Compliance staff can help their firms by reflecting regulators’ expectations, SEC enforcer says
By Stuart Gittleman, Compliance Complete
NEW YORK, Oct. 16 (Thomson Reuters Accelus) – Regulators and compliance and ethics officers share the goals of preventing unlawful or improper conduct and cultivating effective cultures that promote integrity and respect for the law, a Securities and Exchange Commission official said.
These goals can be better achieved through “a good compliance program” that extends throughout the business and protects it by reflecting the SEC’s expectations, Stephen L. Cohen, an SEC associate enforcement director, told members of the Society of Corporate Compliance and Ethics last week.
A key function of compliance staff that companies should recognize and support, he said, making sure senior management and boards understand the compliance risks they face. “Companies are well served by having professionals like you at the table where key decisions are made. They benefit when they consider you as trusted advisors and give you the necessary authority and independence to help lead your organization,” he said.
The content of Cohen’s talk is not new – it reflects longstanding SEC priorities – but a more aggressive enforcement stance since SEC Chair Mary Jo White assumed her post this year is making it more important than ever.
Working with organizations like the SCCE to develop good compliance programs can also help the SEC dispel the idea “that the regulator and law enforcement community does not speak enough about the importance of the compliance profession,” Cohen added.
Successful companies have effective risk management processes throughout their business lines; managing regulatory risk should be no exception, especially because it has come to the forefront “in a post-financial crisis, post-Dodd-Frank world,” Cohen said.
And the significance of regulatory risk “is only magnified when the SEC or [the Department of Justice] files a case where issues were not discovered, not escalated, or where management ignored push-back from compliance staff,” Cohen added.
The top of the list of risks includes “companies that do not take compliance seriously until misconduct comes to light; where internal controls are insufficient for the size of a company’s risk; or when management simply leaves the impression that these issues are not important,” Cohen said.
For example, Cohen said, JPMorgan lost $6 billion in risky trading that was poorly supervised and inadequately disclosed to its investors and its board. The loss was augmented by a $920 million partial regulatory settlement for violating securities laws over its breakdown in internal controls when senior management discovered these issues but deprived its board of the information needed to assess the problems and determine an appropriate response.
Such a course of conduct “does not inspire confidence that management takes ethics and compliance issues seriously,” Cohen said.
One of the benefits compliance professionals bring is their “knowledge of how law enforcement and regulatory agencies value the genuine efforts undertaken by companies to generate a culture of integrity and respect for the law” and that they “care and give credit for those efforts,” Cohen said.
Topping this list is developing and implementing effective programs before problems arise, and when they inevitably are found, fixing the problem, making appropriate disclosures to investors and regulators, strengthening compliance and remediating any harm – before the regulators come knocking, Cohen said. Companies will still get credit for cooperating in the regulatory investigation and strengthening compliance after the fact as part of a settlement offer, but more reluctantly and not as much.
Moreover, “ignoring or merely paying lip service” to compliance principles creates distrust that can impede a settlement and can taint the company’s future interactions with regulators, Cohen said.
Cohen offered a message for compliance officers to take to senior management and the board: it is cheaper and better to frontload compliance than to offer to do so after violations have occurred, and even more so – much more so – after they have been discovered.
And it is much more likely that violations will be discovered because of the SEC’s more aggressive approach to enforcement and its outreach to employees and other whistleblowers for information on potential securities violations, Cohen added.
Cohen urged compliance officers to use their knowledge of a more vigorous regulatory environment that credits cooperation and remediation before violations are discovered to pry resources from the board before headlines make it too late to get as much benefit.
Cohen suggested sharing with the board the U.S. Sentencing Commission guidelines, the SEC’s framework for considering corporate cooperation, its use of tools such as deferred and non-prosecution agreements and declinations to prosecute, the November 2012 SEC-DoJ FCPA Resource Guide, and the declination to charge Morgan Stanley and Ralph Lauren for violations by rogue employees who subverted the companies’ otherwise effective programs.
These resources will show the board that a good, effective compliance program will make it more likely that violations are outliers, that charges will be reduced and even waived in appropriate circumstances, and that companies will get real credit for self-policing and reporting, Cohen said.
But the SEC can tell whether a program is just a paper tiger and will not be fooled by it, Cohen warned, saying, “Let me emphasize that it is deeds and not words that count most.”
The SEC’s August ban of a Colorado portfolio manager from the securities industry for five years for misleading and obstructing a chief compliance officer “should send a clear message to the securities industry that professionals have an obligation to adhere to compliance policies, and that the [SEC] will not tolerate interference with CCOs who enforce those policies, Cohen said.
And the SEC will hold directors as well as accountants and attorneys accountable for failing to satisfy their responsibilities, he added.
Red flags and green lights
The SEC is conducting several initiatives to ensure that firms have effective compliance programs before violations arise, Cohen said. These include examining investment advisers, especially newly registered advisers to private funds, to ensure that they have effective compliance programs and procedures – and bringing enforcement cases when they do not – and meeting with senior leaders, boards and compliance personnel to assess the firm or company’s culture of compliance and ethics.
“These assessments can factor into the level of risk the staff ascribes to a firm, which can affect how frequently they are examined. And, they do not hesitate to emphasize the importance of supporting these functions through enforcement if necessary,” Cohen said.
The examinations have helped the SEC identify markers of inadequate as well as effective programs, including:
- Pushing the envelope through excessive risk-taking as to the firm’s legal and ethical obligations, which “invariably leads to bad outcomes. Any company or person prepared to come close to the line when it comes to legal and ethical standards is already on dangerous ground.”
- “Overly technical” compliance that disparages or minimizes the importance of respecting the law and protecting the entity from reputational harm.
- A lack of skepticism, swallowing explanations that defy common sense, and failing to follow up on hunches until it is too late. “If someone explains something to you in a way that you don’t understand, don’t accept it.”
- A lack of empowerment that limits the access of the legal and compliance staff to the firm or company’s senior leadership.
- A weak governance structure, such as a lack of “a tone at the top built on actions rather than words,” that does not provide the compliance and ethics program with the resources, independence, standing and authority it needs to be effective. In making this assessment, the SEC will ask whether the chief ethics and compliance officer is a senior manager who has access to the board or its audit committee and has their support for his or her disciplinary recommendations and has a “clear, unambiguous mandate.”
- Culture and values that ask “not just ‘can we do this,’ but ‘should we do this?'”
- Measurable practices that encourage and reward – or discourage and punish – speaking up and doing the right thing.
- Effective processes for confidential reporting with strong deterrence against retaliation, thorough escalation and investigation, and consistent and fair discipline of potential violations to show that the entity is not just paying lip service to compliance and ethics. Cohen warned that a hot topic is when an entity that does not have a clear record of consistent discipline charges, for the first time, “a supposedly bad employee … after they blow the whistle.” Firms doing this should not expect the SEC to believe they have an effective program.
- Continual self-evaluation and improvement that focuses on emerging and evolving risks such as changes in business models, privacy and the use of social media. “Leading organizations ensure that they stay in front of these changes through a process of ongoing improvement that leverages new technology and best practices,” Cohen said.
It’s not just about keeping the regulators at bay, Cohen said.
Effective and proactive compliance and ethics programs provide direct economic benefits by helping the business manage all of its risks better. And when there is a problem, the sanctions will be less severe and more focused on future compliance than on past misconduct, he added.
(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus)