Speech by SEC Staff:
Remarks before the Financial Markets Association 2004 Securities Compliance Seminar

by

Mary Ann Gadziala

Associate Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission

Miami, Florida
April 28, 2004

Assuring Comprehensive Compliance; Managing Compliance Risks

Thank you. I very much appreciate this opportunity to discuss compliance from the perspective of the SEC broker-dealer examination program. I'm not telling you anything new when I say that this is a very challenging time for compliance professionals. One reason is the headline grabbing problems we've seen at some securities firms. The fallout from the adverse publicity has had an impact far beyond the firms that have been involved in the violations. We all have to do more to stop the problems and restore lost investor confidence. Effective compliance programs should go a long way in achieving this goal.

The good news is that many firms now appear to be recognizing that their compliance programs are key deterrents to such problems. A number of firms have elevated the chief compliance officer to a top management position and have dedicated increased resources to this important function. Firms are also assessing and improving procedures, controls, and systems to develop more effective and comprehensive compliance programs. This is a major step in the right direction.

One way to keep firms focused on compliance, even after the adverse headlines fade, is for the SEC examination program to focus on the area. As many of you know, SEC staff are conducting comprehensive compliance examinations of broker-dealer organizations. We are coordinating with the Federal Reserve Board and the SROs in this undertaking. This morning, I will discuss these examinations and then spend a little time discussing potential compliance risks.

Before I describe the SEC's comprehensive compliance examination, I would like to say a few words about a related exam - the risk management and internal controls examination. Like the compliance examination, the risk management exam is preventive and also deals with controls at a firm. It complements the compliance examination by covering the firm's systems, procedures, resources, and performance in the assessment, monitoring, and control of all risks at the firm. Among those risks are credit, market, liquidity, operational, and legal and compliance risks. Areas of focus this year in our risk management examinations include: aggressive proprietary trading, structured finance activities, business continuity planning, conflicts of interests, and consolidated supervision. The objective of the risk management examination is to assess, and generate improvements in, the structure and implementation of a firm's overall risk management system. Risk management intersects with compliance with respect to legal and compliance risks.

Our comprehensive compliance examination evaluates how effectively an organization is self-policing its activities. SEC compliance examinations are enterprise-wide, top-down reviews of the overall compliance function. During our exams, we are not looking for any particular standardized compliance and supervision programs. Each firm's programs should take into account firm-specific factors. We also recognize that firms may not concentrate all of their compliance functions in the compliance department. Some responsibilities may be undertaken by the surveillance or control group, the legal department, human resources, or some other independent control group. While firms do have flexibility in designing compliance and supervisory programs, they must comply with all laws and rules specifically dealing with the compliance function. Some examples are found in the Patriot Act, the research analyst rules, and SRO rules. Relevant SRO rules are NYSE Rule 342 and 351 (requiring an annual compliance report, prompt reporting on violations and other concerns, and other compliance and supervisory requirements) and NASD Rule 3010 (covering supervision and compliance). NASD proposed Rules 3012 and 3013 (requiring an annual compliance certification among other things) would also impact compliance programs.

The examination process used with the comprehensive compliance examination is generally the same as that used for other SEC exams. An examination begins when examiners send a first document request letter to the broker-dealers with a required response time for submission of the documents. A date will be set for the commencement of the onsite reviews, and the firms will be asked to have additional documents available at their offices upon the arrival of the examiners. On the first day of the onsite review, the staff will typically hold an entrance interview where senior management will be asked a number of questions on the overall compliance program at the firm. As the exam progresses, other interviews typically follow with firm staff who are involved in the compliance process and with business and supervisory personnel in certain areas. In addition, more documents may be requested as questions arise during the examination. Examiners may also request access to, or a demonstration of, systems used in compliance, and may also visit parts of the firm to observe operations. Once the onsite review is concluded, examiners return to their offices to analyze the information and draft a report.

Upon completion of the report, examiners will hold an exit interview with the firm to discuss the findings and learn if the firm has taken any actions or plans to take any actions to address concerns. The relevant information on these corrective actions, discussed at the exit interview, is included in the letter to the firm describing the findings. Examination findings are handled in one of three ways: first, a letter may be sent saying that no further action is necessary if the examination did not reveal any significant findings; second, a deficiency letter may be sent citing problems found, describing the need for corrective action, and including the information on the firms' responses discussed at the exit interview; and third, serious findings may be referred to the SEC Enforcement Division for further action. When a deficiency letter is sent, the firm is asked to respond within 30 days. Additional meetings, discussions, and correspondence may take place to resolve all issues in connection with the examination.

Now let's turn to the coverage of the compliance examination. The comprehensive compliance examination covers five key areas:

• Compliance culture and board and top management involvement in compliance;
   
• Structure, functions, and coverage of the compliance program;
   
• Supervisory structure and written supervisory procedures
   
• Employee supervision; and
   
• Firm oversight of compliance risks.
   

I'll say a few words about each area. We begin the comprehensive compliance examination by developing an understanding of the business and organizational structure. This helps define the scope of compliance coverage and the compliance control structure of the enterprise. We evaluate the compliance "culture"- that is, the overall environment in which compliance issues are handled. Since the board and top management are those ultimately responsible for overall compliance, examiners will look at compliance policies they issue - the tone from the top. Examiners will also ask top management to self-report on any material compliance breaches and how they are being addressed.

Next we assess the structure and coverage of the compliance program. Adequacy of resources, systems, reports, compensation, independence from business units, and access to top management will be assessed. The compliance program should effectively cover all aspects of the firm's business activities.

The supervisory structure and written supervisory procedures are then reviewed. Supervision complements compliance. Compliance staff work with the supervisors - those with day-to-day business line responsibilities - to help ensure that written supervisory procedures are designed and implemented to achieve compliance with all relevant laws. Among areas reviewed by examiners are: the adequacy and coverage of procedures, the processes to keep informed on legal developments and to update procedures, supervisory controls, exception reports, handling of customer complaints, reports to senior management, systems to monitor supervisory activities, and corrective action.

Employee supervision is covered next. We assess hiring, background checks, registration, licensing, continuing education, personal trading, training, and heightened supervision, if appropriate. We also review the controls in place used by firms to assess consultants and contractors who have access to firm systems and information.

The final part of the comprehensive compliance exam is an evaluation of how the enterprise identifies and deals with compliance risks. Among methods used to identify compliance risks are: a general risk analysis, self-assessments, branch exams, audits of compliance functions, new product reviews, surveillance and even whistle blowing. Compliance risks may also be identified through external reviews, such as the SEC compliance exams. The greater the compliance risk, the more the firm should focus on compliance in the area.

The primary purpose of an SEC comprehensive compliance examination is not to identify violations and make enforcement referrals. Rather the primary purpose is to identify control weaknesses and areas where improvements might be made, in order to prevent violations from occurring.

SEC examiners have concluded a number of compliance examinations. While recent events have caused many firms to reevaluate and improve their compliance programs, examination findings indicate that further improvements can be made. Examples of deficiencies and weaknesses that have been noted during those examinations are:

• Material compliance breaches and new compliance risks were not reported to top management;
   
• The compliance function was limited to only an advisory role, with no role in monitoring or helping to ensure compliance by the firm and employees;
   
• Compliance was not independent from business in reporting and compensation;
   
• Compliance and supervisory procedures were inadequate and not updated;
   
• Surveillance reports did not cover major business areas or were too broad to permit identification of problems; some large firms with significant business activities relied substantially on manual reviews;
   
• Customer complaints rather than surveillance systems were relied upon to identify problems;
   
• Follow-up on exceptions was inadequate and not tracked;
   
• No compliance review was undertaken for new products or new business activities;
   
• Compliance staff were not sufficiently experienced or trained to monitor complex business activities for which they had compliance responsibility.
   

Firms should review their compliance programs to identify weaknesses and deficiencies, and should make appropriate improvements to enhance the compliance function. As I said earlier, compliance programs should cover all aspects of a firm's businesses. An enhanced compliance focus may be appropriate in areas where there may be increased compliance risks. Increased compliance risks may result from a variety of factors, including: new rules, conflicts of interests, product complexities, or other factors. Some areas where there may be increased compliance risks include:

1. Accuracy and Reliability of Books and Records

• Last year 25% of our exams uncovered computational errors.
   
• In 16% of our exams, we found a computational error that had an impact on the net capital calculation.
   
• Use of Rent-a-FinOps may present additional risks.
   
• Another potential risk area is compliance with the new books and records rule; emails also should be an area of focus.
   
• Implementation of the new Basel Capital Accord standards will raise significant challenges.
   

2. Conflicts of Interests

• Recent violations involving IPO allocations, research analysts, late trading in mutual funds, and inappropriate sale of proprietary products - all had some element of conflicts of interests.
   
• We have asked firms to assess conflicts in their organizations and to take actions to control or eliminate the risks of resulting adverse consequences.
   
• Self-reporting on problems and compliance breaches is strongly encouraged.
   
• Examples of potential conflicts abuses are -
   
• Material nonpublic information from credit, investment banking, or other activities may be used inappropriately, for example for trading;
   
• Proprietary products and affiliate services may be sold to clients based on firm profitability rather than customer interests;
   
• One customer may be treated unfairly to benefit a more profitable customer in the allocation of products and services.
   

3. Product-Related Suitability, Disclosure, Supervision, and Books and Records

Examples of compliance problems include:

• For mutual funds - sales load overcharges, market timing, late trading, sale of poor performers.
   
• For variable annuities - unsuitable switching, unsuitable sales based on age, liquidity needs, or tax status; unsuitable home equity financing of variable annuity purchases; failure to disclose all relevant fees and risks.
   
• For fixed income - excessive mark-ups; circumvention of G-37 concerning political contributions and municipal securities business.
   
• Sales of hedge funds, security futures products, and Section 529 plans also may raise increased compliance risks.
   
• Supervision, particularly at all branches and remote offices, offers compliance challenges.
   

4. Trading

Examples of compliance problems include:

• Manipulation - particularly in microcap stocks; we have seen a significant number of naked short sales and fails in certain microcap stocks;
   
• Front running and trading ahead;
   
• Market timing and late trading;
   
• Failure to provide best execution; compliance with Exchange Act Rules 11Ac1-5 and 11Ac1-6 should be carefully monitored.
   

Compliance examinations conducted by SEC staff to date have focused on the largest organizations. We are currently compiling the findings of both good and bad practices that we have observed and considering whether a public staff report on the findings would be helpful. Our next round of compliance examinations will focus on problem firms. We will target firms that have a history of disciplinary actions, significant deficiencies identified in prior exams, a large number of customer complaints, and other problems. It is likely that these firms do not have effective compliance programs. Therefore, they are more likely to have future problems, unless the weaknesses in their compliance programs are identified and corrected. We look to accomplish that with our examinations. We've already seen some positive signs with respect to improved and higher profile compliance programs. It's in all our interests to work towards making sure this positive trend in compliance continues. Thank you for your time and attention.

http://www.sec.gov/news/speech/spch042804mag.htm