Vigilant compliance must be grounded by ethics

The following is an edited version of an Oct. 17 speech by Carlo V. di Florio, director of the Securities and Exchange Commission's Office of Compliance Inspections and Examinations, at the annual meeting of the National Society of Compliance Professionals in Baltimore
OCT 31, 2011
By  MFXFeeder
Today I would like to address two related topics that are growing in importance: the heightened role of ethics in an effective regulatory compliance program, and the role of both ethics and compliance in enterprise risk management. The views that I express here today are, of course, my own and do not necessarily reflect the views of the commission or of my colleagues on the staff of the commission.

In the course of discussing these two topics, I would like to explore with you the following propositions:

• Ethics are fundamental to the securities laws, and I believe ethical culture objectives should be central to an effective regulatory compliance program.
• Leading standards have recognized the centrality of ethics and have explicitly integrated ethics into the elements of effective compliance and enterprise risk management.
• Organizations are making meaningful changes to embrace this trend and implement leading practices to make their regulatory compliance and risk management programs more effective.

The debate about how law and ethics relate to each other traces all the way back to Plato and Aristotle. I am not the director of the Office of Legal Philosophy, so I won't try to contribute to the received wisdom of the ages on this enormous topic, except to say that for my purposes today, the question really boils down to staying true to both the spirit and the letter of the law. Framed this way, ethics are a topic of enormous significance to anyone whose job it is to seek to promote compliance with federal securities laws. At their core, federal securities laws were intended by Congress to be an exercise in applied ethics.
As the Supreme Court stated almost five decades ago, “[A] fundamental purpose, common to [the federal securities] statutes, was to substitute a philosophy of full disclosure for the philosophy of caveat emptor and thus to achieve a high standard of business ethics in the securities industry. It requires but little appreciation ... of what happened in this country during the 1920s and 1930s to realize how essential it is that the highest ethical standards prevail in every facet” of the securities industry. Of course, what has happened through the financial crisis, I believe, is yet another reminder of the fundamental need for stronger ethics, risk management and regulatory-compliance practices to prevail. Congress has responded once again, as it did after the Great Depression, with landmark legislation to raise the standards of business ethics in the banking and securities industries.

THE SEC FIDUCIARY-STANDARD STUDY

The manner in which federal securities laws are illuminated by ethical principles was well-illustrated by the study on investment advisers and broker-dealers that the commission staff submitted to Congress earlier this year, pursuant to Section 913 of the Dodd-Frank Act. As described in the 913 study, in some circumstances, the relationship is explicit, such as the requirement that each investment adviser that is registered with the commission or required to be registered with the commission must also adopt a written code of ethics. These ethical codes must address, among other things, a minimum standard of conduct for all supervised persons reflective of the adviser's and its supervised persons' fiduciary obligations. In other circumstances, an entire body of rules is based implicitly on ethical precepts. This is the case with the rules adopted and enforced by [the Financial Industry Regulatory Authority Inc.] and other self-regulatory organizations, which “are grounded in concepts of ethics, professionalism, fair dealing, and just and equitable principles of trade,” giving the SROs authority to reach conduct that may not rise to the level of fraud. This has empowered Finra and other SROs to, for example, not require proof of [previous knowledge] to establish a suitability obligation; to develop rules and guidance on fair prices, commissions and markups that takes into account that what may be “fair” (or reasonable) in one transaction could be “unfair” (or unreasonable) in another; and to require broker-dealers to engage in fair and balanced communications with the public, disclose conflicts of interest and to undertake a number of other duties. 
In addition to approving rules grounded on these precepts, the commission also has sustained various Finra disciplinary actions utilizing Finra's authority to enforce “just and equitable principles of trade,” even where the underlying activity did not involve securities, such as actions involving insurance, tax shelters, signature forgery, credit card fraud, fraudulent expense account reimbursement, etc.

'SHINGLE' MEANS FAIR DEALING

Other ethical precepts are derived from the anti-fraud provisions of the federal securities laws. The “shingle” theory, for example, holds that by virtue of engaging in the brokerage business, a broker-dealer implicitly represents to those with whom it transacts business that it will deal fairly with them. When a broker-dealer takes actions that are not fair to its customer, these must be disclosed to avoid making the implied representation of fairness misleading. A number of duties and conduct regulations have been articulated by the commission or by courts based on the shingle theory.

Another source by which ethical concepts are transposed onto federal securities laws is the concept of fiduciary duty. The Supreme Court has construed Section 206(1) and (2) of the Investment Advisers Act [of 1940] as establishing a federal fiduciary standard governing the conduct of advisers. This imposes on investment advisers “the affirmative duty of utmost good faith, and full and fair disclosure of all material facts,” as well as an affirmative obligation to “employ reasonable care to avoid misleading” clients and prospective clients.

As the 913 study stated: “Fundamental to the federal fiduciary standard are the duties of loyalty and care. The duty of loyalty requires an adviser to serve the best interests of its clients, which includes an obligation not to subordinate the clients' interests to its own. An adviser's duty of care requires it to ‘make a reasonable investigation to determine that it is not basing its recommendations on materially inaccurate or incomplete information.’ While broker-dealers are generally not subject to a fiduciary duty under federal securities laws, courts have imposed such a duty under certain circumstances, such as where a broker-dealer exercises discretion or control over customer assets, or has a relationship of trust and confidence with its customer.” The 913 study, of course, explores the principle of a uniform fiduciary standard.
Concepts such as fair dealing, good faith and suitability are dynamic and continue to arise in new contexts. For example, the Business Conduct Standards for Securities-Based Swap Dealers and Major Security-Based Swap Participants, required by Title VII of the Dodd-Frank Act and put out for comment last summer, include proposed elements such as:

• A requirement that communications with counterparties are made in a fair and balanced manner, based on principles of fair dealing and good faith.
• An obligation to disclose to a counterparty material information about the security-based swap, such as material risks, characteristics, incentives and conflicts of interest.
• A determination by securities-based swap dealers that any recommendations that they make regarding security-based swaps are suitable for their counterparties.

Of course, the Business Conduct Standards have not been finalized, but the requirements of Title VII requiring promulgation of these rules, as well as the content of the rules as proposed, illustrate that ethical concepts continue to be a touchstone for both Congress and the commission in developing and interpreting federal securities laws.

Ethics is not important merely because federal securities laws are grounded on ethical principles. Good ethics are also good business. Treating customers fairly and honestly helps build a firm's reputation and brand, while attracting the best employees and business partners. Conversely, creating the impression that ethical behavior is not important to a firm is incredibly damaging to its reputation and business prospects. This holds true equally for individuals, and there are plenty of enforcement cases that tell the story of highly talented and successful individuals who were punished because they violated their ethical and compliance responsibilities. Another way of saying this is that a corporate culture that reinforces ethical behavior is a key component of managing risk effectively across the enterprise.
As [the Committee of Sponsoring Organizations of the Treadway Commission] put it in articulating its well-established standards of internal control and enterprise risk management: “An entity's strategy and objectives, and the way they are implemented, are based on preferences, value judgments and management styles. Management's integrity and commitment to ethical values influence these preferences and judgments, which are translated into standards of behavior. Because an entity's good reputation is so valuable, the standards of behavior must go beyond compliance with the law. Managers of well-run enterprises increasingly have accepted the view that ethics pays and ethical behavior is good business.” In the wake of the financial crisis, enterprise risk management is a rapidly evolving discipline. Organizations such as COSO, the Ethics Resource Center, the Open Compliance & Ethics Group and the Ethics & Compliance Officer Association have developed detailed guidance, from the boardroom to business units and key risk, control and compliance departments, on implementation of effective enterprise risk management systems. Industry- and sector-specific guidance has flowed from these general standards. As COSO notes, integrity and ethical values are the pillars of an effective compliance culture. The effectiveness of enterprise risk management cannot rise above the integrity and ethical values of the people who create, administer and monitor entity activities. Integrity and ethical values are essential elements of an entity's internal environment, affecting the design, administration and monitoring of other enterprise risk management components. Nowhere should this be more true than in financial services firms today, which depend for their existence on public trust and confidence to a unique degree. Expectations are rising around the world for a stronger culture of ethical behavior at financial services firms of all types and sizes. 
As the Basel Committee on Banking Supervision recently stated: “A demonstrated corporate culture that supports and provides appropriate norms and incentives for professional and responsible behavior is an essential foundation of good governance. In this regard, the board should take the lead in establishing the ‘tone at the top’ and in setting professional standards and corporate values that promote integrity for itself, senior management and other employees.”

EFFECTIVE COMPLIANCE

In my first speech here at the SEC, I outlined 10 elements I believe make an effective compliance and ethics program. These elements reflect the compliance, ethics, and risk management standards and guidance, noted above. They also reflect the Federal Sentencing Guidelines, which were revised in 2004 to explicitly integrate ethics into the elements of an effective compliance and ethics program that would be considered as mitigating factors in determining criminal sentences for corporations. These elements include:

• Governance. This includes the board of directors' and senior management's setting a tone at the top and providing compliance and ethics programs with the necessary resources, independence, standing and authority to be effective.
• Culture and values. This includes leadership promoting integrity and ethical values in decision making across the organization, and requiring accountability.
• Incentives and rewards. This includes incorporating integrity and ethical values into performance management systems and compensation so the right behaviors are encouraged and rewarded, while inappropriate behaviors are firmly addressed.
• Risk management. This includes ensuring effective processes to identify, assess, mitigate and manage compliance and ethics risk across the organization.
• Policies and procedures. This includes establishing, maintaining and updating policies and procedures that are tailored to your business, your risks, your regulatory requirements and the conflicts of interest in your business model.
• Communication and training. This includes training that is tailored to your specific business, risk and regulatory requirements, and which is roles-based so that each critical partner in the compliance process understands his or her roles and responsibilities.
• Monitoring and reporting. This includes monitoring, testing and surveillance functions that assess the health of the system and report critical issues to management and the board.
• Escalation, investigation and discipline. This includes ensuring there are processes by which employees can raise concerns confidentially and anonymously, without fear of retaliation, and that matters are effectively investigated and resolved with fair and consistent discipline.
• Issues management. This includes ensuring that root cause analysis is done with respect to issues that are identified so effective remediation can occur in a timely manner.
• An ongoing improvement process. This includes ensuring the organization is proactively keeping pace with developments and leading practices as part of a commitment to a culture of ongoing improvement.

In addition to the effective practices above, the [SEC's national exam program] has also seen firms that have focused on enhancing regulatory compliance programs through effective integration of ethics principles and practices. These include renaming the function and titles to incorporate ethics explicitly, elevating the dialogue with senior management and the board, implementing core values and business principles to guide ethical decision making, integrating ethics into key leadership communications, and introducing surveys and other mechanisms to monitor the health of the culture and identify emerging risks and issues.

RISK GOVERNANCE

We can expand the discussion beyond compliance and ethics to address enterprise risk management and risk governance more broadly. These same program elements, and ethics considerations, are equally critical, but the scope of risks expands beyond regulatory risk to include market, credit and operational risk, among others. The roles and responsibilities also expand to include risk management, finance, internal audit, and other key risk and control functions.

Whether we're talking about compliance and ethics or we're talking about [enterprise risk management], it is important to clarify fundamental roles and responsibilities across the organization.

• The business is the first line of defense responsible for taking, managing and supervising risk effectively and in accordance with the risk appetite and tolerances set by the board and senior management.
• Key support functions, such as compliance and ethics or risk management, are the second line of defense. They need to have adequate resources, independence, standing and authority to implement effective programs and objectively monitor and escalate risk issues.
• Internal audit is the third line of defense and is responsible for providing independent verification and assurance that controls are in place and operating effectively.
• Senior management is responsible for reinforcing the tone at the top, driving a culture of compliance and ethics, and ensuring effective implementation of enterprise risk management in key business processes, including strategic planning, capital allocation, performance management and compensation incentives.
• The board of directors is responsible for setting the tone at the top, overseeing management and ensuring that risk management, regulatory, compliance and ethics obligations are met.
While compliance and ethics officers play a key role in supporting effective ERM, risk managers in areas such as investment risk, market risk, credit risk, operational risk, funding risk and liquidity risk also play an important role. As noted above, the board, senior management, other risk and control functions, the business units and internal audit also play a critical role in ERM. Understanding and managing the inter-relationship among risks is a central tenet of effective ERM. One needs only to reflect on the financial crisis to understand how the aggregation and interrelationship of risks across various risk categories and market participants created the perfect storm. As I discussed earlier, there is an ethical component to many federal securities laws. When the [national exam program] staff examines, for example, an investment adviser's adherence to its fiduciary obligations, or a broker-dealer's effective development, maintenance and testing of its compliance program, our examiners are looking at how well firms are meeting both the letter and spirit of these obligations. In addition, our examiners certainly examine specific requirements for ethical processes, such as business conduct standards.

EXAMINATION PROGRAM

There is another way in which the ethical environment within a firm matters to us. As you know, our examination program has greatly increased its emphasis on risk-based examinations. How we perceive a registrant's culture of compliance and ethics informs our view of the risks posed by particular entities. In this regard, we have begun meeting boards of directors, chief executives and senior management to share perspectives on the key risks facing the firm, how those risks are being managed and the effectiveness of key risk management, compliance, ethics and control functions. It provides us an opportunity to emphasize the critical importance of compliance, ethics, risk management and other key control functions, and our expectation that these functions have sufficient resources, independence, standing and authority to be effective in their roles. These dialogues also provide us an opportunity to assess the tone at the top that is shaping the culture of compliance, ethics and risk management in the firm. If we believe that a firm tolerates a nonchalant attitude toward compliance, ethics and risk management, we will factor that into our analysis of which registrants to examine, what issues to focus on, and how deep to go in executing our examinations. Finally, I would end by sharing with you that we are also embracing these leading practices. We recently created our own program around compliance and ethics. For the first time, we have a dedicated team focused on strengthening and monitoring how effectively we adhere to our own examination standards. We are in the process of finalizing our first exam manual, in which we set forth all of our key policies and standards. We also have established a senior management committee with oversight responsibility for compliance, ethics and internal control. We have recruited individuals with expertise and established a senior-management-oversight committee here as well. 
In short, we are also committing ourselves to a culture of ongoing improvement and leading practices.
