Speech by SEC Staff:
The Enhanced Focus on Risk and Controls: 6th Annual Financial Institutions Regulatory Compliance Summit

by

Mary Ann Gadziala

Associate Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission

Toronto, Canada
September 15, 2004

It's a pleasure to be here to share my views on compliance and risk management. These key concepts continue to rise in importance as our financial markets grow in complexity and size. While the number of U.S. broker-dealers has remained relatively stable at about 8,000, the number of branch offices has grown dramatically, from about 60,000 five years ago to almost 100,000. Assets at broker-dealers have reached $4 trillion. New and increasingly complex products are being developed and marketed by firms, which are also engaging in more and more diverse activities. Advanced technology has also permitted firms to substantially multiply the number of transactions in which they engage and the speed with which those transactions take place.

This combination of circumstances makes it extremely challenging to individually monitor every activity and transaction of financial firms for compliance with every rule. But compliance is not a best efforts endeavor - firms must comply with the law. Firms must also manage all risks associated with their activities, including market, credit, legal and operational risks. Automated surveillance, risk assessment, implementation of effective controls, and appropriate training of employees are useful, and sometimes required, tools that assist in meeting the compliance and risk management challenges of today's complex financial environment. In my remarks today, I will discuss some of my views on important areas of focus for compliance and risk management.

Let's begin with compliance programs at broker-dealers. An effective compliance program is a proactive method to identify and control risks that have the potential to result in violations of the law - violations that could result in investor harm and financial and reputational losses at a firm. Compliance should not be viewed as an isolated activity of the firm, but rather as an intimate part of all business activities. Compliance should be the concern of every employee of the firm and should be the mainstay of the firm culture.

There is no particular standardized compliance and supervision program that would fit every firm. Each firm's programs should take into account firm-specific factors, such as size, diversity of products, types of customers, geographic dispersion, technology and other factors. The structure and organization of the firm is also relevant. For example, some firms may not concentrate all of their compliance functions in the compliance department; some responsibilities may be undertaken by the surveillance group, the legal department, human resources, or some other independent control group. While U.S. firms do have flexibility in designing compliance and supervisory programs, they must comply with all laws and rules specifically dealing with the compliance function. Some examples are found in the Patriot Act, the research analyst rules and NYSE and NASD rules.

As I mentioned earlier, there should be a culture of compliance at the firm. The board and top management are those ultimately responsible for overall compliance and should set the tone from the top with a strong message on the critical importance of compliance. This will help ensure that all firm employees are focused on compliance. Since the compliance program assists in fostering and oversight of the culture of compliance, it is critical that the program have adequate resources, systems, and compensation, and that those responsible for compliance oversight be independent from business units and have access to top management.

What are some areas that should be covered by the compliance program? Employee supervision is one such area. Hiring, background checks, registration, licensing, continuing education, personal trading, training, and heightened supervision are included. The compliance program should oversee the firm's and its employees' compliance with the law through surveillance, exception reports and other monitoring efforts. Oversight of supervision at the firm is also part of the compliance role.

Compliance staff work with firm supervisors, the business management responsible for compliance in day to day business activities. Compliance assists in ensuring that written supervisory procedures are designed and implemented to achieve compliance with all relevant laws. Supervisory procedures should be up-to-date and should cover all aspects of the firm's business. Compliance should also monitor the effectiveness of branch office supervision.

Branch office supervision is an area that has received increased focus in view of significant geographic dispersion and the rapidly escalating number of broker-dealer branch offices in the United States. Staff of the SEC recently issued Staff Legal Bulletin No. 17 discussing supervisory tools which, based on SEC examinations and enforcement actions, are characteristic of good supervisory procedures. I will highlight a few of those for you. The Bulletin states that "clearly articulated and vigorously enforced policies and procedures, with sufficient resources to implement them, are an essential part of a supervisory system". Among the policies and procedures suggested in the Staff Bulletin for an effective supervisory system are the following:

• Firms are urged to conduct random, surprise inspections.
   
• Firms should consider centralized technology to monitor trading and funds transfers, as well as personal computers.
   
• There should be assignment of specific supervisory responsibilities with sufficient resources and independence to implement those responsibilities.
   
• Firms should be cautious about hiring registered reps with a disciplinary history and use heightened supervision as appropriate.
   
• Firms should implement special monitoring procedures for outside business activities of their employees, to detect financial misconduct, to verify customer address changes, to deter misuse of the signature guarantee stamp, and to review incoming and outgoing correspondence.
   

Firms should also have methods to identify and control compliance risks. Among methods used by firms to identify compliance risks are: a general risk analysis, self-assessments, branch exams, audits of compliance functions, new product reviews, surveillance and even whistle blowing. Compliance risks may also be identified through external reviews, such as the SEC compliance exams. Regulators may also call attention to issues that they believe have heightened risks through new regulatory proposals, enforcement actions, and even through speeches. The greater the compliance risk, the more the firm should focus on compliance in the area.

I would now like to turn to risk management. Securities firms are in the business of taking risks - but they must effectively manage and control those risks. Rather than speak generally about risk management, I will discuss three areas where U.S. regulators have focused on increased risk management controls. These are business continuity planning, structured finance activities, and consolidated supervision.

On April 7, 2003, the Federal Reserve, OCC and SEC issued the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System". The paper identified three business continuity objectives for all financial institutions focusing on the post 9/11 risk environment. It also identified four sound practices for core clearing and settlement organizations and firms that play significant roles in critical financial markets intended to ensure the resilience of the U.S. financial system. These practices focus on minimizing the immediate systemic effects of a wide-scale disruption on critical financial markets.

The three business continuity objectives for all financial firms are:

• Rapid recovery and timely resumption of critical operations following a wide-scale disruption;
   
• Rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and
   
• A high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible.
   

The four broad sound practices identified in the Interagency Paper for core clearing and settlement organizations and firms that play significant roles in critical financial markets are:

• Identification of clearing and settlement activities in each critical financial market;
   
• Determination of appropriate recovery and resumption objectives for clearing and settlement activities in support of critical markets with overall goals of achieving a two-hour recovery time for core clearing and settlement organizations and a four-hour recovery time for firms that play significant roles in critical financial markets;
   
• Maintenance of sufficient geographic dispersion of resources to meet recovery and resumption objectives; and
   
• Routine use or testing of recovery and resumption arrangements.
   

Firms should adhere to the sound practices specified for their identified groups, and all firms should follow the broad objectives listed earlier. In addition, securities firms must adhere to the requirements of recently issued NYSE and NASD rules that specify the areas firms must cover in their business continuity plans, including mission critical systems and communications with customers, employees and regulators. In view of the unpredictability and potential serious consequences of disasters, all firms should focus on business continuity and disaster recovery.

Another area of regulatory risk management focus covers complex structured finance transactions. On May 13, 2004, the SEC and the federal bank regulators proposed for public comment the "Interagency Statement on Sound Practices Concerning Complex Structured Finance Activities." The Statement describes a number of internal controls and risk management procedures that the agencies believe should assist financial institutions in fully complying with the law and effectively managing the full range of risks. The Statement indicates that financial institutions offering complex structured finance transactions should maintain a comprehensive set of formal, firm-wide policies and procedures that provide for the identification, documentation, evaluation, and control of the full range of credit, market, operational, legal, and reputational risks that may be associated with these transactions. This is intended to prevent the recurrence of violations like those involving Enron.

The Interagency Statement includes examples of characteristics that should be considered by firms in determining whether a transaction or series of transactions might require additional scrutiny. Among these characteristics are:

• Transactions with questionable economic substance or business purpose or designed primarily to exploit accounting, regulatory or tax guidelines;
   
• Transactions using non-standard legal agreements or oral agreements;
   
• Transactions involving multiple obligors, with potentially circular transfers of risks, or otherwise lacking transparency; or
   
• Transactions that raise concerns about how the client will report or disclose the transaction.
   

Since these characteristics may indicate transactions with higher levels of reputational and legal risks, the Statement discusses enhanced controls that may be appropriate. Some examples include:

• Ensuring that staff approving each transaction fully understands the scope of the firm's relationship with the customer and has evaluated and documented the customer's business objectives for entering into the transaction, the economic substance of the transaction, and the potential legal and reputational risks to the firm; where transactions are designed primarily to achieve financial reporting or complex tax objectives, they should also obtain complete and accurate information about the customer's proposed accounting treatment and financial disclosures relating to the transaction;
   
• Ensuring that the transactions receive a thorough review by senior management for credit, market, operational, legal, and reputational risks to the financial institution; and
   
• Ensuring that complex structured finance transactions that are determined to present unacceptable risk to the financial institution or may result in the customer's filing materially misleading financial statements are declined.
   

The comment period for the Interagency Statement has expired. The comments are now under review by the agencies to determine whether any changes to the Statement are appropriate.

The third area of increased risk management focus is consolidated supervision. The U.S. SEC adopted amendments to its net capital rule that create an alternative method of computing net capital requirements for certain large broker-dealers (net capital of at least $500 million and tentative net capital of at least $1 billion) that are part of consolidated supervised entities (CSEs). CSEs are permitted to calculate capital charges using their own internal mathematical models for risk measurement provided that they voluntarily undertake to be subject to consolidated supervision by the SEC. This includes, with some exceptions, being subject to SEC examinations of the ultimate holding company and each of its affiliates, as well as complying with reporting, record keeping and notification requirements, and maintaining consolidated internal risk management controls.

The three risk management areas I discussed - business continuity planning, complex structured finance transactions, and consolidated supervision - are areas of recent focus by regulators. Firms must ensure that they have effective internal controls and risk management, not only in these three areas, but in all areas of risk for the firm. As regulators, we can identify some areas of risk where we have observed or anticipate problems. However, firms are far more familiar with their own activities and potential risks associated with those activities. While it is important for firms to focus on risk areas identified by regulators, it is equally important for firms to conduct their own risk assessments and enhance controls where they see greater risk potential.

Regulators, like firms, also use risk assessments to increase the effectiveness of their oversight, surveillance, and regulatory work. In fact, the U.S. Securities and Exchange Commission recently established a new Office of Risk Assessment. This new office is coordinating internal risk assessment teams, using a "bottom-up" approach, to improve the agency's ability to anticipate potential widespread problems and focus on early identification of fraud or questionable activities. In the examination program, we use risk assessments to help determine examination priorities, to select targets for exams, and to decide the scope of our exams once we have selected a firm for examination.

Some factors examination staff may consider in risk assessments are:

• Trends, market information, new products, and new rules
   
• Surveillance and trading information
   
• Financial reports
   
• Information from prior examinations
   
• Customer complaints
   
• Information from analysts and the market
   
• Information from other regulators
   
• Formal risk mapping and risk assessment.
   

Based upon the staff's risk assessments, we establish examination priorities. Exam priorities include the compliance and risk management issues I discussed earlier. Other priorities of the examination program include:

• Accuracy and reliability of books and records, with special focus on Rent-a-FinOps, compliance with the new books and records rule, and email reviews;
   
• Conflicts of interests - SEC exam staff have asked firms to assess conflicts in their organizations and to take actions to control or eliminate the risks of resulting adverse consequences; examples of potential conflicts abuses may include: inappropriate use of material nonpublic information; sale of proprietary products and affiliate services to clients based on firm profitability rather than customer interests; unfair treatment of one customer to benefit a more profitable customer;
   
• Product-related suitability, disclosure, and supervision, including: for mutual funds - sales load overcharges (breakpoint violations), unsuitable sale of poor performers; for variable annuities - unsuitable switching, unsuitable home equity financing of variable annuity purchases, failure to disclose all relevant fees and risks, and unsuitable sales based on age, liquidity needs, or tax status; for 529 plans - unsuitable sales and inadequate disclosure; for fixed income - excessive mark-ups and inappropriate pricing by brokers' brokers of municipal bonds.
   
• Trading, with particular focus on manipulation in microcap stocks, market timing and late trading, and failure to provide best execution.
   
• Anti-money laundering.
   

I have discussed a number of ways that regulators can send a message to the industry on risk areas that deserve special compliance and risk management attention. Rules, such as that on consolidated supervision or SRO rules on business continuity planning are mandates to do so. Statements and bulletins, such as those on structured finance, disaster recovery, and branch supervision, suggest sound practices. Regulators may ask firms to conduct their own reviews and take action, such as in the area of conflicts of interests. Enforcement actions, such as the research analyst cases, the Enron-related actions, and others send a strong message that every firm should assess the area. And the examination program may focus examination efforts in an area, such as those discussed earlier, which, in turn, will encourage firms to focus on those areas as well.

Firms have been generally responsive to all these regulatory messages. That is a good thing. However, it is critical that firms do more. They should be proactive and conduct their own risk assessments. In that case, the industry can resolve problems before they ever to get the level of requiring regulatory attention. Strong compliance and risk management programs should play a key role in accomplishing that objective.

http://www.sec.gov/news/speech/spch091504mag.htm