Speech by SEC Staff:
Strengthening Investor Confidence Through Sound Compliance and Risk Controls
Mary Ann Gadziala
Associate Director, Office of Compliance Inspections and Examinations
U.S. Securities & Exchange Commission
Remarks before the 5th Annual Regulatory
Compliance Conference for Financial Institutions
September 24, 2003
The Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.
Thank you for inviting me to join you here today. My remarks will focus on examination priorities of the U.S. Securities and Exchange Commission (SEC) covering broker-dealer compliance, risk management, and supervision - controls intended to prevent problems and ultimately to strengthen investor confidence in the securities markets. As executives and compliance professionals in the financial services industry, all of you play a very important role in preserving the integrity of your firms and investor confidence in the capital markets. One way we can work to achieve these goals is to establish and maintain robust compliance and risk controls as key defenses against violations, customer harm and significant financial losses.
The U.S. securities markets have experienced some recent control failures. While significant problems have affected only a small percentage of the total U.S. financial firms, the failures have contributed to what some have called a "crisis of confidence" in the securities industry and capital markets. Concerns have been raised about research analysts' conflicts, overcharges of customer fees, misappropriation of customer assets, inappropriate late trading and timing of trades in mutual funds, and questionable accounting in books and records. These failures send a wake-up call to all of us -- we must all work to make the improvement of compliance and risk controls a top priority.
Enforcement actions send the strongest message about transgressions. However, they take place after the harm has occurred. Control systems, on the other hand, are preventive. At their best, they should allow firms to anticipate potential problems and stop violations and losses before they occur. Systems should include checks and balances along with independent reviews to protect against problems. Firms must be proactive. They should continually reevaluate all areas of their businesses and enhance control systems correspondingly. If problems do occur, then persons in control positions should raise them to the appropriate levels and work to correct the problems as quickly as possible. This will protect the integrity of financial firms and assist in maintaining the public trust in the capital markets.
Now is a particularly challenging time for compliance and risk managment. The challenge is not only to address issues in the recent high profile cases involving regulatory lapses, but also for firms to react to market, regulatory and technological changes that make business operations more complex and diversified. Strong control systems - by preventing problems from occurring or escalating - should serve to strengthen investor confidence at this critical time. In view of this vital role of compliance and risk controls, the SEC dedicates significant resources to examining these areas. Some of our examinations evaluate overall coverage and effectiveness of an organization's controls systems. These are our comprehensive examinations. Others are focused and allow more in-depth reviews of particular issues or concerns.
A. Comprehensive Compliance Examinations
One of our comprehensive examinations is the compliance examination. What do we evaluate during a comprehensive compliance exam? Here we look broadly at the compliance function -- how do firms ensure that their actions and those of their employees are consistent with the law? Our compliance examinations are enterprise-wide, covering all broker-dealers within an enterprise. They are a top-down review of compliance over all business operations throughout the enterprise. As such, they are different from typical examinations that are bottom-up reviews of individual firms, more focused on specific rules and the firm's compliance with its own procedures. In the comprehensive compliance exam, we evaluate the overall compliance "culture" at the enterprise. We assess the adequacy, coverage, and implementation of the compliance program over all business operations at all locations. We look not only at what the organization has in its compliance program, but also make an assessment on what it may be missing. What is not there? What is not adequate or effective? It is only with this kind of review that we can identify problems that may have escaped us in the past and prevent those problems from ever reaching the level of significant violations and customer harm that diminish investor confidence.
Comprehensive compliance is the overall environment or culture in which compliance issues are handled at an organization. Lori Richards, our Director of the SEC Office of Compliance Inspections and Examinations, recently addressed the meaning of the "culture of compliance" in a speech. She told firms:
Certainly, the test for all firms is whether they maintain and each day, reinforce, a culture of compliance which includes a culture of doing not only what is within the strict parameters of the law, but also what is right - whether or not a regulator or anyone else is looking....It is critical that firms establish a strong culture of compliance that guides and reinforces employees as they make decisions and choices each day.
As I mentioned, our compliance examinations evaluate the adequacy of the enterprise-wide compliance function. Let me give you some general insights on how we approach this evaluation.
- First, we gain an understanding of the firm's securities-related businesses and organizational structure. We review board and senior management involvement in compliance. What is the tone from the top? Do they promote a strong and proactive culture of compliance in the firm in setting overall compliance policy? Do they recognize the high priority of compliance and actively work with senior compliance officers?
- Second, we evaluate how the firm fulfills its compliance responsibilities -- the independent oversight of compliance by the firm and its employees. This may be done through a separate compliance department or a number of different areas of the firm. We evaluate the compliance function - coverage, resources, systems, and communications with the board and senior management. We consider the experience and independence of personnel with compliance responsibility.
- Third, we review employee supervision: hiring, registration, licensing, continuing education, personal trading, and training.
- Fourth, we review the supervisory structure since it is closely aligned with compliance. The written supervisory procedures, front line supervision, and branch office supervision are examined.
- Finally, we look at oversight of compliance by the enterprise. We evaluate how the enterprise identifies and addresses compliance risks - how it assesses its own compliance program. This may include: branch exams, audits, new product reviews, surveillance, and even whistleblowing.
There is no standardized blueprint for assuring compliance at a securities firm. It may be accomplished through a centralized department or dispersed among various control units. The design and implementation of a firm's compliance system must take into account such factors as - size and geographic dispersion, types of business activities, products offered and customers of the firm, operations and technology, legal and regulatory issues, market conditions, and other relevant factors. Moreover, compliance must be viewed as constantly evolving - as the environment changes, or as better practices come to light - firms should change their compliance systems accordingly to maintain the highest level of appropriate compliance controls.
Through our comprehensive compliance examinations, we evaluate overall compliance culture and systems at broker-dealers. We will send letters to firms identifying weaknesses -- areas where firms should improve their compliance programs. In addition, we may use results from these exams as roadmaps in future exams - focusing our reviews in areas where controls were found to be weak or lacking. Compliance systems are of critical importance in protecting customers and preventing and controlling losses. Profit-making can never take precedence over compliance with the law. The goals of our comprehensive compliance exams are threefold: to ensure that firms are carrying out their compliance responsibilities through proactive, independent oversight; to promote best practices in compliance; and to encourage senior management to give compliance the high priority that it deserves. As such, comprehensive compliance examinations are an important step in addressing the recent problems and maintaining a high level of confidence in the integrity of our markets.
B. Other Comprehensive Examinations
In addition to the comprehensive compliance exam, we conduct two other types of examinations that give us a broad overview of how well a firm is fulfilling its control responsibilities. These are the risk management examination and the coordinated branch examination. I'll say a few words about each.
Risk Management Examinations
An SEC risk management examination begins with a system overview. We look at organizational structure and the process by which managers identify, assess, monitor and control all risks within the broker-dealer. That includes credit, market, legal and operational risks.
One area of particular focus this year is contingency planning and disaster recovery. While reviews in this area have been a part of our risk management examinations since inception, they have been significantly expanded since the terrorist attacks of September 11. It was a consequence of that unprecedented disaster that we realized our existing systems had unanticipated vulnerabilities. For example, we had not taken into account the potential for such a wide-spread disaster where market and geographic concentrations as well as interdependence exacerbated the impact of disruptions. Among the areas we may consider is the firm's response to the relevant white paper recommendations from government authorities. They delineate structural changes and sound practices intended to improve business continuity planning and the resiliency of the financial sector. It is likely that these efforts contributed to the smooth operation of financial markets during the historic electrical blackout experienced by the U.S. and Canada in August.
Other areas of current risk management focus include aggressive proprietary trading, fixed income in the current market environment, mergers and acquisitions, conflicts of interests, structured finance activities, the transfer of risks, and off-balance sheet activity. Risk management examinations remain a basic foundation of the U.S. SEC examination program.
Coordinated Branch Examinations
The third type of comprehensive examination conducted by the SEC is the coordinated branch exam. The coordinated branch exam begins with a general review of the books and records of the firm. We consider the number of problem registered reps, complaints, and arbitrations, as well as significant changes in business or personnel and other matters at each branch of the firm. With that information, we create a matrix identifying branches that merit special reviews. Examination teams will then visit the selected branches to conduct onsite reviews. We combine the findings of the individual branch exams to develop an overall picture of the effectiveness of supervision at the firm. In a recent example, we worked with three U.S. self regulatory organizations and eleven state securities regulators to conduct simultaneous examinations of 29 branches of a particular firm, combining the findings to evaluate firm-wide supervision. With over 94,000 registered branches and thousands of other remote offices of U.S. securities firms, we continue our focus on supervision, coordinating with other securities regulators to cover more branches while avoiding duplicative examination work.
Our comprehensive examinations are our best tools to gain an overview of a firm's compliance, risk management, and supervision. However, our more focused examinations provide us with the opportunity to probe more deeply into particular areas where appropriate. I will now turn to some of the priorities of the U.S. SEC examination program in more focused areas.
C. Broker/Dealers and Hedge Funds
In view of reduced earnings from traditional activities, some securities firms are competing heavily in new areas. One of these areas is hedge fund business. We recently conducted examinations of seven major broker-dealers that are significantly involved in businesses and services related to hedge funds. We viewed the hedge funds from two perspectives - as counterparties to broker-dealers (financial risk) and as products sold by broker-dealers to investors (investor protection). In this environment there is concern that firms could take excessive credit or market risks or market hedge funds inappropriately to investors.
The areas we examined include:
- services (prime brokerage, advisory, capital introduction, etc.)
- credit and market risks from investments in and lending to hedge funds
- selling and recommending hedge funds to investors
- conflicts of interests in the performance of these various activities.
The SEC is reviewing examination results and issues discussed at the roundtable held earlier this year on investor protection implications of hedge funds. Topics covered by the roundtable included: the structure, operation and compliance activities of hedge funds; marketing; investor protection; the regulatory scheme; and whether additional regulation is warranted. We are currently wrapping up another series of examinations with the NASD and NYSE focused on sales practices with respect to hedge funds investments and related compliance. Finally, a new series of examinations are underway to assess the involvement of hedge funds and other financial firms in after hours trading and timing of mutual fund trades.
D. Mutual Fund Trading and Sales
You have probably seen the recent headline stories on the current probe by U.S. securities regulators of mutual funds and securities firms with respect to potential late trading and timing of mutual fund trades. Illegal late trading is the buying and selling of mutual fund shares after the regular market close at that day's closing price. Market timing is the trading in and out in a short period of time, which can harm the fund's performance. In early September, the SEC requested information from all the major mutual funds and securities firms regarding any arrangements that permit customers to buy or sell mutual fund shares after the 4 p.m. close of regular market trading, or practices that permit mutual fund market timing. Information on the actual trading activities is also under review. The NASD is reviewing similar documentation and trading by additional firms. We are working closely with the New York State Attorney General in this matter.
Another problem involving mutual funds is the failure of some firms to consistently charge investors correct fees on purchases. One focus is front-end sales loads with purchase volume discounts at specified breakpoints. Results of an examination sweep of 43 firms and a subsequent self assessment by over 600 firms confirmed that many firms made a large number of errors in computing sales charges for mutual fund shares. This resulted in millions of dollars in overcharges. Firms have been required to repay with interest customers identified as having been overcharged. A working committee including NASD and groups representing the securities and mutual fund industries explored and recommended ways to prevent abuses and improve systems, investor disclosure, and education. Finally, the SEC and NASD are expected to soon consider staff recommendations for additional action, including disciplinary action, based on the results of the self-assessments by firms. Compliance with breakpoint discounts and other issues involving mutual fund fees continue to be on the radar screen of U.S. securities regulators.
E. Structured Finance Transactions
The next area of examination focus is the review of financial institution participation in complex structured finance products. This review was initiated in part in response to a request from several members of the U.S. Congress following hearings on the Enron transactions. The SEC and the bank regulators have recently concluded a series of examinations of the structured finance activities of eleven financial organizations identified as major players in this market. Our examinations covered design, participation, marketing, advising, and selling complex structured finance products where the counterparty or client is a public company. We are reviewing policies, procedures, and controls used by the organizations to assess accounting and tax strategies, as well as the business purposes and appropriateness of these transactions. We are also looking at the organization's assessment of credit, market, legal and reputational risks associated with the transactions. The examinations have generally concluded and we are working with the banking agencies to analyze our findings and respond to the Congressional request for guidance. There have also been recent enforcement actions in this area, including injunctions, civil penalties, disgorgement, and undertakings to improve credit, legal and reputational risk management.
F. Anti-Money Laundering
Anti-money laundering remains a priority of the SEC exam program. The USA Patriot Act, passed soon after the September 11 attack, imposed a number of requirements on financial firms to prevent and detect money laundering. Financial firms must have anti-money laundering compliance programs, including: (1) adopting policies, procedures and controls specifically designed to detect and prevent money laundering; (2) designating a compliance officer; (3) initiating ongoing training for employees; and (4) providing for independent tests or audits of the program. The requirements to identify concerns and file suspicious activity reports went into effect January 1 of this year. Prohibitions regarding foreign shell banks are also in effect. Informational requirements for certain foreign correspondent accounts and the certification process to achieve compliance with these provisions became effective on March 31. The rule on customer identification and verification was issued and has an October 1 compliance date. These rules serve a very important purpose in combating money laundering and terrorism. Therefore, we expect firms to devote adequate resources and attention to anti-money laundering efforts. We will be monitoring compliance in this area.
G. Conflicts of Interests
A key priority for the U.S. SEC examination program is the review for conflicts of interests. Securities firms and their affiliates sell many different products and engage in many different business activities. When a business or activity produces significant profits or profit potential, there may be an incentive to disadvantage other firm businesses or customers to maintain or increase profits. In addition, securities firms acquire a large amount of confidential and sensitive information in their various roles as advisors and lenders. Such insider information is not available to other market participants and may not be used for trading or other activities. Thus, there is a significant potential for conflicts of interests and the misuse of information or relationships. Firms must have controls to protect against violations in this area.
One recent problem is analysts' conflicts. The basic question is: Do analysts issue fraudulent securities analyses and ratings - perhaps motivated by the desire to generate other firm revenues, such as investment banking fees. On April 28, the SEC, NASD, NYSE, NASAA, and New York Attorney General announced a global settlement with ten top securities firms involving research analysts' conflicts with investment banking. In addition to requiring payments of over a billion dollars for penalties, disgorgement, independent research and investor education, the settlement requires the firms to sever the links between research and investment banking. Examinations continue in this area.
A related area is the general review of information barriers to address potential conflicts of interests. We conduct examinations of the policies and procedures that firms have adopted to prevent the misuse of material non-public information under Section 15(f) of the Exchange Act. Our examinations look at information barriers in light of technological developments, innovative and connected products, and the increased integration of various services that may increase the potential for conflicts. The exams serve two purposes - to evaluate compliance with current rules and guidance, and to evaluate the regulatory guidance in this area, which dates back to 1991. Compliance and controls with respect to information barriers and overall conflicts of interests among the various business activities of firms continue to evolve. We will continue to scrutinize firm compliance and controls with respect to conflicts of interests to protect investor interests and promote fair markets.
In conclusion, my objective this morning has been to give you an overview of what we in the U.S. SEC examination program view as important compliance and regulatory issues. While our examination program covers many other areas, the topics I have highlighted are some of our recent and continuing priorities aimed at evaluating and improving the fulfillment of securities compliance responsibilities by U.S. securities firms. Our examinations serve to identify problems and to promote best practices. There is a cost for building and implementing effective control systems. However, the costs of control failures -- both financial and reputational -- are significantly greater. The prompt and complete response to identified concerns is essential. It is only with strong and effective compliance and risk controls that we can hope to achieve the goals of maintaining the integrity of our securities markets and strengthening investor confidence. Thank you for your time and attention. I'd be happy to respond to any questions.