Speech by SEC Staff:
Compliance: Some Core Principles
Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission
National Regulatory Services' Twentieth Annual Spring Compliance/Risk Management Conference
April 20, 2005
Good Morning. I'm very pleased to be here with you today; I always enjoy speaking to gatherings of compliance professionals. You are a key constituency of the SEC, and we view you as important allies in our work to protect investors. At the outset, let me remind you that the views I express are my own views and not necessarily the views of the Commission, the individual Commissioners or my colleagues on the Commission staff.
I assume that as compliance professionals in the securities markets, whatever the type or size of the firm that employs you, you are all likely working at full capacity, full-tilt, on the various and many compliance issues of the day. It's easy to see these issues in the agenda for this conference: the new "Compliance Rule" for funds and advisers; the new NASD rule requiring broker-dealers to have chief compliance officers and to annually certify the effectiveness of the compliance program; the new code of ethics requirement for advisers; mutual fund and variable annuity sales practices; email retention; best execution and trading procedures; soft dollars; adviser performance claims; and hedge fund adviser registration. These are all topics under discussion and are certainly areas of focus for regulators as well. All of us are immersed in the many discrete compliance issues, and there are more every day, as the minds of men will always develop new and creative ways to evade rules to benefit themselves. Rather than talk with you today about specific compliance issues, I wanted to spend my time with you talking more broadly about compliance, its role in the securities industry, and some "core principles" in compliance.
I do so against the backdrop of a great deal of international attention to the issue, broadly drawn, of compliance. Earlier this month, the International Organization of Securities Commissions (IOSCO), an organization comprised of over a hundred securities regulators from around the world, published a discussion paper on compliance called "Compliance Function at Market Intermediaries" (available at http://www.iosco.org/pubdocs/pdf/IOSCOPD198.pdf). Not a very catchy title, but the paper contains a useful discussion and offers some thought-provoking questions concerning the compliance function at broker-dealers, advisers, funds and other so-called intermediaries. It also asks for public comment on these topics.
I was interested in the IOSCO discussion paper because I've been thinking a great deal about compliance and how it operates, or should operate, given the compliance failures of the last few years. Chairman Donaldson and many of us at the Commission have called upon firms to adopt what we call a "Culture of Compliance" in their core business model, a culture that emphasizes doing what's right, even in the absence of regulatory guidance or a clear prohibition. Clearly, regulators from around the world have been giving similar thought to this issue -- the IOSCO paper recognizes that while different jurisdictions may have different approaches and policies to help ensure compliance with their securities laws, regulators share a common belief that the compliance function plays an essential role in preventing possible misconduct and in promoting ethical behavior, which can in turn lead to fair and orderly markets and investor confidence in those markets.
The paper sets forth some core principles with respect to compliance, and I wanted to share some of those with you today. The first core principle is a definition of "compliance" and its importance within the firm:
- Each market intermediary should establish and maintain a compliance function. The role of the compliance function is to identify, assess, advise on, monitor and report on a market intermediary's compliance with securities regulatory requirements and the appropriateness of its supervisory procedures.
- The board of directors or senior management is responsible for the firm's compliance, and should establish and maintain the function and assess whether the compliance policies are being observed and are appropriate on an ongoing basis.
I think that these are key principles. Indeed, they underpin some of the most significant new regulatory actions. For example, recent SEC and NASD rules require all broker-dealers, investment advisers and mutual funds to have a chief compliance officer who is responsible for the firm's compliance program. Bolstered by the duty of advisers and broker-dealers to supervise, these rules are designed to recognize the importance of compliance as a distinct function within all firms.
Importantly, the paper also sets forth the need for compliance to be independent of the business units. It states:
- The compliance function should be able to operate on its own initiative, without improper influence from other parts of the business, and should have access to and should report to the board or senior management.
This is a key principle, and warrants some discussion. In examinations, we have seen examples of situations where compliance seemed to be captive to a business unit, and where the legitimate concerns of compliance staff were overridden by -- no surprise here -- the desire to gather assets and increase profitability. As a result, in adopting the new Compliance Rule for investment advisers and investment companies, the Commission stated its intent that the chief compliance officer be independent, and have sufficient seniority and authority to develop and enforce compliance procedures for the firm. To ensure the CCO's independence from the business function, the Commission required that the CCO report directly to the fund's board of directors, and to protect the CCO from undue influence by service providers, it prohibited any action to coerce, manipulate, mislead or fraudulently influence the fund CCO. Similarly, in adopting the rule requiring broker-dealers to have a chief compliance officer and an annual compliance certification, the NASD mandated meetings and discussions between the CEO and chief compliance officer concerning compliance issues, and an annual report to the board or the audit committee. Clearly, these rules reflect the belief that senior level management has ultimate responsibility for compliance.
In light of this, I ask you the following questions:
At your firm, do senior level management and the board actively support compliance? How can you tell? Does compliance report regularly and directly to senior level management and the board about compliance problems, about emerging issues? Is compliance adequately resourced with the tools it needs? Do you have complete access to information, records, and firm personnel? If you have compliance staff embedded in business units, how do you make sure they don't become captive to the business unit? Does compliance have the ability to assure or confirm that concerns have been appropriately addressed? Is your compensation or ability to advance in some way dependent on the profitability of a business unit? If your firm is dominated by a powerful and charismatic business leader, how does compliance function? Can it too easily be overridden by this person? Similarly, does your firm give too much deference in compliance issues to a big producer?
The paper also sets forth the need for high caliber people to perform compliance. It states:
- Staff exercising compliance responsibilities should have the necessary qualifications, experience and professional and personal qualities to enable them to carry out their duties effectively.
Of course, this is a universal truth - the nature of the compliance function dictates that it be performed by highly capable individuals. The Commission has said that CCOs must be "competent and knowledgeable" concerning the securities laws. And of course it's understood that they should possess necessary qualifications and experience. What does it mean though, to say that they should possess the necessary "personal qualities" to enable them to carry out their duties? Doesn't being effective in the compliance profession require a skeptical attitude, an innate curiosity about how firm employees and others might be trying to circumvent the law or the firm's policies and procedures? Doesn't it require the ability to interact effectively with others, particularly when raising difficult issues? Doesn't it require an ability to be persistent, even relentless, when investigating issues and in raising them with senior management? Compliance is not and never was a haven for passive box-checkers.
Next, the paper states that:
- Each market intermediary should periodically assess the effectiveness of its compliance function and should also be subject to review by independent third parties, such as external auditors, self-regulatory organizations or regulators.
Again, the notion that firms should periodically assess their compliance function is one that is fully supported by regulators. Indeed, both the new compliance rule for funds and advisers, and the new NASD compliance rule for broker-dealers, require ongoing, annual reviews of the compliance program.
Moreover, it has seemed to me that a key lesson of recent compliance failures -- from analyst conflicts of interest and the resulting biased research reports, market timing, late trading, breakpoint failures and other problems -- is that the existing compliance program paradigm must be reevaluated and indeed reinvigorated. I am pleased that many firms have been thinking, at very fundamental levels, about the nature of their firm's business, about the conflicts of interest inherent in their obligations, about ways they can mitigate those conflicts, and importantly, about how they can ensure that their compliance functions do not become outmoded, outdated, and static. I have called this the need to have an "activist" compliance program -- one that is animated by a constant effort to identify conflicts of interest and to imagine and investigate the ways in which rules and ethical proscriptions could be subverted. I think that an activist compliance professional carries an attitude of professional skepticism - assuming that individuals will try to subvert rules and act with their own interests in mind, and given this, the activist compliance professional seeks to prevent and detect this conduct.
Assuming that you and your firm have adopted this more activist and invigorated compliance program, and that you are, as the core principle states, periodically assessing its effectiveness, how do you measure your results? I have seen too many compliance programs measure their results by the number of their own activities, say the number of exception reports, the number of investigations commenced, the number of reports to the board, or other numerical measures of their own output. These things are easy to measure, and certainly it can be easy to show increases in these areas. I submit, however, that these measures may be misleading if they don't also tie back to the actual result that they are designed to achieve - detecting and preventing violations. It is possible, and I have seen this in many organizations, to be producing an ever increasing number of exception reports and conducting an increasing number of investigations, and also to have an increasing number of violations! I urge firms to develop measures of compliance that are tied to actual reductions in violations - and to keep your eyes on that result as the ultimate goal, and the ultimate test of your effectiveness.
The core principle also states that the compliance function should be subject to review by independent third parties. I also think that having outside eyes review your compliance program can be helpful, as it can help you to see things in perhaps a different way. And it may also empower compliance within the firm.
Finally, the paper also discusses the role of regulators, and states:
- Regulators' supervision of market intermediaries should include the assessment of the compliance function, taking into account the intermediary's size and business.
- Regulators should take steps to encourage market intermediaries to improve their compliance function, particularly when the regulators become aware of deficiencies. In addition, regulators should have the authority to bring enforcement actions, or other appropriate disciplinary proceedings, against market intermediaries relating to their compliance function.
As you might guess, as a regulator, I have particular views on these principles. When there are egregious failures in compliance, enforcement is a big stick, and can certainly remind firms loudly and quickly of their obligations. But, I believe that the best result is for violations to be prevented in the first place. As an examiner, I like to find vigorous compliance programs and robust supervision. We've determined that this result is best urged along by regulatory oversight of the compliance function - and we've been examining the compliance programs of large broker-dealers, and more recently of mutual funds. We provide the firms that we examine with deficiency letters that describe the shortcomings we observe at that particular firm. Given that there are thousands of firms, and a much smaller number of examiners, however, it seems to me that this process alone is ineffective in encouraging and ensuring robust compliance programs at the vast number of regulated firms.
Chief Compliance Officers play a critical role in ensuring an overall effective compliance program, and as regulators we will hold them to their responsibilities. To assist new mutual fund and adviser CCOs, Chairman Donaldson recently announced what we call the "CCOutreach" program - which entails periodic newsletters concerning compliance issues and hot topics, and regional and national seminars for CCOs to learn about and discuss compliance issues. This is an effort to communicate, to educate, to inform, to alert and to help these new CCOs achieve their important responsibilities.
I also believe that firms' internal auditors can and should do more than they may now be doing to review the firm's compliance and internal controls. If I were an internal auditor, I would think that the compliance failures of our recent past would give me a great deal of pause in carrying out a program that did not evaluate the risk of failures or weaknesses in compliance and other internal controls. I hope that internal auditors would also review the firm's compliance program. Indeed, I would hope that if our examiners could have some degree of confidence in the quality of an internal audit, we could rely more on this work than we have done in the past.
Too, I think that external auditors can do more. For example, our examinations of mutual fund expenses have sometimes revealed that monies were not being used for their stated purposes. It has seemed to me that a key part of the mutual fund audit should be to confirm that monies taken out of the fund are actually for legitimate and approved expenses. Similarly, a too-frequent finding in our examinations of broker-dealers is a failure to accurately compute assets and liabilities resulting in inaccurate net capital computations. And, lack of controls over valuation remains a serious control risk at firms of all types. I think that these areas should be scrutinized carefully by independent auditors.
* * *
Thank you for your time and your attention this morning. The IOSCO paper provides some interesting core principles worth thinking about, and I hope that you will give some thought to how they apply in your own firms. Clearly, the attention by regulators around the globe on these core principles reflects the increasing focus and importance of your work as compliance professionals.