The SEC’s associate director of enforcement, Stephen L. Cohen, left, had some great things to say when he spoke this week at the SCCE Annual Conference in Washington D.C.
Here’s part of what he said:
* * *
I am surprised how infrequently companies try to persuade us at the front end of an investigation that they have a robust compliance culture and record of ethical conduct. Invariably, the discussion about a company’s compliance program takes place during settlement negotiations in the context of the substantial remediation that the company has undertaken since violations occurred.
Although we give credit for these important efforts, I often wonder why it so often takes an enforcement action to change corporate behavior. Where are the compliance culture studies during normal times? Why not use them to support deference to your internal investigation? Why are companies creating or elevating CECO roles after we notify them of impending charges rather than before?
JPMorgan Chase recently announced it was spending billions of dollars and hiring or focusing 5,000 people to compliance and control functions in the wake of its recent regulatory struggles. These efforts should be applauded. But, imagine how much it could have saved in money and reputation by making that investment years earlier.
So, as you go back to your companies to advocate for more resources and stature, tell your management that they will get much more credit from regulators by demonstrating that misconduct is an outlier in a highly ethical and compliance-driven culture rather than a remedial step after investors have suffered losses. . . .
* * *
My last segment will offer some personal observations regarding problematic and successful compliance programs.
Where we find fraud, there are often early warning signs that may have suggested a corporate compliance culture that is not meeting appropriate standards.
Pushing the envelope.
Risk-taking in the area of legal and ethical obligations invariably leads to bad outcomes. Any company or person prepared to come close to the line when it comes to legal and ethical standards is already on dangerous ground. Tolerating close-to-the-line behavior sends a terrible message throughout an organization that pushing the envelope is acceptable.
Be on the lookout for people who are overly technical in their approach to issues of ethics and professional responsibility. Pay particular attention to those who may disparage or diminish the importance of respect for the law and protecting the organization from reputational harm.
Be skeptical of explanations that don’t add up regardless of who provides them. If someone explains something to you in a way that you don’t understand, don’t accept it. In many ways, one of the important lessons of the financial crisis is that highly sophisticated models that can explain away risk but defy common sense shouldn’t be trusted. We often see people come in and testify that they failed to follow up on their hunches until after it was too late.
Lack of Empowerment.
Another warning sign is an organization that limits the access of legal and compliance personnel to senior leadership of the company. These leaders need to hear candidly and regularly from those on the front lines of compliance efforts. Compliance professionals are not hallway monitors. Companies that empower these professionals to act as trusted advisors are more likely to stay out of harm’s way.
* * *
Cohen finished with some thoughts about effective compliance programs — well worth reading.
His full remarks to the SCCE Annual Conference on October 7 are here.
Richard L. Cassin is the Publisher and Editor of the FCPA Blog. He can be contacted here.