John Walsh: The regulatory architect

Walsh joined the above-mentioned law firm in October 2011, after departing the SEC as a 23-year veteran. He describes his work at the law firm as a “compliance-centered practice.”

“My practice covers the whole spectrum, from working with clients to help prevent problems to working with them when a problem has materialized and they are asking what they should do about it. Finally, the backend is helping clients deal with the regulators—SEC or the Financial Industry Regulatory Authority—when a problem has grown or mature to the level that it involves regulatory intervention. It’s sort of the compliance process from soup to nuts,” Walsh says.

With his deep, insider’s experience and perspective regarding the SEC, Walsh represents broker-dealers, hedge funds, investment advisers, and other securities firms in compliance and regulatory issues involving the agency. He counsels clients on the full spectrum of securities issues from development and compliance to cooperation in examinations and defense in enforcement proceedings.

Much of his legal approach—from soup to nuts—was undeniably shaped by Walsh’s experiences at the SEC. He was special counsel to legendary SEC Chairman Arthur Levitt from 1993-1995. Earlier, from 1990-1993, he worked in the SEC Division of Enforcement, serving first as senior counsel and then as chief of the branch of regional office assistance, where he regularly appeared before the Commission’s closed meetings to present and discuss regional office enforcement cases. He also advised the commissioners and staff on securities laws and agency policy.

Most important, in many ways, was his role in helping create the Office of Compliance Inspections and Examinations (OCIE). It administers examinations of U.S.-registered securities entities. Walsh designed and implemented the SEC’s securities compliance examination practices, first as a senior advisor for compliance policy and then, most recently, as associate director-chief counsel. He also served as OCIE’s acting director and led a massive retraining of examination staff on antifraud techniques.

“I loved my time at the SEC; it was a great experience,” Walsh says. “One of the nice things about the SEC, is that it is a relatively small agency—bigger now than it used to be, but it’s still relatively small. Depending on where you are, you can actually have a role in a lot of different things.”

Levitt’s leadership left an indelible mark on Walsh.

“He taught me a lot of things. I think he’s brilliant—a visionary,” he says. “Because of his experience in business, he has a very good sense of where an organization needs to be pushed, where it needs to be encouraged, and how to get things done. I actually have a collection of Arthur Levitt-isms that I still pull out from time to time and think, ‘Well, you know, Arthur said something about this.’ He had a huge, huge impact on my life and career.”

That influence is evident in the creation of OCIE.

“In a nutshell, Arthur said that ‘everybody else had a compliance program, why don’t we?’ It made sense to do something on a holistic basis, not a little piece here and a little piece there,” Walsh says. “He sent over his then-chief of staff, Lori Richards, to be the director. I was his special counsel and became a legal and policy person. We pulled in pieces from all around the agency, some from Market Regulation, now known as Trading and Markets, some from Investment Management, and so on, to create the holistic compliance office we envisioned. That’s what Arthur wanted, and that’s what we tried to deliver.”

OCIE lives on as an integral part of the SEC. It is currently the second largest office inside the Commission.

Reminiscing about the inception of OCIE, Walsh compares it to the exciting time in the 1990s where compliance started to become a professionalized business function. “It’s really been fabulous watching OCIE develop and also watching compliance in general develop over the last several decades,” he says.

As both OCIE and compliance continue to evolve, one thing that stays the same is the bad behavior confronted. “There are certain fundamental issues I don’t think are ever going to change much—like fraud, lying, cheating, and stealing,” Walsh says. “A key role for the SEC is to look for people who are committing bad behavior. One of the things that’s often shocking to people who don’t have regulatory experiences is just how bad behavior can be, and how it can be packaged in a way that hides it very successfully.”

An often-unrealized dilemma for both regulators and compliance professionals is adequately addressing different levels of “bad.”

“What do you do about conduct that is against a rule? For example, perhaps, it’s a violation but where no one is hurt? I think that’s an area where there’s been a fair amount of movement over the years. Do you police those problems primarily through the SEC’s examination program? Do you say, ‘Look, this is a problem, fix it. If we come back and you haven’t fixed it, you will talk with enforcement,’ ” Walsh says. “Of course, people almost invariably fix it. That’s one approach. With the other approach, the agency went through a period where it was bringing actions for nearly everything. They called it ‘broken windows.’ We can still debate whether that was a good idea or not. I think it masked a lot of the good work being done by the examination program by focusing exclusively on enforcement.”

Walsh pointed to another compliance evolution that has already proven to be revolutionary: the availability of data, data tools, and data analytics. “I think regulation and oversight has fundamentally changed,” he says.

Better tools for regulators and enforcement, unfortunately, equate to innovative ways for bad apples to be bad.

Walsh recalled, from some years ago, a swindler who conducted a multimillion-dollar fraud. “He basically ran his own fake broker dealer, with fake accounts, fake returns, and fake statements,” he says. “He managed to do the whole thing on a laptop, a printer and a fax machine. When you look at this, you say, ‘wow, one guy, is doing what not that long ago would have required a whole operational department and a whole accounting department.’ And yet he could do it. That was a wakeup call for everyone.”

“We’re in a very brave new world. We’re all struggling to keep up,” Walsh says, stressing, optimistically, that “luckily, the bad guys don’t have a monopoly on innovation.”

As compliance has matured as a function, responding to whistleblowers has become a more refined practice, and one that now comes with bounties ($50 million was the total of one recent award) and retaliation protections.

Walsh shared his thoughts on the importance of being able to establish a speak-up culture at firms.

“I think most firms, certainly the folks that I’m aware of, take internal complaints really seriously,” he says. “I think what causes some concern is the anonymity that covers the SEC’s whistleblower process and the fact that huge dollar awards are being handed out and everything about them is anonymous. I do think that is worrisome. One would think that when the federal government starts handing out large amounts of money there would be some publicity. Also, having spent my career at the SEC, I’m a big believer in the benefits of full disclosure. I worry about what could happen in a process that is cloaked in secrecy, like the whistleblower process, when even at the very end, when someone is getting 10s of millions of dollars, everything is cloaked in secrecy.”

Nevertheless, concerns aside, he sees the value of “people taking it seriously, trying to be responsive, and giving respect and credibility to their internal whistleblowers to make sure they’re responding appropriately,” Walsh says. “The person who comes forward should be satisfied that they’re being taken care of within their firm and that they’re being listened to. That’s the takeaway for firms. You’re getting free information from these people. They’re saying, ‘Hey, we’ve got a problem.’ You should listen to them, figure out what the problem is, and then fix it.”

Browsing through some of the anonymized case studies spotlighting Walsh on the Sutherland Asbill & Brennan Website, one involved a company that needed advice on how to fire a current chief compliance officer.

Walsh chose not to elaborate on the facts of that case. It did, however, inspire a broader narrative.

“Let’s start with what makes a good CCO,” he says. “First, and most importantly, I’ve always liked the phrase ‘compliance professional.’ Once you start talking about a profession, as opposed to a craft, it’s not simply a body of knowledge, and it’s not simply the fact that you control a certain toolbox. Most importantly, being a compliance professional involves judgment and—just as a lawyer does, just as a doctor does—you bring professional judgment to a situation. I think that if I were to design the perfect CCO—and there are a lot of them out there who are really good—I would say it starts with expertise and knowledge of the tools. Then, most importantly, it’s having good judgment.”

Sometimes, however, CCOs just do not perform. “I think a firm should always view turnover in the CCO position as a significant matter that needs to be handled carefully,” Walsh says. “The company needs to think about things like, ‘should we call our regulator?’ But firms should not feel that they have to stay with a CCO who’s not working out.”

The flip side of that situation is when a company is itself a bad fit for a CCO. “What is the old saying, ‘what’s sauce for the goose is sauce for the gander’? Compliance professionals may look at their situation and say, ‘Well, they keep promising me the budget, but I never get it. I keep making recommendations about problems that need to be addressed. And there’s never any follow through.’ On both sides of the equation, people need to ask: When is it enough? When is it time to move on? Both sides need to be thoughtful and careful and not act in haste to repent at leisure.”