A term of the moment in regulatory circles is “culture of compliance,” a desire for firms to move beyond check-the-box rules and compliance demands by making good behavior part of their corporate zeitgeist.
The latest regulator to take up the theme is the Financial Industry Regulatory Authority. In January, its annual Regulatory and Examination Priorities Letter stressed that firm culture—which “has a profound influence on how a firm conducts its business and manages its conflicts of interest”—would be a focus. A Targeted Exam Letter distributed last week made good on that promise by asking a sampling of the firms it oversees questions about how they communicate, reinforce, monitor, and measure organizational values.
We spoke to Barbara Boehler, a regulatory compliance expert at Wolters Kluwer, about the increasing focus on corporate culture, how to define and measure it, and what regulators expect to see.
In its exam guidelines, FINRA, like other regulatory bodies, stresses a “culture of compliance.” What does it have to say about that somewhat subjective term?
It is amorphous, but it is also something that has hit the regulatory vernacular. We are seeing it at FINRA, in speeches by Securities and Exchange Commission officials, and in language coming from the Federal Reserve and other bank regulators.
FINRA, with its exam priorities letter, left it up to firms to develop their own definition of culture. It refers to a set of both explicit and implicit norms and practices and expected behaviors that influence how a firm’s executives, supervisors, and employees make and implement decisions. In 2016, we are seeing them formalize their assessment of a firm’s culture by continuing to focus on core conflicts of interest, while also embracing the idea that culture has a profound effect on how a firm conducts its business and manages those conflicts.
FINRA is not dictating culture; they want to understand how it affects compliance and risk management practices at a firm. This understanding will then help them evaluate individual firms and the regulatory resources they devote to them. It leads me to believe that firms that can’t find a way to formally document and demonstrate a positive culture of compliance will receive more scrutiny. The proof is what you can show the regulator and you always need to “show your math” when it comes to inspections.
FINRA's questions about a culture of compliance
The following is from a recent Targeted Exam Letter, issued by the Financial Industry Regulatory Authority to a randomized selection of the firms it oversees.
We request that your firm submit the following information (or indicate instances where the requested information is not available) to FINRA by March 21, 2016:
A summary of the key policies and processes by which the firm establishes cultural values. In the summary, include whether this is a board-level function at your broker-dealer or at the corporate parent of the firm. If it is a board-level function, describe the board's involvement. Also, provide a description of any steps you have initiated or completed in the past 24 months to promote, strengthen or change your firm's culture.
A description of the processes employed by executive management, business unit leaders and control functions in establishing, communicating and implementing your firm's cultural values. Include a description of how executive management communicates, promotes and establishes a "tone from the top" as it relates to cultural values (to the extent not covered by the previous question). Include a description of the firm's approach to ensure that its cultural values are adopted and applied by middle management.
A description of how your firm assesses and measures the impact of cultural values (to the extent assessments and measures exist) and whether they have made a difference at your firm in achieving desired behaviors. Provide a summary of the policy statements, procedures, mission statements or other related documents that reflect your firm's assessments and measures.
A summary of the processes your firm uses to identify policy breaches, including the types of reports or other documents your firm relies on, in determining whether a breach of its cultural values has occurred. Please focus your summary on those activities your firm considers to be directly related to reinforcing its culture.
A description of how your firm addresses cultural value policy or process breaches once discovered. What efforts are used to promptly address these policy or process breaches? What is the escalation process to surface and resolve such breaches?
A description of your firm's policies and processes, if any, to identify and address subcultures within the firm that may depart from or undermine the cultural values articulated by your board and senior management?
A description of your firm's compensation practices and how they reinforce your firm's cultural values.
A description of the cultural value criteria used to determine promotions, compensation or other rewards. Describe opportunities for promotion to the managing director or equivalent level available to personnel of your compliance, legal, risk and internal audit functions.
Culture [is like the Supreme Court Justice Potter Stewart’s] definition of pornography: hard to define, but you know it when you see it. It is a bit hard to define, but certainly you know it when you work within it. The difficulty for firms is finding a way to illustrate that to the regulators.
How does one go about measuring a concept that, as you have described it, is as “squishy and intangible” as culture?
You are required to have written supervisory procedures. It is nice to have a mission statement, for example. It is not, however, going to be enough to just have that stuff on paper. You need to be able to show that you are living and breathing your compliance program and it fits within the nature of your business.
Anyone can pay a marketing firm to develop a mission statement for them. Even Enron had a pretty fantastic one. Anyone can pay a law firm to craft supervisory procedures for them. When FINRA examines you, however, you need to make sure the written supervisory procedures are reflective of the business. When demonstrating and measuring success, it is not so much whether a compliance violation happens, as what you do once it does. You want to demonstrate that you discovered the issue, investigated the cause, amended policies, trained employees, and remediated as necessary, making sure that everything you did was documented.
We’ve seen instances where really large firms have taken hardline approaches to how they remediate compliance violations. There was recently a mini-scandal at Goldman Sachs when 20 new hires cheated on their training exams. Rather than a wink-wink, nudge-nudge—that this sort of thing happens and is not taken seriously—they fired the employees. The message: They are taking it very seriously when employees are found to have violated the procedures. In a check-the-box culture, where there isn’t a good tone at the top, employees will pay lip service to compliance. They cannot be expected to view it as important if they model their behavior on that of their managers.
[Banking giant] UBS has started to score employees on their behavior, and year-end bonuses are going to be affected by whether or not they act ethically and are team players. It begs the question of why you might keep someone who doesn’t score high on the “whether or not you act ethically” question, but it is nice to see they are coming up with some demonstrable, measurable assessments that actually have an effect. You are not going to get your bonus if you are not demonstrating the corporate culture.
What steps should CCOs take to be equipped with necessary resources as they navigate a culture-focused regulatory environment?
They need to make sure they have the right people, processes, and policies. Compliance cannot just be something the compliance department worries about, so it is nice to see firms where compliance is a little bit more decentralized. Where compliance doesn’t all sit on the 11th floor, it permeates throughout the business—you are sitting with your business lines and they are comfortable with an open-door policy and coming in to speak with you. You don’t want to be a firm where they are asking for forgiveness, not permission.
ABOUT BARBARA BOEHLER
Barbara Boehler, a securities subject matter expert at Wolters Kluwer, is an attorney and compliance officer with over 15 years of experience in the financial services sector. She has experience developing, monitoring and assessing both broker-dealer and investment advisor firms’ ethics and compliance programs.
Boehler formerly served as global chief compliance officer for Arete Research, a limited-purpose FINRA-registered broker/dealer specializing in equity research. She also held compliance leadership roles at Fidelity Investments, JP Morgan Invest, Standish Mellon Asset Management, and Babson Capital Management.
She is currently a lecturer on compliance-related matters as an adjunct professor at both the Suffolk University Law School and Suffolk University’s Sawyer Business School.
We are trying hard to overcome old-school thinking and lazy compliance. You don’t want a workforce that is petrified to make a move; you want one that is comfortable enough to ask questions. If there is no two-way communication between them and the compliance department, something is missing. You want there to be constant communication with the compliance office, which doesn’t happen when it is only drafting policies.
You want to have the right technology in place so your business isn’t falling behind. There are some parts of the business that may need to be automated, but you need to do a risk assessment and there needs to be a thoughtful analysis that keeps stakeholders informed.
Most importantly, in terms of having a culture of compliance, you really do need support from senior management. It can be as simple as making sure that someone who is very senior at the firm attends employee orientations to make sure new recruits realize that culture is taken very seriously at the firm.
What level of investment does a firm need to prove its commitment?
Regulators are not going to tell you exactly what to do. They are not going to tell you what processes you need to buy or endorse vendors. Having a thoughtful, top-down reason for why you are doing something goes a long way.
People who don’t really understand the rules get stuck in them and aren’t able to think of creative solutions for the business. Depending on what the question is, sometimes the answer has to be “no.” But try to think of a “no, but” or “have we considered whether we should do it this way?” A lot of it has to do with making sure they want to come to you. If the answer is always going to be “no,” they are not going to come to you, and then something really is wrong with your culture. You can’t have a compliant culture by just having the people in the legal and compliance departments going along their merry compliance ways in some kind of ivory tower apart from the business.