"Incentivizing Good Compliance"
Lori A. Richards
Director, Office of Compliance Inspections and Examinations
Securities and Exchange Commission
2008 Willamette Securities Regulation Conference
Willamette University College of Law
October 30, 2008
Good Morning. I'm very pleased to be with you here today. I want to thank Willamette University College of Law, and particularly, Mike Eisenberg and Peter Letsou for inviting me to participate. I know Mike from his days before the SEC, and of course was honored to work with him while he was deputy general counsel and acting director of the Division of Investment Management at the SEC. Mike is keenly protective of investors' interests and was an able advocate for investors while at the SEC, on many issues and on many fronts. I consider Mike a friend and I also respect him for his constant advocacy for doing what's right by investors.
Before I begin, I am required to state that the views I express today are my own, and do not necessarily represent the views of the Commission or any other member of the staff.
This conference is intended to bring together current and former SEC and state securities regulators with leading securities attorneys across the country to discuss current developments in securities regulation, litigation and enforcement. As I speak to you today, our markets are undergoing unprecedented change. Once large firms no longer exist, and others have been acquired or merged. A money market fund has broken a dollar. The government has taken unprecedented steps to guarantee some money market funds, to buy troubled assets and to shore up credit markets.
During this time, the SEC has been aggressively working to police the markets, and to ensure that the "rules of the road" for public companies and market participants include full disclosure to investors and promote healthy capital markets. Addressing the extraordinary challenges facing our markets, the SEC has issued new regulations to strengthen capital markets and protections for investors, taken enforcement measures against market manipulation (including a landmark enforcement action against a trader who spread false rumors designed to drive down the price of stock), initiated examination sweeps, communicated with investors, and collaborated with domestic and foreign regulators around the world.
The SEC has an aggressive enforcement staff too — indeed in just this last year, we brought more than 650 enforcement actions (more than any year but one) involving all types of fraud that harm investors. And, in just the last year alone, we returned over one billion dollars to harmed investors — making the protections of the federal securities laws mean something to those investors who have been defrauded.
In the SEC's Office of Compliance Inspections and Examinations, we are responsible for examining securities firms — advisers, funds, broker-dealers, SROs, transfer agents — for compliance with the law. The examination program is comprised of over 800 examiners, accountants and lawyers across the country. Our job is to conduct examinations to identify compliance weaknesses, deficiencies and violations at SEC-registered firms. An important function of examinations is to identify weaknesses in compliance and other internal controls that could allow fraud and other types of violations to occur down the road — and to encourage and ensure that firms beef up their internal controls to prevent this from happening. In this way, examiners play a proactive role in the securities markets in helping to prevent problems from occurring at all.
As you might expect, as an examiner my perspective on securities regulation is an acutely practical one. I see every day the way that securities firms go about implementing the securities laws. I see what works and what does not work in practice. So, it's this quite functional, non-theoretical perspective that forms my views.
I wanted to talk with you today about incentivizing compliance. This is an issue that I have been thinking about during the past year, as we've all witnessed compliance breakdowns and failures of various types. I'm referring to: January's revelations of Jerome Kerviel's alleged unauthorized trading at Societe Generale;i in February, the public learned of the fraud allegedly orchestrated by the former Chairman and CEO of Refco, in which he allegedly concealed trading losses and operating expenses during the company's IPO;ii in March, the SEC charged Fidelity with allegedly allowing its traders to accept lavish gifts from brokers courting its trading business and failing to seek best execution;iii in April, the SEC charged stock trader Paul Berliner with allegedly spreading false rumors to intentionally drive down the price of a stock;iv in May, the SEC charged Banc of America Investment Services with allegedly failing to disclose to clients that it favored two of its proprietary mutual funds when it made investments for its wrap fee clients;v in June, the SEC accused Bear Stearns' hedge fund managers of allegedly fraudulently misleading investors about the funds' holdings;vi in July, the SEC charged E*Trade with allegedly failing to have an adequate anti-money laundering compliance program to verify the identities of its customers;vii in August, the SEC's Division of Enforcement reached agreements in principle with UBS, Wachovia and Merrill Lynch to buy back billions of dollars in auction rate securities from retail investors, many of whom believed that they were liquid investments;viii and just last month, the SEC charged AmSouth Bank and AmSouth Asset Management with allegedly defrauding mutual funds by secretly using $16 million of the fund's money to pay for the adviser's marketing and other expenses.ix
As I look back on these and other alleged compliance failures, to me, they reinforce the necessity of organizations having front-end compliance systems that would prevent similar problems from occurring. In any good organization, when things go wrong at the firm or at another firm in the industry — people dissect those incidents, asking "How was this possible?" "What could have prevented it?" "How might we have detected early signs of it sooner?" In this way, compliance failures often lead to stronger preventative controls at other firms in the industry.
The Frank Gruttadauria matter is a case in point. Remember him? He was the registered representative in Ohio who diverted his customers' account statements to his own P.O. box and sent his customers inflated account balances on fake account statements, thereby perpetuating a massive fraud?x This incident led to an appreciation of the value of protections over customer changes of address, wire transfers and account statements, and improvements in controls across the industry. It's a perfect example of how compliance breakdowns can lead to strengthened compliance controls.
I don't underestimate the value of this kind of incident-driven learning. It is important and it leads to significant improvements in prevention and detection techniques. But, while we learn from failures, it seems to me that organizations should be focusing more attention on how to better incentivize strong compliance by employees in the first place.
Why Does Compliance Happen?
Stepping back a bit, before thinking about how to incentivize compliance, I think we first need to identify reasons why non-compliance occurs, and, on the flip side of that question, why compliance occurs. I posit that there are many different reasons why people don't comply with an obligation — for example, they may not be aware of an obligation, they may perceive that they will obtain a benefit by not complying, they may think that they are unable to comply, and, they may simply disagree with the obligation.
If that's why non-compliance occurs, why does compliance occur? I think that compliance "happens" when three things occur: first, when a person understands what his obligations are; second, when he is able to comply with the obligation; and third, when he is willing to comply with the obligation (simply put, he knows what he has to do, he wants to do it, and he can do it). Let me describe each of these components briefly — and how we at the SEC have sought to address each of them in order to facilitate compliance with the securities laws.
The first requirement for compliance is that a person must understand their obligations. This is obvious to you, I'm sure, but I'm amazed at the number of times that SEC examiners find deficient practices and the person responsible claims they did not understand either that they had an obligation or its precise nature. For example, we often find that firms are not aware of compliance obligations with respect to new rules. It sometimes takes time for people to learn about and understand their obligation. This is why effective education and training are so important. For our part, we've included new rules in our CCOutreach programs, which are designed to help chief compliance officers learn techniques and strategies to strengthen their own firms' compliance programs. We also created a "plain English" summary of key provisions of the Investment Advisers Act and emailed it to some 10,000 advisory firms! In addition, we seek to provide clear explanations of the law and new rules whenever possible.
The second requirement for compliance is that the person must be able to discharge their compliance obligations. Compliance obligations must not be unattainable. At the Commission, the SEC engages in a notice and comment process before implementing new rules, which provides us with input about (among other things) the feasibility of the proposed rule in practice.
It is the third requirement for compliance — a person's willingness to comply — that is perhaps the most complicated because it is inherently human and relies on an individual's own behavioral characteristics. For example, some people will be willing to comply because they place intrinsic value on doing what's right. As well, people's willingness to comply will be greater if they perceive that there is significant downside in not complying. This is why both regulators and compliance personnel spend so much time warning people about the harm that will befall them — for example, losing their job, their reputation, or their freedom — if they don't comply. This is deterrence — the "stick" — and it's a powerful motivator and indispensable in the toolkit of any compliance professional.
In addition to imposing deterrence for non-compliance, I think that people will also be more willing to comply when they perceive that there are positive benefits in doing so. Human beings are purposeful, and will behave in certain ways if they perceive they will be rewarded for doing so. This is where we get to incentives — the "carrot" — the positive reward for undertaking the behavior we seek. I think that there has been limited focus on incentives in securities compliance, and I wanted to discuss some of my thoughts on this topic with you today.
Incentives and Behavior
In the business world, firms provide incentives to their employees to draw performance, to achieve results or to meet other expectations of the organization. Most commonly, and perhaps most powerfully, incentives are financial, salary and bonuses. Incentives also take other forms, and include trips, titles, and other, softer, rewards. Incentives are provided to individual employees and also to groups of employees within divisions or units. Most commonly, incentives are provided to encourage production — production of sales, production of profit, and production of accounts.
Academic literature is filled with studies of how incentives work. There is ample evidence too that incentives can yield unintended results. In his recent book called The Cheating Culture: Why More Americans Are Doing Wrong to Get Ahead, the author David Callahan writes that rampant cheating in American society is due in part to incentive structures that unintentionally reward deception and cheating.xi Callahan provides multiple recent examples of this phenomenon:
- In the 1990s, when a company instituted a production quota for its car repair staff, mechanics began performing unnecessary and costly maintenance.
- In the legal profession, pressed to bill as many hours as possible, ambitious young lawyers overcharge clients.
- In the medical profession, to ensure that insurers won't deny coverage to the patient, doctors exaggerate the symptoms of their patients.
In the corporate world, incentives can also yield unintended results. Incentive compensation plans were often cited as one cause of the financial frauds at Enron and Worldcom. Compensation incentives encouraged employees to achieve results at whatever cost.xii And more recently, stock option compensation plans were gamed by some corporate executives.
In recent years, public policy has recognized the connection between incentives and behavior. Drawing the connection between compensation and compliance, one of the provisions of the Sarbanes-Oxley Act, passed by Congress in response to corporate fraud, requires the CEO and CFO to reimburse the company for their bonus or incentive-based compensation if the company must restate its financial statements due to any material noncompliance, misconduct or with a financial reporting requirement (Section 304).
And, following the Sarbanes-Oxley Act, the Federal Sentencing Guidelines were amended to place a greater focus on prevention of violations and conformity with ethical standards, and they made high-level personnel more responsible for implementing and overseeing a compliance program. Added to the Guidelines for an effective compliance and ethics program was a requirement that "[t]he organization's compliance and ethics program shall be promoted and enforced consistently throughout the organization through … appropriate incentives to perform in accordance with the compliance and ethics program …".xiii
More recently, the new Emergency Economic Stabilization Act of 2008 established the Troubled Asset Relief Program (TARP) at the Department of the Treasury.xiv That law contains various standards for executive compensation and corporate governance and draws a linkage between compensation and risk-taking. It requires that any firm that sells troubled assets to the Treasury or participates in the capital purchase program under the TARP have limits on executive compensation that exclude incentives for senior executive officers to take unnecessary and excessive risks that threaten the value of the financial institution.xv John White, the Director of the SEC's Division of Corporation Finance, spoke about these new provisions last week, and also announced that the SEC's Division of Corporation Finance will review the annual reports of the largest U.S. financial institutions that are public companies, with particular focus on these firms' disclosures concerning their executive compensation.xvi
Incentives in the Securities Industry
With respect to securities firms and investment advisers that are registered with the SEC (and examined by SEC examiners), there are many examples of incentive-based compensation systems. The most common compensation system historically has been the commission-based sales compensation paid to registered representatives for selling a security. This compensation structure incentivizes sales, but its exclusive focus on sales may encourage sales that are inappropriate for the customer. For example, in order to generate a commission, a registered representative may sell securities that are unsuitable for the customer, or buy and sell securities excessively ("churning"). And, when sales commissions are higher for the sales of certain products, such as variable annuities, a registered representative can be tempted to recommend them over other products that may be more suitable for the customer.xvii The movement to asset-based compensation removed this incentive and hopefully, will reduce some of the sales practice problems that we've seen. Ironically, however, there are also examples of "stale" or inappropriately unmanaged accounts, which may have been incentivized by asset-based fees.
Some investment advisers are compensated based on the performance of their accounts. This structure aligns the performance-interests of the client and the adviser. It can, however, incentivize risk-taking beyond that which is appropriate for the customer or investor and beyond disclosures in order to pull in higher returns. Performance-based compensation could also incentivize the overvaluation of client portfolios in order to generate a higher performance-based fee.
It seems to me that one way to reduce the unintended incentives that can arise in an incentive compensation system is to ensure that the compensation system incentivizes production but in a manner that is consistent with the law, the firm's code of ethics and the internal compliance and risk culture of the firm. If the firm's compensation incentives include only hard production numbers — how many accounts did you open, how much profit did you generate, how many deals did you ink — the firm may encourage employees to do so at any cost, and at cost to the firm, to its reputation, and to its customers and clients. We all know the adage "you get what you pay for," but it is perhaps more true that "you don't get what you don't pay for."
The performance that most firms want includes adherence to the firm's own policies and procedures with respect to internal controls and compliance, and it includes adherence to high ethical standards. As a starting point, the firm's compliance and internal controls infrastructure must be strong enough to underpin these incentives — this means that the firm must compensate its compliance staff adequately and ensure that they have sufficient resources to do the job. The responsibility to ensure a strong culture of compliance and a compliant organization, however, rests with managers and leaders of the firm.
Given that firm leaders and managers have this responsibility, why not incentivize it to happen, right along with incentivizing production? Here are some ways that I think securities firms might better incentivize compliance by their employees with the firm's risk and compliance controls:
- Be clear about expectations. Managers and employees should be aware that compliance with the firm's internal risk management and compliance policies is expected, and performance expectations should be explicit on this point.
- Reward managers who achieve compliance. Managers could be compensated in part based on their branch's or unit's compliance activities (results of surveillance reviews, internal reviews, customer satisfaction levels). Positive results get higher compensation.
- Reward managers who cultivate a culture of compliance. Many organizations are measuring their employees' attitudes towards ethics and compliance by the use of surveys. Some firms then tie a component of their senior managers' compensation to the attitudes expressed by their unit's employees. Positive results get higher compensation.
- Make strong compliance an advertised goal. In industrial plants, firms advertise the number of days with a "clean" safety record — to remind employees about the importance of safety on the job. Other organizations could take a lesson and publicize the number of days without a customer complaint, arbitration, or aggrieved customer.
- Reward employees for considering compliance issues. Employees could be incentivized to approach compliance staff early on with questions about compliance — well before the deal, or the product or the transaction is launched.
- Consider new incentives. While sales incentives may be a part of the fabric of the securities business, wouldn't a reward based on the satisfaction levels of the clients of the registered representative or advisory representative be more meaningful? (satisfaction could be measured by, for example, whether the investor believes that the financial adviser understands the investor's needs, objectives, and risk tolerance; is responsive; effectively invests their funds; adequately discloses risks and costs; and provides understandable explanations about investment options). Wouldn't that type of reward incentivize the kind of long-term relationships that firms so want to develop?
- Incentives impact risk. Because incentives drive behavior, an organization's risk-assessment process could take into account the incentives that exist that encourage and reward compliance, and could identify areas and employees who do not operate with these incentives. Firms could include the latter as areas that may present higher risk and may warrant closer review. In addition, when organizations conduct special reviews or inquiries of compliance breakdowns, they could include an evaluation of the role that incentives played.
I'm certain that there are other ways too that organizations could better incentivize strong compliance — I hope that organizations will take time to consider how they might better incentivize strong compliance, to help encourage firm employees to operate in accordance with the law, the firm's code of ethics and its internal compliance and risk controls.
Thank you for your attention. I have enjoyed speaking with you today about how organizations might better incentivize good compliance. I look forward to hearing from you on this issue — what incentives to foster strong compliance have you observed? What has worked? What does not work? Most importantly, I hope that there will be constructive thinking within securities firms about how they might better incentivize strong compliance practices right from the start.