New Directions in Corporate Compliance: Keynote Luncheon Speech

Andrew J. Donohue, Chief of Staff

Rutgers Law School Center for Corporate Law and Governance
Camden, New Jersey

May 20, 2016


Thank you for that very kind introduction.  Let me start off by providing our standard disclaimer that the views I express today are my own and do not necessarily reflect the views of the Commission, the Commissioners or my colleagues on the Commission staff.[1]

I was quite honored to receive an invitation to speak at this event and I am happy to share with you my thoughts and observations about corporate compliance.

I struggled somewhat with how best to structure my talk today.  I look at the faculty and note that you likely will have great discussions regarding the traditional materials related to corporate compliance, its importance and the elements of an effective corporate compliance program.  So I won’t spend my time today reciting some of the important guidance that you can and should consult.  That guidance is contained in a number of documents such as: (a) Section 8B2.1 of the U.S. Sentencing Guidelines[2]; and (b) the Resource Guide to the U.S. Foreign Corrupt Practices Act put out by the U.S. Department of Justice and the U.S. Securities and Exchange Commission[3] to name but two sources.

I could also spend my time today discussing the various enforcement cases that have been brought by the Securities and Exchange Commission (SEC) where there were compliance lapses relating to money laundering, the Foreign Corrupt Practices Act, and other laws we enforce.  But my colleagues at the SEC have done a fine job not just bringing those cases but also talking about them.  So for those who are interested, I recommend various speeches by members of our Division of Enforcement especially those by Andrew Ceresney, the Director of that Division.  There is also a thoughtful piece on compliance and ethics that was given by Stephen L. Cohen, Associate Director of the Enforcement Division in October, 2013.[4]

So what can I contribute to this event?  You already recognize the importance of corporate compliance and you have a distinguished faculty of experts.  So here is what I came up with.  For some forty years I have lived in this world.  I have had responsibility for legal and for corporate compliance at large and small firms, for domestic and international operations, for broker-dealers, investment advisers, commodity trading advisors, investment companies, private funds, UCITS, trust companies and for private – and to a degree public – firms.  I have also had the great privilege of doing two tours at the SEC.  The first as the Director of the Investment Management Division from May 2006 until November 2010 and most recently as the Chief Of Staff since June of last year.  So I thought I might just share some thoughts and observations regarding corporate compliance with you based on that experience.

Integrity and Personal Responsibility

Throughout my career I have witnessed that a critical component of an effective corporate compliance program is the integrity of those people you have in your organization and their ownership of personal responsibility for themselves and the areas for which they are responsible.  If you don’t have the right people with integrity who accept responsibility, the likelihood of your corporate compliance program being effective is, at a minimum, diminished appreciably.


I can’t stress enough the critical role a firm’s culture has on its corporate compliance program and its effectiveness.  A culture of always doing the right thing, not tolerating bad practices or bad actors is essential.  The culture should encourage people to ask questions and to discuss openly what is the proper response to a particular issue and how conflicts should be resolved.  It should hold the higher up members of the firm to at least the same standard of conduct as those below them.  I have always thought that the higher up you were in an organization, the less tolerant the firm should be of your non-compliance.  If that is the culture of the firm that sends a powerful message within an organization.

Another sign of the culture of a firm is whether there is a correlation between ethical behavior and the firm’s reward structure, such as salaries, bonuses and promotions.  Are people who are less compliant nevertheless rewarded?  It is also telling in a firm when questions are being asked, conflicts being resolved or decisions being made, is the discussion solely about whether we can do this or is it also about whether we should do this?  Is it the right decision or course of action for the firm and its clients?  I always appreciated how extremely difficult it would be to have responsibility for the corporate compliance function within a firm that did not have a good culture.

Keep It Simple and Intuitive

When developing the policies and procedures you expect the firm and its personnel to follow they will be most effective if they are as simple as possible, are explained in plain English and are intuitive to those that have to comply with them.  Policies and procedures should be the result of clear thinking by individuals who understand the applicable requirements as well as the firm’s operations and systems.  Identify what you are trying to ensure compliance with and develop a means to that end which people who are less familiar with the law, the industry or the firm and its operations can understand and apply.  The simpler and more intuitive your policies and procedures, the greater the likelihood that they will be understood and complied with.  It may be a little more work on the front-end but it will certainly, in my estimation, be well worth it.

Role of Technology

Advancements in technology over the past 40 years have been phenomenal and have greatly advanced, in many ways, the ability of firms to implement and monitor the firm’s compliance with applicable requirements.  I have been concerned, however, about the impact of technology on the responsibility of individuals for ensuring compliance.

Years ago it was quite clear within an organization who performed certain tasks or had certain responsibilities.  Those individuals then bore the responsibility for ensuring that that task or responsibility was carried out properly.  It was clear back then that compliance resided with the business and most compliance functions back then were backend, done after the fact either manually or via some exception reporting.  As technology developed, firms correctly recognized the opportunity to automate a variety of functions relying on the system to replace or at least supplement the individual in performing a task or in discharging a responsibility.  Done correctly, this created tremendous efficiencies and eliminated many human errors.  Technology also created great opportunities for increased testing and monitoring within organizations.  This all seems great for a corporate compliance program – eliminate human error, provide for increased testing and enhance monitoring capabilities.

Of course, not all technology is perfect and the people developing the computer programs you are now relying on may not fully understand what you are seeking to achieve, may not access all the correct files that need to be accessed or might just make a mistake.  And it can be difficult at times for many in the firm to understand exactly what the system did and why it did it.  And frequently, systems are being tasked with roles they were not designed to perform or solutions that are not perfect.  So who now has the responsibility for ensuring that the firm is complying with the requirements?  Is it the programmer?  The business person who receives the output from the system?  It is an important question.  It is not about assigning blame when a problem occurs but rather ensuring ownership of the process to lessen the likelihood that there will be a problem.  This can be pervasive within an organization where technology has been employed extensively.

I do worry that firms may not be paying enough attention to this area and what can be done to ensure that personal responsibility is not degraded by the existence of the very technology that was intended to help individuals do their jobs well.  So I do hope that technology is the solution and not the problem.

Complexity of Firms, Their Operations and Their Products and Services

As firms’ operations, products and services have become more complex, their ability to develop and implement effective compliance programs has been a real challenge.  In many cases, businesses have developed different computer systems to address specific operations.  Where there are many businesses or a complex array of products and services within a business, there frequently is a need for business or compliance purposes to integrate those systems.  They may not talk to each other very well and data fields and sources that need to be integrated often can’t be.  But that is just part of the challenge.

As this phenomenon has developed it has required a cadre of experienced and highly talented executives who understand what the various businesses are doing, how they can and cannot interact with each other and what the regulatory requirements are for each.  The knowledge and expertise necessary for key personnel at complex firms has increased significantly and I expect that this trend will continue.  While you can segregate many tasks and responsibilities within a complex firm so they are manageable, you still need a number of key personnel who appreciate how it all works and can then identify where there may be gaps or inconsistencies.

What Don’t I Know?

The thing I always worried about was what I did not know.  I never thought ignorance was bliss.  I believed that I and my colleagues could deal effectively with those things we knew about but I recognized that we did not know everything.  We did not know everything the businesses were doing.  We did not know all the laws and regulations that might be applicable to the firm or its operations (although I did hope we had done a very responsible job in that regard).  Were we comfortable with the approach that had been taken to ensure compliance and were we aware of the system limitations that might affect the ability to do so effectively?  Do we have a bad actor in the firm?  Is the firm engaged in certain businesses or transactions that were not fully vetted by legal and compliance?  Do people in the firm feel comfortable in coming forward and bringing potential issues to the attention of the firm?  In short, how can I improve the chances of uncovering issues that should be known and addressed?  I was always asking myself how I knew everything was ok, especially in high risk areas.

How Did I Get Comfortable?

So how do you get comfortable having responsibility for the corporate compliance function in a firm?  Now that is a good question.  I never really got comfortable and I was always worried.  But that was ok as it kept me constantly alert and thinking and I was able to sleep most nights.  Here are a few thoughts on how you might get more comfortable with these responsibilities:

These are a few of the things I did during my career to get comfortable with the corporate compliance responsibilities I had.  This list is certainly not exhaustive but I hope it gives you some things to think about.


Corporate compliance programs are enormously important.  Developing, implementing and maintaining a corporate compliance program in today’s world is very challenging but it certainly can and must be done.

I hope these thoughts and observations have been helpful and I would be pleased to answer any questions you might have.

[1] The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees.  The views expressed herein are those of the author and do not necessarily reflect the views of the Commission or of the author’s colleagues on the staff of the Commission. 

[2] United States Sentencing Commission Guidelines Manual, November 1, 2015 (available at: )

[3] A Resource Guide to the U.S. Foreign Corrupt Practices Act (available at: )

[4] Remarks at SCCE’s Annual Compliance & Ethics Institute by Stephen L. Cohen, Associate Director Of Enforcement, October 7, 2013 (available at )