On January 31, the SEC held an all-day conference to deliver a clear message: CEOs and senior management will be held responsible for creating, managing, and maintaining an effective control environment. The SEC called for business and control functions to work together and to interact effectively. Collaboration was a central theme of the conference. Speakers stressed the need for senior management to build a robust governance program that addresses all the risks within their organisation in a repeatable manner. The ability and willingness to escalate critical issues in a timely fashion was highlighted, as was the role of internal audit. The SEC also discussed the role senior management and directors must play in driving processes, a critical assessment of strategy, and an evaluation of business units on overall performance (not just financial results).
This is consistent with the changing expectations of regulators worldwide. In a recent Cayman Islands development, the liquidators of a fund brought a case against the fund’s independent directors for willful neglect of their duties. This was the first time a Cayman Islands court held directors personally liable for the losses of a fund. Additionally, the U.K. Financial Services Authority (“FSA”) recently fined a senior manager at UBS AG for failing to prevent unauthorised trading at the bank’s wealth-management unit in London. In court filings, the FSA alleged that the manager failed “to carry out an adequate initial assessment,” and to monitor business processes. If he had done so, he “would have identified serious flaws in the design and operational effectiveness” of his firm’s governance and risk management framework.
These actions send an unambiguous message. As a manager, you must focus your team on doing the right thing both for the firm and for your clients. You can demonstrate the importance of enterprise risk management by honestly assessing the risks facing your firm and evaluating whether its business processes are sufficiently robust to protect you, your firm, and your investors. You may believe it is more difficult to evaluate the effectiveness of your firm’s compliance and other risk management initiatives. After all, laws and regulations can be technical, complex, and dense. What if you do not have direct expertise on these fronts?
A short set of questions that can help you make this assessment can be found close to the end of this article. These questions will clearly highlight those areas that warrant additional emphasis on compliance, risk, and governance.
For those who want to know why this exercise is important, we answer the following two questions below:
1. How is the current regulatory landscape changing?
2. Without being a legal expert, how do I know if I’ve done enough and that my compliance program is effective?
Even before the SEC held its program on Tuesday, the regulatory landscape was changing to hold senior management accountable for business governance and compliance oversights. In the U.S., the level of regulatory activity is partially motivated by the immense public pressure the SEC received in response to the Madoff scheme and the “flash crash” of 2010. The CFTC also faced major scrutiny during Congressional hearings on the collapse of MF Global and its missing customer funds. The court of public opinion and the U.S. Congress continue to put an unprecedented level of pressure on regulators.
Are you familiar with the following regulatory developments?
1. A more robust SEC. In 2010, the U.S. SEC’s enforcement division created five new units dedicated to the following areas: (1) asset management and mutual funds, (2) illegal trading and other market abuses, (3) structured and new products, (4) foreign corrupt practices, and (5) municipal securities and public pensions. These units provided the staff with much-needed specialised knowledge and expertise. You do not want their attention directed at you. Moreover, a substantial portion of the SEC’s January compliance outreach program was dedicated to the need for trading and operations staff to fully understand legal requirements and to internalize their obligations thereunder.
2. Focus on investment advisers. A former assistant director of the SEC’s asset management unit recently warned “[t]he world is about to change for investment advisers.” Last year, the SEC filed a single-year record of 146 enforcement actions against investment advisers and investment companies (a 30% increase from 2010). In some of these cases, the SEC ordered the dissolution of the firms for blatantly failing to remedy compliance deficiencies that examiners had previously warned about. During the January program, the SEC mentioned three specific cases: one involving a Ponzi scheme, one focused on valuations, and the third involving the failure of a firm’s escalation process. In the third case, the firm’s business unit was so forceful and influential that it prevented the firm from appropriately addressing a problem with a trading algorithm.
Admittedly, these fact patterns are extreme; do not let that lull you into a false sense of security. Regulators frequently start with egregious situations and move to less obvious ones. Last year’s activities are a clear indication that the SEC is serious about examinations and the remediation of compliance deficiencies.
3. More onerous penalties. Mary Schapiro, the SEC’s chairman, has proposed legislation to increase the penalties for violations of the securities laws, noting that the Commission’s statutory authority to obtain civil money penalties “with appropriate deterrent effect” is limited in many circumstances. She would increase the statutory limits on civil money penalties, more closely link the size of the penalties to the harm faced by investors, and substantially raise the stakes for recidivists. Specifically, she proposed increasing the penalties for the most egregious conduct to $1 million per violation for an individual and $10 million per violation for an entity, and allowing penalties equal to three times the amount of pecuniary gain in certain instances.
There is precedent for this in the U.S. In 1989, following the failure of savings banks throughout the U.S., Congress passed the Financial Institutions Reform, Recovery and Enforcement Act (“FIRREA”). This granted the FDIC the power to charge bank board members, employees, and consultants with civil money penalties ranging up to $1 million per day for reckless or willful violations of law. Additionally, the ability of such individuals to benefit from coverage under indemnification and insurance policies was limited in certain situations. It is not clear whether Congress will choose to go down this path, but it cannot be ruled out, especially if more incidents like MF Global should occur.
While the SEC does not currently possess the same draconian powers that the bank regulators have under FIRREA, it does have the authority to bring actions against management for failures to supervise under Rule 204A of the Investment Advisers Act of 1940. Any officer can be the target of an enforcement action. Last year, the SEC charged more than 80 individuals and entities — nearly half of whom were CEOs, CFOs, and other senior management — with wrongdoing in the financial crisis.
In the face of this changing environment, as noted above, it’s important for you to determine that your compliance program is adequate to protect you and your firm. Honestly answering the following questions is the first step in making this assessment.
The above questions are designed to identify factors that are important to an effective and robust compliance program.
1. Culture of Compliance. Every firm has a different approach to compliance. As every compliance officer knows, a firm’s culture can support compliance efforts, or, at its worst, can render compliance efforts virtually meaningless. The SEC emphasised the importance of a culture of compliance repeatedly during its January outreach program. Staff and other program speakers noted several times that the true test of a culture of compliance is not with the support staff – it is whether there is meaningful buy-in from profit centres and investment personnel. For this to occur, business personnel must understand that doing the right thing is important to senior management. They must respect the compliance personnel, and the compliance personnel must feel empowered to speak up, even when profits are at stake.
2. Organizational Structure. An appropriate organizational structure provides for proper processes to address compliance deficiencies. While not every regulatory regime requires the chief compliance officer to have direct access to the governing body, it is specifically required in the U.S. Federal Sentencing Guidelines. Likewise, an organisation needs to make an effort to determine which laws apply to it. Without such an effort, an adviser cannot know whether it is operating in compliance with legal requirements. Conducting a risk assessment initially and updating it periodically allows the firm to develop procedures tailored to its organisation. Once the firm has implemented a system for complying, it must have a method for keeping up-to-date on new or changing rules and regulations so that senior management can consider the implications for the organisation. Lastly, an effective framework must be established to coordinate the work throughout the firm, reinforce the message and facilitate escalation of issues – particularly in those instances where business and control groups may have differing viewpoints.
3. Compliance Manual. Sometimes managers think that it is enough if their firm has a compliance manual. Many times these manuals, if for a US-based adviser, focus only on Advisers Act rules and regulations, without trying to provide a broader viewpoint on the key risks facing the firm. Simply having a compliance manual is not the “be all, end all.” Many firms have compliance manuals, but they are esoteric, outdated, and ignored. Furthermore, an off-the-shelf compliance manual that is not customised to the business is insufficient. When examining the effectiveness of the firm’s compliance manual, it is important to check whether it is meaningful to the business and actually followed by staff. It is a key building block to an overall enterprise-wide governance program.
In short, an effective compliance program can be an effective shield. It can help avoid reputational damage at a time when investors have become increasingly critical. Institutional investors and their consultants expect, value, and embrace the protections such a program offers. Moreover, as noted above, the existence of a robust compliance program can help a firm avoid prosecution. Or, if the worst should occur, it can mitigate the seriousness of fines and penalties imposed. A criminal charge could easily end a manager’s career. But even at a more pragmatic level, insurance policies and indemnification provisions may have limits or exclusions that are triggered by legal and regulatory missteps.
It is crucial to understand that regulators and investors are looking for an understanding of the key risks, an awareness of the law and a willingness to comply with legal requirements. This is most easily demonstrated by implementing and testing robust, repeatable, and documented processes within your organisation. While this is a challenging endeavour, building a governance infrastructure now will serve your firm well by providing confidence to investors, enhancing regulatory relations, and creating a foundation for future growth.