In writing and speaking about regulatory compliance, one term that comes up quite a bit is “credible deterrence.” When deterrence is real, institutions and the people in them are able to resist any temptation to skirt legal and regulatory imperatives, if only because of the fear of likely repercussions.
When such consequences seem minimal (the cost of doing business), unevenly applied, or unlikely, there’s just no reason for a business and its people to knock themselves out with all of the burdens of regulatory propriety.
In the U.S. financial services sector, the meltdown experienced in 2007-09 was caused by a myriad of factors, ranging from dangerous investment vehicles (like collateralized debt obligations backed by subprime mortgages), to financial firms being allowed to take on greater risk, to consumers thinking “more is better” when it comes to their purchasing habits.
The protections businesses and their top executives receive from the costs of failure undermine credible deterrence.
If you know there’s a safety net below you, the written compliance program might remain strong, but the day-to-day adherence to it becomes far more laissez-faire.
Before I get to what credible deterrence could look like, I want to mention that a business that gets some things wrong on occasion is not necessarily a corrupt enterprise.
Systems and people fail. Business leaders make mistakes and learn from them, sometimes crafting a far better strategy for the firm and its customers in the longer term.
The Bernie Madoff reminder. The guy everyone loved to hate, at least ten years ago, is Bernie Madoff.
My friend, Colleen Eren, an associate professor of Sociology at William Paterson University, wrote about him in a book called Bernie Madoff and The Crisis: The Public Trial of Capitalism.
Without putting makeup on him and pretending he was anything but a crook, Colleen points out that the media, regulatory, and law enforcement attention paid to Madoff was rather interesting.
That is, it was questionable given that the profits generated by selling houses in the prior decade were funded by dodgy mortgages implicitly underwritten by the U.S. government, even though they were based on lies — and their implosion was staggeringly larger and more damaging to the general public than the $17.5 billion rip-off perpetrated by Madoff.
He spearheaded a multibillion-dollar Ponzi scheme that harmed many investors, but his 150-year sentence likely did not lead to credible deterrence, because the case involved exaggerative elements in terms of the scale of the crime and the public’s incredible resentment built up during the financial crisis period — resentment finding an outlet in the face of one white-collar criminal.
Credible deterrence. Credible deterrence depends on the quality of external oversight and the probability that individuals will be named and an entity charged with a fine that is far above the cost of doing business. It also relies on the firms themselves encouraging whistleblower reporting, and depends on the impact of shaming the business and its top executives in media accounts so as to provide that final impetus to good behavior.
Sometimes it appears to be top of mind for regulators (take this enforcement in which the Financial Industry Regulatory Authority expels a firm but later maintains jurisdiction over it sufficient to bar its brokers and impose fines) and sometimes more like an afterthought for regulators (see this post about plummeting penalties at the Securities and Exchange Commission).
With such a vacillating system of meting out punishment, we’re left with businesses being at the frontlines of creating credible deterrence.
Business leaders must realize that some job functions attract those with a penchant for risk-taking, and when these persons have the ability to harm investors, they must be closely monitored.
Consequences for misconduct must be certain and predictable.
Certain attitudes and behaviors must be discouraged repeatedly from voices in the organization that are recognizable and have impact.
The roles of compliance professionals in these firms should be elevated to a highly respected executive level, and their jobs must remain doable, i.e., they have reasonable budgets, salaries, and important technological surveillance resources. What they recommend must be valued, even if it means delaying transactions and investigating a high-performing employee.
It means it is credible that the bad actor and the business not only won’t ever consider doing that again; if sufficiently egregious, each might never be given the opportunity.
Julie DiMauro is a contributing editor of the FCPA Blog. She writes best practice articles and speaks about compliance and risk issues in the financial services sector as part of the Regulatory Intelligence group at Thomson Reuters in New York. Follow her on Twitter @Julie_DiMauro.