In this continuing series on regulatory issues for in-house counsel and compliance professionals, the author will devote the next few columns to offering suggestions to the next administration and Congress. We begin with compliance leadership.
Business ethics have been drawing attention as a political issue. Candidates on both sides of the partisan divide have spoken out about the ethical condition of banking, Wall Street, finance and other business sectors. Yet, the political rhetoric has been strangely silent about a ready means for addressing non-compliance with governing standards. There is a private sector tool that has repeatedly proven its effectiveness, and is available for immediate and enhanced use. Of course, that would be: professional compliance.
The United States created modern compliance. It first emerged in the 1960s, as the result of a special study of the securities markets conducted by the Securities and Exchange Commission. In the 1970s, an advisory committee of securities firms, sponsored by the SEC, developed more detailed guidance on compliance controls. Then, in the 1980s and 1990s, compliance spread into a number of new areas: including sentencing guidelines, banking, corporate governance, health care and others.
Always, however, at least in the United States, compliance developed at the ground level, sponsored by specialized commissions, regulatory agencies, state courts and inspector generals. (A more detailed description of the origins of compliance can be found in Chapter 2, "A History of Compliance," in David H. Lui & John H. Walsh, eds. Modern Compliance [Wolters Kluwer, 2015].) Importantly, this legacy has continued in recent years. While the Dodd-Frank Act and Affordable Care Act have inspired intense debate, pro and con, little has been heard about the important compliance provisions in both acts. In short, even as compliance has grown and spread, and proven its value, it has never been seen as a strategic component of national regulatory policy.
Foreign jurisdictions, on the other hand, have increasingly recognized the value of compliance. In 2014 a global working group developed and published a compliance management standard for the International Standards Organization, or "ISO." The standard was published on December 15, 2014 as Compliance Management Systems—Guidelines, ISO 19600. The drafting group was led by Australia, and participants included Austria, Canada, China, France, Germany, Malaysia, Netherlands, Portugal, Singapore, Spain and Switzerland. Observers to the process included Japan and the United Kingdom. Embarrassingly enough, the United States, the home of compliance, appears to have played no role. Compliance leadership may be moving overseas.
In the United States meanwhile, current public policy appears to be focused on when to bring enforcement actions against individual compliance professionals. The SEC, for example, has brought several recent cases. Members of the SEC Staff have also issued statements setting out their views on when compliance professionals should be prosecuted. Both the Director of the Division of Enforcement, in a November 2015 speech to the National Society of Compliance Professionals and the Division of Trading and Markets, in guidance issued in September 2013, have weighed in on the point. These statements are welcome, because clear prosecutorial standards are always helpful, and especially so in a profession where the best practitioners make it their business to rush into dangerous compliance situations. When standards are unclear, compliance professionals may start hesitating, looking over their shoulders, and worrying about their own liability, even when they are acting in complete good faith. Unfortunately, recent enforcement cases include findings of liability for honest negligence, and staff prosecutorial standards continue to leave room for doubt.
More fundamentally though, prosecution alone will never enhance the profession. At its best, prosecution plays a negative role by weeding out the true bad actors. While compliance practitioners should welcome enforcement actions against those who knowingly engage in affirmative misconduct, for their part regulators should recognize the limitations of prosecution as a regulatory policy.
Even without public action, compliance has been developing rapidly on its own. Law schools and universities have recognized compliance as suitable for academic attention. Centers for corporate compliance, symposia, roundtables, and other relevant academic institutions have appeared, fostering research and the intellectual development of the field. Similarly, compliance has begun to appear in course catalogues, fostering better training and professional development. Also, professional organizations have established compliance certification programs, either as stand-along ventures or in collaboration with academic institutions.
We should also note that compliance itself is evolving, with third-party practitioners becoming increasingly important. Traditional compliance practitioners are embedded within a single firm, and third party practitioners provide services to a variety of firms. At its best, third party compliance delivers a level of expertise and independence that would be impossible for many individual firms. Finally, the use of big data tools has opened a new realm to compliance practitioners, with algorithms searching data sets for signals of compliance issues. Big data promises to transform compliance, as it has every other field it has touched.
All of which brings us to the point of this essay. Compliance is taking off, and is ready to play a more strategic role in national regulatory policy, especially in addressing concerns about business ethics. Legal and compliance practitioners should be ready to ask candidates: What will you do to help compliance achieve its full potential? When candidates talk about bad conduct in finance or other business sectors, we should be ready to ask: What are you doing to help professional compliance address these issues?
A few ideas may help get the conversation going:
What can public policy do to enhance compliance standards? The global ISO standard is a major step forward. A U.S. standard – perhaps authorized by Congress and drafted by joint action of the financial regulatory agencies – could establish a framework for domestic application. This could help regulators judge the conduct of compliance professionals (see below) and further professionalize activities, such as compliance audits, that would benefit from greater uniformity and testing to a defined standard.
How can public policy enhance the provision of third-party services? In 1933 government action transformed third-party accounting through the audit provisions of the Securities Act. The SEC has indicated that it is considering requiring investment advisers to retain third party private sector compliance auditors. One must wonder, however, how much the agency can do on its own, without congressional authorization. Moreover, considered as a matter of national policy, Congress could address the merits of third party compliance audits across the entire financial sector, and not merely for one specialized type of firm.
What can public policy do to clarify the duties and liabilities of compliance professionals? Today, compliance practitioners suffer all of the detriments and enjoy none of the benefits of serving as institutional gatekeepers. When they rush into a problematic compliance situation they have no privileges or professional standards upon which to rely. Better standards of practice would certainly be helpful (see above). But beyond professional standards, there should be some protection for practitioners who are competent, professional and work in good faith, even if, in hindsight, months or years later, a forensic observer could question whether perfect decisions were made. These protections must be carefully crafted to avoid excusing wrongful conduct. But the worst-case scenario, for society at large, is when problems go undetected or uncorrected, because compliance professionals are too busy protecting themselves.
In sum, compliance can play a critical role in addressing the concerns about business ethics that have already been heard on the campaign trail. At the same time, public policy can play a critical role in moving compliance forward, so it can play an even more effective role in the future. The time has come to make private sector compliance a national policy issue. With public leadership and support at the highest levels of the federal government, compliance can play an enhanced role in responding to public concerns about the ethics of finance, and other business sectors. Let us hope we hear more about this during the coming electoral campaigns.