SEC Enters US Boardrooms to Assess Compliance – The Impact?

April 7, 2012

On January 31, 2012, Carlo di Florio, Director, Office of Compliance Inspections and Examinations at the U.S. Securities and Exchange Commission, gave a speech, “Remarks at the Compliance Outreach Program,” wherein Mr. di Florio in part stated:

“The Role of Management and the Board in Compliance and Ethics.

Some of you may have noticed that the name of this program has been slightly altered from previous years, from “CCO Outreach” to “Compliance Outreach.” The reason for this change is not because we at the staff are no longer trying to reach out and support chief compliance officers. To the contrary, we continue to be very supportive of the critically important role that they play. Rather, what we are trying to do, both at this conference and generally in the examination program, is to elevate the role of compliance by underscoring that it is not a responsibility that stops at the desk of the CCO.

By engaging senior management and the board at various points in the examination process, our goal is to elevate the role of compliance. Strong risk management controls, including a solid compliance program, are a key responsibility of everyone in a regulated entity, but the right culture and tone at the top are especially the responsibility of senior management and the board. A CCO who does not have the full support and engagement of senior management and the board is not going to be effective, and there is nothing that we want more than to help CCOs to be effective. We will focus most intently on firms where we sense that senior management and the board are not setting the appropriate tone and are failing to support key risk and control functions with adequate resources, independence, standing and authority.

In a speech that I gave a few months ago, I pointed out how deeply the federal securities laws are grounded on ethical principles. This is particularly true of the Investment Advisers Act and the Investment Company Act. But the requirements of the law are far from the only reason why ethics should be profoundly important to a well-run financial institution. Good ethics is vital to business success. Treating customers fairly and honestly helps build a firm’s reputation and brand, while attracting the best employees and business partners. Conversely, creating the impression that ethical behavior is not important to a firm is incredibly damaging to its reputation and business prospects. Moreover, a corporate culture that reinforces ethical behavior is a key component of effectively managing risk across the enterprise. Nowhere should this be more true than in financial services firms today, which depend for their existence on public trust and confidence to a unique degree.

Whether we are talking about compliance and ethics or other key risk and control functions, such as risk management, financial control, or internal audit, it is important to clarify fundamental roles and responsibilities across the organization. An effective risk governance framework includes three critical lines of defense, which are in turn supported by senior management and the board.

  1. The business is the first line of defense responsible for taking, managing and supervising risk effectively and in accordance with laws, regulations and the risk appetite set by the board and senior management of the whole organization.
  2. Key support functions, such as compliance and ethics or risk management, are the second line of defense. They need to have adequate resources, independence, standing and authority to implement effective programs and objectively monitor and escalate risk issues.
  3. Internal Audit is the third line of defense and is responsible for providing independent verification and assurance that controls are in place and operating effectively.

Senior management supports each of these levels by reinforcing the tone at the top, driving a culture of compliance and ethics and ensuring effective implementation of risk management in key business processes, including strategic planning, capital allocation, performance management and compensation incentives. The board of directors is ultimately responsible for setting the tone at the top and ensuring an effective culture of risk management across the organization.

The financial crisis revealed among many other things the need for better oversight of risk at the board and senior management levels, and the need for stronger independence, standing and authority among a firm’s internal risk management, control and compliance functions. As a result, in our examinations we are seeking to engage senior management and the board on critical business, risk and regulatory issues. By doing so we hope to achieve two benefits: (i) to reinforce the importance of a robust compliance, ethics and risk management program; and (ii) to assess the culture and tone at the top of the organization.”

More recently, on April 2, 2012, Mr. di Florio spoke at Fordham Law School’s Corporate Compliance Conference, where, it has been commented, he discussed the SEC having more direct communications with board members to assess tone-at-the-top, company culture, compliance efforts, and who is in control. Click Here for the Reuters article. Mr. di Florio’s speech hasn’t been posted yet on the SEC’s website, so I am unable to directly confirm what Mr. di Florio said and did not say. But Mr. di Florio’s comments are food for thought. Historically the SEC does indicate in speeches areas of interest that it intends to pursue. The board member discussions are in cases that are under investigation, not some other broader initiative. Certainly in some, and perhaps in many, cases under investigation where there are governance and compliance issues relating to who did or did not know what, or who knew or did not know what, discussions with board members could be relevant and could produce information pertinent to the SEC’s investigation. Of course, just how far these discussions will develop is uncertain. But boards should at least take notice, in addition to outside auditors, legal counsel and ethics and compliance officers and professionals. Perhaps a next step might be whether the SEC will begin to include additional discussions about these areas of investigation in its discussions about cases and/or in its statement of fact discussion in cases that are settled.