Speech by SEC Staff:
Remarks at the CCOutreach National Seminar

by

Carlo V. di Florio¹

Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission

SEC Headquarters
Washington, D.C.
February 8, 2011

I would like to thank Chairman Schapiro and Rick Ketchum for their excellent keynote remarks.

I share their sentiment and respect for the incredibly important role that Chief Compliance Officers play in protecting our capital markets. I also share the sentiment of the fundamental principle that both of these speakers have often articulated — that investor interests should come first.

As you know, the views that I express here today are my own and do not necessarily reflect the views of the Commission or of my colleagues on the staff of the Commission.

Twenty five years ago last May, an obscure event occurred that highlights many themes that are important in today’s conference. As described in the book Den of Thieves by James B. Stewart, it was then that a Merrill Lynch compliance officer in New York received an anonymous tip, handwritten in broken English and postmarked Caracas Venezuela, about Carlos Zubillaga, a Merrill employee in Caracas. The letter highlighted suspicious trading activity by Zubillaga. Merrill conducted an internal investigation, which identified suspicious personal trading activity and violations of firm policy by other current and former Merrill employees connected to Zubillaga. Merrill terminated the employees involved, and turned the letter and its investigation over to the SEC. The Commission’s investigation eventually identified US investment banker Dennis Levine as the source of the inside information. Stewart’s account describes how Levine then implicated Ivan Boesky, and Boesky led the SEC to Drexel Burnham and Michael Milken. This incident has many lessons for effective compliance and enforcement. First, tips, complaints and referrals are critical to identifying problems and ferreting out wrongdoing. Second, diligent internal compliance, supported by a firm’s senior management, is an important line of defense. It is important to note that Merrill’s compliance department on this occasion had sufficient support from management to be able to summon employees from Caracas to New York to answer questions based largely on information from an unknown source, that management was willing to take strong disciplinary action, and that Merrill elevated the issue to its regulator. Third, aggressive and well-focused investigation by the regulator is also enormously important. The SEC and US Attorneys’ office did not rest in pursuing this investigation until every avenue was explored. Finally, crime does not pay!

I trust that many of you share the appreciation that, to be effective, compliance and ethics programs cannot exist in silos. Instead, I believe they need to be ingrained in the DNA of the organization and the decision-making framework of the organization. They need to be imbedded in the business process and at the table when strategic decisions are being made and new products are being developed. They need to be an integral part of performance measurement and management processes. And, they need to be part of the way business is done. After all, compliance programs and the work that you do every day add tremendous business value. They protect the business, they enhance the brand, they ensure that reputation is protected and that reputation risk is managed.

In Chairman Schapiro’s remarks, and in the panel to follow, you have heard and will hear a great deal about the Dodd-Frank Act, and the challenges and opportunities that it poses, for the compliance community as well as for the regulators. There are a great many ways that the Dodd-
Frank Act impacts our work. These will be discussed in detail in the coming panels, so I won’t review them all here. Instead, I will talk about the changes that we are making to our National Exam Program, which will help us in many ways, not least by giving us a better chance to reconcile the demands of Dodd-Frank and the resource limitations that we currently face under a flat budget. I will also sketch some of the focus we are placing on governance and enterprise risk management. Finally, I will talk about some of our specific current priorities in the broker-dealer exam program, including AML.

Building a National Exam Program.

Since I joined the SEC a year ago, we have undertaken a comprehensive self-assessment of our strategy, structure, people, processes and technology. We identified numerous improvements and have initiated a transformation plan to implement these improvements in a structured and phased manner. Some highlights are noted below.

Strategy — Clarifying Our Mission and Risk-Focusing our National Exam Program

First, we are implementing a number of reforms to build an integrated National Exam Program that ensures consistency, effectiveness and efficiency. Second, we are implementing an enhanced risk-focused exam strategy that will enable us to better allocate and leverage our limited resources to their highest and best use as we work to protect investors, help to ensure market integrity and support capital formation. We have identified four key objectives to support this mission through our exam program:

• Improve industry compliance with the securities laws and industry governance, risk management and compliance practices through exams and industry dialogues and outreach programs
   
• Identify and prevent fraud through risk-targeted exams and better coordination with the Division of Enforcement in the identification, investigation and enforcement of fraud actions
   
• Monitor new and emerging risks to investor protection and market integrity through joint initiatives with our new Division of Risk, Strategy and Financial Innovation. This includes the development of new risk assessment and surveillance models and risk analytics
   
• Inform policy as the eyes and ears of the SEC in the field, through structured involvement in the rule-making process from start to finish, and with a dedicated policy support teams on key regulatory reform rules, studies and initiatives.

We have also developed Key Performance Indicators to help us to measure our performance and impact of our National Exam Program relative to our mission objectives.

Structure — Strengthening Expertise in Critical Risk Areas

We are implementing numerous structural enhancements to support the implementation of a National Exam Program and a risk-focused exam strategy. These improvements are designed to facilitate teamwork and collaboration, and drive greater consistency, scale and accountability. Here are a few examples:

• We have put a new national governance model in place that includes regional leadership in key strategic planning, policy setting and performance management initiatives
   
• We have a new Risk Analysis and Surveillance Unit to enhance our ability to identify the highest risk firms we should be examining and the highest risk issues to focus on in our exams of those firms
   
• We have launched new Specialization Working Groups dedicated to enhancing our ability to identify, understand and proactively examine new and complex industry developments. These groups are already informing our risk assessments, exam modules, training programs and inspections. The initial specialized groups are focused in the following areas:
   
  
  • New and structured products
     
  • Valuation
     
  • Equity market structure and trading practices
     
  • Fixed income securities, including municipal securities
     
  • Microcap fraud
     
  • Marketing and sales practices.
     
• We are also looking at how best to staff exams to break down our internal silos and enhance our ability to assign skills sets most effectively to address the specific risks in an exam profile, including deploying joint IA/BD teams to address issues such as some of the lessons learned from the Madoff fraud, or issues regarding dual broker-dealer and investment adviser registrants

While our structural improvements are comprehensive, they are also designed to achieve specific outcomes. For instance, in addition to facilitating better teamwork and collaboration with the policy divisions, the governance structure also strengthens the OCIE/Enforcement partnership and speeds alerts, information hand offs, and transitions from OCIE Exam staff to the Enforcement Division, transforming the lines of communication and accountability.

People — Recruiting Specialists, Improving Training and Strengthening Culture

Our initiatives regarding people have been focused on recruiting new skill sets that are critical to supervising our modern capital markets, building a leading practice training program, introducing mentoring, and building a culture of high-performance, teamwork and accountability. Here are some specific examples:

• We have recruited New Senior Specialized Examiners to strengthen our expertise and skills sets in key risk areas, including: complex structured products, risk management, quantitative analytics, valuation, trading practices, portfolio management and technology.
   
• We are working on a new Certified Examiner Training program that establishes consistent baseline technical training and certification standards across the country
   
• We are strengthening management skills and practices through our Successful Leaders training program
   
• We are launching a mentoring program to support the professional development of our examiners and leverage the expertise and experience of our most seasoned examiners.

Process — Streamlining Processes to Drive Consistency, Effectiveness and Efficiency

We have re-engineered our exam process end-to-end to streamline and focus on those activities that add the most value. With this process re-engineering we have designed a more risk-focused exam process, enhanced pre-exam preparation, improved multidisciplinary staffing, increased field supervision and strengthened our agility and ability to allocate resources to their highest and best use. In addition, we have introduced a number of new mechanisms to drive standardization, consistency and accountability across our National Exam Program. Here are some examples of these improvements:

• An updated, central National Exam Operations Manual
   
• Our first automated National Exam Workbook to drive consistency, effectiveness, efficiency and accountability in the exam process nation-wide
   
• OCIE’s first Chief Compliance Officer to enhance and monitor compliance with our own policies and procedures, like we expect of our registrants.
   
• Increased presence of supervisors in the field and involvement senior staff on exams
   
• Use of targeted scope correspondence exams to touch a greater percent of the registrant population and to risk-assess registrants with better speed and focus.

Technology — Automating the Exam Process to Keep Pace with New Developments

We have focused our technology improvement initiatives on automating our exam process end-to-end, including risk assessment and surveillance; exam preparation; all key activities associated with exam execution, such as trade analysis; work paper management and data analytics and reporting. Here are some of our technology initiatives:

• We’ve set up our first Technology Committee to oversee our technology resources and strategy.
   
• We plan to have a dedicated Senior Technology Officer who will develop a comprehensive technology strategy, technology architecture and implementation plan to automate and strengthen our exam program.
   
• We’ve added new risk assessment and surveillance technologies
   
• We’re automating our Exam Workbook
   
• We’ve developed automated tools to enhance trade analysis
   
• We’ve developed management information systems that support key performance indicator monitoring and reporting.

Seeing the Forrest from the Trees - Governance, Enterprise Risk Management and Internal Control

We are also focusing our exams on risk management as it pertains to corporate governance, enterprise risk management (ERM) and registrants’ internal controls. In doing so, we will be coordinating closely with our regulatory partners — other federal financial regulators, FINRA and the states. In a time of resource constraints we hope to realize three benefits from this approach: (i) this will keep us focused on the most significant risks; (ii) by focusing on a somewhat smaller but high-priority range of issues in each exam we will be able to extend our resources further; and (iii) engaging firms at a higher level of management will have a more effective impact on a firm’s culture.

The financial crisis revealed just how dramatically risk management failures can harm investors, jeopardize market integrity and hinder capital formation. It also revealed the interdependence between various risk categories (e.g., liquidity, funding, market, credit, operational, compliance and reputation risks), and demonstrated how that interdependence can accelerate risk concentration and harm to investors and markets. Finally, the financial crisis revealed the need for better oversight of risk at the board and senior management levels, and the need for stronger independence, standing and authority among risk management, control and compliance functions so senior management and the board understand the true risk in the business model and more proactive and effective risk management decisions can be made timely.

From an exam perspective, this involves understanding each registrant’s business model, products and asset classes, and evaluating the risks and conflicts that are inherent in that business model. It also means seeking an understanding of what kind of risk management governance and compliance control frameworks registrants have put in place to mitigate and manage that risk profile. I want to emphasize that we are keenly aware of the lessons learned from the financial crisis, as well as from Madoff, where we were roundly criticized for losing the forest for the trees by honing in on some issues and missing broader, systemic and far more serious problems in the organization.

As we increase our focus in these areas, we will generally want to understand how risk management is embedded in key business processes and decision-making at five levels:

1. How do the business units of an entity ensure they are taking and managing risk effectively at the product and asset class level in accordance with the risk appetite and tolerances set by the board and senior management of the whole organization?
    
2. How are key risk management, control and compliance functions structured and resourced to ensure they are effectively embedded in the business process, while having the necessary independence, standing and authority to be effective in helping the organization identify, manage and mitigate risk?
    
3. How is senior management ensuring effective oversight of enterprise risk management and embedding risk management in key business processes, including strategic planning, capital allocation, performance management and compensation incentives?
    
4. How does the internal audit process independently verify and provide the board and senior management with assurance regarding the operating effectiveness of risk management, compliance and control functions?
    
5. How is the board of directors (if one exists in the organization) staffed and structured to ensure it can effectively set risk parameters, foster an effective risk management culture, oversee risk-based compensation systems and effectively oversee the risk profile of the firm?

In addition to looking at key risk management issues, such as executive compensation incentives, new product review, and model validation, our examiners will also seek to understand how effectively the firm is managing key risk and control processes. These include:

• Setting of risk tolerances to manage and monitor the risk profile of the firm
   
• Risk-based strategic planning and capital allocation
   
• Oversight of risk management policies and processes
   
• Training and communication that support an effective risk management culture and tone at the top
   
• Surveillance systems that effectively flag exceptions to risk management policies
   
• Monitoring and reporting systems that track key risk indicators for decision-making
   
• Issues management processes to ensure timely escalation and remediation of risk and control concerns
   
• Change management controls to effectively implement new changes in the risk management framework and address new products, services, businesses, processes, etc.

We will incorporate a strategic dialogue of the enterprise risk management framework into our exams so we can effectively distinguish the forest from the trees and then dive into targeted exams in focused risk areas (e.g., products, asset classes, business units) to test effectiveness.

Brief Overview of Key Risk Focus Areas in our Broker-dealer Exam Program.

Financial and Operational Risks. The NEP is very focused on financial risk management of broker-dealers. Liquidity, valuation, concentration and funding are therefore critical issues from a risk management perspective. We also want to understand the products and services that pose particular risk. Complex structured products are therefore a key exam concern, as well as variable annuities, leveraged ETFs, and fixed income, including municipal securities.

Trading Practices. With regard to trading practices the NEP continues to look at best execution and short sales. Our examiners are also seeking to better understand algorithmic trading, high frequency trading, sponsored access and key risk controls around these processes as technology drives so much of the speed and risk around the trading environment.

Sales Practices. The NEP is particularly focused on fraud or abusive sales practices in the retail distribution channel. We want to understand what registrants are doing to identify, mitigate and manage the risks in this area and ensure effective compliance supervision. This is a particular concern where there are independent or remote branches, particularly if there are registered representatives in those branches who have a disciplinary history. As mentioned previously, the NEP is also going to conduct examinations of firms and individuals that are dually registered as broker-dealers and investment advisers to look at sales practices and other issues.

Protection of Customer Assets and Information. Increased emphasis on protection of customer assets from fraud and misappropriation and protection of customer information from misuse means that independent third-party asset verification will continue to be a significant part of exams. The NEP is implementing streamlined versions of our methodology for asset verification so that we do a targeted review of different types of accounts and custody locations.

Pre-retirement issues are also an exam area. Prior joint exams with FINRA have been conducted in the retirement space, focusing on seniors (free lunch seminars) and good practices. The NEP will continue to focus on risks and concerns in that space, such as:

• Fees — disclosure, how fees are assessed, fee oversight, negotiated pricing and intermediary compensation;
   
• Supervision; and
   
• Conflicts of interest.

Conclusion.

I would like to close by thanking you for coming together today to participate in this broker-dealer seminar. I very much look forward to an on-going dialogue.

Thank you very much.

¹ The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private statements by its employees.