Richard Ketchum Keynote from the Compliance Week Conference


My notes, live, from the Richard Ketchum keynote at the Compliance Week Conference. Mr. Ketchum is the newly named chairman and CEO of FINRA.

It is a terribly important time as financial markets are in the process of transformation. It was two years ago when the first signs of the credit crisis appeared. The silver lining is that the crisis offers an opportunity to reform the financial markets.

Mr. Ketchum moved on to the idea of a systemic risk regulator. He thinks some such regulator will be put in place. As to whether it should be a single entity or a council of regulators, Mr. Ketchum noted that some of the risk and problems came from loosely regulated entities and from transactions that were not transparent. He sees value in a systemic regulator, but thinks we need to focus on the function of this new regulator. He wants to avoid duplication and also to avoid things falling through the cracks.

He looked to the Federal Reserve as a regulator that had a broad mandate to see big problems. It was less able to focus on the detail of regular reporting and maintenance. He thinks the new systemic regulator should not replace existing regulators. He also did not seem to like the idea of breaking up the SEC. It is very involved in many aspects of the markets and has a breadth of experience and controls in place.

He moved on to the issue of short selling in the marketplace. There are several proposals being reviewed as a result of the fierce short-selling that happened in September and October. He thinks the selling that happened during that time was mostly by long sellers, not short sellers. Short selling may have caused the disappearance of any buyers. He seems to be leaning toward a circuit-breaker when a company’s stock is under pressure. He did not seem to give a straight answer.

He moved on to the subject of derivatives. The market provides a great deal of leverage, has a great deal of inefficiency and is not very transparent. The derivatives markets also react more quickly than the equity markets. He thinks the key is transparency, so we can see the movement and the risk. The opacity of the derivatives markets contributed to the plunge in the investment markets.

He moved on to the lessons we could learn from volatile markets. He thinks we need to revisit due diligence and reduce our reliance on ratings to get a better understanding of the security (in particular asset-backed securities). You need to keep the creators of the securities away from the rating of the securities.

He thinks compliance needs to be infused into more functions. He thinks compliance officers can look at the risks and not rely on assumptions. You need to make sure that decisions that benefit the company do not come at the expense of the company’s clients or customers.

Nobody feels good about the implosion of the financial markets. FINRA is re-evaluating its internal processes to see what it could do better. He pointed out the new FINRA whistleblower hotline. FINRA is looking at ways to make sure things do not fall through the cracks.

He thinks the biggest gap is the different regimes for broker-dealers and investment advisers. He thinks investment advisers need to be more regulated and more closely examined. He does recognize that there are different risks and different concerns. You can’t throw the same rulebook at them, but he thinks you need to keep a closer eye on them.

The keystone moving forward is winning back the trust of investors. Without trust, the markets are paralyzed. Fraud impoverishes the few; distrust impoverishes many.

In the chat session, Matt put the Madoff scenario in front of Mr. Ketchum. He thinks that is the great example of having different regimes for broker-dealers and investment advisers. FINRA could not look over the wall at the advisory side of the business.

There is no settled definition of systemic risk. Mr. Ketchum thinks it is a risk that can impact the financial marketplace as a whole and not just an individual institution.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

Self-Assessments: Criteria and Procedures for Evaluating GRC Programs


My notes, live, from Self-Assessments: Criteria and Procedures for Evaluating GRC Programs, with Gracie Fisher Renbarger, Chief Ethics and Compliance Officer of Dell; Nan Stout, Vice President Business Ethics of Staples; and Carole Stern Switzer, President of OCEG.

Carole started off with two observations:

  • Designing, implementing, and improving a governance, risk management and compliance (GRC) system is a time and resource-intensive proposition.
  • Periodically evaluating the design and operation of the system is essential to demonstrate that the organization’s GRC initiatives are delivering outcomes that really matter.

Carole pointed out that GRC is more than Governance, Risk and Compliance, but it is really awkward to have a 13-letter acronym.

She turned to design effectiveness. “Given our objectives and all of the risks and requirements related to these objectives, do we have controls, incentives and other structures in place that will provide reasonable assurance that we will meet these objectives?” You can also have less ambitious goals for your evaluation:

  • I’d like a “gut check” on how my hotline is designed
  • I’d like a high-level assessment of whether our risk identification has captured all of the right risks and requirements compared with my peers

Or more ambitious goals:

  • Is this compliance program deemed “effective” by an enforcement agency or external monitor?

How do you evaluate effectiveness? Start by determining what to evaluate and the scope of the risk assessment. One of the issues is that effectiveness is measured against a negative. It is hard to prove that something did not happen because of the program.

You want to ask:

  • Do we have SOMETHING in place?
  • Do we have ENOUGH in place?
  • Do we have TOO MUCH in place?

The next step is to design for performance. You want to be effective, but you also want to be efficient and responsive. “There’s no point in measuring something you can’t fix.”

Carole used a standard for performance called SMART:

  • Specific/simple
  • Measurable
  • Actionable
  • Relevant
  • Timely

Not having data available is a challenge in some organizations. You need to measure perception and compare it to facts. You can say that you have a non-retaliation policy. But that does not do any good if people perceive that they will be fired for reporting a problem.

Next up was Nan to talk about Staples’ beta test of OCEG’s Burgundy Book. She thought it was important to give employees multiple ways to report problems, but wanted to store all of that information in one place.

Gracie shared her experiences with the OCEG certification at Dell. The objective of Dell’s FCPA Compliance Program is to be “Effective” and “Aligned.” “Effective” means the program meets the US Federal Sentencing Guidelines’ definition of an effective compliance program. “Aligned” means program activities address actual risks and are aligned to Dell’s business objectives.

The following Elements are assessed:

Culture:

  • Processes established to monitor and address cultural indicators to ensure program is operating in a culture of integrity (i.e., employee surveys, compliance training tracking, etc.)
  • Defined program goals and objectives that align to organization objectives and strategic business initiatives (i.e., supports Dell’s profit and business goals related to “emerging market” expansion, etc.)

Organize & Oversee:

  • Defined roles and responsibilities for program oversight, assurance and day-to-day management (i.e., AC, GECC, Ethics & Compliance Office, etc.)

Assess & Align:

  • Process for identifying and assessing FCPA risk (i.e., identify whether operating in countries with high level of perceived corruption, etc.)
  • Plan to deploy program initiatives in response to risk assessment results (i.e., education rollout in China, etc.)

Prevent & Promote:

  • Existence of Code of Conduct and FCPA Compliance Policy
  • Process for policy development (i.e., executive management approval, etc.)
  • Process for deployment of policy (i.e., website repository and blog communication, etc.)
  • Education plan (i.e., maximum, heightened, general awareness, etc.)

Detect & Discern:

  • Intake and investigations (i.e., employee reporting, investigation process, etc.)

Respond & Resolve:

  • Infrastructure for intake, investigation and resolution of incidents (i.e., staffing, case management system, etc.)
  • Remediation (i.e., discipline, recommended preventative controls, etc.)

Monitor & Measure:

  • Monitor feedback and strive for continuous improvement of the program (i.e., feedback to Ethics Managers and formal employee inquiry/response process, etc.)

Inform & Integrate:

  • Process for communicating program (i.e., blog, cascaded communications, etc.)

A question from the audience: Can you measure the change in culture? It is hard. You need to always look for indicators. Some are leading indicators and some are trailing indicators. One goal of GRC is to pull as much information as possible into one place, so those indicators are all in one place.

The emphasis of the session was not to advocate a specific framework, but the importance of having a process.

A key to modifying behavior is to make non-compliance more painful than compliance. But you want more than a fear of being caught. You want your employees to strive for better behavior.


Vetting Business Partners


My notes, live, from Vetting Business Partners, with Alexandra Wrage of Trace International, talking about how leading global companies have approached this challenge.

Due diligence on business partners is one of the most important things a company can do, but also one of the least interesting things. She points out that the FCPA has a “should have known” standard. So ignorance is not a defense.

Sales consultants are among the higher-risk third parties because they are usually paid on a commission basis. Consultants paid by the hour are a lesser risk merely because of the different compensation model. Distributors and resellers can also be a risk. Merely having a third party in between your company and the corrupt official is still bad and is not a defense to charges.

Resellers are a new problem. They take title to your product and are your customer. But if there is evidence that the resellers are paying bribes to their customers, your company can potentially be pulled in.

She turned to focus on some problem areas in due diligence when working with third parties.

Ownership – This is the most important and should be a deal-breaker if true beneficial ownership is not disclosed. (You can also work in the negative: a certification that the owner is not a government official or a blocked person. This is not a good practice. The hidden identity should be a red flag. It would certainly be a red flag in a government investigation.)

Government relations. You need to find out if a close relative is in the government. It is not a deal-breaker, but you need to be aware of the relationship.

Expertise. What is this person being paid to do if they do not have any particular expertise?

Financial stability. If they are acting as your agent, their financial failing will rub off on you.

Media searches. You need to know if your business partner is in the headlines.

Training. You need to let them know what they need to do.

Periodic review and certifications. You want to make sure that you update things when the contract is renewed. You also want to check periodically to make sure there has not been a big change in the business partner. Certifications can be included on each invoice, so that each time they are paid they certify that they have not bribed a foreign official.

It is important to keep red flags in mind, but you should standardize your contracts and reviews rather than target only specific areas. Many of the biggest FCPA cases have come from individuals acting in countries that are not known for being corrupt.

You can have a tiered due diligence program, depending on the nature of the relationship, the basis of compensation, and the reputation of the company. The most common is three tiers: not risky, standard, and more risky. That allows you to target your resources.

She sees a divide in the DOJ cases between companies that did due diligence and companies that did none. Not doing diligence almost moves you into a strict liability position. You have no defense.

There has been a surge in FCPA cases over the last few years. Most involved problems with intermediaries.

She points out that corruption due diligence is a two-way street. Increasingly, foreign companies are conducting due diligence on American companies.

She also takes a controversial position that you may be better off not having audit rights if you do not intend to actually do audits. If you are not going to audit on a regular basis, she advocates triggered audit rights instead of audit rights as a matter of course. You want to have a meaningful conversation with your intermediary so they know these audit rights are real.

There is an increasing turf battle over international enforcement. The SFO (Britain’s version of the DOJ) has stated that reporting to the DOJ first is not a voluntary disclosure for its purposes, and it reserves the right to still enforce.


Luis Aguilar Keynote at Compliance Week Conference


My notes, live, from the keynote by SEC Commissioner Luis A. Aguilar:

James Doty of Baker Botts introduced the Commissioner. (A disclaimer from the Commissioner: the speech is his opinion alone and not necessarily the view of the SEC.)

The Commissioner titled his presentation “Reversing Course: Putting Investors First.” The focus should be on protecting investors and restoration of stability to the capital markets. We need to restore trust in the markets. That means regulatory reform.

First, we need a search and inquiry into the cause of the crisis. Blaming the regulatory market is not responsive. Perhaps it was an unwillingness by regulators to exercise their mandate and look deeper into the markets. He is enthusiastic about a bi-partisan panel to look into the crisis. Too much regulatory reform focused on how it would help the financial firms and not on how it would help investors. We need to look at the intrinsic risks and conflicts in the system. He saw a pattern of de-regulation that helped financial firms with little examination of how it would affect investors. Modernization of the markets has been used as a disguise for de-regulation.

He moved on to the need for a systemic risk regulatory body. He thinks we need some clarity on what we mean by systemic risk. He does not like the focus on “too big to fail” and its emphasis on particular entities. He thinks the focus needs to be on key functions in the market, not the entity. He would want to isolate those functions within the entity.

Instead of a new regulatory body, he thinks a council of different regulators with different expertise would work better. It is better to have several sentries instead of just one monolithic guard. It would also avoid the conflicts inherent in the mandate of any particular regulator. There remains a question of the particular powers of the council and its procedures.

He moved on to the idea of a financial product safety commission. There is an idea that financial products would get rated as safe or unsafe. The Commissioner does not like this idea. He draws a line between investment financial products and non-investment financial products. For non-investment products like credit cards and mortgages, the terms are set at the outset. However, an investment financial product has a value that will fluctuate and risks that will change over time.

Investor protection is different than consumer protection. Removing products from a regulatory scheme could result in regulatory arbitrage.

What about a U.S. FSA, a single regulator for all of the financial markets? Commissioner Aguilar has concerns about this model. Could a regulator responsible for keeping financial institutions viable also be aggressive in pursuing consumer claims of misdeeds against those institutions? The Commissioner does not think so. It can also increase systemic risk. If the single regulator gets it wrong, there is no fallback protection and no other body to step into the gap.

He does like the idea of a single regulator for all of the capital markets. He does not like the split between the CFTC and SEC with the regulation of derivatives separate from the regulation of the underlying securities.

He advocates self-funding the SEC. He alludes to reductions in the SEC’s budget having affected the effectiveness of the SEC.

The Commissioner thinks the staff of the SEC has been unduly tarnished.

After his speech, the Commissioner sat down for a fireside chat with Matt Kelley, the Editor-in-Chief of Compliance Week, taking questions from the audience.

He expects enforcement to be quicker than in the past.

He went back to the self-funding part of his speech. He compared the big staff of the FDIC to that of the SEC. The FDIC has more people and keeps tabs on fewer institutions. The SEC needs more resources.

It sounds like IFRS adoption may be a lesser priority under the new administration.

It was a nice speech and chat by the Commissioner.
