Shop Talk: Navigating Compliance Duties During Dodd-Frank Delays

Reese Darragh | November 8, 2011

Mention the Dodd-Frank Act to ethics and compliance executives in the finance sector, and a few common themes emerge. Unfortunately, those themes tend to be confusion, frustration, and uncertainty, as long delays in rulemaking schedules leave compliance departments in limbo.


The following executives participated in the Oct. 18 roundtable on Dodd-Frank compliance in 2011.

Gordon Burnes,
Vice President, Marketing,

David Camputo,
Senior Vice President, Chief Audit Executive,
Endurance Specialty Holdings

Carlo di Florio,
Director, Office of Compliance Inspections & Examinations,
Securities and Exchange Commission

Paula Dominick,
Global Compliance Executive,
Bank of America

Jess Fardella,
Compliance Officer,
Goldman Sachs

Noreen Fierro,
Corporate Counsel,
Prudential Financial

Scott Gilbert,
Chief Risk & Compliance Officer,
Marsh & McLennan Cos.

Sean Gray,
Senior Vice President,
PNC Financial Services Group

Michael Kanef,
Chief Regulatory and Compliance Officer,
Moody's Corp.

Dan Kosowsky,
Managing Director, Director of Compliance,
Morgan Stanley Smith Barney

Jessica Maldonado,
Director of Enterprise Risk Management,
Centerline Capital Group

Saverio Mirarchi,
Chief Compliance & Ethics Officer,
Northern Trust Chicago

Joseph Spinelli,
Chief Compliance Officer,
BBVA Securities, Inc.

Giuseppe Tritto,
Head of Anti-Fraud North America,
BNP Paribas


Such was the case last month, when Compliance Week and IBM OpenPages hosted a forum of compliance officers from Wall Street firms to hear their latest thinking on how to comply with the landmark law. Many voiced frustration over the slow pace of rulemaking from regulatory agencies and over how compliance departments can prepare for the inevitable stringent requirements. Also in attendance was Carlo di Florio, director of the Office of Compliance Inspections and Examinations at the Securities and Exchange Commission, who sympathized with their situation, but couldn't offer much comfort.

“From a Dodd-Frank perspective, we are regulating a $60 trillion market,” di Florio said in a subsequent interview, referring to the market for derivatives and other traded securities. “The SEC is working hard with these rules and getting input from the industry. Congress gives responsibility to the SEC, but it's no secret that the Commission is on a tight budget.”

The SEC is not the only agency running behind schedule. According to a legal bulletin from the law firm Davis Polk & Wardwell, various banking regulators have adopted 22 rules so far but missed the deadlines for 19 others, with 100 more rules somewhere in the pipeline for future deadlines. Of those 100 future rules, regulators have written proposals for fewer than one-third. The SEC (which must write rules for all public companies, not just financial firms) specifically has adopted 16 final rules so far, is waiting on 29 more with future deadlines, and has missed the deadlines for 53.

That leaves compliance officers in a bind. So far, the broad contours of Dodd-Frank rules seem quite intimidating, but without a clear sense of the final rule language or implementation deadlines, firms can't plan IT overhauls or policy changes to adapt to the coming environment.

Gordon Burnes, head of marketing and business strategy at OpenPages, says firms are most challenged by the likely new data collection and reporting burdens Dodd-Frank requires. “Since less than 10 percent of the rulemaking has been completed, flexibility will be the watchword of any compliance program moving forward,” he says.

Take the impending Volcker Rule—a 298-page proposal to limit banks from engaging in proprietary trading and from owning private equity and hedge funds—released in October. Bank of America has spent millions of dollars to track the individual trades it will probably need to disclose to regulators, said Paula Dominick, BofA's chief compliance officer for the Americas. The problem? The bank doesn't know how to consolidate all that data into a format that will meet regulators' requirements, since the regulators themselves haven't settled on a uniform standard.

“One model to fulfill the requirement does not exist,” Dominick said. “The information is all there. How can we bring data together to fulfill the new requirements? This will be the industry's challenge.”

That complaint—various regulators demanding the same data, but each wanting it in slightly different formats—arose several times during the roundtable. The ultimate result, participants said, is even more strain on an already heavy reporting burden.

Another participant, who asked to remain anonymous, gave the example of his bank, based in New York and under the jurisdiction of the New York Federal Reserve, acquiring another bank based in Texas. Once that happened, the Federal Reserve in Atlanta started demanding access to his bank's records (one of the bank's subsidiaries is headquartered in Alabama in the Federal Reserve Bank of Atlanta's jurisdiction), even though all that data was already available to the New York Fed.

What companies also need, another participant said, is clarity from the SEC (and other agencies, for that matter) on how they can assess and document their compliance efforts against the SEC's expectations. Right now, the participant said, the SEC's review of compliance programs is too subjective. “There are no means for companies to make self-assessments and to evaluate if what they have implemented is in compliance with these rules,” said the attendee.

Despite the delays in rulemaking, Dominick suggested that companies try to practice the rules in spirit, since some elements of them are fairly clear. “We look at the spirit and intention of the regulatory reforms and translate those reforms into our practices and monitoring and testing before the rules come into effect,” she said. She added that companies need to find compliance officers who are passionate about their programs to design the necessary compliance framework for each division, which will then collectively help to address enterprise risk.

Ethics as Part of Compliance

Despite the tensions over compliance with specific Dodd-Frank rules, di Florio stressed that the underlying theme of the rules is to ensure that companies have good governance, so compliance officers should focus on encouraging strong ethical behavior regardless of specific challenges. “Framed this way, ethics is a topic of enormous significance to anyone whose job it is to seek to promote compliance with the federal securities laws. At their core, the federal securities laws were intended by Congress to be an exercise in applied ethics,” he said, echoing the words of a speech he recently gave making the same points.

“Since less than 10 percent of the rulemaking has been completed, flexibility will be the watchword of any compliance program moving forward,” said Gordon Burnes, vice president of marketing at OpenPages.

Bank of America (Americas Region) CCO Paula Dominick spoke on the difficulties of complying with the Volcker rule's latest reporting requirement. At left is Marsh & McLennan Chief Risk & Compliance Officer Scott Gilbert.

Di Florio sketched out three “lines of defense” that the OCIE now expects companies to have to prevent or root out misconduct: first, the business unit managers who are responsible for corporate operations; second (should that line of defense prove ineffective), the compliance function; and third, the internal audit function. He also stressed that when the OCIE does find a weakness or deficiency in a firm's compliance effort, warnings go straight to the CEO or other senior management rather than to the compliance officer, to drive home the point that good compliance is the responsibility of the whole enterprise, not just the compliance officer.

Roundtable participants welcomed that effort by the OCIE, but struggled more with how to embed good ethical conduct across the vast structure of the modern financial firm and how to integrate that message into the many (many, many) rules that will ultimately spring from the Dodd-Frank Act. In several instances, some participants said, the more straightforward exercise is to comply with the letter of the rule and be done with it.

Giuseppe Tritto, head of anti-fraud for the North America region at BNP Paribas, said good ethics derives from employees' knowledge of the business and the responsibilities their work entails—so compliance officers should start there. “From Day 1, [employees] should know their responsibilities to clients, when handling transactions or other functions within their daily operations,” he said. “The compliance division can provide the tools such as continuous training, support functions, monitoring, and surveillance. If a person has doubt, they should always check with the compliance division.”

The SEC's Director for the Office of Compliance Inspections and Examinations Carlo di Florio, who spoke in an earlier interview on how the Commission is tackling new rules under Dodd-Frank, was also in attendance.

Other roundtable participants, however, raised the well-known problem of how to integrate ethical expectations across a multi-national business, when employees in some countries will have standards of good behavior that differ quite a bit from employees in others. The best path, one said, is to identify the core ethical values companies want to instill in their employees and build training programs based on that.

Then there was one other headache roundtable participants complained about: employees' perception of the compliance department as the stern watchdog nobody wants to approach voluntarily. “As compliance officers, we have to remind the employees that we are not the police; we are part of the bank's organization. We are here to help you,” Tritto said.

Compliance divisions can send out as many bulletins on the latest rules as they like, Tritto lamented, but there are no guarantees employees are reading them. “The best approach is to have informal conversation with employees and offer our assistance to them constantly,” he said.