Speech by SEC Staff:
The Culture of Compliance
Lori A. Richards
Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission
Spring Compliance Conference: National Regulatory Services
April 23, 2003
As a matter of policy the SEC disclaims responsibility for any private statement by any employee. The speaker's views are her own, and do not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.
I'm very pleased to be here today to talk about compliance issues for the registered community for both broker-dealers and investment advisers. We have a terrific opportunity today and over the next few days, to talk about compliance issues in the industry today. I know that you will be spending lots time discussing the particular compliance issues and challenges that confront firms right now --- implementing the new Patriot Act requirements, the new rules governing research analysts, the new broker-dealer books and records rules, the new proxy voting rules for mutual funds, as well as dealing with existing best execution obligations, making contingency plan for disasters, maintaining all required books and records, including emails, and ensuring that you are disclosing all required and material information to your customers and clients.
This morning, however, I'd like to step back from these specific compliance obligations, and talk with you more broadly about the overall environment within which these specific compliance issues are handled. That environment differs perhaps from firm to firm, and I will refer to it this morning as the culture of compliance. This issue involves everyone here, regardless of the nature of your business. All firms have a culture with respect to compliance that may vary the overall culture within which compliance operates can serve to foster and enhance compliance efforts, or, at its worst, it can impede or render compliance efforts meaningless.
The culture of compliance is not a new concept. Hopefully, everyone here is familiar with the idea. For years, you've been told you need one. We at the SEC have been emphasizing that firms need to create a culture of compliance for many years. You've heard it from Chairmen, from Commissioners, and from the staff, and certainly you've heard it from me. If you've been listening, you know it's not enough to have policies. It's not enough to have procedures. It's not enough to have good intentions. All of these can help. But to be successful, compliance must be an embedded part of your firm's culture.
In recent months, we've seen a number of problems at securities firms that reflect very poorly on their cultures of compliance. In many cases it seems clear that the culture of immediate, short-term profit overwhelmed the culture of compliance. In some of these situations, knowledgeable and dedicated compliance staff were ignored, were not relevant, or were too distant from the business unit involved. Scandal teaches that the culture of compliance must be taken seriously. More than that however, having a strong compliance culture is in the best interests of securities firms, because, as I have often said, what's good for investors, is good business for those who serve investors. I strongly believe that having a culture of compliance must be part of every firm's core business model.
That leads me to the topic I want to talk about today: what is a culture of compliance? Today, in the examination program, we're giving this question even more attention than we did in the past. We think it's a timely issue, in light of the failures we've seen, in light of our need to restore the public's confidence, in light of the need to be proactive in averting compliance problems, and in light of our need to stretch our limited examination resources.
Specifically, we've been working on new examination methodologies for both broker-dealers and investment advisers. Our goal is to have a systematic means of assessing your culture of compliance. These projects are underway, and you could see them in an up-coming examination. But before I turn to the projects themselves, let me drill down a bit and take a look at the issue we're trying to address.
Culture is one of those concepts that everyone recognizes, but no one can define. As a Supreme Court Justice once said, in another context, you know it when you see it. Unfortunately, however, this definition leaves a lot of room for disagreement. Some people see culture on a Friday night, at the opera. Others see it on a Sunday afternoon, during the half-time show. Who is right? Which is culture?
Traditionally, the culture of compliance has had the same problem. Up till now, despite its importance, it has always been in the eye of the beholder. It has always been a subjective assessment. Let me give you an example.
It's every examiner's worst nightmare that, in conducting an examination, she will select discrete areas of the firm's business to review, will conclude the examination with a deficiency letter with a few minor issues, and then, shortly thereafter, read in the newspaper that the firm has blown itself up with massive compliance problems in some other area of its business that the examiner did not examine. Therapy for this anxiety requires a strong dose of the culture of compliance. As examiners and given the size and complexities of securities firms today, we know that we cannot be everywhere at once. But we can ask ourselves given the culture of compliance we have observed how likely is this firm to have compliance problems when SEC examiners are not around, in between examinations?
A wise person once said that the test of a truly moral person, is whether he does the right thing when no one is looking. Certainly, the test for all firms is whether they maintain and each day, reinforce, a culture of compliance which includes a culture of doing not only what is within the strict parameters of the law, but also what is right whether or not a regulator or anyone else is looking. This culture underpins your business and the decisions and choices that you make every day, about small and not so small issues. For example, when you are confronted with decisions about how to handle a customer's complaint, how to correct a minor error in pricing or in net asset value, and how you deal with a disclosure issue your decisions are made in the context of your firm's compliance culture. It is critical that firms establish a strong culture of compliance that guides and reinforces employees as they make decisions and choices each day.
At this point, I'm sure you can see where I'm headed. You need a healthy culture of compliance. We rely on your culture of compliance. Yet, despite its importance, it has always been left in the realm of subjective impressions. In the examination program, we think the time has come to evaluate firms' compliance culture with more rigor and objectivity.
Over the last few months, we've been working to take this critical area, and give it the formal and systematic treatment it deserves. Importantly, by making our methodology formal, we hope to give our assessments transparency, so supervisors and headquarters will be able to understand why a particular examiner made a particular assessment; comparability, so we can compare different assessments at different firms; and, perhaps most importantly, we want to achieve the analytical rigor needed to make comments to a firm when we think its culture is deficient.
Our efforts have been somewhat different on the two sides of the program. This is mostly because, as I'm sure you all know, in our oversight of broker-dealers, we can take account of the critically important front-line work of the self-regulatory organizations. For advisers and funds, on the other hand, there is no SRO and we are the sole examining regulator. As a result, different demands are placed on the two sides of the program. However, the two initiatives I'm about to describe have a lot in common. Most importantly, they both take the culture of compliance seriously, as something we need to consider in our own oversight.
Let's start with advisers and funds. Because we have to cover the entire adviser and fund community with very limited examination resources, we must carefully ration the amount of staff time we give to each firm. At the same time, we must provide minimum levels of oversight. In the recent past, we balanced these two goals with a five-year examination cycle. We made the commitment that within a five-year period we would see every adviser and every fund complex.
We think the five-year cycle worked just fine for the time, and we worked hard and successfully, to meet our goal. But, like all across-the-board one-size-fits-all approaches, it had a lot of weaknesses. In adviser parlance, a lot of assets under management went a long time without a visit. In today's fast moving economy, five years is a long time. It also meant that high-risk firms and low-risk firms were treated the same. You could be running a carefully controlled shop, and we would come to visit you as often as your competitor across the street who was running side-by-side hedge funds and registered funds, or whose advisory personal spent most of their day trading their personal portfolios.
We decided that we needed a more sophisticated approach in our targeting. What we want to do assuming we get the additional staff we need, what we will do is to take the twenty largest fund complexes and put them on an automatic two year examination cycle. That will ensure an appropriate level of oversight for the largest concentrations of investor assets. Then, for the rest, we will develop custom cycles. Each adviser and fund complex will be on its own cycle. The cycles will range from two years to four years. So overall, we will reduce the outside cycle to from five years to four years, and many firms will see us much more often than that. How will we decide how long your firm's cycle should be? That's where the culture of compliance comes in.
Remember our typical examiner, worried about whether you will blow yourself up, shortly after she left? Well, that's what we want to prevent on a program-wide basis. In determining how much time we can allow to pass between our examinations, we will assess how well your firm is deterring and detecting problems how sound is your culture of compliance? And can we have some comfort that you will carefully protect your clients and manage your risks between our visits? We think that we should visit firms that have a less than sound compliance culture more frequently than those that have a strong compliance culture, and who can demonstrate that they do not need more frequent visits.
To make this determination, we have prepared a formal approach to assessing your culture of compliance. We think that every good culture of compliance has at least five elements. First, it has a strategic vision. Compliance activities have to relate to some larger strategic goal. Second, it identifies the specific risks that could arise within each strategic area. The devil, as they say, is in the details. Third, it establishes control points for each of these risks. Fourth, it is well documented. Documentation provides transparency, both internal, to senior management, and external, to auditors and regulators. Fifth and finally, specific people are accountable for managing each specific element of the compliance system. You can have the best policies and procedures in the world, but if no one is making them work, they will be useless. Let's look at each of these elements.
First, to identify the strategic goals that should animate a good compliance program, we reviewed SEC enforcement actions against advisers and funds. We asked, what are the problem areas that come up again and again and that have affected investors? As a result of that review, we identified ten general areas that seem to generate most of the problems. A good culture of compliance, we concluded, will, at a minimum, have control processes in place to address these ten strategic areas. They are:
- Portfolio management decisions should be consistent with clients' mandates.
- Order placement practices should be consistent with best execution and disclosures.
- Block and IPO trades should be fairly allocated.
- The personal trading of access persons and advisory representatives should be carefully controlled.
- Client and fund assets should be priced accurately, and fund net asset values should be calculated accurately.
- Custodian records and fund and adviser records should be regularly reconciled, and all discrepancies should be resolved.
- Information should be protected from unauthorized access, alteration and destruction.
- Clients should receive periodic account statements from third parties.
- Performance information should be accurate and fair.
- Transactions should be reconciled on a daily basis to ensure the accuracy of shareholder and cash positions.
The next time you're examined, you should expect to hear a lot about these ten processes. In fact, you'll probably hear about them even before we arrive on-site. We're likely to start the examination by providing you with a new type of document request list. Instead of just requesting detailed classes of documents, we'll ask you to produce documents to demonstrate how you are managing each of these control processes. And by demonstrate, I do not mean tell us. I mean show us.
Second, we expect that you'll be able to show us the specific compliance risks that you face within each strategic area. In other words, given your business model, what specific risks do you think you face? During this part of the exercise, we try and approach your firm with a clean slate. We don't want to prejudge your risk environment. We will be talking to you about these risks in the entrance interview.
Given our experience over time in examining all types of firms, we have an understanding of the typical risks an adviser faces in managing aspects of its business and its relationships with clients. If we notice any missing from your assessment, we'll want an explanation. But the fundamental goal of our inquiry is to find out what risks you face, in your specific circumstances.
Third, we ask what control points you have in place to address each risk. Here, we hope to see a lot of creativity. One of the most important benefits of our open-ended supervisory system is that you're not locked into any specific controls, and in fact we've all seen how new technological compliance tools have changed and enhanced the compliance process. We do expect, however, that your controls will cover the risks. Perhaps the best way to explain this is with an example.
The first strategic control process that we will be evaluating is "consistency of portfolio management decisions with clients' mandates." One of the specific risks that a firm may face in this area is that client portfolios are accidentally managed in ways that deviate from the clients' mandates, thereby exposing client assets to a higher risk of loss. This is obviously a risk that must be controlled. Let's use an example to demonstrate let's say a client has said that he/she does not want the portfolio to invest in certain high-risk derivative products, because the client intends that the portfolio will be low to moderate risk. To control for this specific risk, firms have various controls points, which might include:
- Portfolio managers are given ready access to information on client objectives, restrictions and risk tolerances;
- Portfolio managers and a compliance review person are required to review this information periodically; and
- Changes made by the clients generate notices that the portfolio managers must acknowledge.
As you can see, these are common-sense controls. To adhere to client mandates, portfolio managers must know what they are. A good compliance system makes sure managers receive and acknowledge this information.
Fourth, as I said, a good culture of compliance relies heavily on careful documentation. What kinds of documents do we hope to see? Here again, I think an example would help. Lets continue our example about preventing accidental deviations from client mandates. Based on our reviews, we've seen several useful control documents, including:
- A Portfolio Management Manual containing appropriate policies and procedures;
- A file containing client information, including mandates, and changes to mandates, that is available to the portfolio managers;
- A file containing annual certifications by the portfolio managers that they have reviewed their clients' mandates and notations by portfolio managers documenting their receipt of any changes in the mandates, such as by dating and initialing the notice; and
- A file containing evidence of a compliance person's review of the portfolio for consistency with the clients' mandates, and documenting any findings and steps taken as a result.
Fifth and finally, the firm should have a specific person designated to manage each control point. That person should be accountable for the operation of the control point, and also for the accuracy and completeness of all resulting documentation.
I think that these five points demonstrate the overall approach. We want to see you link specific people, to specific documents, to specific control points, to specific risks, and ultimately, to specific strategic control processes. In a good culture of compliance, this will be seamless web, from the lowest level of detail, to the broadest level of strategic direction. That's what makes this approach different. Ultimately, we want to study that seamless web of controls not just individual controls viewed in isolation.
How are we going to use this methodology in our examinations? Once our examiners have worked their way through each of your control points in each of the ten strategic control processes, they will evaluate the quality of your controls in that area. Areas judged to have weak controls will be probed deeply and thoroughly for violations. On the other hand, if we have some proof that your own compliance and control systems are working in a given area, we will not need to probe and test as thoroughly in that area. Once examiners have reviewed controls in the ten strategic areas I listed, they will then roll up their assessments into a single cumulative evaluation. That cumulative evaluation will represent our views on your overall control environment, or stated another way, your culture of compliance. The deficiency letter we issue to your firm will then describe deficiencies in whatever areas we find to be deficient, and we'll ask for you to respond in writing to us with any changes and improvements you will make. What we won't tell you, however, is when we will be back again for an examination. We believe that all firms should be prepared for an unannounced visit by SEC examiners at any time, and the prospect of that visit we think, frankly, provides a significant deterrent to illegal or unsavory activities.
So, we will utilize our assessment of a firm's overall compliance culture to prepare an examination strategy tailored for that particular firm. The better the assessment, the longer the examination cycle. The poorer the assessment, the shorter the cycle will be, with a greater likelihood of a surprise visit, and a comprehensive examination. We're rolling this program out now, so you should begin to see it in the coming months.
We're also looking at the culture of compliance in the broker-dealer program. Specifically, we recently initiated a series of special examinations to review large broker-dealers' overall compliance programs. This review is being conducted jointly with the NASD and New York Stock Exchange.
We believe that the best way to ensure that problems do not occur, and that small problems do not become large problems, is for firms themselves to maintain robust compliance programs and a strong culture of compliance. The compliance function is critical, and we want to ensure that it is strong, capable and respected within firms.
In these reviews, we are examining the firm's enterprise-wide compliance programs. If the complex has more than one broker-dealer, and many do, we are looking at all of them. In general, we're taking a top-down approach. In other words, to relate this to what we're doing in the adviser and fund program, we're starting at the strategic level and working our way down. How do you set your compliance strategy? How have you institutionalized your compliance function within the enterprise? Of course, as before, details are important. You can expect us to review several specific areas, including compliance for retail operations, and compliance for proprietary trading.
In our top-down review, what kinds of questions will we ask? Here are a few:
- What role does senior management have, including the Board of Directors, in setting compliance strategy?
- Has the firm designated a Chief Compliance Officer?
- Has the firm articulated clear and comprehensive guidance on how the various functional units within the firm are to interface with the compliance function?
- Are all business units included in the compliance strategy?
- How is compliance embedded in the business units?
- Is the compliance function appropriately structured to effectively manage the firm's compliance needs?
- Does it have enough staff and resources to accomplish its stated goals?
- Is the staff adequately qualified to carryout their duties?
These examinations have two fundamental goals. First, as I said, we want to ensure that compliance is a high priority within the firm. Moreover, as we all know, talk is cheap. We want to see more than talk. We want to see enough staff and enough resources devoted to compliance to ensure quality oversight given the nature of the firm's business. Second, we want to ensure that controls are broad enough and deep enough to be effective. We want to see careful consideration of how compliance can be embedded within the business units. We want to see exception reports and other surveillance tools that capture all relevant possible violations or problems. We want to see timely follow-up on issues once they are identified.
Some people have expressed concern that these reviews could force compliance into taking more of a supervisory position within a firm. Not true. We do not want to make all compliance practitioners line supervisors. In fact, a primary goal of these reviews is to look at how the firm, including senior management, view compliance. Is compliance a priority at the highest levels of the firm? Is compliance being provided with the tools it needs enough staff, resources, and authority? While these are fundamental questions, we know that firms operate in different structures and in different ways, and that one size does not fit all. Clearly, how compliance is organized within each firm, and how its functions are allocated between line managers and compliance practitioners remains the choice of that firm.
These reviews are underway now. We anticipate learning a great deal about sound compliance techniques, and that we will highlight any areas of deficiency or where improvement can be made in deficiency letters to the firms we examine.
* * *
In conclusion, the culture of compliance is too important to be left to subjective impressions. Through our new methodologies we are turning it into a formal examination technique. We are taking it very seriously.
And, we hope that you will too. I am always impressed by how much we learn from the firms we regulate. We hope that you will think about the differences between a healthy culture of compliance, and a poor culture of compliance. We hope that you will articulate your ideas, perhaps to your Board, or perhaps to your customers. As the industry thinks and talks about this issue, we will benefit, because it will help us sharpen the focus of our oversight in this area. But more importantly, it will also enhance the protection we deliver to investors, which is after all, the ultimate goal of every culture of compliance.