Putting the Teeth in Your Compliance Program
That, of course, is the phrase coined by OCIE officials to describe the process of looking back at systematic trends to determine whether a particular compliance policy or procedure is effective.
The phrase has always made IM Insight think of a rubber-gloved law enforcement official carefully tweezing a strand of hair off a crime scene.
Apparently, we’re not alone.
"We all understand what forensic testing means from TV, where they find a body and they find the teeth, and by examination of the teeth, they can identify the body," said Kenneth Rathgeber, CCO of Fidelity Mutual Funds, at last month’s SIA mutual fund conference. That, he said, is a pretty good analogy for what goes on in forensic testing. Instead of teeth, he explained, "we find a transaction." Looking backward, "we can help identify what they should have done, what the rule was, and find out if in fact we had policies and procedures in effect."
Rathgeber’s co-panelist, Oppenheimer Funds general counsel Robert Zack, asked him whether, in his forensic testing, he had ever found any bodies.
"We found a lot of teeth," quipped Rathgeber.
On a serious note, Zack pointed out that the SEC’s compliance program rule does not contain a definition of forensic testing. "We’re all struggling in the industry to put some ‘teeth’ into our understanding of what that possibly can mean." He noted that forensic testing has been defined as collecting data points over a period of time and analyzing them in order to evaluate the firm’s activities.
Zack agreed that "data is good" and that many large shops are moving towards using sophisticated computer systems to test and evaluate collected data. But, he added, the data also has to be evaluated, by humans, not machines, to see if patterns emerge. "It’s not just collection of data fed into the computer and out pops a violation report, all the time," he said. For example, he said that his firm looks at personal trading within restricted blackout periods, but also looks outside the specific limits to see if any employees appear to be "gaming the system" by waiting a day or so before or after the blackout period to make their trades. "We do look at standards that go beyond just what the data points would be that appear in the system," he said.
To spot trends, firms need to have compliance personnel who are able to exercise judgement and "not merely apply cut-and-dry standards to compliance reviews," Zack added. If not, he warned, "you are possibly going to miss those types of trends or out-of-the-ordinary transactions that perhaps [looking only at] computer data points would not reveal."