The SEC’s CCOutreach National Seminar: Two Thumbs Up
As conferences go, the SECís CCOutreach National Seminar was quite good.
And you couldnít beat the price.
While some CCOs complained that the November 8 program was "too basic," or that the SEC staff simply got up and "preached" without presenting any new information, most of the CCOs who attended seemed to appreciate the SECís efforts. "The pluses clearly outweighed the minuses," said one attendee. He described the program as "valuable" and worth his time to attend. "The mix between industry speakers and regulators and between large and small firms was particularly useful," he said. Other attendees similarly praised the event, with several noting that the first two panels were especially helpful.
There were less tangible benefits, as well: One CCO said that his attendance would be viewed favorably by his firmís senior management (and, he claimed, by the SEC). It also seemed to be a terrific networking opportunity: with no vendors or refreshments to distract them, and knowing that everyone shared the same job title, attendees appeared especially eager to engage in conversations during the breaks. (A demographic note: the audience of 500-plus CCOs was overwhelmingly male, in contrast to the usual 50/50 gender split seen at industry compliance conferences.)
If you missed it, you can catch another CCOutreach event at a city near you. The SEC will begin a new round of CCOutreach regional seminars this spring.
While CCOs generally praised the National Seminar, some complained that OCIEís Washington, D.C. staff had not done enough to carry the CCOutreach "kinder and gentler" message out to the SECís regional offices. One CCO reported that after the program, "people were saying that despite what they are hearing from the Washington office, things are not changing." The CCOs discussed instances where regional examiners have continued to make burdensome exam requests, and have not shown flexibility, the CCO said. "People were very frustrated because they feel like the home office is not communicating" with the regional staff.
Kevin Goodman, the assistant regional director of the SECís Pacific Regional Office, has clearly gotten the message. His presentation, which focused on the staffís perspective when conducting exams, was the best example of "reaching out" during the entire National Seminar:
"We have to have a healthy degree of skepticism," Goodman began. "We have to come in and we have to ask tough questions. We have to ask for a lot of documents. We canít separate out the 99 percent of all of you that are honest and running a great shop from the one percent that might be doing something really bad and nefarious. If we come in and we just interview you and accept all of your answers and donít follow up, we wouldnít really be doing our job. I would like all of you to accept that, if you can, as a reality of how we must do business."
When examiners ask tough questions, said Goodman, CCOs should try not to view them as being confrontational. Similarly, CCOs should not assume that examiners are not trusting the CCO personally when they ask for documents or ask the same question another way. "We are simply trying to fulfill a very tough job," he said. Examiners have to come in with minimal knowledge about a firm and very quickly get up to speed about a firmís operations, risks, and compliance program, he explained. "Itís very difficult to do that and be as accommodating as we would like to be at times."
Goodman acknowledged that the SECís exam request list is "daunting." He said that examiners will try to work with registrants, to the extent possible, to minimize the burdens imposed by the list. His office encourages examiners, when they call firms to inform them that they have been scheduled for an exam, to invite feedback on the request list. "I think itís important that you all are free to give feedback to us," he said. "We welcome the conversation."
When a firm asserts that a particular item is overly burdensome, he said, the staff will try to accommodate the firm, if possible. "We canít promise you that weíll simply strike something from the request list because itís a burden," said Goodman, noting that the item may be very important given the scope of the particular exam. However, he said, "if we have a dialogue," there may be a way to work around the issue. "Maybe thereís something else that you can prepare much more easily" that would meet the examinersí information needs, he said.
Goodman noted that many CCOs have wondered why the staff canít be more flexible when scheduling exams. Once the staff has called a firm to announce an exam, he explained, "itís really almost impossible for us in most circumstances" to reschedule it. "We have to use our resources very efficiently. Usually by the time weíve called you, weíve done some advance preparation," such as assembling a team of examiners and blocking off their schedules. Moreover, as a matter of audit procedure, "itís a dangerous thing for us to call firms and announce that we are going to do an exam and then put it off for an extended period of time." If the CCO was on vacation, he added, "we would look at the circumstances," noting that it is more likely that the staff would reschedule an exam with a smaller firm, where all of the key people are out of town. On the other hand, if the firm doesnít want the SEC to visit because it has other auditors in at the same time, "thatís not a very compelling reason."
Goodman said that the staff tries to provide as much notice as it thinks the firm reasonably will need to put requested documents together, without providing enough time for a firm to revamp all of its compliance procedures. "All else being equal, a larger firm will get more notice than a smaller firm," he said. Goodman noted that the less notice the staff provides, the less prepared a firm is going to be. "Itís not fair for us to call you on Thursday afternoon and tell you weíre going to be there on Monday, and expect you to have everything waiting for us, all buttoned down," he said.
Other interesting discussions at the CCOutreach National Seminar:
Examiners will be assessing CCOsí knowledge and competency. SEC examiners will probe whether the CCO is knowledgeable, competent, and empowered, and whether he or she has sufficient resources.
But they will be gentle.
OCIE associate director Gene Gohlke said that examiners will test the CCOís knowledge and empowerment, but will "try to do that generally with a light touch." Instead of asking CCOs formally, in writing, about their abilities or their view of the resources available to them, examiners will to try to obtain information about the CCO from discussions with the CCO and firm management, and from reviews of documents that are already in existence, such as fund board minutes, budget documents, and organizational charts.
Interestingly, James Davis, director of global compliance for Franklin Templeton Investments, suggested that examiners shouldnít try to assess a fund CCOís competency. Itís "a little bit of a waste of the staffís time," he said, since the fund board is responsible for determining who should be the fundís CCO. "It seems to me that if they made a decision that this person, whoever that person might be, is qualified to be the fundís CCO, I donít see the value added by the SEC reviewing that process," he said.
However, Brandywine Asset Management CCO Aaron DeAngelis noted that in the case of smaller advisers, the firmís office manager might have been tapped to be the CCO. With those advisers, he said, the SEC "is within their means" to assess the CCO.
Gohlke said that examiners use a risk-based approach to reviewing the CCO. In larger fund groups, he noted, the CCO may have been in place for years, and may even be known to the SEC exam staff. In those instances, examinersí oversight of such a CCO will be minimal. "On the other hand," added Gohlke, "we have maybe 4,000 [or] 5,000 advisers with five or fewer people." He indicated that CCOs at those firms may receive greater oversight from examiners.
To be effective, CCOs must understand their business colleagues and work with them to find solutions. As Gohlke put it, the CCO canít be a "No" person. He urged CCOs to work to understand their business colleaguesí concerns and, where possible, find solutions that are beneficial from both a compliance and business perspective. "You need to be able to know where the line is, and facilitate the business people getting their job done, but at the same time making sure that the compliance with the firmís policies and procedures is recognized."
SEC associate director Robert Plaze agreed. He pointed out that a CCO who always says "No" is not going to be effective.
DeAngelis noted that even though he is in the position of telling the business line what they can and canít do, it is important for him to be viewed as "part of the team." When presented with an issue, he tries to find out from the business side what they are trying to accomplish. He presents his compliance concerns, and then he and the business side work together to find a solution. The goal, he said, is to have business people walk away from the interaction feeling that they have been heard, so that they will continue to consult with compliance in the future.
DeAngelisís advice: "Listen to all the facts and circumstances," and then "come to a solution that is good for everybody."
In Davisís view, "by far the most important aspect of the role of the CCO" is being part of the information flow within the firm. CCOs in larger organizations, he said, simply cannot get directly involved in many aspects of the business. As a result, he warned, a CCO that is not involved in the information flow will be isolated and will not be effective.
The CCO is not responsible for Ďdoingí compliance. Panelists agreed that while CCOs are responsible for "managing" or "administering" the compliance program, the day-to-day compliance functions should be performed by the firmís operational units.
"CCOs really donít Ďdoí compliance," explained Gohlke. "Itís not really the CCOís task." Instead, he said, the CCOís job is to "facilitate" compliance: "They should consult with others in the firm on how to carry out compliance [and] cajole people into doing compliance," he said. Compliance, said Gohlke, has to be the work of every business person in the firm. The business people should be responsible for ensuring that the operations in their area comply with the firmís policies and procedures, he said.
DeAngelis recalled that at his firm, one portfolio manager initially didnít understand DeAngelisís role as CCO, and assumed that DeAngelis would be taking care of portfolio compliance. "I explained to him that Iím more of the watchdog, more of the person who comes in and tests whatís being done." In fact, at his firm, there are two individuals, who report to the firmís CFO, responsible for portfolio management compliance (one for fixed income, one for equity). "My function is to interact with them and test what they are doing," and to make sure that polices and procedures are being followed, he explained. "Iíll grab maybe 20 or 30 clients, Iíll pull their investment objectives out of their guidelines, and Iíll test to make sure that they are coded in the system properly," he said. "I also monitor any types of overrides" of client investment guidelines.
After showing the portfolio manager a written description "of what I did for his area," added DeAngelis, "it just seemed like the light went on for him." At that point, he said, the manager "truly understood" the CCOís function.
CCOs shouldnít hand down procedures from above. Panelists agreed that CCOs should not write policies and procedures in isolation and then push them onto the various business lines.
"I really donít think that CCOs should be writing policies and procedures," said Davis. "Advise and counsel? Absolutely. But write them? No." When a CCO unilaterally writes procedures, said Davis, it "undermines" the role of the business line in being responsible for their own compliance. And, it gives employees an excuse: When a CCO-written procedure isnít being performed correctly, the business line can come back with "Frankly, you wrote the procedure, so why donít you tell us how we should have done it?" It is also hard for CCOs to critique their own policies and procedures, he said.
DeAngelis agreed, noting that simply writing a procedure and putting it in front of a business unit will result in employees "yes, yes"-ing the CCO to his face. Once the CCO leaves, however, "theyíre not going to look at that procedure whatsoever." Without employeesí buy-in and participation in the drafting and implementation of procedures, he warned, "itís never going to happen." Even if the employees come up with "two bullet points," the CCO can polish them into formal procedures that are followed by the employees, he said.
On an ongoing basis, DeAngelis said that he reviews policies and procedures to ensure that they reflect current rules and business practices. He also looks at them from an efficiency standpoint, and revises them to eliminate redundancies.
CCOs should ensure that their communications to boards and senior management are effective. How frequently, and in what form, should CCOs communicate compliance findings to their senior management or fund boards?
Plaze noted that the fund compliance rule was specifically designed to provide flexibility to fund boards and CCOs to determine the frequency and nature of their communications. Determining when to notify the board of a compliance matter "is a judgment call," said Plaze. While normally, you donít want to be calling up the board at 2:00 am, "if somebody took the money and is Tierra Del Fuego, youíve got to make that phone call."
Apparently, the ruleís requirement that fund CCOs report directly to fund boards is having the intended effect: "Nothing gets the attention of management," observed Davis, like a CCO who is meeting in executive session with the independent directors "and youíve got something to tell them."
Davis noted that whether a compliance violation is material may not necessarily correspond to the dollar amount at issue. For example, a $500 trade error that "someone tried to bury" may be "far more important" than a $1 million trade error that was properly detected and timely corrected per the firmís error correction procedures, he said. Plaze concurred, adding that "itís not clear" that the promptly detected and corrected $1 million trade error would even be viewed as a compliance violation.
Panelists agreed that CCOs should not bury significant information in a larger annual review report. "Itís a balancing act," said Davis. A written annual report should not contain "so much detail, so much minutiae," that fund directors or senior management "do not see the forest for the trees."
CCOs also should avoid burying "some type of bomb" in the report, as Davis put it. "If the Commission staff were to see these large reports with the information buried somewhere in the midst of it," noted Plaze, "Iím fairly certain that you would see an assertion that [the information] was not effectively communicated to the board of directors."
DeAngelis said that he reports to his firmís executive committee as issues occur, and then also on a quarterly basis and in summary form at the end of the year. He tries to make his communications "short and sweet," while still providing enough facts and circumstances so "that they understand whatís going on."
Firms can hire third-party CCOs, but should be aware of the challenges those arrangements present. Plaze noted that the compliance program rule requires firms to designate a "supervised person" as the CCO. That, he said, does not necessarily mean that an adviser is limited to selecting a CCO from among its existing pool of supervised persons. Rather, an adviserís CCO becomes a supervised person by virtue of being selected as the CCO. That, said Plaze, is a "more appropriate interpretation of the rule."
Plaze confirmed that advisers can hire a consultant or other third party to serve as the firmís CCO. An outside CCO may make sense, he said, for smaller firms, or for firms that donít have any employees willing or able to take on the CCO responsibility. Another example: a small hedge fund "that is operated out of the cubicle of the prime broker." There, noted Plaze, the prime broker may be motivated by its own business risks to provide strong compliance oversight.
Gohlke questioned whether an outside CCO truly would be empowered to compel compliance or be effective in making sure that employees understand the importance of compliance. How, he asked, could an outside CCO be a "go-to person" with respect to compliance? As DeAngelis noted, being physically present has its advantages. "I canít tell you how many times by dumb luck I happened to walk by and see something or overhear something that could have potentially been a problem," he said.
Plaze acknowledged that an outside CCO "presents challenges and it may not be the optimal situation." When an outside CCO is used, the executive of the adviser must take steps to assure that the CCO does in fact have the requisite authority and is on the premises of the adviser for a sufficient amount of time to do his job, he said.
CCO liability: urban legend? The idea that CCOs have a target painted on their back "is a myth," said Plaze. He noted that a CCO, in his role as a compliance officer, "really doesnít do things that tend to get you in trouble," such as preparing marketing materials or managing portfolios. To become the subject of an SEC enforcement action, he said, a CCO would generally have to participate in the fraud, facilitate the fraud, or after the fraud, move to cover it up. Most of the SECís cases involving compliance officers relate to the compliance officerís performance of some other function, he explained. "Donít just have a gut reaction" that because a case names the CCO, the SEC is "coming after us."
However, he added, "itís really tough" for CCOs to argue that they didnít know something was a violation. "After all, you are presumed to be knowledgeable, competent, and empowered." For that reason, said Gohlke, it "behooves" CCOs to be aware of red flags. "Just donít pass them over," he said. "If it seems that there may be a problem, there probably is a problem, and somebody ought to take a look at it."
What if a CCO knows about a compliance matter, but has not yet resolved it? Plaze indicated that just because a problem is percolating along, the CCO is not necessarily "facilitating" it. "Thereís always a period of time between when one discovers and when one resolves," he said.
Detail and tone are important in deficiency letter responses. After an exam, the vast majority of firms will receive a deficiency letter within 60 to 90 days, and the SEC will ask for a response within 30 days. In reviewing deficiency letter responses, Kimberly Garber, a branch chief in the SECís Fort Worth office, said that the staff will look to see whether the firm has taken deficiency comments seriously and has responded appropriately. The staff, she said, prefers to see a "very solid response," detailing the steps the firm will take, rather than a broad statement that the firm will address the staffís concern. "If you are batting around steps you want to take or action you might take to respond to our concerns, you can certainly call us," she said. Garber also noted that the staff prefers to get a response from an officer of the firm who actually will be responsible for ensuring that the promises made in the response are implemented, rather than by outside counsel.
Goodman said that he has no problem with firms that point out errors in deficiency letter comments, "especially if we are wrong." Every organization, he noted, is going to be wrong sometimes. "When we are, itís our job to realize that." However, Goodman added, "what I donít like" is when a firm has clearly had violations and submits a deficiency letter response that goes on "at great length" about how the firm doesnít believe there are violations, but nonetheless is making changes to pacify the staff. "I donít think that gives us a good feeling about the risks inherent in your firm," he said. Goodman acknowledged that firms may not want to detail their bad acts in deficiency letter responses, which may be read by clients and others. However, he said, "we do want to see that you understand" the staffís concerns.