Ameritrade CCO Shares Compliance Tips
Thereís nothing like hearing from someone in the trenches.
Ameritradeís CCO, Tracy DeWald, spoke September 21 at the "Legal and Regulatory Compliance in Information Management Forum," jointly sponsored by IDC and Kahn Consulting. Although his remarks were geared towards companies that are new to dealing with compliance issues, he offered a number of practical tips that even the most experienced advisory firm CCOs may find helpful:
Add plaintiffsí lawyers to your list of regulators. If you think you are only regulated by the regulators, think again. When evaluating risks, DeWald said that in addition to considering "what the SEC is going to say," he asks "whatís the plaintiffís lawyer going to say?" How would a plaintiffís lawyer look "at this process, this policy, how Iím doing my business?"
Involve senior management. Yeah, yeah, youíve heard it before. But how do you know if youíve got someone "senior" enough? DeWaldís handy rule of thumb: "You need to have somebody who has been invited to the CEOís Christmas party." He noted that people within organizations "really donít like compliance projects" (particularly if the company is new to compliance and senior management does not yet appreciate its significance) and therefore it is imperative that CCOs get somebody important on board. "If you are trying to drive change and youíre not that person, or you donít have the support of that person, youíll absolutely fail," he warned.
Talk like a business person. Frustrated by seeing your revenue-generating business counterparts get the resources they need at the drop of a hat, while you always seem to have to scrape? DeWaldís advice: "Market yourself!" If you go meekly go into a meeting with your hand out, tentatively asking for new resources or support because "the government says so," he said, "youíll get a little piece of something, but youíre not going to get the whole banana of what you need." Instead, DeWald urged legal and compliance to "play the game" and make a case for the business benefits that will flow from the new compliance initiative. For example, he said that at a former employer he determined that manually checking names against OFACís (Office of Foreign Assets Control) compliance took 15 seconds per new account. However, his firm opened an average of 10,000 accounts a month. He presented the choices as follows: the firm could purchase OFAC software for $25,000, or spend the equivalent of over a million hours in full-time equivalents to accomplish the same result. "Show them what youíre saving," he said. "Show them the value that you are providing for the company." Another example: when explaining the new customer identification program requirement for broker-dealers, DeWald pitched it as "We are now going to verify the identities of everybody who is going to do business with us! Think of the fraud weíre going to prevent!" He urged compliance officers to take the same approach that business people do when requesting new resources: "Have a plan" before you go to senior management. Compliance officers, he suggested, could team up with a business person who has experience putting together a presentation with ROIs and "all these matrices and things because they do it all the time." The key: "Have numbers, justify what you want to do."
Hire the right staff and give them responsibility. Even though DeWald is a lawyer, and some of his best friends are lawyers, heís not necessarily going to let one run a compliance project. "If you let a lawyer drive the boat, itís going to sink," he said. In contrast, DeWald said he loves to hire people with technology and project management backgrounds for compliance-related positions. Those folks "know how to do a process and get things done." Offline, DeWald explained that while lawyers have the legal background to help draft and formulate procedures, itís a good idea to have someone with a deep understanding of the inner workings of the business manage the implementation of a compliance project. DeWald added that he liked to staff his group in a way that when each person wakes up in the morning, "somethingís their responsibility." CCOs, he said, canít be responsible for everything. Give your staff "enough authority so that itís their headache," and "they know that itís up to them."
Stick your nose under every tent. DeWald urged CCOs to attend or send staff to planning meetings. If not, he warned, "youíre going to miss something." He said that he has two people on his staff whose full-time job is to serve as project liaisons. "They go to every project in the company" and spot issues "like a law student during an exam" and bring them back to compliance. One way or another, "you have to be at that table," he said. "Make sure that records, compliance, and law are part of every project. Nobody works in a vacuum anymore. Weíre all impacted by these laws . . . .You have to be your own camel and stick your nose under every tent."
Itís okay to ask for help. "Sometimes you donít know what you donít know," DeWald said. Vendors and other service providers can "give you some good ideas" and help you "think about things you havenít thought of before."
Keep your procedures reasonable. When it comes to drafting procedures, remember the old saying that "the perfect is the enemy of the good." DeWald said that a colleague recently showed him a 40-page records management policy drafted by a major law firm. "It was ridiculous," he said. If his firm would have had to implement the policy, he said, "we would have had to hire twenty people and the business people would kill us." His advice: keep it simple. "If I try to be perfect, Iím going to have some problems," he said. Stick to the tried-and-true, rather than complicating what could be a simple policy with extras that confuse and distract people with the real task at hand, he explained.
Develop processes. Build a database or develop a management process so that "you donít have to rely on somebodyís memory or their in-box to document that you have a process." One example: he said that his former company, an insurance firm, was affected by a "thousand" new laws a year. He said he developed a simple, LotusNotesô database tool to communicate the new laws to the affected staff. Basically, they identified employees in each of the business areas to receive the laws. When a new law was identified, DeWald prepared a brief summary, and would push out the new law and the summary with a message that said, in effect, "you need to read this because we think this new law affects your area." The person would then be asked to asked to click on one of the following responses: either they already were compliant, were not affected, or needed to develop a compliance plan. If they checked that last option, "the system kept bugging them" until they indicated that they had done so. If they indicated that they had to make changes, they had to attach a copy of their changed procedures.
The goal, said DeWald, was that at end of the day when an examiner walked in and asked "whatís your process?" the firm could say, "hereís the process we built." His firm could demonstrate the law being pushed out to the appropriate areas, that employees had read it and acknowledged receipt, and, where required, had made changes in their policies and procedures. And, added DeWald, "itís all kept in a database."
He urged compliance officers to adopt practical approaches to compliance issues. "This is not rocket science," he said. "Weíre not splitting the atom here." When the SEC comes in and says, "show me that you did it," he added, "itís not enough that you did the right thing, you have to demonstrate that you did the right thing."
Maximize your use of technology. But when making purchasing decisions, be careful of the one-trick pony, DeWald warned. If you buy one piece that does one thing, in four or five years "you may end up with fourteen different ones." Instead, try to find a vendor solution that is flexible and gives you the ability to adapt to changes.
And lastly . . . Hereís an anecdote that may ring true for many of you: DeWald noted that he has been in the securities industry for almost 20 years. When he first started, he was amazed at the amount of new regulation that seemed to be piling up. "I canít believe the amount of regulation weíve had in the past three years!" he recalled saying. "Itís unbelievable!"
Since then, heís found that every three years or so he makes the same statement: "Can you believe the amount of regulation weíve had in the past three years?! This is unbelievable!"