The speech made by Carlo di Florio, director of the US Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations, at the National Society of Compliance Professionals meeting in Baltimore last week might have been a little heavy-handed in its delivery (he referenced the philosophers Plato and Aristotle, for one), but the message was an interesting one: data transparency is a fundamental prerequisite to sound enterprise risk management (ERM). Of course, his speech, which he entitled “The Role of Compliance and Ethics in Risk Management,” noted that some degree of ethical change is required in order to ensure that a firm’s risk management culture evolves, but a lot of this is to do with “fair” communications and “disclosure” of relevant data.
He referred to the business conduct standards that have been rolled into the Dodd-Frank Act in order to foster this transparency with regards to data and restore confidence in the financial markets. Accordingly, he highlighted elements such as: “a requirement that communications with counterparties are made in a fair and balanced manner based on principles of fair dealing and good faith” and “an obligation to disclose to a counterparty material information about the security-based swap, such as material risks, characteristics, incentives and conflicts of interest.”
Ensuring customers and counterparties are treated “fairly” therefore requires a degree of data transparency with regards to compliance and risk management, in the eyes of regulators such as the SEC. This is evident when you look at most aspects of Dodd-Frank, especially on the OTC derivatives side of things, and most EU legislation – check out the prescriptive data sets that must be included under the proposed sequel to MiFID, for example (see my blog from earlier this week here).
Of course, the issue of transparency is open to debate and many firms are particularly concerned about a one-size-fits-all approach being applied to transparency requirements across all markets, from equities to derivatives. Industry associations have this week raised concerns about that very issue with regards to the Markets in Financial Instruments Regulation (MiFIR) pre- and post-trade transparency regime.
However, for now, this push towards transparency is clear and present within a whole host of regulations and, as di Florio’s speech indicates, regulators are very aware of the importance of data transparency if they are to conduct their day jobs in assessing whether firms are truly acting in what he calls an “ethical manner.” This transparency extends beyond just reference data, market data, risk analytics models or the like; it extends to a firm’s governance policies and to the controls around who has access to what data (see UBS’ recent woes with its Delta One desk for a case study in why this is important).
As a parting shot, and to stress the importance that his office is now placing on a firm being able to demonstrate this handle on its data and its overall governance, di Florio said: “If we believe that a firm tolerates a nonchalant attitude toward compliance, ethics and risk management, we will factor that into our analysis of which registrants to examine, what issues to focus on, and how deep to go in executing our examinations.” In other words, if you can’t prove that you’re being fair, ethical and transparent in your communications with clients and counterparties, regulators will take it into their own hands.
His speech, which is available to view in full here, is worth a look, but if you don’t have time to read it, here are what the SEC determines to be the 10 elements that make up an effective compliance and ethics programme:
- Governance. This includes the board of directors and senior management setting a tone at the top and providing compliance and ethics programmes with the necessary resources, independence, standing, and authority to be effective. NEP staff have begun meeting with directors, CEOs, and senior management teams to better understand risk and assess the tone at the top that is shaping the culture of compliance, ethics and risk management.
- Culture and values. This includes leadership promoting integrity and ethical values in decision making across the organisation and requiring accountability.
- Incentives and rewards. This includes incorporating integrity and ethical values into performance management systems and compensation so the right behaviours are encouraged and rewarded, while inappropriate behaviours are firmly addressed.
- Risk management. This includes ensuring effective processes to identify, assess, mitigate and manage compliance and ethics risk across the organisation.
- Policies and procedures. This includes establishing, maintaining and updating policies and procedures that are tailored to your business, your risks, your regulatory requirements and the conflicts of interest in your business model.
- Communication and training. This includes training that is tailored to your specific business, risk and regulatory requirements, and which is role-based so that each critical partner in the compliance process understands their roles and responsibilities.
- Monitoring and reporting. This includes monitoring, testing and surveillance functions that assess the health of the system and report critical issues to management and the board.
- Escalation, investigation and discipline. This includes ensuring there are processes where employees can raise concerns confidentially and anonymously, without fear of retaliation, and that matters are effectively investigated and resolved with fair and consistent discipline.
- Issues management. This includes ensuring that root cause analysis is done with respect to issues that are identified so effective remediation can occur in a timely manner.
- An ongoing improvement process. This includes ensuring the organisation is proactively keeping pace with developments and leading practices as part of a commitment to a culture of ongoing improvement.