Washington, D.C.
Oct. 19, 2016
Thank you for that very kind introduction and for inviting me to speak today. Before I start, I must provide our standard disclaimer that the views I express today are my own and do not necessarily reflect the views of the Commission, the Chair, other Commissioners or my colleagues on the Commission staff.[1]
In preparation for this speech I looked at the Conference Agenda and realized that you had the benefit of an opening keynote speech from my colleague, Marc Wyatt, Director of the Office of Compliance Inspections and Examinations ("OCIE") and have been through two and a half days of intensive presentations on compliance issues. I also realize that I am what stands between you and your return home, so I will do my best to keep this brief, but informative. So what could I talk about that you have not already heard? I thought I could be most helpful today by summarizing some of my previous remarks on the subject of compliance and then share my thoughts on the future challenges you may face in performing your difficult, but absolutely critical, task.
Over the past year, I have spoken about a variety of challenges within the compliance community. Given my forty-plus years of experience in the industry — from overseeing legal and compliance at firms large and small, to leading the SEC's Investment Management Division and now serving as Chief of Staff — I wanted to share a few of my observations on the state of compliance.
My first speech as Chief of Staff, in October 2015,[2] focused on the compliance challenges faced by OCIE and the office's strategy for optimizing the use of its limited examination resources by: (a) identifying risk; (b) embracing data and technology; and (c) enhancing its existing expertise. The number of market participants overseen by the Commission is truly eye-popping — over 25,000. But with only modest growth in our budget, OCIE — like all of our divisions and offices — has had to do more with less. By embracing technology and experts to better identify risk, OCIE is able to maximize both its efficiency and its effectiveness. I concluded those remarks with my thoughts on how I would consider my role as Chief Compliance Officer if I had your job. I flagged the importance of certain issues like conflicts of interest and the need to fully understand your organization — from its structure and clients to its technology and compliance systems.
In March 2016,[3] I continued this theme of compliance-related advice by speaking about corporate compliance and the importance of developing a strong culture. I also discussed how compliance personnel must keep it simple and intuitive when developing policies and procedures, the need to ensure that personal responsibility is not denigrated by the rise of technology, the growing complexity of firms, their operations and their products and services, and the need to appreciate and worry about what you don't know as you evaluate potential risks. I ended with a few thoughts on how to get comfortable with your significant compliance responsibilities.
And this past spring,[4] I took a step back and provided a broader perspective about the growing intersection between our securities regulation and the global financial community. I discussed: (1) the globalization of the securities markets — from investment advisers and broker dealers, to cross-border holdings and foreign issuers; (2) the importance of international engagement as we continue to work more closely with our foreign counterparts — both to add a strong policy voice in international discussions and enhance our enforcement efforts; and (3) the Commission's regulatory achievements over the last three years.
Having spent the past year sharing my insight from a lifetime working with and overseeing compliance functions, I would like to be more forward-looking today. These decades of experience have not only given me insight into how things are, but also into where things are likely headed. As a result, I thought I would spend time today discussing some of the potential challenges that I see facing the compliance function and compliance officers in the future. I don't pretend to be clairvoyant — otherwise the New York Giants would have won the Super Bowl every year — but given my time both in the industry and at the Commission, I feel like I've seen enough to make a few safe predictions. This is not intended to be all-inclusive and is based on my own experience and observations, and not those of my colleagues at the Commission.
Years ago, the skills and expertise required of the compliance area and its personnel were fairly straightforward. You had to develop a basic expertise in the laws and regulations that affect your business. Back then, compliance was comprised of lawyers, accountants and auditors, and some operational staff. In the future, I envision that the necessary expertise for compliance will consist of a far broader set of subjects, including expertise in technology, operations, market, risk, and auditing, to name a few. Even now, compliance personnel need to have a solid understanding of these areas, but I envision the role becoming even more demanding such that a CCO will truly need to be a jack of all trades with access to a wide array of skillsets.
The business and economic environment faced by broker-dealers, investment advisers, investment companies and other regulated entities is dynamic and highly competitive. Many of these businesses have seen dramatic changes to the composition of their products, changes to their traditional business models, and migration of clients and business to less lucrative areas. For example, in the asset management industry there has been a sizeable transition over the past several years from active management to passive management, and the resulting shift from higher revenue and margin business to lower revenue and margin business.[5] In addition, many businesses that previously experienced very healthy growth rates have matured and face the prospect of modest future growth, at best.
I have concerns that this general trend of declining or stagnant top line revenue growth will trigger an ever-increasing fixation on expenses. While I have no problem with cost management — indeed it is a prudent part of any business — I worry about the potential long-term implications because, as you all know, compliance is a significant cost center, as are technology and legal. So a very real challenge for compliance departments and personnel — both today and in the future — will be to ensure that they have the funding necessary for discharging their critical function as well as the technological and other resources that are essential to their success. This concern about resource constraints is especially critical as the role of compliance continues to expand in the post-financial-crisis era. If the focus on the bottom line makes the compliance function more efficient, then that certainly is a good outcome. But if it negatively impacts the ability of compliance personnel to discharge their duties effectively, that can be a serious problem.
The proper role of compliance within firms is evolving and different firms have taken different paths. Some firms see the role of compliance as assisting the businesses in identifying potential regulatory issues and — along with the business — developing appropriate policies and procedures to address those issues. Compliance then must ensure that the policies and procedures are properly implemented and followed. Other firms take a more expansive vision for the role of compliance, one where compliance is more proactive and takes a more active role in ensuring that the firm is complying with all applicable regulatory requirements. In this more holistic model, compliance is often expected to develop front-end controls that will prevent the business from violating regulations or disregarding established policies and procedures. Technology has been the primary catalyst of this approach as it has enabled the development of highly sophisticated tools to efficiently detect and prevent violations. Now I recognize that most firms are likely somewhere between these two extremes with a bias over time towards the latter as firms increasingly adopt tools that are designed to prevent violations at the outset.
As technology continues to develop effective systems to prevent practices that could violate regulatory requirements or firm policies and procedures, there will continue to be, in my view, a very rational and appropriate move towards the latter approach. But as this trend accelerates it is important that businesses not view this as an opportunity to abdicate their responsibility. It is critical that businesses remain accountable and not view compliance as being responsible for any and all violations. Compliance should of course bear responsibility for properly discharging its duties, but I believe it should not take on the role of ensuring that the business never misbehaves — that is the entire business's obligation. Holding the business responsible will also, I believe, encourage firms to properly focus on compliance, including providing adequate resources. Compliance should continue to be viewed as a partner — not a scapegoat or cost center — in the quest for developing a conscientious and compliant business.
Increasingly businesses and their operations are not confined to a single jurisdiction or country. And clients frequently need solutions that encompass investments or strategies across several regulatory regimes. It is not uncommon for firms and their clients to need to comply with a wide array of laws and regulations that apply to securities, broker-dealers, investment advisers, investment companies, commodities, ERISA (and the new DOL "fiduciary duty rule"), insurance and banking, to name a few. As these trends of globalization and business complexity continue, firms face growing challenges about how best to organize their operations and how to determine the best way to interpret and comply with the applicable regulatory requirements. For example, a firm might have an exceptional investment capability located in the U.S. that clients in Europe or Asia want to access. The jurisdiction for those clients may have regulatory requirements that differ in significant ways from those that apply in the U.S. Firms often have global clients and operations in global markets, but must deal with a complex array of local requirements. Some of the requirements that relate to client reporting may be easily addressed, while those that concern actual investment activities of the firm or how the firm manages its operations and activities may be far more difficult to navigate. The determination of which regulatory requirements apply, and how they should be interpreted and implemented, will be an increasingly significant legal and compliance challenge to firms. To successfully meet these issues, it is absolutely critical for legal and compliance personnel to have the necessary global and regulatory expertise.
Technology continues to play a prominent role in the markets, firm operations, product development, and compliance. One element of this is the growing use of artificial intelligence in the operations of firms and their products. The development of robo-advisors, online marketplace lending platforms, and high-frequency trading are but a few examples. Firms also increasingly utilize automated systems to perform routine tasks such as allocating trades and monitoring performance. And firms are developing the ability to manage money using technology not only to provide analysis to portfolio managers but to actually determine portfolio compositions and implement trades. The expertise required by compliance in a more automated environment is quite different from that required in a more traditional, manual setting. The ability to understand and effectively monitor the technology and related systems that are being developed and employed is a considerable challenge that will occupy a growing share of your time and attention.
Relatedly, many firms currently employ technology systems that were developed several years — if not decades — ago. Although perhaps once considered cutting edge, these legacy systems are often adapted time and time again to conform to new businesses, market changes or regulatory requirements. As a result, over time these systems are being required to perform functions for which they were not intended — and often not ideally suited. In addition, as firm businesses have evolved, merged or been acquired, they often have a variety of separate systems that perform similar or overlapping functions. Both the business and compliance need to understand the strengths and limitations of each system and where and how they should be integrated. Updating or even replacing these legacy systems — and effectively integrating them — can be time-consuming and quite expensive, and itself presents a significant business and compliance challenge. I don't anticipate this becoming any easier in the future.
Another real challenge for the businesses, lawyers and compliance personnel is staying up to date on changes in regulatory requirements, changes to the firm's businesses, and anticipating trends in both. I have the advantage of having learned businesses and regulatory requirements over a forty-year period. As a result, I have been fortunate enough to gradually process and incorporate the various changes over several decades, in a somewhat manageable manner. Most of you do not have the luxury of time like I did — to the extent being older is a luxury — and must possess or have access to that level of knowledge from day one. It is critical that you make it a priority to develop the necessary technical expertise, keep up with changing market dynamics, fully appreciate all of the firm's businesses and follow regulatory developments and their impact on your firm and its operations. I know that sounds exhaustive, but the significant role you play demands no less.
I will stop there and get you all on the road a few minutes early. I hope my talk today does not scare you away from a career in compliance. That certainly was not my intent. Rather I wanted to share some of my personal views about the issues that you will continue to face in the future. Thankfully, there are a variety of steps and approaches that you and your firms can take to meet these challenges and I urge you to start thinking about them now. I am confident that with prudent planning and proactive thinking, you will be up to the task. Much like in medicine, when it comes to compliance, an ounce of prevention is truly worth a pound of cure.
Thank you for listening to me today and have a safe trip home.
[1] The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of the author and do not necessarily reflect the views of the Commission or of the author's colleagues on the staff of the Commission.
[2] "Remarks at NRS 30th Annual Fall Investment Adviser and Broker-Dealer Compliance Conference," Oct. 14, 2015, available at https://www.sec.gov/news/speech/donohue-nrs-30th-annual.html .
[3] "New Directions in Corporate Compliance: Keynote Luncheon Speech," May 20, 2016, available at https://www.sec.gov/news/speech/donohue-rutgers-new-directions-corporate-compliance-keynote.html .
[4] "SEC Regulation Outside the United States: The SEC at Home and Abroad," June 28, 2016, available at https://www.sec.gov/news/speech/andrew-donohue-investoregulation-conf-london.html .
[5] See Anne Tergesen and Jason Zweig, "The Dying Business of Picking Stocks," Wall Street Journal (October 17, 2016).