Thank you for your kind words. And thank you to SIFMA’s Compliance and Legal Society for inviting me. I’m grateful for the opportunity to speak with you. As always, what I have to say reflects my own views and not necessarily those of the Federal Reserve Bank of New York or the Federal Reserve System.1
I have been a lawyer in the Legal Group at the New York Fed for almost twenty years. In my current role as General Counsel, I also oversee the Bank’s compliance function. Martin Grant, whom some of you may know, is our Chief Compliance Officer. Martin has been an advisor and role model for me throughout my tenure at the New York Fed. So much of what I have learned about compliance, I have learned from Martin. It’s not every day you get to thank a mentor publicly, so I don’t want to let this opportunity pass without saying thank you to Martin.
I will offer some observations today as a fellow traveler in the legal and compliance fields. But I also hope to share some lessons learned from when our institutions may have been on opposite sides of the table. I do not aim to break any new ground today. This is, after all, a luncheon. I am worried about your digestion. Instead, I want to offer some high-level reflections. I will then share with you a few of the questions that are on my mind.
Let’s begin with some high-level observations about the state of play in compliance. The role of compliance within supervised financial institutions has grown dramatically—in size, scope, and relevance. It’s the relevance of compliance that stands out to me. In day-to-day interactions with supervised financial firms, I sense that risk and compliance functions have grown in respect and stature across the financial services industry. That’s a good thing.
I am further encouraged by what may be on the horizon for compliance. In the same way that social psychology has altered the fields of economics and other social sciences, compliance is beginning to learn from academic research about human behavior.2 Again, this is a good thing. I am particularly fond of a description of one method, coined by Cass Sunstein and Richard Thaler: the “nudge.” I believe compliance will, in the near future, supplement an existing framework that restricts poor choices with new ways to encourage good choices.
Here is a classic example of the type of change I have in mind. When employers recommend that their employees “opt in” to retirement plans, they achieve a far lower rate of participation than when employees are automatically enrolled, but may “opt out.” What accounts for this? The economics of the plan work either way. And the incentives have not changed. Employees are not promised more money if they choose not to “opt out” than if they choose to “opt in.” But a better result is achieved by “nudging” employees simply by changing the starting point.3
Compliance programs may be more likely to achieve their desired effects if they are based on studies of how people actually behave. Here are three ideas that would benefit from continued empirical study.
First, can we increase participation in voluntary training and education programs by pre-populating enrollment? That is, can we rely on the same type of inertia that keeps employees from opting out of retirement savings programs? I’m speaking here of programs above and beyond the minimum training firms already require. These might explore in greater depth the ethical decisions that come up in corporate life—in particular, times when the corporation’s interest and a client’s interest appear to diverge.
Second, I am interested in the potential for certain employees to serve as carriers for social norms. Their identification is not always based on rank in a corporate hierarchy. Step one is to find out who these people are. We might, for example, attempt to map electronic communication within an organization. We might then ask how these people can become living, breathing “nudges” in favor of better behavior.
Third, and more generally, I wonder whether our approach to compliance is, at times, too rules-based. This is a classic “rules versus standards” debate that is familiar to many lawyers.4 A surfeit of rules may cause employees to believe that they are not trusted. This could create the misimpression that it is someone else’s job to consider long-term consequences or what is the right thing to do. Now, I am not suggesting that there should be a wholesale elimination of rules. But, in some areas, compliance programs may be more effective if some rules were redeployed as standards. That way, front line businesses would have to exercise good judgment in interpreting and applying those standards. Simply put, some empirical basis for evaluating the right balance of rules and standards would be helpful.
So, there is room for improvement and creative thinking in compliance—even in ways that challenge basic assumptions on how compliance should work. You are familiar, no doubt, with the phrase, “Don’t let the perfect be the enemy of the good.” My first message to you is, “Don’t let the good be the enemy of the better.”
Compliance and Influence
Progress aside, I still see confusion about the basic roles and responsibilities of compliance functions within supervised financial institutions. Or, perhaps, there is a degree of entrenched resistance.
Before I tell you what I mean by that, here is what I don’t mean. I am not advocating for a vast expansion of the role of the compliance function. It is tempting to think that vesting compliance officers with greater and greater authority over business will lead to better outcomes—at least in terms of the safety and soundness of the financial institution. But, I am very sensitive to the risk that as compliance becomes more involved in business decisions, it loses its independence. That independence is critical to effective governance and, ultimately, to the safety and soundness of an institution. What’s more, there is some point at which compliance becomes an end in itself, detracting from broader corporate and social purposes. I will return to this thought later.
Here is my point: Most if not all firms could use greater clarity about who is responsible for what within their organization. I offer this observation based, in part, on the compliance enhancements required in many Federal Reserve enforcement actions. Many compliance professionals have a very clear understanding of their own role—in terms of both duties and limitations—and strive to maintain their independence. I am less confident about the degree to which others in an institution are aware of what the role of compliance is, and what it is not. A shared understanding between business and compliance about this is critical. A misunderstanding of roles can lead to confusion of responsibility (or diffusion of responsibility), laying the groundwork for control failures.
Let me explain how confusion about rules might play out. The more that the compliance function is perceived to be certifying or validating the business’s actions, the less the business sees itself as responsible for adhering to the firm’s policies, and even to the law. Because the compliance function often has the power to block business decisions, as a practical matter, it can also be viewed as giving its approval by not blocking decisions. That tacit approval can work like a license to take increased risks.
When those increased risks become a control failure, government investigators start asking questions about what went wrong. Witnesses then start pointing fingers. Compliance is quick to say that the business owns the risk. Bankers say it is not their fault because compliance gave its blessing—often inferred from silence.
Neither side has it quite right. For one thing, I do not buy the excuse “if it was really a problem our compliance people should have stopped us.” This kind of scapegoating can sacrifice credibility with a regulator. It can also damage the morale within the compliance group. On the other hand, I wonder why compliance personnel did not look for and identify a gap in understanding and escalate the issue. It is not enough for compliance to lob its advice over the wall and then move on. Compliance is not simply an advisory function. It bears a certain responsibility to safeguard the organization. When risks are not being addressed, senior management—or, if necessary, the board—must be alerted.
The role of the compliance officer is often divided into two categories—serving as a control function and serving as an advisor. In many respects, this framing works just fine. Compliance sometimes needs to control. And sometimes it needs to advise. Indeed, for in-house counsel, this dual-hatted approach is not unfamiliar. I have discussed in previous remarks the “partner-guardian” model espoused by the former general counsel of General Electric, Ben Heineman. He argues that a lawyer serves as both a partner to the business unit and a guardian of the organization.5 I am a big fan of this model and think it serves in-house lawyers well.
But, this binary approach—advisor versus controller—also misses something. I think we would be well served to keep in mind that the mark of a strong compliance function—at least, from my perspective—is that it is influential within the organization. Compliance functions, like in-house counsel, need to adeptly use all the tools in our respective toolkit to influence behavior within an institution. Some of these tools are more advisory; others are more controlling.
Policies and procedures that reinforce clear roles for the first and second lines of defense, along with clearly defined escalation paths, can help compliance exert appropriate influence over business decisions. When a senior manager understands that she has responsibility for control failures that occur on her watch, and sees that her responsibility cannot be deflected or redistributed, then her view of the compliance function shifts. What was once something that was inhibiting her business line is now something that is helping her protect it. She may find that compliance as a constructive and independent partner can offer ways to avoid problems.
Greater clarity about roles is a good starting point. Here are some additional ways in which compliance may strengthen its influence while preserving its independence.
First, compliance should insist on getting involved earlier. Influence delayed is influence denied. If a firm is considering restructuring a unit or designing a new product, compliance should be at the drafting table with an opportunity to hear and to be heard. If a new trading strategy is to be implemented, compliance should review sooner than on the eve of execution. I understand that time is money, but investing time early in a compliance review may save years of investigation later.
Second, compliance should keep an eye out for larger, more systemic compliance risks and issues. As a centralized function, compliance is well-situated to connect the dots and identify broad issues that are not always visible to management. The compliance function typically serves the entire organization, and can use that enterprise-wide view to spot systemic problems.
One type of systemic compliance risk that I think about is what Gillian Tett of the Financial Times has called The Silo Effect. Silos can result from the specialization common in hierarchical organizations working in highly technical fields. Silos are at risk of breaking away from the main. They may develop aberrant norms that can undermine standard oversight and controls. Compliance can and should leverage its independence to spot silos—or any form of “groupthink”—before undue risks mature.
Third, compliance can increase its influence through careful stewardship of its people. This means attracting and retaining talented compliance professionals, and, whenever possible, insisting on getting to know the business area. The role of a compliance officer should include building relationships and becoming a trusted resource. Such relationships can yield a deeper understanding of, among other things, the motivations and pressures that are affecting the business. These insights can inform and help improve policies, procedures, testing and monitoring. As I mentioned earlier, compliance can become more effective if it calibrates processes to actual circumstances and behaviors.
Finding and retaining talented people for compliance roles is a major challenge facing firms across the industry right now. After all, compliance can be a nearly impossible job. And well-trained, experienced compliance personnel are scarce. Those are but two of the many challenges that compliance functions in financial institutions face. I certainly do not have solutions to every compliance challenge. But, having to manage the attraction, retention, and development of the New York Fed’s compliance staff, I am sympathetic.
I am optimistic, too. As I mentioned earlier, I think the broad trends in compliance are heading in the right direction. Compliance functions are gaining influence. Greater clarity about roles can help. Compliance will always be a difficult job, but does not have to be a seemingly impossible one.
Another cause for optimism is the attention compliance now receives in law schools and other graduate programs. Two examples are NYU Law School’s Program on Corporate Compliance and Enforcement, and Fordham Law School’s LLM program in Corporate Compliance. These programs engage key leaders in the field in important public discussions, and train students who, in terms of their understanding of corporate governance, are well ahead of where many of us were when we began our careers. These programs will contribute to a bright future for the compliance profession.
Compliance, Enforcement, and Accountability
I also want to say a few words about enforcement and accountability. I believe, of course, that past misconduct should be punished. I also believe that we who play a role in bringing wrongdoers to account should also require forward-looking reforms under the mantra of “Never again.” For those forward-looking reforms to be successful, firms and enforcement attorneys need to pay attention to root causes of misconduct.
There is a vigorous and important debate in academic and regulatory circles about the prosecution of individuals in cases of corporate misconduct. Virtually everyone agrees that individual prosecutions can have a deterrent effect on future misconduct if people believe they will get caught. I follow the debate with great interest. Suffice it to say, I agree that individuals must be held accountable for misconduct. If the misconduct is criminal, criminal prosecution is warranted.
I also believe what science teaches about behavior: Our actions are a product of both individual disposition or volition and the situation in which we function. And, the situation might be more potent than we might think.6 So, I wonder, for example, whether the thought of “getting caught” even crosses someone’s mind if a prohibition is so routinely disregarded that violating that rule is normal. In the LIBOR and FX cases, for example, traders discussed openly their manipulation of reference rates in electronic chat rooms that they knew were recorded and monitored. The fact that those traders used a back channel to communicate evidences an awareness of wrongdoing—not to mention the brazen content of their communication. I have to conclude that the risk of getting caught either never crossed their minds or was massively discounted.
On behalf of their firms, compliance personnel can help identify the root causes—especially the situational factors—that contribute to control failures. A thorough and honest exploration of those factors can help inform structural and governance changes mandated in enforcement actions. It is in everyone’s interest for those reforms to succeed, to fulfill the mantra of “Never again.”
I do not think this type of inquiry is easy—not because the root causes are unknowable. Rather, it may be uncomfortable to ask the right questions. Here are some examples. There are sure to be others.
- Are behavioral expectations—and the consequences of violating those expectations—clear? In other words, does the company say, “This is the conduct we want, and this is how we will hold you accountable for it.”
- Does the company employ leaders who are visible role models of good conduct and fire those who are not?
- Are systems of compensation and promotion aligned with corporate goals and purposes? And, if there is a pattern of misconduct, are you sure that your incentive programs are based on merit?
- Can the heads of business lines—the people responsible for P&L—explain how it is that each part of their business makes money and manages the associated risks? If not, are they really capable of effective oversight?
- When misconduct comes to light, does the company assess itself and challenge assumptions with brutal honesty?
- Upon learning of misconduct, is the company willing to intervene in a timely fashion? If there is an emerging pattern of misconduct, how quickly is it identified and addressed?
- Finally, are there particular desks or teams in which everyone is quite junior? Too junior, perhaps, to have worked through a down business cycle or the financial crisis? If so, are we giving that area adequate supervision and compliance attention?
I want to raise one final topic with you today, which, to my mind, is related to the question of accountability. It is the risk that control groups in large institutions can evolve to a place where they are driven by their own self-preservation or immediate concerns.
If the compliance regime—inclusive of policies, procedures, testing, monitoring, etc.—is geared toward shielding the compliance function itself from blame or responsibility, then it has failed to serve the institution. It also risks becoming irrelevant. Compliance has to resist adopting a “check the box” mentality—slavishly adhering to formal rules while ignoring standards of suitability, integrity, and fairness. Compliance personnel are professionals. As such, they are entrusted to exercise judgment. They are expected to make conscious choices, not merely to rely on the outcome of a particular process.7
Lawyers are not immune from a similar criticism: permitting the avoidance of legal risk to become a goal in itself, rather than a tool for advancing the purposes of the organization. When an acutely litigious mindset prevents a company from launching a cross-organizational review, or writing a self-critical report, the near-term goal of managing discovery has overrun the broader interests of the company in honest self-assessment and improvement.
A legal group should not automatically veer toward shutting down self-reflection for the sake of being able to rest easy about litigation. Similarly, compliance cannot rest easy when its processes succeed in building a paper trail, but do little to uncover and resolve problematic behavior. In short, some risks are worth taking.
Thank you for listening to my remarks today. I am happy to take any questions.