Lessons from 2015: investor-centered compliance takes center stage in U.S.

January 13, 2016

By Julie Dimauro, Regulatory Intelligence

The course of regulatory developments in the United States in 2015 showed a decided focus on investor protections, tracking illicit financial flows, protecting data and ensuring overall cyber security. Furthermore, there was continuing discussion of the independence and financial commitment firms must give to compliance leadership.

At this point in the new year, a look back at the challenges of 2015, lessons learned and accomplishments can give firms an opportunity to fine-tune their compliance program’s policies, procedures and controls.

Protecting investors

Enforcement cases last year underscored the importance that regulators and policymakers are placing on consumer protection. Firms need to base their compliance approaches on the premise of the need for good customer outcomes. They need to create in-house rulebooks that not only uphold the required customer protections in print, but also in practice.

In October, the Securities and Exchange Commission (SEC) fined the private equity firm Blackstone $39 million after three of its affiliates overcharged portfolio companies for consulting and monitoring fees when the companies were sold. For failing to disclose how and when the fees would be deducted, the firm had to pay $26.2 million of ill-gotten gains, plus prejudgment interest of $2.6 million and a $10 million civil penalty.

The case marked the fourth enforcement action the SEC had brought against private-equity companies over disclosure failures in the previous 12 months.

In August, the swap dealing unit of INTL FCStone Inc. reached a $200,000 settlement over civil charges that it failed to diligently supervise traders. The case represented the first enforcement action by the Commodity Futures Trading Commission (CFTC) over its rules imposing supervisory standards specifically applicable to swaps dealers.

Because the firm failed to use its own procedures for the supervision of swaps sales activities, or to create adequate policies to oversee its employees, FCStone’s traders engaged in unauthorized transactions in customer accounts without first getting verbal authorization.

In June, 36 municipal bond underwriters collectively paid about $9 million to settle civil charges over fraudulent offerings, as part of the first pact of its kind with U.S. regulators.

The SEC said the charges stemmed from a March 2014 invitation to brokers and bond issuers to voluntarily report their disclosure violations, such as material misstatements and omissions, in offering documents.

In exchange for self-reporting, issuers and underwriters were told they would receive favorable settlement terms. The 36 cases were the first under the program intended to increase transparency in a lightly regulated sector.

Among the firms charged were units of Bank of America Merrill Lynch, BNY Mellon, Goldman Sachs, Citigroup, JP Morgan, Royal Bank of Canada and Morgan Stanley.

A case settled by the SEC in March against Stilwell Value, a New York City-based investment adviser, and its owner offers lessons in mitigating conflicts of interest and providing adequate disclosure to investors. More strikingly, it underscores the point the agency is increasingly making these days and one that firms should heed: The lack of any money damages to investors in a case featuring a subpar compliance program is almost beside the point.

The Stilwell case demonstrates what the SEC will be targeting first and foremost – and that is the weak compliance program. The agency noted that it was not alleging significant damages in its case against the firm. The loans were all repaid.

The main violation in the SEC’s eyes was that the inter-fund loans were not sufficiently disclosed to investors, pointing to a dangerous deficiency in the compliance program and the potential for investor harm.

Anti-money laundering controls

At the end of the third quarter, the U.S. Treasury announced a proposal that would require certain investment advisers to adopt AML policies and procedures. The proposal was 12 years in the making and is more exhaustive than prior attempts, meriting close attention from investment advisers who are just considering the creation of an AML program or are already enforcing a voluntary one.

On December 1, the New York Department of Financial Services (NYDFS) proposed a new AML rule that would require state-chartered banks to tighten the transaction-monitoring systems they use to detect money laundering and terror finance. It would also require such institutions’ compliance officers to make an annual attestation as to the institution’s compliance with the requirements of this new regulation. There would be potential criminal penalties for the officer if the certification is “incorrect or false.”

Also in December, the Financial Action Task Force, the international body that sets anti-money laundering standards, announced that it plans to develop an up-to-date list of “indicators” of terror finance involving Islamic State and other groups, and it will discuss its findings in a February meeting with the private sector.

A key finding of the meeting was that more information must be shared among business and government entities as the world seeks to do a better job of keeping money out of the hands of Islamic State terrorists.

Anti-money laundering controls in a business cannot be pushed to the sidelines when it comes to appropriate funding and board attention. Although tighter controls cost money, the recent enforcement actions and regulatory proposals indicate an increasing focus on what companies have done to prevent or remediate any money laundering incidents.

Vulnerability on the part of businesses can lead not only to financial penalties but also to the poor customer outcomes that draw the ire of regulators and degrade corporate reputations.

Cyber resiliency

As the year ended, President Barack Obama signed legislation that would give companies that share data with the U.S. government for cyber security purposes more protection from consumer lawsuits. The measure was tucked into a massive federal spending bill. The measure amounted to Congress’s first major policy response to hacking attacks of the sort that have hit JPMorgan Chase, Target, and Sony Pictures, as well as several government agencies.

The proposal would widen protections from privacy lawsuits for companies that voluntarily share cyber-threat data with the government through the Department of Homeland Security. The data includes IP addresses and routing information that the bill’s backers say could be useful in spotting or blocking computer intrusions.

In February, the SEC released publications that address cyber security at brokerage and advisory firms and provide suggestions to investors on ways to protect their online investment accounts.

The publications, a Risk Alert containing observations based on examinations of more than 100 broker-dealers and investment advisers, and an Investor Bulletin offering tips to help investors safeguard their online investment accounts, provide market participants and investors with information on how to guard against cyber threats.

That same month, the Financial Industry Regulatory Authority (FINRA) announced that it was looking at the measures that brokerages are taking to protect their businesses and customers against cyber security threats, while the SEC recently examined 57 registered broker-dealers and 49 registered investment advisers to assess the same.

Hoping to provide some further comfort to consumers, the White House released draft legislation in late February that would give them more control over how the trail of data they leave behind them on the Internet is used, stored and sold.

The 24-page “discussion draft” on data privacy immediately sparked sharp reaction from the technology industry, which said the proposal would hurt innovation, and also from privacy advocacy groups that said it did not go far enough.

Obama also announced the creation of a new federal intelligence agency to coordinate the analysis of cyber-threats that has been dubbed the “Cyber Threat Integration Center.”

It is crucial for small financial firms to take proper cyber security measures to protect their customers, their firm, their partners and the markets in which they operate. This is not considered an optional cost center any longer. It is now a regulatory obligation rooted in requirements to take well-documented steps to prevent computer hacking and have a well-crafted plan for when hackers succeed.

Shoddy, outdated security policies will not be tolerated by regulators, shareholders or the investing public, nor will a firm’s lack of attentiveness to warnings of cyber attacks.

Role of the CCO

Deputy Attorney General Sally Quillian Yates in November announced revisions to the U.S. Attorneys’ Manual (USAM) designed to flesh out her earlier “Yates Memo” that pledged an increased emphasis on individual accountability for corporate wrongdoing.

One of the most important revisions is in how prosecutors value cooperation by firms. The revised Principles of Federal Prosecution of Business Organizations now state that a company seeking to receive any consideration for cooperation must identify all individuals involved in or responsible for the misconduct at issue, regardless of their position, status or seniority, and provide to the Department of Justice (DOJ) all facts relating to the misconduct.

Also in November, DOJ’s Fraud Section disclosed the hiring of Hui Chen, who most recently served as global head of anti-bribery and corruption at Standard Chartered, to fill the new role of in-house compliance counsel.

Chen would “offer insights on issues such as whether the compliance program truly is thoughtfully designed and sufficiently resourced to address the company’s compliance risks,” according to a November speech by Leslie Caldwell, Assistant Attorney General of the Justice Department’s Criminal Division.

There is a clear message underscored by this appointment and the revisions to the U.S. Attorneys’ Manual, as the DOJ and the financial industry regulators have been touting all year: Effective compliance has a big return on investment.

To build such a program, a compliance chief needs first-hand knowledge of applicable law and regulations and a deep understanding of the firm and its internal operations. This deep understanding depends on sufficient resources and clear support in the institution for the CCO’s role. The compliance chief must be regarded as the manager who marries institutional knowledge with evolving regulatory obligations.

The CCO must report to officers or directors of the firm regularly on the state of the firm’s compliance health and advocate for enhanced compliance resources as the business grows.

This is especially true early in the new year as firms set their calendars and start executing budgets, while looking to their CCO to prepare for the national regulators’ January lists of exam priorities.

(This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Jan. 5. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @RiskMgment)
