By Steve McGraw
Expanded regulations continue to go into effect under the Dodd-Frank Act. Financial services organizations must not only show that they have compliance and ethics programs in place, but also demonstrate that those programs actually work. Regulatory scrutiny of corporate compliance programs has shifted from a focus on policies, procedures and retrospective audits to proactive measures of effectiveness and results. Regulators increasingly refuse to accept organizations “going through the motions” of compliance and instead require them to show the substance behind their programs. Many financial services organizations now seek to implement measurements that will help them demonstrate the effectiveness of their compliance and ethics programs.
In 2011 alone, examples of increasing regulatory scrutiny include the whistleblower programs finalized by the SEC in May and by the Commodity Futures Trading Commission (CFTC) in August. Whistleblower allegations, motivated by “bounty” payments from enforcement agencies, are likely to grow significantly under these programs. For example, if a whistleblower alleges that a financial services organization has violated privacy laws, and investigators find the claim valid, the whistleblower can receive a percentage of the monetary sanctions collected in a successful enforcement action. A concern in the industry is that, given these financial rewards, whistleblowers will bypass the internal company hotline and report directly to a regulator. The regulator may in turn demand evidence of an effective compliance program from the organization.
There are several guidelines and tools available to financial services organizations as they strive to demonstrate the effectiveness of their compliance programs. The most commonly cited resource is the list of seven elements of an effective compliance and ethics program set out in the U.S. Federal Sentencing Guidelines, which the United States Sentencing Commission revised in 2010. These provisions describe the attributes of an effective compliance and ethics program. There are also self-assessment tools and checklists that build on these seven elements, adding specific assessment questions for each.
For any compliance self-assessment, whether facilitated by one of these tools or by other means, the depth and timeliness of the evidence is critical to success. Consider a common process such as managing the organization’s code of conduct. The techniques below progress from the very basic and potentially high-risk up through highly effective approaches that offer increased protection and the potential for reduced sanctions and fines resulting from audits, reviews and allegations of wrongdoing.
- At the most basic level, a financial services organization should publish a code of conduct and revise periodically. However, if this is the extent of the organization’s management of the code of conduct, an audit or review is likely to identify significant deficiencies, leaving the organization exposed to the possibility of severe penalties in terms of fines and sanctions.
- Taking the next step, the organization should distribute the code of conduct directly to all employees and collect attestations indicating that the code has been read and understood. Any compliance gaps identified should be remediated, possibly through enhanced training and additional outreach. Going to this level is certainly an improvement but may still leave an auditor wanting to know how the organization knows that employees really read and understood the code of conduct.
- Going a step further, the employee attestations could also include subject matter questions with scored results, allowing compliance officers to make an objective assessment of each employee’s understanding of the code of conduct. As sub-par scores are logged, remediation tasks can be initiated, completed and logged. This approach provides a more compelling body of evidence showing that the organization is proactively focused on assessing the effectiveness of the code of conduct and using quantified measures to address potential shortcomings.
- Having the ability to log, investigate and track any incidents related to the code of conduct, and monitor for recurring issues or trends that might require broad, corrective actions, can also contribute to the body of evidence of a commitment to compliance.
- Additionally, having the ability to make this evidentiary information available to auditors in a well-organized, easily accessible manner is important. Maintaining time-based snapshots of this information can allow organizations to demonstrate the effectiveness of their compliance programs for any point in time.
- Producing the evidence of compliance is typically the greatest challenge for a financial services organization. This requires a determination of what the evidence needs to be, how the organization will monitor it and how often to update it so the organization has the ability at any point in time to say, “here’s the evidence that we have in place now, and here’s the evidence of the system that we had in place during the time period in question.”
Some may wonder why organizations would need to maintain this historical information. This is critical because allegations of compliance breakdowns are seldom processed with expediency. For instance, when a whistleblower submits an allegation to the government, due to bureaucracy or work backlogs, it can take regulators months or even years to come to the organization with a lawsuit or claim of a compliance or ethics breach. It is critical that the organization have the ability to look back to the timeframe in question and say, “Here are the regulations that were in effect at that time, and here is the evidence of what we were doing to comply with those regulations.” This information must be provided accurately, consistently and confidently to the regulators in order for it to be effective – even if the whistleblower’s allegation is upheld.
No compliance program can prevent every potential issue. But if an organization can show that it was doing the right things, with a genuine intent of preventing issues, it may benefit from a reduction in fines and sanctions. An organization found to be in violation of regulations while doing nothing, or the bare minimum, to prevent issues and ensure the effectiveness of its compliance program is likely to incur higher fines and sanctions and a greater likelihood of negative publicity. From the perspective of the board of directors of many financial services organizations, the ability to demonstrate the effectiveness of the compliance program is viewed as a critical component of protecting the brand.
For most financial services organizations, relying on manual means to demonstrate the effectiveness of their compliance programs is impractical and error-prone. These organizations should consider automating their processes with a “compliance system of record,” allowing them to confidently and consistently demonstrate the effectiveness of their compliance programs. Whether the organization follows its own checklist or an existing one, the seven elements of an effective compliance and ethics program found in the Federal Sentencing Guidelines should be closely examined:
1. Establish Policies, Procedures and Controls
2. Exercise Effective Compliance and Ethics Oversight
3. Exercise Due Diligence to Avoid Delegation of Authority to Unethical Individuals
4. Communicate and Educate Employees on Compliance and Ethics Programs
5. Monitor and Audit Compliance and Ethics Programs for Effectiveness
6. Ensure Consistent Enforcement and Discipline of Violations
7. Respond Appropriately to Incidents and Take Steps to Prevent Future Incidents
1. Establish Policies, Procedures and Controls
Organizations must establish standards, procedures and controls to prevent and detect unethical conduct. According to the guidelines, these standards of conduct and internal controls should be reasonably capable of reducing the likelihood of misconduct. The standards should be incorporated into a written code of conduct that enables audit systems and other procedures to have a reasonable chance of preventing and detecting wrongdoing.
2. Exercise Effective Compliance and Ethics Oversight
Organizations must involve multiple layers of management in the compliance and ethics process with the goal of ensuring the effectiveness of the programs. Designated individuals at each management level must be appropriately knowledgeable about the program. The tone at the top of the organization is important, but if the “tone in the middle” is broken, the marching orders from the top cannot succeed. The guidelines assign specific duties to various levels of management, including the board of directors, senior management and the individuals with primary responsibility for the compliance and ethics programs.
3. Exercise Due Diligence to Avoid Delegation of Authority to Unethical Individuals
Organizations must use reasonable efforts to avoid delegating substantial authority to individuals with a history of engaging in illegal activities or other behavior inconsistent with an effective compliance and ethics program.
Many organizations are increasingly reliant on third parties to handle a variety of outsourced operational functions. Outsourcing functions that are beyond an organization’s core strengths may make good sense from the perspectives of economics and business focus. Organizations, however, must also use proper safeguards to ensure they are dealing with reputable and ethical businesses, since they cannot outsource their liability along with operational functions.
4. Communicate and Educate Employees on Compliance and Ethics Programs
The organization must take reasonable steps to communicate its standards, procedures and other aspects of the compliance and ethics programs periodically and in a practical manner throughout all levels of an organization, including senior management and the board of directors.
5. Monitor and Audit Compliance and Ethics Programs for Effectiveness
Organizations must ensure that compliance and ethics programs are followed by employees. They must also create mechanisms for auditing and reporting on the effectiveness of the programs.
6. Ensure Consistent Enforcement and Discipline of Violations
The guidelines indicate that organizations should consistently promote the value and importance of compliance and ethics programs. Organizations should reward those actions that demonstrate adherence to an ethical culture and discipline individuals who fail to adhere to the organization’s ethical standards.
7. Respond Appropriately to Incidents and Take Steps to Prevent Future Incidents
The guidelines require that organizations take appropriate investigative actions in response to suspected compliance and ethics violations. Organizations should also take appropriate steps to preserve the confidentiality of investigations.
With a “compliance system of record,” policies, assessments, audits, incidents, investigations and corrective action plans can be linked back to applicable laws and regulations to create a dynamic body of evidence of compliance and ensure a continual audit-ready state for the organization.
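As an added illustration of the “compliance system of record” described above, and of the point-in-time evidence discussed earlier under managing the code of conduct, the following Python sketch is example code written for this article, not a product or the author’s own system. It keeps an append-only, hash-chained evidence ledger: every record carries the time it was recorded, the requirement it maps to (tagged here with the subsection of U.S. Sentencing Guidelines §8B2.1(b) that states the corresponding element), and the hash of the previous record, so an as-of query reconstructs what the organization had on file at any date and any later alteration breaks the chain. The employee identifiers, policy version, scores and case number are constructed sample data.

```python
"""Append-only, hash-chained compliance evidence ledger with as-of queries.

Each record stores when the ledger learned the fact (recorded_at, ISO-8601 UTC),
which requirement it is linked to, and the hash of the previous record, so a
reviewer can reconstruct what was known at any point in time and detect that
nothing was altered afterwards. Sample events below are constructed, not real.
"""
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the first record
HASHED = ("seq", "recorded_at", "kind", "subject", "regulation", "body", "prev_hash")


@dataclass(frozen=True)
class Record:
    seq: int
    recorded_at: str   # "YYYY-MM-DDTHH:MM:SSZ"; a fixed UTC format sorts correctly as a string
    kind: str          # policy | attestation | remediation | incident
    subject: str       # policy id, employee id or case id (hypothetical identifiers)
    regulation: str    # requirement this piece of evidence is linked to
    body: dict
    prev_hash: str
    digest: str


def _digest(fields: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so the hash is reproducible."""
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class EvidenceLedger:
    def __init__(self) -> None:
        self._records: List[Record] = []

    def append(self, kind: str, subject: str, regulation: str, body: dict, recorded_at: str) -> Record:
        prev = self._records[-1].digest if self._records else GENESIS
        fields = dict(seq=len(self._records), recorded_at=recorded_at, kind=kind,
                      subject=subject, regulation=regulation, body=body, prev_hash=prev)
        rec = Record(**fields, digest=_digest(fields))
        self._records.append(rec)
        return rec

    def verify(self) -> bool:
        """Recompute every digest and follow the chain; an edit, deletion or reorder breaks it."""
        prev = GENESIS
        for i, r in enumerate(self._records):
            fields = {k: getattr(r, k) for k in HASHED}
            if r.seq != i or r.prev_hash != prev or _digest(fields) != r.digest:
                return False
            prev = r.digest
        return True

    def as_of(self, when: str, regulation: Optional[str] = None) -> List[Record]:
        """Everything the organization had recorded by `when`, optionally for one requirement."""
        return [r for r in self._records
                if r.recorded_at <= when and (regulation is None or r.regulation == regulation)]


def build_sample_ledger() -> EvidenceLedger:
    """Constructed code-of-conduct events; regulation tags are USSG 8B2.1(b) subsections."""
    led = EvidenceLedger()
    led.append("policy", "CoC-v1", "USSG 8B2.1(b)(1)", {"action": "published"}, "2011-01-10T09:00:00Z")
    led.append("attestation", "emp-100", "USSG 8B2.1(b)(4)", {"policy": "CoC-v1", "score": 92}, "2011-02-01T10:00:00Z")
    led.append("attestation", "emp-200", "USSG 8B2.1(b)(4)", {"policy": "CoC-v1", "score": 55}, "2011-02-01T10:05:00Z")
    led.append("remediation", "emp-200", "USSG 8B2.1(b)(4)", {"task": "retraining", "status": "completed"}, "2011-02-20T16:00:00Z")
    led.append("attestation", "emp-200", "USSG 8B2.1(b)(4)", {"policy": "CoC-v1", "score": 88}, "2011-02-21T09:30:00Z")
    led.append("incident", "case-7", "USSG 8B2.1(b)(7)", {"policy": "CoC-v1", "status": "opened"}, "2011-06-15T11:00:00Z")
    return led


def attestation_status_as_of(led: EvidenceLedger, when: str, policy: str, passing: int = 80) -> Dict[str, dict]:
    """Latest score per employee for `policy` as known at `when`, plus remediation tasks logged so far."""
    status: Dict[str, dict] = {}
    for r in led.as_of(when):
        if r.kind == "attestation" and r.body.get("policy") == policy:
            entry = status.setdefault(r.subject, {"score": None, "remediations": 0})
            entry["score"] = r.body["score"]
            entry["passing"] = entry["score"] >= passing
        elif r.kind == "remediation" and r.subject in status:
            status[r.subject]["remediations"] += 1
    return status


def tamper_demo() -> bool:
    """Quietly raise a stored score after the fact; verify() must now return False."""
    led = build_sample_ledger()
    bad = led._records[2]
    led._records[2] = dataclasses.replace(bad, body={**bad.body, "score": 95})
    return led.verify()


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify())
    print("status on 2011-02-10:", attestation_status_as_of(ledger, "2011-02-10T00:00:00Z", "CoC-v1"))
    print("chain intact after tampering:", tamper_demo())
```

The as-of query filters on when a fact was recorded, not on when the underlying event happened, which is the question a regulator asks months later: what did the program know, and what did it do, at the time? The hash chain does not replace write-once storage or an externally anchored timestamp, but it lets an auditor confirm that an exported ledger has not been edited since it was produced.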
As a result of the United States Sentencing Commission’s modifications to the Federal Sentencing Guidelines and the ongoing process of regulatory updates resulting from the Dodd-Frank Act, financial services organizations should establish compliance and ethics programs rooted in these guidelines and evaluate existing corporate compliance and ethics programs to ensure that they conform. By establishing effective compliance and ethics programs and satisfying the requirements in the guidelines, organizations are eligible to receive benefits such as reduced fines, reduced sentences or deferred prosecution. Aside from the benefits of reducing the likelihood and severity of civil enforcement actions, establishing an effective compliance and ethics program makes good business sense and can enable organizations to better protect the corporate brand by reducing the likelihood of bad events and minimizing the consequences should they occur.