives. It is in the form of ten questions. If the questions sound a little self-serving for compliance, well, there is no harm in that, is there?
Did we meet all regulatory deadlines on time and with full compliance?
In our review did we identify any unique compliance risk exposures created by our personnel, organization, affiliations, or the way we do business, that are not faced by other comparable firms?
After our review, can we demonstrate how specific compliance policies and procedures or WSPs address our specific risk exposures, without any "gaps" between risk and response?
Do our written policies and procedures or WSPs accurately reflect our real practices? Are our real practices better or worse than what we have written down?
During the review, did we bring in outsiders to look at any of our policies, procedures, or WSPs? If yes: why? If not: why not?
What compliance tests did we run that analyze information over time to detect unusual patterns, to test and verify our procedures, or to verify the accuracy of specific disclosures we have made?
What were the worst red flags we identified during our review, and what did we do about them?
Do we have any serious compliance issues that remain open, that have not yet been closed or resolved?
Has anyone been unresponsive, or even tried to block compliance from doing its job, either during this process or during the course of the year?
What can senior executives do, on the business or legal side, to follow up on the review in a productive and helpful way, and to ensure that it has a lasting and positive impact on the organization?
Let me close the same way I began: Congratulations! Now, let us take what has been done and build upon it. Thank you.