Speech by SEC Staff:
Remarks before the National Society of Compliance Professionals National Membership Meeting
Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission
October 25, 2005
Better Than 'Business as Usual'
Thank you. It is a pleasure and a privilege to be here with you again at the NSCP's annual meeting. I want to thank Joan Hinchman, the NSCP's executive director, for the invitation, as well as for the NSCP's commitment to furthering the compliance profession over the years.
First, as required by my own compliance rules, I must tell you that the views I'm about to express are my own, and not necessarily those of the Commission, the Commissioners, or my colleagues on the Commission's staff.1
I'm always pleased to meet with this group. But I must admit, over the last several years, some of our meetings have been difficult. Terrible scandals had come to light, with large scale dishonesty, serious breaches of fiduciary duty, violations by well-known leaders of the securities industry, and misconduct of some audacity. I often had the unfortunate duty of asking you - "where was compliance?" Specifically I asked: "Where was compliance when these problems arose, took shape, and became entrenched in the offending firms?" I did not like having to ask the question. I'm certain that you did not enjoy it either.
Today, in the fall of 2005, I'm glad to say that we're seeing the market timing, late trading, revenue sharing, and breakpoint failures through to remediation, correction and hopefully elimination. But, we still have compliance issues that we need to address, serious issues, and we must always be vigilant with respect to fraud. Indeed, history shows us that there will always be those who are bent on defrauding investors for their own financial or reputational gain.
During the recent scandals, we learned many important lessons. We need to remember these lessons, and change our "business as usual" to reflect them. If we forget them, or choose to ignore them, then I fear the mistakes of the past will be repeated. Today, I'm going to talk with you about three lessons of our recent past -- first, that "Compliance Matters," second, that we need better communication between the compliance community and the SEC staff, and finally, that compliance programs must be dynamic and "activist."
I. Compliance Matters
First, Compliance Matters. I was fascinated by an article I read a few weeks ago that I know has generated discussion in the industry. A research analyst at a major wire house divided the top 25 fund firms into three groups: those that were very much involved in the fund scandals, those that were somewhat involved, and those that were not touched at all.2 He then calculated the growth rates of the firms in each category in the 18 month period after the scandals came to light. His results are no surprise to us, but they should open some eyes outside of the compliance community. The funds that were very much involved shrank by 24%, while those that were somewhat involved grew by 13%, and those that were not involved at all grew by 15%.
I have long said that what's good for investors is good for firms that do business with investors. The next time someone says to you: "compliance is a cost center, not a business center," you should reply, "when was the last time your department had a 15% impact on the growth of this business?"
Hopefully everyone has learned that Compliance Matters, but that doesn't mean we can rest on our laurels. I saw an article in the trade press recently about a recent survey of investment advisers.3 The survey apparently found that advisers are doing very well financially. Assets are up, income is up, and profitability is up. However, in a jarring note, in this environment of general prosperity, the survey indicated that expenditures for compliance had gone down. Specifically, it found that expenditures for compliance had shrunk from 6% to 4% of total expenditures. At least according to this survey, advisers are now spending more on advertising than on compliance.
I recognize that this news may be nuanced - perhaps all advisory firms have already invested in state-of-the-art compliance systems in preparation for implementing the Compliance Rule and the survey reflects a lower cost of compliance relative to the earlier implementation period. I don't know. Certainly, cost-effective compliance is a good thing, but for compliance to be meaningful and do its job effectively, it must be fully resourced and it must continue to be fully resourced on an ongoing basis. The danger of underfunding compliance is a weak, ineffective compliance program.
In an effort to make sure that new chief compliance officers were receiving the resources and support they need, examiners had sometimes asked, at the beginning of an examination, whether the CCO believed that she/he had sufficient resources and support. It seemed like a good way to ask the CCO directly - "are you getting what you need to do your job?" In practice, however, I understand that it caused a lot of angst. The question placed CCOs in an awkward position. Do they open an exam by criticizing their firm? Members of the compliance community, including the NSCP, informed me that they were troubled by these requests. We'll be a little lower key on this issue - if, during the exam it appears that the compliance function does not seem to have the resources or staff that it needs, either in general or in a particular area, we will raise the issue informally with the CCO.
The people in this room understand that Compliance Matters. But, unless we convince business managers, top level executives, and others, our collective efforts will not be effective. I recently said that for a firm to be compliant "it takes a village." What I meant by that was that compliance professionals are not guarantors for the firm's compliance with the law. They aid, educate, guide, detect, and check, but the firm's business-line employees are first and foremost responsible for their own conduct. Supervisors and managers, and indeed, all employees must view compliance with the law as a given in all forms of business, and they must view compliance professionals as indispensable in helping them to do that.
At this conference a year or so ago, I was asked what a chief compliance officer should do if she worked in an organization that did not respect compliance, and did not respect the importance of her job. I said that it was important for compliance professionals to educate managers about compliance issues, and about the serious ramifications of violating the law. I would hope that compliance professionals would educate their business managers about the importance of compliance - not only to avoid enforcement action by regulators and private actions by aggrieved customers and clients, but the connection to the bottom line. Indeed, I would put it as bluntly as possible: your business managers must understand that if they downsize compliance today, they may have to downsize other aspects of the firm tomorrow.
II. Better Communication
Second, another lesson we've learned from the period of scandals and crises: we need each other. Trust me, at the same time I was asking you, "where was compliance?" other people were asking me, "where was the SEC?" Indeed, many compliance professionals were aware of and troubled by the secret market timing agreements, yet did not alert SEC staff. And, many industry people were aware that at some point, industry participants had moved from "considering" past sales of fund shares in allocating fund brokerage to fund brokerage being a quid pro quo for future sales. It seems to me that examiners and compliance professionals need to improve communications and work together to solve problems before they can blossom and become large scale failures and crises. Let me stress that, from our point of view, this is the most desirable outcome. We want to encourage firms to identify and correct compliance problems, and to take proactive steps to reduce the likelihood of compliance problems from occurring in the first place.
How can we work together? The most important way is to establish and maintain open lines of communication. Lines of communication are important to us, because in the examination program, we need to get information from you. We need it quickly, and we need it to be reliable. We need it to conduct risk assessments of firms, to identify issues that require regulatory attention, and to come to appropriate conclusions about deficiencies.
Open lines of communication are also vital to you. In your compliance programs, you need to get information to us. In fact, one of the more important functions of a compliance program is to get information to regulators. Let me give you an example -- let us suppose your firm has had a compliance problem. You look carefully at the situation, fix it, and determine in good faith that it is only 'a bump in the road,' not a 'major accident.' Everyone hits bumps in the road. The compliance rules and the supervision standard reflect this in calling for "reasonable" policies and procedures, not 'perfect' policies and procedures.
But, coming in from the outside, as a regulator, it is often difficult for us to determine what sort of situation you have experienced. Is it a compliance problem that you identified and quickly resolved, or is it an indication of deep-seated or systemic problems at your firm? Your ability to deliver quality information to us about the incident will have an important impact on how we respond. If it appears to us that you have identified the problem and taken appropriate steps to fix it, including by repaying customers or investors when appropriate, our reaction to the problem should reflect that. Indeed, in many, many situations, when we can conclude that the firm promptly and effectively resolved the problem, and when the conduct did not appear to be intentional, we have concluded that enforcement referral is not appropriate. These situations never see the light of day, so you may not know about them. Your ability to deliver that information in an effective and efficient way will be enhanced if we have open lines of communication, if we have a solid professional relationship, and if we have a history of honest and reliable dealings. In short, open lines of communication should be as important to you as they are to us.
How can we establish open lines of communication? We have taken several steps in this direction; let me touch on several briefly:
- We established an Exam Hotline, to make sure you could always reach a senior examination attorney in Washington, D.C. The hotline has been in place for several months. The number is (202) 551-EXAM.
- Senior officials in OCIE and in the field offices have been handing out their personal phone numbers. They also have been receiving calls. Soon, the names and phone numbers of exam program managers in the SEC's field offices will be on the SEC's website. If you have a problem or a question, I encourage you to call them. If you need to call me, my number is (202) 551-6200.
- Our policy is to provide feedback at the end of examinations, both informally via an exit interview with the firm, and then in writing in either a "no further action" letter, or a deficiency letter.
- Finally, we have been conducting Chief Compliance Officer Outreach programs. We want the CCOutreach Program to be a vehicle for meaningful and personal interaction between examiners and compliance professionals. We hope to have effective two-way communication and to talk about compliance issues that are affecting the industry. There will be more opportunities to do so, because we will have a national program in Washington DC on November 8th, and we expect the regional programs to continue next year. We also anticipate a newsletter that will include "hot topics" in compliance. Ultimately, our goal is to help CCOs to have robust compliance programs that prevent, detect and correct compliance problems.
The people in this room today understand that we both need open lines of communication. You have a commitment from me that we will keep the lines open on our end. I hope that I can have a commitment from you that you will do the same on yours.
III. "Activist" Compliance
The third and final lesson that I would like to talk about today is that we can never rest easily in any one place. We must always stay in motion, testing our systems, asking if they are good enough, and thinking of how they can be improved. Your compliance program cannot be static. It can't be "done," "on the shelf," or "fixed." It can't rely on "box-checking." An effective compliance program must be an "activist" -- it must continue to evolve and, to do so, the program must be able to identify, meet, and incorporate changes in your business and changes in your customers, to continue to identify conflicts of interest, to be responsive to changes in the statutory and regulatory regime, and to continually strive to find the best technology and the best people. It must be measured by its results.
Indeed, much of this conference is dedicated to providing practical advice on how to ensure that your compliance program is actively preventing, detecting and correcting securities laws violations. You will hear a lot of discussion about what you need to do in this regard. You'll hear about forensic testing, annual reviews, meetings with the CEO, and other processes. I commend those discussions to you. They are very important.
Just as your compliance programs are never "done," our compliance program is also never "done." Indeed all of you who have had exposure to the SEC's examination program over the years know that we have always sought to apply our oversight resources in the most effective and efficient manner, and that, as the industry has evolved and changed, our oversight processes have changed as well. Indeed, for advisers and funds, we have moved from a once-every-12-24-years exam cycle, to a five year cycle, and now, with the growth in the industry, we have adopted a fully risk-based exam program. While regulators will never detect every violation or every fraud, we have developed our ability to respond quickly and effectively as soon as we identify a serious risk. And, we have opened up our internal lines of communication to make sure the Commissioners and the rest of the staff learn more quickly about what we're finding.
We have also given as much attention to forensic testing in the examination program, as we have urged upon you. It has seemed clear to me that we can't ever be certain that we are effective in our work unless it is somehow tested. So, as we have been talking to you about testing your compliance programs by using forensic tests, we have also been doing the same thing in our program. For your programs and for ours, the rationale is the same -- to be good, to stay good, you must always strive to be better.
A good forensic test has three characteristics. First, it provides a real test. In other words, it does more than simply repeat things you already do. Second, it helps you answer the question: what am I missing? In other words, it covers new material to test and validate the material you usually work with. Third, it adds current value. You can use it in your everyday program.
With these three goals in mind, we have developed a way to conduct a forensic test of our investment adviser examination program. We will use statistical sampling techniques to randomly select a sample of low risk advisers. These are advisers that have not otherwise triggered any of our risk criteria. In other words, if our risk criteria are working the way they should, we should not find a lot of serious problems.
What will these statistically driven examinations do? First, they will test the criteria we use to identify compliance risks and higher risk firms. If we find a lot of serious problems, we will need to re-examine and refine those criteria. Second, they will help us learn things we do not otherwise know. Specifically, as comprehensive examinations they will help us identify practices and risks that our other processes have not. Finally, because we will be following statistical methodologies, we are hopeful that we will be able to make inferences from our sample of examinations to the entire community of low risk advisers. In thinking about how we can use our limited resources most effectively, this result makes sense.
In addition to devising a new forensic testing methodology, we have been taking other steps to improve our program. Let me give you a few examples.
- Deficiency letters: we have been reviewing the language in our deficiency letters. We want to make sure that the language we use is appropriate, and fits our findings. Deficiency letters should summarize the relevant rule or standard of conduct, outline the facts found, and indicate the ways in which the conduct found during the exam deviates from that standard.
- Remedial actions: we are also seeking to be clearer in how we describe remedial actions. In many, perhaps even most cases, when we discover a problem, the firm will voluntarily take remedial action. These actions can include improving disclosures, making clients whole, or enhancing internal compliance controls. We believe that voluntary remedial action is a good thing. We encourage firms to take these steps, and we carefully consider such steps when evaluating the risk characteristics of the firm, and deciding whether or not we should refer examination findings to the Division of Enforcement. And, if the firm takes steps to implement remedial action during the exam, before we send the deficiency letter, we will also try to reflect that action in the letter.
- Duplication: we've also been giving careful attention to identifying areas of possible duplication in the examination program and taking steps to eliminate it. This is an issue that seems to have been raised particularly in the context of SEC and SRO sweep examinations. Over the last several months we have worked carefully to develop internal control systems to identify and avoid possible overlap and we've instructed examiners to take all reasonable steps to avoid such overlap. Nonetheless, if a situation arises in which you believe there may be some overlap, let us know. Let us figure out how we can remedy the problem. Importantly in this effort, we've been working internally to develop better technological systems to enhance our ability to share workpapers amongst the staff. When those new systems go into production, hopefully next year, we should be much better able to use records collected in one examination in other, subsequent examinations, thus further reducing any burden or inconvenience to firms.
* * *
In sum, the critical work of compliance goes on. We learned some important lessons, including: that Compliance Matters; that we must communicate effectively with one another; and that our compliance programs must continue to evolve and change. We need to remember these lessons, and ensure that our "business as usual" reflects these lessons -- indeed, our goal should be to be "better than business as usual." Thank you.