SEC Broken Windows Enforcement Policy - Is There Anything New Here
- 1. 1 The SECs Broken Windows Enforcement Policy: Is there Anything New Here? Denver G. Edwards Summary: This article examines the Commissions Broken Windows enforcement program and whether it should change how compliance professionals think about carrying out their duties. Historically, the Commission has been perceived as monitoring all areas of the securities markets. Broken Windows does not appear to be a significant shift. Instead, Broken Windows has intensified existing elements of the Commissions enforcement program. Compliance personnel need not overreact to the Commission rebranding as the tough cop on the beat, but they should remain vigilant of business practices within their organizations, leverage technology to monitor their organizations commercial activities, and think creatively about where and how violations may occur. In the early 1990s, if you drove a car in New York City and were lucky, men carrying squeegees sprayed water on your windshield and demanded a tip. If you were unlucky, squeegee men, as there were known, merely spat on your windshield, wiped it off with a dirty rag, and then demanded a tip. Subway cars were tagged with graffiti and riders felt unsafe. Prostitution and peep shows littered Times Square, and up the street in Bryant Park, the drug trade flourished. Former Mayor Rudy Giuliani and Police Commissioner Bill Bratton adopted a policing strategy in 1994 known as Broken Windows to combat quality of life crimes. The theory is that when a window is broken and someone fixes it, it is a sign that disorder will not be tolerated. But, when a window is not fixed, it is a signal that no one cares, and so breaking more windows cost nothing. Broken Windows aimed to avoid an environment of disorder that would encourage more serious crimes to flourish and to send a message of law and order. No infraction was too small to be uncovered and punished. New York is markedly better today than it was in 1994. The squeegee-men have been banished. Subway cars are clean and safe day or night. Times Square is home to Good Morning America, and Bryant Park hosts New York Fashion Week in the fall and movie screenings in the summer. Securities and Exchange Chairwoman, Mary Jo White, was the United States Attorney for the Southern District of New York from 1993 through 2002, and she witnessed New Yorks transformation under Broken Windows. Chair White has sought to adapt the Broken Windows approach to regulation of the securities market. In speech on October 9, 2013, Chair White said that the Commissions enforcement program intends to be perceived as being everywhere, pursuing all types of violation of federal securities law, big and small. Even the smallest infractions have victims, and the smallest infractions are very often just the first step toward bigger ones, which can foster a culture where laws are increasingly treated as toothless guidelines. The Commission will be a strong cop on the beat and the Division of Enforcement will pursue not just the biggest frauds, but also violations such as control failures, negligence based offenses and strict liability offenses where intent is not required. The Broken Windows Enforcement Program The Broken Windows enforcement program is comprised of five elements: Streamline collaboration with the Department of Justice, Financial Industry Regulatory Authority (FINRA), and state securities regulators; Target gatekeepers;
- 2. 2 Leverage the Office of Compliance Inspections and Examinations (OCIE) to understand and monitor the latest risks and to provide effective oversight; Incentivize whistleblowers to report wrongdoing; and Marshal technology to analyze data efficiently. Each of the first four elements has been a constant feature of the Commissions enforcement regime. The Commission routinely works with the Department of Justice to conduct parallel investigations, as evidenced by recent insider trading investigations. Similarly, the Commission works with SROs, such as FINRA, to conduct sweeps to target industry-wide behaviors that are detrimental to investors and could jeopardize the integrity of the financial markets. The Commission collaborates with the North American Securities Administrators Association and state securities regulators to get intelligence on developments in state securities markets so that it can target issues before they become systemic problems. The Commission has increasingly targeted gatekeepers, including attorneys and accountants since passage of the Sarbanes-Oxley Act (SOX), and more recently it has targeted broker-dealers who violate the market access rule. OCIE has been the Commissions boots on the ground to monitor risks posed by registrants since its creation in May 1995. OCIE has been a source of referrals for the Division of Enforcement since its inception. A key difference today, however, is that OCIE examiners specialize in discrete areas and are able to better understand the businesses they are examining, and the Division of Enforcement now values investigating and bringing non-fraud enforcement actions as it does bringing insider trading cases. The Commissions whistleblower bounty program has been effective since enactment of the Insider Trading and Securities Enforcement Act of 1988, which mandated payments for tips reporting insider trading. The Dodd-Frank Wall Street and Consumer Protection Act (Dodd-Frank) provides a 10% - 30% bounty for reporting violations of the securities laws in SEC or CFTC enforcement actions that result in monetary sanctions greater than $1 million. The Commissions investment in technology is the new feature of its enforcement program and may have the most significant impact on broker-dealer compliance functions. The Commission created the Center for Risk and Quantitative Analytics (CRQA) with a mandate to develop quantitative methods to monitor signs of potential wrongdoing and high risk behaviors. CRQA will feed its findings to the Division of Enforcement to investigate and prevent conduct that harm investors. The Commission has also developed the Advanced Bluesheet Analysis Program to analyze relationship among market participants to identify suspicious trading which may not be readily apparent. It also uses predictive analyses to spot trends, identify aberrational performance, and analyze data from new data sources, such as Form PF. On the examination side, the National Examination Analytics Tool (NEAT) enables the examiners to analyze millions of transaction documents accurately within a short time, and enables OCIE to do more precise and sophisticated examination. More information about the long-term effectiveness of the Commissions analytics tools is needed. Based on recent releases from the Commission, the tools are working as intended, and have increased the Commissions ability to devise sophisticated surveillances of broker-dealer activities. For example, the Staff conducts link analyses, which looks for relationship between two disparate data sources, in insider trading cases. Link analysis has been used to analyze phone records and trading data to determine if two suspects had a phone call with the same person. In another example, the Staff has used link analysis to analyze large volumes of brokerage firm data to identify instances when a corporation allegedly purchased and sold its own stock, with no significant gain or loss, to create fictitiously high trading volume in order to obtain bank financing. The Staff has also used analytics to detect aberrational performance of a hedge fund that
- 3. 3 fraudulently claimed it performed better than its peers throughout good and bad markets. These analyses use to take the Staff weeks or months to perform and were subject to human error. Today, these analyses can be completed within days. As a result of the Commissions zero-tolerance for technical violations or control failures, and their willingness to bring enforcement actions for non-fraud cases, compliance officers will need to rethink how they fulfill their roles to protect their institutions. Broken Windows Presents Opportunities for Compliance Broken Windows presents two potential opportunities for compliance: (1) a chance for more assertiveness with business units in instituting rigorous controls and testing those controls more frequently; and (2) an opening to negotiate for more resources to respond to the regulatory environment and greater cooperation from other areas of the firm. Broker-dealers are required by statute/regulations to have written supervisory policies and procedures (WSPs) regarding their activities. Compliance is a partner to a firms business units. However, the goal of the firm is to make money for clients, shareholders and employees, and onerous and overly restrictive WSPs may be perceived as limiting legitimate commercial activities for which buy-in from business units is necessary. Broken Windows presents an opportunity to tighten existing WSPs to limit supervisory gaps, require increased cooperation between compliance personnel and line supervisors, offer more training on codes of conduct and ethics for employees and management, and obtain more certifications or attestations regarding a supervisors fulfilling his or her supervisory obligation. Moreover, Broken Window policies may help compliance obtain more resources and organizational support. Currently, compliance initiatives are balanced against interests of the firm, including for example, technology and operations projects that drive the firms commercial success. Compliance can cite penalties/fines as evidence of the Commissions aggressive approach to demonstrate that lack of resources, including personnel or proper technology, create enterprise-wide legal, regulatory, and reputational risks that may have far- reaching consequences for clients, counterparties, shareholders, and may cause personal liability to supervisors and management. The intensity around the Broken Windows enforcement policy arms compliance with tools to make the case to employees to report violations to compliance in order for the organization to avoid regulatory scrutiny, fines, and penalties. Compliance must balance encouraging employees to report violations internally while not undermining the employees right (and perhaps the Commissions expectation) to report securities violations externally. As a starting point, compliance could appeal to the shared responsibility of each employee to root out bad actors that violate the securities laws, jeopardize investors, and threaten the integrity of the market. It could also promote methods within the organization to facilitate reporting violations, such as toll-free hotlines, an ombudsman position, anonymous e-mail websites to accept tips, and drop-boxes to submit tips regarding violations. Without suggesting employees should not report externally, compliance could point out to employees that reporting outside (1) does not guarantee an award due to the high threshold (voluntarily providing original information and $1 million sanction), and (2) may have an impact on the organization. For example, in fiscal year 2014, the Commission received 3620 tips of which 139 (3.8%) received the designation of Notice of Covered Action (NoCA) and therefore eligible for an award. Since the inception of the program in August 2011, only 5.6% of tips (570 out of 10,193) have received the NoCA designation. The impact of non- qualifying tips include business disruption, lost productivity, costs to retain legal counsel to defend against regulatory investigations, and potential damage the firms reputation, and client or counterparty relationships. Compliance should reiterate to employees that external reporting remains an option if the
- 4. 4 employee reports a violation internally to a designated person and the violation is not addressed timely. This approach balances the firms goal of operating in an efficient, ethical and commercially reasonable manner with the Commissions interest in protecting investors and the market. Considerations for Compliance Professionals Compliance personnel who actively work with a business unit to implement WSPs risks being labeled a supervisor and may be subject to liability for aiding and abetting or failure to supervise. Compliance personnel may minimize the risk of being labeled a supervisor by establishing in meetings with business supervisors that although he or she is an integral part of the business units operations, the business supervisor is the designated supervisor. Compliance personnel must document the supervisory reviews of the business that the supervisor is responsible for overseeing, and should periodically obtain certifications or attestations from supervisors indicating that she or he understands his or her supervisory role and is undertaking his or her supervisory obligations. More generally, compliance should ensure that the firms supervisory manual states that compliance personnel are solely responsible for activities within the compliance department. Compliance personnel should have a predetermined process to investigate, track and document red flags. They must act decisively when red flags surface or if red flags are brought to their attention. Compliance personnel should document each red flag, which business supervisors will address the red flag, and what corrective action will be taken. Compliance personnel must take reasonable steps to follow up with the business supervisor to ensure the issue has been resolved and then must monitor the issue to ensure it does not recur. Compliance personnel should also share information with firm management (particularly if a red flag involves a senior manager), and should be prepared, and have a process in place, to escalate matters to the Board of Directors if management fails to take corrective action. Membership on firm committees is also an area of concern for compliance personnel. As evidenced in In the Matter of Theodore Urban, membership on certain firm committees may cause the Commission to determine that compliance personnel who, as a member of a committee, learn critical information about a violation have a duty to ensure that corrective action is taken. The Commissions approach exposes compliance personnel to personal liability that could potentially jeopardize careers and, as a result, may cause qualified candidates to avoid compliance roles. The Commissions use of data analytics tools has increased the pressure on compliance personnel to ferret out fraud, technical violations, and control failures. One approach is to conduct surveillances similar to those performed by the SECs analytics teams. Some reliable off-the-shelf surveillance may be available, but compliance may have to leverage internal information technology resources and get buy-in from business units to build surveillance tools to counter the SEC. The associated costs may be significant since the Commissions data analytics program is continuously evolving and broker-dealers would need to keep pace. However, since repeated violations could lead to increasingly severe fines, create the impression that there is a lack of institutional control at firms, personal liability, and could jeopardize firms reputation and client relationships, firm may have limited choice. The other alternative is for compliance personnel to rely on the traditional approach, which is based on developing strong policies and procedures that match the firms business and the regulatory environment, and diligent oversight. This approach requires frequent monitoring and testing of the adequacy of business units compliance with polices and procedures. It also requires compliance personnel regularly ask where issues could occur, what controls are in place to prevent or detect problems, and what residual risks remain unmitigated by such controls?