U.S. Securities & Exchange Commission
SEC Seal
Home | Previous Page
U.S. Securities and Exchange Commission

Speech by SEC Staff:
"Comprehensive Compliance Examinations for Securities Firms"


Mary Ann Gadziala

Associate Director
U.S. Securities and Exchange Commission

Compliance Management and Structure Conference1
Washington, DC
May 16, 2006

The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of the author and do not necessarily reflect those of the Commission, the Commissioners or of the author's colleagues on the staff of the Commission.

Thank you for inviting me to share my views on compliance for securities firms. Since we have representatives of the NYSE and NASD on our panel, I will not discuss specific SRO compliance rules. Rather, I will focus on more general laws and on what we, in the SEC exam program, view as effective compliance programs based on our examinations in the area.

The Securities Exchange Act of 1934 notes that transactions in securities are affected with a national public interest, making it necessary to provide for regulation and control and to impose requirements in order to protect interstate commerce and insure the maintenance of fair and honest markets in such transactions. Similar language is found in the Investment Company Act of 1940, which also enumerates actions that adversely impact the public interest and the interest of investors. These general mandates and other provisions require that market participants operate in compliance with all laws and rules intended to achieve these goals. In order to maintain compliance with the laws and rules that govern the conduct of securities firms, firms need comprehensive compliance systems. To create and maintain such a system, a firm needs to first identify compliance risks and to evaluate controls to address these risks. Firms may do this in any number of ways. In general, they are conducting regular risk assessments. The next step is to implement appropriate controls designed to prevent violations, promote compliance, and identify and address compliance failures. While there are some rules mandating certain compliance programs or aspects of a compliance program, much is left to the firm's development of a compliance culture and policies, procedures, and practices customized to the firm's own business. I will discuss this in more detail later in my presentation.

Some laws and rules recently promulgated require effective ethics and compliance programs for public companies. For example, section 406 of the Sarbanes-Oxley Act directed the Securities and Exchange Commission (SEC or Commission) to issue rules requiring each issuer to disclose whether it has established a code of ethics for its senior financial officers, and if not, the reason therefore. Among the requirements specified in the law to comply with section 406 are standards reasonably necessary to promote compliance with applicable governmental rules and regulations. SEC rules have been issued to implement these provisions (Sections 228. 406 of Regulation S-B and 229.406 of Regulation S-K). There are also laws requiring compliance programs for regulated entities in specific areas. For example, the PATRIOT Act requires securities firms to implement compliance programs with respect to anti-money laundering requirements. In December 2003, the SEC adopted Rule 38a-1 under the Investment Company Act of 1940 and Rule 206(4)-7 under the Investment Advisers Act of 1940. These rules require each registered investment company and investment adviser to adopt and implement written policies and internal control procedures reasonably designed to prevent violation of the federal securities laws, to review the policies and procedures annually for adequacy and effectiveness, and to designate a chief compliance officer. In July 2004, the Commission adopted Rule 204A-1, requiring each registered investment adviser to adopt a written code of ethics that sets forth standards of conduct expected of advisory personnel and addresses conflicts that arise from personal trading by them.

Like other risk management systems, there is no standardized compliance program that can be designed to fit the needs of every securities firm. A firm should design its compliance system based upon its own business operations, structure, customer base, size, complexity, product mix, geographic dispersion, and other factors related to the firm. A firm may choose to address compliance requirements through personnel other than those in its "compliance department." Other independent control areas may be better suited to address specific compliance needs and responsibilities. In addition, while a particular sound practice may work well for a large firm, the same approach may not be effective or economically feasible for a smaller firm. The reverse may also be true. Regulators do not dictate one standard program that will work for every firm — it is up to each firm to evaluate its own compliance risks and adopt procedures and controls that are effective for that firm. In any event, to the extent there are specific laws and rules, securities firms must, of course, comply with both the letter and the spirit of those laws.

Notwithstanding the lack of a specific and complete blueprint for compliance programs, there is some general guidance that may assist firms in their compliance evaluations. For example, the industry itself, through the Securities Industry Association's Compliance and Legal Division, issued its "White Paper on the Role of Compliance" in July 2005. In addition, the Standing Committee 3 on Market Intermediaries of the International Organization of Securities Commissions published a report in February 2006 entitled the "Compliance Function at Market Intermediaries" ("IOSCO Report"). Similarly, the Basel Committee on Banking Supervision issued a paper ("Basel Report") on compliance risk and the compliance function in banks. The IOSCO Report and the Basel Report rely on the same definition of the compliance function: a function that, on an on-going basis, identifies, assesses, advises on, and monitors and reports on a market intermediary's compliance with securities regulatory requirements. This includes whether there are appropriate supervisory procedures in place. These are three reports you might consider in assessing compliance programs at securities firms. The remainder of my remarks on compliance programs are based principally on examination findings at broker-dealers.

1. Compliance Culture

The most important aspect of compliance at a firm is not simply how elaborate its system may be or how voluminous its written procedures may be. What is most important is the permeation throughout the firm of a "compliance culture." A "culture" of compliance at a firm is an overall environment that fosters ethical behavior and sensitivities to compliance with the law in all decision-making. It should not be a short-term fix to satisfy SRO rules or SEC deficiency letters following an examination. Rather, it should be a well-thought out, comprehensive system with a long-term strategy. A firm's senior management should focus the same attention on its compliance and supervisory programs as it devotes to its business profit centers. Compliance should also be the responsibility of every employee of the firm, not just compliance personnel.

Some elements examiners may expect to find in an effective compliance culture include: the identification and control of compliance risks; implementation of effective compliance and supervisory systems; a well resourced and effective compliance function with compliance leadership recognized at the same level as business heads; participation of compliance persons in assisting and overseeing proactive business supervisory activities; effective reporting and resolution of significant compliance issues; and training and monitoring employees in the performance of their duties.

2. Comprehensive Identification and Control of Compliance Risks

As I mentioned earlier, the first component of an effective compliance program is the comprehensive identification and evaluation of compliance risks and controls. Compliance risks arise from all relevant laws, rules and regulations applicable to a firm. While the focus of the Commission examination program is the securities laws and rules and SRO rules, effective firm compliance programs assess all applicable laws, whether related to employment, tax, or any other areas; firms may seek guidance from experts for legal requirements outside the area of securities compliance. This first component of an effective compliance program involves identification of all laws and rules that apply to the firm, an evaluation of controls, and a gap analysis of weaknesses that should be addressed. There should be an effective mechanism for addressing the control gaps and tracking resolution of open issues. A firm should also be cognizant of actions that might be viewed as assisting potential violations by their customers, in order to avoid charges of aiding and abetting such violations. The Enron experience is a prime example of this compliance risk. You might refer to letter from Annette L. Nazareth, Director of Market Regulation, Securities and Exchange Commission, to Richard Spillenkothen and Douglas W. Roeder, dated December 4, 2003 (http://www.federalreserve.gov/boarddocs/srletters/2004 and www.occ.treas.gov).

The greater the compliance risk, the more the firm should focus on compliance in the area. The identification of compliance risks and corresponding changes to the compliance system should be a dynamic process designed to ensure that the firm's compliance controls remain responsive to changes in laws as well as in the activities of the firm.

3. Compliance Program

Now, let's look at the compliance program itself. While ultimate responsibility for compliance remains with the broker-dealer and with the designated principal officer, senior management generally delegates substantial responsibility for establishing, maintaining, and monitoring its supervisory and compliance program responsibilities. In an effective program, these delegations are specific, in writing, and clearly identify the person or persons with authority and responsibility for the function.

Some core compliance functions are:

  • Identification, measurement, and assessment of compliance risk.
  • Managing compliance risks, addressing compliance concerns, and validating corrective plans.
  • Working with top business management to report on and maintain compliance, and escalate compliance failures.
  • Acting as liaison with regulators and other compliance officials.
  • Complying with requirements of specific statutory compliance program mandates.
  • Establishing and implementing compliance policies and procedures, and standards and controls.
  • Overseeing complete and current written supervisory procedures, timely disseminating them to employees, and monitoring, surveilling, and overseeing business supervisory activities.
  • Detecting, preventing and managing conflicts of interests.
  • Training and education of firm employees.
  • Overseeing employee-related matters, such as registration, licenses, regulatory filing, and employee trading.

You might review the SEC Division of Market Regulation's "Guide to Broker-Dealer Registration" (http://www.sec.gov/divisions/marketreg/bdguide.htm), and the NASD's "Written Supervisory Procedures Checklist" (www.nasd.com/web/groups/corp_comm/documents/
home_page/nasdw_009839.pdf) for information on what may be included in a firm's compliance program.

Effective compliance functions are independent from the businesses of the firm. This covers not only formal reporting lines. Other relevant factors may be: to whom are compliance concerns reported and who is required to resolve compliance issues; who sets compensation, bonuses, and performance ratings for compliance personnel; and whether compliance personnel compensation reflects profits of the specific business for which the compliance person has responsibility. Despite the separation from business profit centers, the compliance function should have adequate resources, appropriate automated systems and experienced personnel to effectively accomplish its goals. To the extent a firm has large diversified operations, it has been examination staff experience that a centralized or comprehensively coordinated compliance program may be most effective.

Let's now turn to subject matter areas as opposed to functions. The list of subject areas that may be covered by the compliance program has been steadily developing over the past several years. A quite lengthy list can be found in Appendix C of the IOSCO Report. The SROs also have issued substantial information in this area. Among the subject areas that may be included in a compliance program are:

  • regulatory capital compliance and financial responsibility
  • suitability, switching between products, churning, fee based accounts, margin, short sales, unauthorized trading, parking, late allocations, misappropriation
  • trade errors and corrections
  • best execution
  • market manipulation and insider trading
  • protection of confidential customer information, privacy issues and data security
  • books and records
  • commissions, gifts or entertainment
  • information barriers and employee trading
  • business conduct rules and ethics
  • branch office reviews
  • customer complaints, client marketing, advertising, and communications
  • transfer of funds and customer address changes
  • anti-money laundering compliance

4. Supervisory Function

The compliance function and the supervisory function have different purposes. As an independent area, the compliance function is designed to perform broad-based reviews, absent conflicts that may arise from compensation or other connections to the underlying activity. The supervisory function, on the other hand, is typically business-oriented and is responsible for day-to-day real time review of transactions and activities with the direct knowledge of the employee's activities. All business activities of a firm should be covered.

Pursuant to Exchange Act Section 15(b), a broker-dealer and any person associated with a broker-dealer may be censured, among other things, by the Commission if the Commission finds that the broker-dealer or associated person failed reasonably to supervise, with a view to preventing violations of the provisions of the federal securities laws, another person who commits such a violation, if such other person is subject to his supervision. Under Exchange Act Section 15(b)(4)(E), a defense exists if "(i) there have been established procedures, and a system for applying such procedures, which would reasonably be expected to prevent and detect, insofar as practicable, any such violation by such other person, and (ii) such person has reasonably discharged the duties and obligations incumbent upon him by reason of such procedures and system without reasonable cause to believe that such procedures and system were not being complied with."

Broker-dealers assign a supervisor to every registered employee. In designing the supervisory system, responsibilities of each supervisor should be clear and the supervisor should have appropriate tools to reasonably perform the responsibilities assigned. Consideration should be given to factors impacting the supervisor's ability to perform assigned duties, such as conflicts with other activities of the supervisor, limitations on time, and remoteness from the person being supervised. In the area of supervision of remote offices, the SEC's Division of Market Regulation issued Staff Legal Bulletin No. 17 (March 19, 2004). The bulletin discusses issues related to inspections, off-site review of activity, designation of supervisory responsibility, the hiring process, and control procedures over customer accounts.

Firms should have written supervisory procedures tailored to the firm's business. They should be updated to reflect any changes to the supervisory system. And they should describe steps the firm will take when potential deficiencies are identified. SRO Rules and interpretations deal with this area in more detail. Compliance generally monitors and oversees the supervisory function.

5. Employee Supervision

Another broad area involving the compliance function involves aspects of employee supervision. These may include: oversight for appropriate background checks in the hiring process; monitoring registration of appropriate employees; ensuring implementation of an appropriate program for heightened supervision of problem employees; producing written compliance for employees, and assisting in creating a code of ethics; implementing employee training programs; and conducting employee trading reviews. While some of these requirements apply only to registered employees, firms should consider whether similar practices should be extended to non-registered employees who may perform functions critical to the firm's business or otherwise create compliance risks. And again, these compliance-related functions may be carried out by independent control personnel other than those in the compliance department, as appropriate.

6. Priorities

As I mentioned earlier, compliance should particularly focus on areas with the greatest compliance risks. This may include areas where problems have occurred in the firm or at other firms, where new rules have been imposed, where the firms sell new products or where sales of products in a particular area are growing dramatically. Some priority areas for broker-dealers from the SEC exam program perspective are:

  1. Supervision, with a focus on branch offices, independent contractors, and comprehensive and effective coverage of all business areas.
  2. Risk management and internal controls, with a focus on liquidity, conflicts of interests, new products and complex structured finance transactions.
  3. Sales practices and suitability; some areas that may require extra attention are fee-based accounts; separately managed accounts; variable annuities; penny stocks, private placements, illiquid securities, volatile securities, and hedge funds.
  4. Fixed income-markups, trade reporting, and best execution.
  5. Undisclosed compensation and solicitation agreements.
  6. Books and records, and email retention.
  7. Outside business activities of registered representatives, including mortgage brokers and sellers of hedge funds and variable insurance products.
  8. Sales and marketing to senior citizens.
  9. Business Continuity Practices (BCP), including meeting standards of the Interagency Whitepaper on Market Resilience by "significant firms", and BCP plans for all firms.
  10. All aspects of anti-money laundering compliance.

Finally, I would like to say a few words about self-reporting compliance problems and cooperating with the SEC in investigating and resolving problems. In October 2001, the SEC issued a "Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions" (Exchange Act Release No. 44969, October 23, 2001). This explained the reasons for the SEC decision not to take enforcement action against a company it had investigated for financial statement irregularities. The Press Release announcing the Report (Release No. 2001-117, October 23, 2001) summarized the Report's four broad measures of a company's cooperation to include the following:

  • Self-policing prior to the discovery of the misconduct, including establishing effective compliance procedures and an appropriate tone at the top;
  • Self-reporting of misconduct when it is discovered, including conducting a thorough review of the nature, extent, origins and consequences of the misconduct, and promptly, completely, and effectively disclosing the misconduct to the public, to regulators, and to self-regulators;
  • Remediation, including dismissing or appropriately disciplining wrongdoers, modifying and improving internal controls and procedures to prevent recurrence of the misconduct, and appropriately compensating those adversely affected; and
  • Cooperation with law enforcement authorities, including providing the Commission staff with all information relevant to the underlying violations and the company's remedial efforts.

The criteria are set forth in greater detail in the 21(a) Report. Reduced charges, lighter sanctions, or mitigating language in documents the Commission uses to announce and resolve enforcement actions are examples of possible results of cooperative behavior and self-reporting. Enhanced communications between financial firms and regulators is another positive step in maintaining compliance in the securities industry through appropriate prompt responses to compliance issues and early resolution of problems.

In conclusion, I hope my remarks have offered some insights on what we have seen in effective compliance programs at broker-dealers. I have personally seen significant progress over the past few years by many firms in building effective compliance programs. Open communications and constructive cooperative efforts between regulators and the industry have significantly contributed to these efforts. This should maintain the highest level of proactive and effective compliance in the securities industry. Thank you very much for allowing me to share my thoughts with you on this very important regulatory area. I would be happy to take your questions.



Modified: 05/17/2006