Compliance Empowered By New Rule, Says Walsh
Compliance has changed for the better.
That was the theme of a speech delivered by John Walsh, chief counsel of the SEC’s Office of Compliance Inspections and Examinations, at last week’s NRS conference.
Walsh began by acknowledging that there is more pressure on compliance officers than ever before. "Frankly, I think, the stakes are higher," he said. Because compliance professionals are "in the center of the action," they are "feeling the heat." Walsh reported that he’s heard from many compliance professionals who are feeling overwhelmed. And, he added, it’s not just in-house folks who are feeling stretched. He said he’s heard from SEC and SRO regulators, as well as outside lawyers, who are struggling with the pace. "The only people today who seem really happy are consultants," he said.
But in Walsh’s view, these tough times may, in retrospect, turn out to be the gold old days. "Someday we are going to look back on this period as the most exciting period in our careers," he said. "We are taking steps today that are fundamentally changing our profession. Because of the things we have done and are doing in 2004, compliance will be very different in 2005 and going into the future."
The changes he was referring to, he explained, aren’t the many substantive rules that have come down the pike. Instead, he said, he was referring to the basic change in the way the compliance function operates, "the way compliance conducts its business." He gave three examples.
First, he said, the new compliance program rules have given compliance a more formal institutional structure. The new framework, he said, will enable firms to deal with new challenges in the future. Moreover, he added, the structure imposed by the new rules "codifies" the status of compliance officers in the securities business.
Second, the changes make compliance officers more powerful. He was quick to clarify that he was not referring to supervisory power, but rather the power to be heard within the organization. "People frequently underestimate how important this power is," he said. "In every organization, there is the natural phenomena that good news tends to travel up, and bad news tend to travel down." Compliance officers, who are often "first responders" to a problem, "may have to reach high up into the organization to get the problem fixed." In doing so, he said, they are "moving against the natural flow." Because people "don’t like bad news traveling up," compliance officers traditionally have been challenged when attempting to surface issues. Some, he said, even have faced actual obstruction (in those instances, he said, "reaching up" actually involves "reaching around" someone with a lot of power within the organization). Walsh explained that the new framework is designed to address this by requiring the CCO to have sufficient stature and access. Moreover, the rules contain safeguards so that the CCO cannot be silenced, and impose various reporting requirements. As a result, he said, "compliance cannot be silenced in the lower reaches of the organization."
On that note, he shared a tip for compliance officers: get senior management to sign off on escalation procedures in advance, so that when a problem does arise, CCOs have a clear roadmap of steps to take to raise the issue up within the organization.
Third, Walsh pointed to the annual review as a new tool that compliance professionals can use to accomplish project goals. The annual review, he said, "is going to be a pretty substantial review." Although he acknowledged that it presents a new obligation, he predicted that eventually, "most compliance professionals will view this . . . as one of their most powerful tools." It will give compliance officers the opportunity to regularly revisit their programs, stay current on new business and regulatory developments, and help set a schedule for resolving lingering issues and completing capital projects, he said. At some point in the future, many compliance officers may find themselves saying, "We’ve got do ‘X’ and we’ve got to wrap it up now because I’m about to have my meeting with the CEO or the board. . . . and I don’t want this lingering while that’s going on." He encouraged compliance officers to think along those lines: "Using the self-assessment that way is a very appropriate use of the new rule."
Walsh also noted that compliance was fundamentally changing within the SEC. As part of the SEC’s new risk assessment program, he said, each SEC examiner was asked to identify risks that they had spotted in the field, as well as those that "kept them awake at night." The operating theory: "Every risk that was spotted by an examiner anywhere should be factored into the inspection program." Risks that came up multiple times in different parts of the country were categorized as "national risks." Risks that came up only a few times were identified as emerging risks. The goal, said Walsh, is not just finding problems. "It’s finding them and fixing them soon enough so that people are not hurt." In some instances, after taking a closer look at a risk, OCIE concluded that it was not, in fact, a risk, and closed out the issue.
Walsh highlighted a number of focus areas in examinations, primarily on the broker-dealer side:
Broker-dealer soft dollar practices.
Brokerage commissions paid by index funds. ("Are index funds paying up to obtain research and if so, what do they need it for?" asked Walsh. He said that OCIE is working "very carefully" with other SEC offices on this point, in particular, the agency’s Office of Economic Analysis.)
Sarbanes-Oxley Section 404 compliance.
Sales of 529 plans to out-of-state residents.
Mortgage financing for securities purchases.
He also touched on the different types of exams that OCIE is currently conducting:
Internal control reviews;
Wall-to-wall fund reviews ("which is relatively new, where we pick out a fund and comprehensively review every aspect of it regardless of the risk assessment. This serves to validate the assumptions that the fund is building into its own internal control system.")
Safeguarding reviews, which generally require an extended period of time to complete.
What about so-called "scorecard" reviews? Walsh said that components of those reviews are being incorporated in other reviews, and said that OCIE was not "undoing" scorecard reviews.
Walsh also said that OCIE was working to ensure that mini-sweeps (which he referred to as "risk-coordinated reviews") are fully coordinated. He noted that a number of different regional offices have been conducting sweeps and using different document request lists that ask for overlapping information. "We’re working really hard to make sure that that does not happen [and] that these reviews are being coordinated. I want to thank the people in the industry who let us know that this issue needed more attention."
Along the same vein, Walsh emphasized the staff’s willingness to hear from registrants. "We are very open to hearing from you," he said. He acknowledged that people in the industry are sometimes reluctant to contact the staff to provide suggestions or lodge complaints, but added that "we really want to hear from you." After giving out his direct phone number, he urged attendees to "pick up the phone" and give him a call. "We will not hold it against you. In fact, just the opposite: if there’s an issue, we should know about it."
In conclusion, he urged compliance officers, once the "dust settles" and they have a "moment of tranquility," to reflect back on the changes of the past year. "If all of these developments work out the way they are supposed to," said Walsh, "then I think the hectic period we are passing through right now will have been well worthwhile."