
7 Ugly Truths About Compliance: a Primer for new Chief Compliance Officers


By:  Jaqueline M. Hummel, Managing Director

February 11, 2016

Many compliance officers live in hope that if they ramp up their persuasive skills, engage employees with spectacular training presentations, and provide succinct and prompt advice, they will receive the respect and recognition that they deserve.  Unfortunately, despite all best efforts, compliance officers will struggle to be heard.

For those who have just received the dubious honor of Chief Compliance Officer at an investment advisory firm, here are seven ugly truths you should understand on day one.

  1. No one reads the compliance manual.

Despite all the hard work compliance officers put into the manual, no one reads it.  That may be an overstatement, but aside from the many questions received regarding the Code of Ethics and employees’ personal securities transaction reporting obligations, the rest of the manual remains unread.  Employees remain blissfully unaware that the manual contains policies and procedures for many daily activities, until the Chief Compliance Officer discovers an issue, or the SEC staff points out a specific passage during an exam.

As discussed in my prior post, Write the Best Compliance Manual Ever!, compliance officers should consider engaging employees in the drafting and revision of the manual. Set up a meeting with each area within the firm to go over the sections of the manual that apply to that area.  Revise the procedures based on input received, and require supervisors to review and approve them.  Supervisors then have accountability for those procedures.

Another approach is to read the manual to the employees by providing frequent training.  Having short, focused training presentations can be very effective.  (Free food is also a big draw.)  Consider tailoring training to specific areas of the firm, and work with the supervisor to set the agenda and the best date and time for the presentation.  Schedule training during periods when the attendees are generally less busy.  Request input from the supervisor to ensure you cover topics that he or she identifies as problem areas, even if they may not necessarily be compliance related.  Show your willingness to help advance firm-wide goals, as well as your own.

Development of a good compliance program is a process; it takes time for everyone to understand their roles.  The more you present yourself as a resource and take the time to discuss the goals of the program, the more buy-in you will get.  This process can take years, so be patient.

  2. Compliance officers don’t get any respect.

Being challenged on your opinions or advice is a fact of life for most compliance officers.  Executives, portfolio managers and other investment professionals want data and facts to support a recommended course of action.  Unlike other financial professionals, we don’t have an easily understood track record or a way to compare our services to an existing benchmark.  It is not particularly confidence-inspiring to tell a future employer or client:  “The deficiency letter for the last SEC exam I was involved in was only 12 pages long.”  Or “No firm ever got referred to the SEC’s enforcement division on my watch.”

To make matters worse, the regulatory rules are vague and advice from the SEC is piecemeal, culled from speeches, no-action letters and administrative actions.  Advice from experts may not be specific enough to deal with your firm’s situation.

Consequently, compliance officers (and consultants) have to earn respect on a daily basis.  This can be accomplished not only through knowledge and experience, but by providing concise and useful advice.   Knowledge and experience are meaningless if you can’t deliver your message in a way that your client understands.

My advice is to be prepared.  In areas where you know you are going to get push back, read the underlying rule.  Consult your firm’s policy and procedure.  Read any SEC no-action letters, speeches and administrative actions relating to the issue.  Look through the materials from the last industry conference you attended.  Search the internet for articles written by law firms and other industry experts.  Call your contacts at other firms to see how they deal with similar issues.  Even if you have dealt with similar issues time and again, it is still helpful to refresh your memory and to see if there are any new interpretations.

There may not always be time to do the legwork, and even if you can, there may not be a clear answer.  These are the times when you must go with your gut – provide your initial thoughts on how a regulator might view the situation and a recommended course of action.  But be prepared to back it up.  For high risk issues where there is no clear path, call in an expert.   There are two benefits to this approach: first, you will find out whether the advocate of a particular action is serious enough to spend some money for advice from a knowledgeable law firm or consultant, and second, you will have proof for regulators that you acted reasonably under the circumstances by consulting an expert.  At best, the expert will back up your opinion, or at worst, you will learn the options available.

It also helps to keep up with regulatory issues on a daily basis.  Subscribe to blogs, law firm newsletters, SEC updates and read the news.  There are many free sources of information to help compliance professionals keep abreast of regulatory developments.  Knowing your stuff adds to your credibility.

Once you are ready to give your advice, boil it down to its essence, with specific action items and recommendations.  Those seeking your advice generally do not want to read the regulations or understand all the legal and regulatory fine points.  They want to know what they need to do to solve the problem.   Giving constructive, actionable advice demonstrates that you can help the firm reach its goals.

  3. No one reads past the first three lines of your email.

This is a corollary to item 2 above, but is important enough to require further discussion.  Many compliance officers love the details and have difficulty boiling messages down to their essentials.  But people get bombarded by emails, so it’s important to be clear and concise.  When a response is required, say that upfront.  I recommend using all caps in the subject line:  RESPONSE REQUIRED BY FEBRUARY 3, 2016.  And then flag these emails with a reminder for yourself, and a reminder for the recipients, to follow up by the deadline.

In the body of the email, make sure you get to the point within the first sentence or two.  Resist the temptation to provide a detailed explanation.  Readers often suffer from email fatigue and seeing more than a screen of text may cause them to hit the “delete” button.  If you are responding to a question, the answer should be in the first line of the email.  If you need approval or feedback, tell the reader that you need their input on the issue to go forward.  Bullet points are also useful to make points without overwhelming the reader with text.

You can always attach a detailed explanation to the email; just do not expect that the attachment will be read.

  4. If it’s not important to the boss, it’s not important to the employee.

This is a hard lesson.  When firm management says compliance is important but takes no action to support this statement, the compliance officer’s job is much more difficult.  If management is unwilling to put their money where their mouth is where compliance is concerned, the compliance officer’s only leverage is the threat of potential repercussions in the event of an SEC exam.  For example, if compliance training is mandatory, but the executives do not attend, they send the message that it is not important.

On the other hand, if the Chief Executive Officer says that failure to complete annual holding reports in a timely manner will result in a reduction in an employee’s bonus, employees will be knocking down the Chief Compliance Officer’s door in an effort to meet the deadline.

Getting management to buy in to compliance initiatives is a topic that requires more space than I can devote here.  It’s good for business (see prior blog post) because it can help limit liability and preserve a firm’s good reputation.  The SEC also holds executives personally liable for failure to adequately support a firm’s compliance program, as evidenced by a recent administrative action, In re Pekin Singer Strauss Asset Management, Inc. (discussed in a recent blog post).

Perhaps a more chilling example is Volkswagen’s recent scandal.  In September 2015, the Environmental Protection Agency (EPA) found that VW diesel cars being sold in the United States had software installed that detected when the cars were undergoing emissions testing, and adjusted the car’s performance to improve the results.  Ultimately, Volkswagen admitted to cheating emissions tests in the United States.  Since then, the firm’s stock price has plunged, the CEO was forced to resign, the EPA plans to impose fines, and car owners and shareholders are lining up to sue.  Although all the facts are not in, it’s entirely plausible that VW’s management approved the installation of the cheating software.  And even if management was not aware of the details, the firm fostered an environment that encouraged cheating to boost sales.

This is a worst case scenario, and it demonstrates how management’s failure to support and encourage ethical behavior can lead to much more significant financial woes than disappointing sales.

  5. You don’t know what you don’t know.

Even the most experienced compliance officers can fall into the trap of making assumptions about a firm’s operations and processes.  The truth usually comes out as a result of a trading error, client complaint, or, in the worst case scenario, regulatory action.

Here’s an example.  A firm adopts a policy that it will not vote proxies for its clients.  The policy is disclosed in the Form ADV Part 2A, and in the firm’s standard investment management agreement. The compliance officer walks by operations one day and sees an employee throwing a bunch of proxy solicitations in the trash.  When the compliance officer asks why, the employee says that the firm is not responsible for voting proxies, so the solicitations are not relevant.  The compliance officer recognizes that this is an issue, and has a discussion with the operations team.  The next steps recommended by the compliance officer include forwarding proxy solicitations to clients and instructing custodians to send proxies directly to clients.  In this situation, the account set up process did not address how to deal with proxy votes.

There will always be unpleasant surprises like these in the life of a compliance officer.  The best way to deal with them is to keep an open mind, and be willing to dig down through the smallest details to understand a process.  This means developing standard operating procedures for all areas of the firm, and understanding the root cause of failures.

Although it’s not the compliance officer’s job to write all the SOPs for the firm, you can review and test these procedures to see if they are sufficiently detailed and robust.   The compliance officer can also listen and observe.  Have the employee responsible walk you through the process step by step, and ask questions.  Watching the process from start to finish, or even performing the task yourself, may help you learn what you don’t know.

It’s also a good idea to leave your desk and walk around the office regularly.  Attend other departmental meetings and listen.  Build relationships with people from all levels of the organization.  By making yourself available and visible, people will bring their concerns to you.

  6. If it’s not documented, it didn’t happen.

This is a lesson learned from numerous SEC examinations.  Although an investment adviser might do the right thing, if there is no documentation to show that it was done, for all practical purposes it did not happen.

Most advisers maintain the required records described in Rule 204-2 of the Investment Advisers Act of 1940.  The SEC, however, expects advisers to maintain other records, as evidenced in a typical SEC examination document request list.  Here are a few examples of records that are not on many investment advisers’ radar screens:

  • A current inventory of the firm’s compliance risks that forms the basis for its policies and procedures
  • The names and location of all service providers and the services they perform, and, for both affiliated and unaffiliated providers, information about the due diligence process to initially evaluate and monitor thereafter the work provided and how potential conflicts and information flow issues are addressed
  • Documentation of controls of employee access (i.e., electronic key card entry, locks, security cameras and guards) to physical locations containing customer information (i.e., buildings, computer facilities and storage record facilities)
  • Information about the oversight process the Adviser uses for any remote offices and/or independent advisory contractors, and any policies and procedures with respect to such oversight.

Compliance officers should look for copies of SEC examination document requests and any SEC pronouncements relating to the latest hot button issues to identify what regulators will expect to see.

  7. It’s easy to say no, hard to say yes.

Most compliance officers are aware of this truth – this is a lesson for the rest of the firm.  Saying no is easy; it requires no additional work or thought on the part of the compliance officer, and eliminates risk.  To say yes, a compliance officer has to think, research and provide options, which takes time and effort.  Given the SEC’s willingness to hold compliance officers personally liable for compliance breaches, saying yes can be a risky and expensive proposition.

If you always say no, however, firm employees will stop coming to you for advice and guidance.  You will not be consulted when new products are being developed, new marketing efforts are proposed, new types of clients are being sought, and new technologies are being explored.  If the compliance officer is not aware of what the firm is doing, then he or she is not going to be effective.

My advice is to take advantage of teachable moments.  For example, the marketing team asks you, as compliance officer, whether they can use back tested performance for a client presentation.  If the team wants the answer today, the answer is no.  But, if they are willing to wait, you will work with them to come up with a way to get the same message across by using extensive additional disclosure, or by using a different approach.

The goal is twofold: getting firm employees to consult you early in the process, and demonstrating your willingness to find solutions to meet their goals.

Coming to terms with these ugly truths is not easy.  But if you accept them and manage your expectations accordingly, you will decrease your stress level and be more effective in your job.