Speech by SEC Staff:
The Role of Compliance and Ethics in Risk Management
Carlo V. di Florio
Director, Office of Compliance Inspections and Examinations1
NSCP National Meeting
October 17, 2011
Thank you for inviting me to speak at this event. The work you all do is incredibly important, and we appreciate and respect your critical contributions to investor protection and market integrity. Today I would like to address two related topics that are growing in importance: the heightened role of ethics in an effective regulatory compliance program, and the role of both ethics and compliance in enterprise risk management. The views that I express here today are of course my own and do not necessarily reflect the views of the Commission or of my colleagues on the staff of the Commission.
In the course of discussing these two topics, I would like to explore with you the following propositions:
- Ethics is fundamental to the securities laws, and I believe ethical culture objectives should be central to an effective regulatory compliance program.
- Leading standards have recognized the centrality of ethics and have explicitly integrated ethics into the elements of effective compliance and enterprise risk management.
- Organizations are making meaningful changes to embrace this trend and implement leading practices to make their regulatory compliance and risk management programs more effective.
Ethics and the Federal Securities Laws
The debate about how law and ethics relate to each other traces all the way back to Plato and Aristotle. I am not the Director of the Office of Legal Philosophy, so I won’t try to contribute to the received wisdom of the ages on this enormous topic,2 except to say that for my purposes today, the question really boils down to staying true to both the spirit and the letter of the law.
Framed this way, ethics is a topic of enormous significance to anyone whose job it is to seek to promote compliance with the federal securities laws. At their core, the federal securities laws were intended by Congress to be an exercise in applied ethics. As the Supreme Court stated almost five decades ago,
[a] fundamental purpose, common to [the federal securities]… statutes, was to substitute a philosophy of full disclosure for the philosophy of caveat emptor and thus to achieve a high standard of business ethics in the securities industry…. “It requires but little appreciation . . . of what happened in this country during the 1920's and 1930's to realize how essential it is that the highest ethical standards prevail” in every facet of the securities industry.3
Of course, what has happened through the financial crisis I believe is yet another reminder of the fundamental need for stronger ethics, risk management and regulatory compliance practices to prevail. Congress has responded once again, as it did after the Great Depression, with landmark legislation to raise the standards of business ethics in the banking and securities industries.
The manner in which the federal securities laws are illuminated by ethical principles was well illustrated by the Study on Investment Advisers and Broker-Dealers that the Commission staff submitted to Congress earlier this year pursuant to Section 913 of the Dodd-Frank Act (“913 Study”).4 As described in the 913 study, in some circumstances the relationship is explicit, such as the requirement that each investment adviser that is registered with the Commission or required to be registered with the Commission must also adopt a written code of ethics. These ethical codes must at a minimum address, among other things, a minimum standard of conduct for all supervised persons reflective of the adviser’s and its supervised persons’ fiduciary obligations.5
In other circumstances, an entire body of rules is based implicitly on ethical precepts. This is the case with the rules adopted and enforced by FINRA and other self-regulatory organizations, which “are grounded in concepts of ethics, professionalism, fair dealing, and just and equitable principles of trade,” giving the SROs authority to reach conduct that may not rise to the level of fraud.6 This has empowered FINRA and other SROs to, for example, not require proof of scienter to establish a suitability obligation,7 to develop rules and guidance on fair prices, commissions and mark-ups that take into account that what may be “fair” (or reasonable) in one transaction could be “unfair” (or unreasonable) in another,8 and to require broker-dealers to engage in fair and balanced communications with the public, disclose conflicts of interest, and to undertake a number of other duties.9 In addition to approving rules grounded on these ethical precepts, the Commission has also sustained various FINRA disciplinary actions utilizing FINRA’s authority to enforce “just and equitable principles of trade,” even where the underlying activity did not involve securities, such as actions involving insurance, tax shelters, signature forgery, credit card fraud, fraudulent expense account reimbursement, etc.10
Other ethical precepts are derived from the antifraud provisions of the federal securities laws. The “shingle” theory, for example, holds that by virtue of engaging in the brokerage business a broker-dealer implicitly represents to those with whom it transacts business that it will deal fairly with them. When a broker-dealer takes actions that are not fair to its customer, these must be disclosed to avoid making the implied representation of fairness misleading. A number of duties and conduct regulations have been articulated by the Commission or by courts based on the shingle theory.11
Another source by which ethical concepts are transposed onto the federal securities laws is the concept of fiduciary duty. The Supreme Court has construed Section 206(1) and (2) of the Investment Advisers Act as establishing a federal fiduciary standard governing the conduct of advisers.12 This imposes on investment advisers “the affirmative duty of ‘utmost good faith, and full and fair disclosure of all material facts,’ as well as an affirmative obligation to ‘employ reasonable care to avoid misleading’” clients and prospective clients. As the 913 Study stated,
Fundamental to the federal fiduciary standard are the duties of loyalty and care. The duty of loyalty requires an adviser to serve the best interests of its clients, which includes an obligation not to subordinate the clients’ interests to its own. An adviser’s duty of care requires it to “make a reasonable investigation to determine that it is not basing its recommendations on materially inaccurate or incomplete information.”13
While broker-dealers are generally not subject to a fiduciary duty under the federal securities laws, courts have imposed such a duty under certain circumstances, such as where a broker-dealer exercises discretion or control over customer assets, or has a relationship of trust and confidence with its customer.14 The 913 Study, of course, explores the principle of a uniform fiduciary standard.
Concepts such as fair dealing, good faith and suitability are dynamic and continue to arise in new contexts. For example, the Business Conduct Standards for Securities-Based Swap Dealers (“SBSDs”) and Major Security-Based Swap Participants (“MSBSPs”), required by Title VII of the Dodd-Frank Act and put out for comment last summer, include proposed elements such as
- a requirement that communications with counterparties are made in a fair and balanced manner based on principles of fair dealing and good faith;
- an obligation to disclose to a counterparty material information about the security-based swap, such as material risks, characteristics, incentives and conflicts of interest; and
- a determination by SBSDs that any recommendations that they make regarding security-based swaps are suitable for their counterparties.
Of course the Business Conduct Standards have not been finalized, but the requirements of Title VII requiring promulgation of these rules, as well as the content of the rules as proposed, illustrate that ethical concepts continue to be a touchstone for both Congress and the Commission in developing and interpreting the federal securities laws.
The Relationship Between Ethics and Enterprise Management.
Ethics is not important merely because the federal securities laws are grounded on ethical principles. Good ethics is also good business. Treating customers fairly and honestly helps build a firm’s reputation and brand, while attracting the best employees and business partners. Conversely, creating the impression that ethical behavior is not important to a firm is incredibly damaging to its reputation and business prospects. This, of course, holds true equally for individuals, and there are plenty of enforcement cases that tell the story of highly talented and successful individuals who were punished because they violated their ethical and compliance responsibilities.
Another way of saying this is that a corporate culture that reinforces ethical behavior is a key component of effectively managing risk across the enterprise. As the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) put it, in articulating its well-established standards of Internal Control and Enterprise Risk Management:
An entity’s strategy and objectives and the way they are implemented are based on preferences, value judgments, and management styles. Management’s integrity and commitment to ethical values influence these preferences and judgments, which are translated into standards of behavior. Because an entity’s good reputation is so valuable, the standards of behavior must go beyond mere compliance with the law. Managers of well-run enterprises increasingly have accepted the view that ethics pays and ethical behavior is good business.15
In the wake of the financial crisis, enterprise risk management is a rapidly evolving discipline that places ethical values at the heart of good governance, enterprise risk management and compliance. For example, organizations such as COSO, the Ethics Resource Center (ERC), the Open Compliance and Ethics Guidelines (OCEG) and the Ethics & Compliance Officer Association (ECOA) have developed detailed guidance, from the board room to business units and key risk, control and compliance departments, on implementation of effective enterprise risk management systems. Industry and sector specific guidance has flowed from these general standards. As COSO notes, integrity and ethical values are the pillars of an effective compliance culture.
The effectiveness of enterprise risk management cannot rise above the integrity and ethical values of the people who create, administer, and monitor entity activities. Integrity and ethical values are essential elements of an entity’s internal environment, affecting the design, administration, and monitoring of other enterprise risk management components.16
Nowhere should this be more true than in financial services firms today, which depend for their existence on public trust and confidence to a unique degree. Expectations are rising around the world for a stronger culture of ethical behavior at financial services firms of all types and sizes. As the Basle Committee on Banking Supervision recently stated:
A demonstrated corporate culture that supports and provides appropriate norms and incentives for professional and responsible behaviour is an essential foundation of good governance. In this regard, the board should take the lead in establishing the “tone at the top” and in setting professional standards and corporate values that promote integrity for itself, senior management and other employees.17
As the standards for ethical behavior continue to evolve, your firms’ key stakeholders – shareholders, clients and employees – will increasingly expect you to meet or exceed those standards.
In my first speech here at the SEC I outlined ten elements I believe make an effective compliance and ethics program. These elements reflect the compliance, ethics and risk management standards and guidance noted above. They also reflect the U.S. Federal Sentencing Guidelines (FSG), which were revised in 2004 to explicitly integrate ethics into the elements of an effective compliance and ethics program that would be considered as mitigating factors in determining criminal sentences for corporations. These elements include:
- Governance. This includes the board of directors and senior management setting a tone at the top and providing compliance and ethics programs with the necessary resources, independence, standing, and authority to be effective. NEP staff have begun meeting with directors, CEOs, and senior management teams to better understand risk and assess the tone at the top that is shaping the culture of compliance, ethics and risk management.
- Culture and values. This includes leadership promoting integrity and ethical values in decision-making across the organization and requiring accountability.
- Incentives and rewards. This includes incorporating integrity and ethical values into performance management systems and compensation so the right behaviors are encouraged and rewarded, while inappropriate behaviors are firmly addressed.
- Risk management. This includes ensuring effective processes to identify, assess, mitigate and manage compliance and ethics risk across the organization.
- Policies and procedures. This includes establishing, maintaining and updating policies and procedures that are tailored to your business, your risks, your regulatory requirements and the conflicts of interest in your business model.
- Communication and training. This includes training that is tailored to your specific business, risk and regulatory requirements, and which is roles-based so that each critical partner in the compliance process understands their roles and responsibilities.
- Monitoring and reporting. This includes monitoring, testing and surveillance functions that assess the health of the system and report critical issues to management and the board.
- Escalation, investigation and discipline. This includes ensuring there are processes where employees can raise concerns confidentially and anonymously, without fear of retaliation, and that matters are effectively investigated and resolved with fair and consistent discipline.
- Issues management. This includes ensuring that root cause analysis is done with respect to issues that are identified so effective remediation can occur in a timely manner.
- An on-going improvement process. This includes ensuring the organization is proactively keeping pace with developments and leading practices as part of a commitment to a culture of ongoing improvement.
In addition to the effective practices above, the NEP has also seen firms that have focused on enhancing regulatory compliance programs through effective integration of ethics principles and practices. These include renaming the function and titles to incorporate ethics explicitly; elevating the dialogue with senior management and the board; implementing core values and business principles to guide ethical decision-making; integrating ethics into key leadership communications; and introducing surveys and other mechanisms to monitor the health of the culture and identify emerging risks and issues.
The Relationship of Compliance and Ethics with Enterprise Risk Management.
We can expand the discussion above beyond compliance and ethics to address enterprise risk management and risk governance more broadly. These same program elements, and ethics considerations, are equally critical, but the scope of risks expands beyond regulatory risk to also include market, credit and operational risk, among others. The roles and responsibilities also expand to include risk management, finance, internal audit and other key risk and control functions. Whether we’re talking about compliance and ethics or we’re talking about ERM, it is important to clarify fundamental roles and responsibilities across the organization.
- The business is the first line of defense responsible for taking, managing and supervising risk effectively and in accordance with the risk appetite and tolerances set by the board and senior management of the whole organization.
- Key support functions, such as compliance and ethics or risk management, are the second line of defense. They need to have adequate resources, independence, standing and authority to implement effective programs and objectively monitor and escalate risk issues.
- Internal Audit is the third line of defense and is responsible for providing independent verification and assurance that controls are in place and operating effectively.
- Senior management is responsible for reinforcing the tone at the top, driving a culture of compliance and ethics and ensuring effective implementation of enterprise risk management in key business processes, including strategic planning, capital allocation, performance management and compensation incentives.
- The board of directors (if one exists in the organization) is responsible for setting the tone at the top, overseeing management and ensuring risk management, regulatory, compliance and ethics obligations are met.
While compliance and ethics officers play a key role in supporting effective ERM, risk managers in areas such as investment risk, market risk, credit risk, operational risk, funding risk and liquidity risk also play an important role. As noted above, the board, senior management, other risk and control functions, the business units and internal audit also play a critical role in ERM. As ERM matures as a discipline, it is critical that these key functions work together in an integrated coordinated manner that supports more effective ERM. Understanding and managing the inter-relationship between various risks is a central tenet of effective ERM. One needs only reflect on the financial crisis to understand how the aggregation and inter-relationship of risks across various risk categories and market participants created the perfect storm. ERM provides a more systemic risk analysis framework to proactively identify, assess and manage risk in today’s market environment.
As I discussed earlier, there is an ethical component to many of the federal securities laws. When NEP staff examines, for example, an investment adviser’s adherence to its fiduciary obligations, or a broker-dealer’s effective development, maintenance and testing of its compliance program, our examiners are looking at how well firms are meeting both the letter and spirit of these obligations. In addition, our examiners certainly examine specific requirements for ethical processes, such as business conduct standards.
There is another way in which the ethical environment within a firm matters to us. As you know, our examination program has greatly increased its emphasis on risk-based examinations. How we perceive a registrant’s culture of compliance and ethics informs our view of the risks posed by particular entities. In this regard we have begun meeting boards of directors, CEOs and senior management to share perspectives on the key risks facing the firm, how those risks are being managed and the effectiveness of key risk management, compliance, ethics and control functions. It provides us an opportunity to emphasize the critical importance of compliance, ethics, risk management and other key control functions, and our expectation that these functions have sufficient resources, independence, standing and authority to be effective in their roles. These dialogues also provide us an opportunity to assess the tone at the top that is shaping the culture of compliance, ethics and risk management in the firm. If we believe that a firm tolerates a nonchalant attitude toward compliance, ethics and risk management, we will factor that into our analysis of which registrants to examine, what issues to focus on, and how deep to go in executing our examinations.
Finally, I would end by sharing with you that we are also embracing these leading practices. We recently created our own program around compliance and ethics. For the first time, we have a dedicated team focused on strengthening and monitoring how effectively we adhere to our own examination standards. We are in the process of finalizing our first Exam Manual, in which we set forth all of our key policies and standards in one manual. We have also established a senior management committee with oversight responsibility for compliance, ethics and internal control. On the risk management front, we are also making good progress. We have recruited individuals with expertise and established a senior management oversight committee here as well. In short, we are also committing ourselves to a culture of ongoing improvement and leading practices.
Thank you for inviting me to speak here today. I hope that my remarks will be helpful to you and help you to perform your critical compliance functions more effectively. I invite your feedback, whether regarding the points that I made, or the points that you think I missed. I now invite your questions.
1 The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private statements by its employees.
2 For a deeper plunge into the relationship between law and ethics, a classic exchange on this subject can be found in Positivism and the Separation of Law and Morals, H.L.A. Hart, 71 Harvard L. Rev. 529 (1958) and Positivism and Fidelity to Law: A Reply to Professor Hart, L.L. Fuller, 71 Harvard L. Rev. 630 (1958).
3 SEC v. Investment Research Bureau, Inc., 375 U.S. 180, 186-87 (1963), quoting Silver v. New York Stock Exchange, 373 U.S. 341, 366 (1963).
4 Study on Investment Advisers and Broker-Dealers as Required by Section 913 of the Dodd-Frank Wall Street Reform Act (January 2011) at 62 (available at http://www.sec.gov/news/studies/2011/913studyfinal.pdf) (“913 Study”).
5 Advisers Act Section 204A, and Advisers Act Rule 204A-1.
6 913 Study at 51.
8 Id. at 66.
9 Id. at 52.
10 Id. at 52-53 and cases cited therein.
11 Id. at 51, citing Guide to Broker-Dealer Registration (April 2008), available at http://www.sec.gov/divisions/marketreg/bdguide.htm.
12 SEC v. Capital Gains Research Bureau, Inc., 375 U.S. 180, 194 (1963); 913 Study at 21.
13 Id. at 22 (quoting Concept Release on the U.S. Proxy System, Investment Advisers Act Release No. 3052 (July 14, 2010) at 119).
14 Id. at 54 and cases cited therein.
15 Enterprise Risk Management - Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (September 2004) at 29.
16 Id. at 29-30.
17 Basel Committee on Banking Supervision, Principles for Enhancing Corporate Governance (October 2010) at 8.