Stephen L. Cohen, the Securities and Exchange Commission’s (“SEC”) Associate Director of Enforcement, spoke recently at the Society of Corporate Compliance and Ethics’ Annual Conference.  In his remarks he noted what he considers characteristics of effective and ineffective compliance programs and how having a strong compliance program can impact the SEC staff’s decision on whether or not to bring an enforcement case against a firm as well as the extent of penalties and sanctions pursued. Mr. Cohen said: “When evaluating a company’s misconduct, we typically give credit when a company can demonstrate a strong compliance culture”.

Effective and Ineffective Compliance Programs

Mr. Cohen noted in various iterations a characteristic  he considered to be indicative of a strong compliance program; early detection of compliance issues.  In contrast, a hallmark of an ineffective compliance is one which fails to detect issues and where firms “do not take compliance seriously until misconduct comes to light.”  He noted cases brought by the SEC or the Department of Justice “where issues were not discovered, not escalated, or where management ignored push-back from compliance staff.”  The firms considered favorably by regulators are those “that display an exemplary commitment to compliance, cooperation and remediation.”

Culture and Governance

Throughout his remarks, Mr. Cohen mentioned a culture of compliance(a phrase often used by SEC staff) and a firm’s governance (an emphasis of the SEC staff since the fallout of the financial crisis).  He noted that: “A strong compliance and ethics program must start with proper governance, including a tone at the top built on actions rather than words.”  Again, he used a SEC staff buzzword, “tone at the top”, which may seem trite, but  is  assessed by SEC staff and is considered telling.

Distilled from the speech, the following demonstrates a culture of compliance and good governance:

He noted that the staff of the SEC’s National Examination Program is meeting with those who govern an organization, as well as compliance personnel, “to assess the culture of compliance and ethics in the organization” and that the results “can factor into the level of risk the staff ascribes to a firm, which can affect how frequently they are examined.”

Enforcement

While Mr. Cohen noted the benefits and elements of an effective compliance program and of good corporate governance, he said the SEC staff would not hesitate to seek to punish those whose programs had failed to detect issues.  The SEC staff would seek, through enforcement, substantial financial penalties and admissions of wrongdoing in some instances.  He reiterated the benefits of an effective compliance program in relation to possible enforcement action by saying: “Isolated conduct combined with good compliance and internal controls make it less likely that we will bring an action at all.”  He described matters involving two firms, Morgan Stanley and Ralph Lauren, where internal controls, the compliance program, training and risk assessment were instrumental in the SEC not bringing charges against the firms.

The SEC staff, specifically the National Exam Program, Investment Management Division, and the Enforcement Division’s Asset Management Unit, have been “coordinating efforts to identify and bring cases against registered investment advisers who lack effective compliance programs and procedures.”  Mr. Cohen noted six actions that arose out of these efforts and that there are more in the pipeline.  While not mentioned specifically in his remarks, in October, a set of SEC enforcement actions addressed inadequate policies and procedures.  The first is the case of Equitas Capital Advisers, Equitas Partners, its owner, former owner and chief compliance officer and a successor firm named Crescent.  The SEC alleged that they failed to adopt and implement written compliance policies and procedures and conduct annual compliance reviews as required under the Investment Advisers Act of 1940.   In a similar case, Modern Portfolio Management and its owners also allegedly failed to correct ongoing compliance violations at the firm despite prior warnings from SEC examiners and also failed to complete annual compliance reviews.

“Continual self-evaluation and improvement”

How, precisely, does a firm heed Mr. Cohen’s warnings?  A firm should take concrete and demonstrable actions to continually assess the strength of its compliance program, the risks involved in the organization and the compliance program’s ability to identify wrongdoing to correct gaps in the program.  Mr. Cohen noted that firms “must proactively keep pace with developments and leading practices as part of a commitment to a culture of ongoing improvement.”  Not all chief compliance officers are career compliance officers and many have other duties beyond compliance, such as serving as chief financial officers and chief operating officers. This is the case with many recently-registered private fund firms.  Thus, it is recommended that given a lack of a regulatory and compliance background, chief compliance officers should endeavor to educate themselves; share ideas and experiences with colleagues; attend conferences, roundtables and SEC events; and read about developments.

Although often costly, consider bringing in others to evaluate the risks, strengths, weaknesses, effectiveness of the program. Such parties include internal audit, regulatory consultants and attorneys.  Among the methods employed by such parties are mock SEC examinations, targeted reviews of areas of risk for a firm, risk assessments, and reviews of policies and procedures.  Firms that undergo these exercises are often better prepared for a SEC staff examination.  As Mr. Cohen noted, one shouldn’t wait until an enforcement action to change behavior. Unfortunately, many do.