SEC’s Donohue: If I Were a Chief Compliance Officer
Andrew "Buddy" Donohue, now back at the SEC as chief of staff, has some sage advice to compliance professionals: the nine categories in which he would focus his time if he were a chief compliance officer. Given his history at the agency and his current role, it might be wise to pay attention.
Donohue’s return to the SEC was announced this past May. He left in 2011 after serving approximately five years as director of the Division of Investment Management. He was also responsible for compliance and legal functions at several large financial institutions, including Goldman Sachs, Merrill Lynch and Oppenheimer Funds, so he has some credentials to speak on the subject. He did so on October 14 at the National Regulatory Services 30th Annual Fall Investment Adviser and Broker-Dealer Compliance Conference.
At the conference, Donohue addressed a variety of compliance topics, including CCO fear of liability, how the SEC’s Office of Compliance Inspections and Examinations identifies risk, and the SEC’s use of data and technology to collect information.
Industry professionals took differing views on what Donohue had to say.
"CCOs and others involved in supporting the culture of compliance in investment advisory firms will want to pay careful attention to Donohue’s observations and guidance," said Sidley Austin partner Jonathan Miller. "He speaks not only with the authority of his current position as chief of staff, but also from long experience as a regulator and in the private sector of the investment management industry."
"It’s a tall order," said Investment Adviser Association president Karen Barr. "In a perfect world, this is what you would want. But it’s a lot to put on one human being, the chief compliance officer."
"The speech is a nice starting point for compliance professionals," said Mayer Brown partner Richard Rosenfeld. "The list of considerations Donohue offers is useful, but in the current atmosphere where ‘broken windows’ technical cases are an ever increasing part of the regulatory enforcement landscape, his final bullet, asking CCOs to learn what they don’t know, is increasingly the argument that securities regulators use to extract settlements from market participants."
"Regulators are increasingly bringing enforcement actions in cases where there is no knowledge or intent of wrongdoing," Rosenfeld said. "In these increasingly common cases, there is often, at most, a technical unintended misstep by a good, well-meaning market participant. The problem is not that inadvertent technical faults can never be violations, but rather that the enforcement climate has moved from addressing these issues through a telephone call to bringing the full weight of a public settlement down upon a market participant ‘for the good of the market.’"
What Donohue would do
"If I were a chief compliance officer, I would consider my role in terms of the following categories," Donohue told the attendees, adding that the list was "non-exhaustive," meaning that the categories listed are just some of the areas CCOs should address:
Laws, regulations and other requirements. "I would need to have first-hand knowledge of the various laws and regulations that apply to my firm and its activities as well as any particular conditions or requirements of exemptive orders or other compliance requirements," Donohue said. Included in this knowledge, he said, would have to be an understanding of the "interplay of the requirements of the various regulatory regimes applicable to the firm based on its business model and the jurisdictions in which the firm operates." Certainly it’s important for CCOs to know applicable domestic laws and regulations, said Barr, but it may not be realistic for them to know "the intricacies of foreign regulations in jurisdictions around the globe." The answer, she said, is for Donohue and others at the SEC to say that "you are allowed to rely on others," such as in-house counsel and external law firms. "It’s not a one-man or one-woman show."
Organization and operations of the firm. A deep understanding of the firm, its structure, and internal operations would be necessary, Donohue said. "I would also need to develop a working knowledge or roadmap of how the different areas of the firm interacted with, or were dependent upon, other areas of the firm." Finally, he said that a detailed knowledge of the supervisory structure of the firm would be "essential."
Conflicts of interest. "I would need to have a clear understanding of how the firm identifies all of the conflicts of interest that might exist; how frequently potential conflicts are reviewed; and, when conflicts are identified, how they are resolved and by whom," Donohue said. In a situation where resolution requires disclosure, he said, "I would want to understand who drafts the disclosure and how and when it is effectively communicated to clients/customers."
Clients of the firm. Donohue said that in order to effectively discharge his responsibilities, a detailed understanding of who the clients of the firm are and the products and services that are being provided to them would be necessary. "I would also need an understanding of the profitability of these products and services for the firm and the firm’s registered representatives" in order to conduct "a robust analysis of potential conflicts," he said. "Reviewing offering and sales materials and related documents on a regular basis would help inform this view."
Compliance and other systems. A deep understanding of the compliance and other technology platforms utilized by the firm and an appreciation of the implications they pose for developing and implementing a robust compliance program would be something to learn, Donohue said. "After all, you can develop great procedures, but they need to be able to be implemented within the constraints of the compliance and other systems of the firm. An understanding and appreciation for key dependencies of your program and of the firm is very important."
Policies and procedures. "I would need to have a detailed knowledge of the policies and procedures of the firm and an appreciation of how they are applied and monitored," he said. In addition, Donohue said he would also need to develop "an understanding of how they interacted with each other and the intended goal for each."
Markets and business practices. An understanding of the various markets in which the firm operates is something he would need to develop, Donohue said. Such an understanding would need to include any specific practices in those markets and areas that might raise concerns. "A detailed understanding of the types of investment products and strategies involved and their potential issues would also be essential," he said.
Culture of the firm. This is something that Donohue said he "would absolutely need to grasp. I would insist that the customer/client comes first and that the firm will endeavor to ‘do the right thing.’" CCOs, he said, instead of fostering a culture of "can I do this?" should want to develop a culture of "should I do this?" "The firm would also need to devote sufficient resources to compliance and empower the CCO to provide the proper stature to the compliance area and its critical mission," he said. Barr noted that while this goal is important, "the chief compliance officer alone cannot develop the culture. The entire ownership and management team must do so."
Learn what I don’t know. "It is very important that, as a CCO, I have an appreciation for what I don’t know or recognize when I am relying on the knowledge or expertise of others," Donohue said. "This involves constantly challenging yourself and your colleagues to identify potential risks." CCOs, he said, need to create an environment of open communication and freedom to ask the tough questions: "What is going on of which I am unaware? What aspects of the markets, financial products or strategies am I not well versed in? Where are there gaps in what I am covering, in my knowledge or in our programs?"
"Donohue’s speech emphasizes the importance of the CCO ensuring that the compliance function not be a silo within the firm," Miller said, "although it is, of course, at least as important that the CCO operate with the independence and authority necessary for a robust culture of compliance from the top down."
Donohue sought to calm CCO concerns that the SEC might hold them personally liable if they take a more proactive role in their compliance activities. "Some of you may be wondering whether this elevated role could expose you to increased personal liability. In my opinion, the answer to this question is no," he said.
Some of this concern came from action the Commission took earlier this year against three CCOs for not meeting Advisers Act Rule 206(4)-7, the Compliance Program Rule, which requires advisers to adopt and implement written compliance policies and procedures.
"Following these cases, there was a lot of discussion about whether the Commission was targeting CCOs," he said. "From my point of view, the Commission is not targeting – and has not targeted – compliance personnel." He quoted SEC chair Mary Jo White as saying that it is not the SEC’s intention to use its enforcement program to target compliance professionals and that the SEC does not bring cases based on second guessing compliance officers’ good faith judgments.
Nonetheless, he did note that White said that "being a CCO obviously does not provide immunity from liability," and that Division of Enforcement director Andrew Ceresney outlined three situations in which action may be taken against a CCO. These are when a CCO affirmatively participated in misconduct, helped mislead regulators, or had clear responsibility to implement compliance programs and policies and failed to do so.
That third condition – when a CCO failed to implement compliance programs and policies – raised a concern from Barr, who said that CCOs "are concerned that the SEC will look back in hindsight" after it finds some violations and blame the violations on a failure on the part of the CCO. "It’s one thing to say that the firm didn’t follow the policies and procedures. It’s another to turn it all on the chief compliance officer."