Thank you for that kind introduction, Bruce Karpati. I appreciate the invitation to speak during today’s lunch. Many thanks to the National Society of Compliance Professionals (“NSCP”) for hosting this event. I want to extend warm greetings from the Securities and Exchange Commission to the approximately 800 compliance professionals from across the country attending this three-day conference.

Before I begin, I need to provide the standard disclaimer that the views I express today are my own and do not necessarily reflect those of the Commission or my fellow Commissioners.

It is appropriate for this conference to be happening this week as Halloween is tomorrow. Halloween, after all, is all about compliance with rules. What kind of candy and how much should you give out? Does a garbage bag really count as a costume? If you leave a bowl of candy on your front porch, how much is it ok for any one trick-or-treater to take? Are baby carrot packets really an acceptable thing to hand out? Is keeping the porch light off an appropriate way to signal that you will not have any candy? Are parents really entitled to a “candy tax” on their kids’ Halloween haul? Who should accompany a trick-or-treating child? How old is too old to trick-or-treat? How long can trick-or-treaters be out and about?

Most of the rules governing Halloween tend to be unwritten codes that are enforced by informal social pressure. I recently learned, however, that a few Virginia cities have deemed trick-or-treating over the age of 12 or after 8 p.m. a criminal act.[1] In fact, the maximum penalty for violating this law is six months in jail and a $100 penalty. I remember trick-or-treating in high school and being reprimanded at one of the houses I visited, which shamed me into quitting, but criminalizing the practice seems a bit extreme. If every house a teenager visits gives her a stern look or a little bag of kale chips in lieu of the chocolate she wants, she might get the message—without having to spend even one night in jail—that people do not welcome teenage trick-or-treaters.

Even where localities have criminalized certain aspects of trick-or-treating, however, the October ritual is most certainly less regulated than the financial industry. In the financial industry, there are lots of principles about conduct and reams of specific statutes and rules. All those rules can make your jobs quite scary, but just how terrifying your jobs are depends on how we at the Commission interact with you and your firms. It is this interaction that I would like to spend a few minutes discussing today.

Some people believe that a formal enforcement action is the obvious response to every compliance infraction. In my view, a better approach is to build certain norms into the industry that foster compliance. Hitting someone over the head with a criminal conviction is a sure way to scare all trick-or-treaters, even those not breaking the rules, into ceasing and desisting from trick-or-treating. More subtle approaches, however, can actually be of greater long-term value. These approaches seek to encourage compliance by building an understanding of the purpose behind rules and suggesting ways to comply with those rules.

Subtle approaches do not work with people who are not well-intentioned. I trust, however, that in a room full of compliance professionals, the majority of you are trying to do the right thing. It does not take an enforcement action or the fear of one to convince you to care about investors. You strive to improve the industry by working with your firms to build cultures of compliance. You are motivated by a desire to protect your firm’s customers, its brand, and thus your own reputation. We assist you in cultivating healthy habits not by targeting you when something goes awry, but by assisting you in understanding how the rules apply to the unique features of your firm and the products and services it offers.

A key part of the SEC is our inspections and examination function, which helps firms build strong internal compliance programs. Our compliance team’s efforts are essential—and indeed, I would argue, central—to our mission of protecting investors and our securities markets. I commend Chairman Jay Clayton; Pete Driscoll, the director of our Office of Compliance Inspections and Examinations (“OCIE”); and the OCIE staff, which is spread across the country, for their great work in executing the SEC’s examination program. In fact, just yesterday, I had the opportunity to meet with examiners from our Atlanta Regional Office. Through the use of targeted examinations, reassigning personnel, and better risk and data analysis, OCIE has been able to look at more registrants and to look at aspects of those registrants where there are most likely to be problems.[2] In addition, by focusing on better and more frequent communication with firms about areas where OCIE is seeing problems across the industry, our exam program is able to further expand its reach.[3] OCIE, the eyes and ears of the Commission, also works with our Divisions of Investment Management and Trading and Markets to suggest rule changes that will address commonly occurring problems.

OCIE’s efforts at increasing its productivity and reach has been especially important given that, in 2017, the number of investment advisers that registered for the first time with the SEC increased by 20 percent from the year before.[4] Today, OCIE has the daunting task of overseeing more than 13,000 investment advisers with nearly $84 trillion in assets under management.[5] By 2019, there may be only one examiner for every 20 investment advisers.[6] And that is just the adviser population. OCIE also oversees 585 municipal advisors,[7] 21 national securities exchanges,[8] seven active registered clearing agencies,[9] transfer agents, the MSRB, and FINRA—which is the frontline regulator for the 3,700 SEC-registered broker-dealers.[10]

Given these increasing demands on our staff, our expectations of the firms we regulate also have risen. For our compliance efforts to be successful, firms and compliance officers have to be willing to work with our compliance staff. You should keep the communication channels open with us. Ask our staff questions when you have them. Join us for our Chief Compliance Officer (“CCO”) Outreach programs.[11] Let us know if you have questions about how OCIE or our rulemaking divisions are interpreting a particular regulatory obligation. When we do come in to look at your firm, cooperate with us to ensure the exam runs as smoothly as possible. Among other things, your firms need to answer our questions and provide documents in response to our requests in a timely manner.[12]

Too often, firms drag their feet or provide patently inaccurate or obviously incomplete information. I understand that document requests can be large and time frames for their production can be short. It is therefore important for us to work with you to help you get us what we need in a way that does not unnecessarily tax your firm. Please raise concerns about the document requests with the staff so that they can work through those concerns with you. Your cooperation means that our staff can be in and out of your firm faster and on to the next exam, where there might be problems that threaten real investor harm. With the ever-increasing number of registered investment advisers, it is imperative that firms assist OCIE in using its resources wisely so that OCIE can effectively and efficiently conduct its examinations and cover as many registrants as possible. Through such cooperation, investors, industry, and the Commission will all benefit.

When a firm needs to cobble the records together after the fact to satisfy our requests, the firm is likely not holding up its end of the compliance bargain. If you don’t have your records in order, we start to wonder how you are even able daily to do your job. The firm cannot conduct its own internal reporting and monitoring without complete records. How can you prepare an exception report if you do not know what is exceptional? You need to know what normal looks like so that you can spot something that is not normal. In short, when a firm is out of compliance with the SEC’s recordkeeping rules, I am less concerned that there is a books and records rule violation than that the firm’s recordkeeping issues might become substantive problems for the firm and its clients.

I am not trying to downplay legitimate concerns that you and your firms may have, including concerns about the breadth of a request or how the SEC will protect data that it collects. I want there to be an open dialogue between firms—in particular their compliance officers—and our staff. It is important that those of you in the industry feel comfortable asking questions and presenting your reasons for seeking modifications to a document request’s timing or scope. If we are asking for large batches of the same records repeatedly, it is fair for you to ask whether we should be getting those documents pursuant to a notice-and-comment rulemaking, rather than through the exam process. If you are getting multiple requests for the same documents from different parts of the agency or from different regulators, you should alert us. Your concerns are most likely to be heard, however, if you work in good faith to answer questions and produce documents in instances when you can do so without implicating those concerns.

This kind of dialogue is possible because the SEC is a regulatory agency, and I want to keep it that way. A frequent refrain of mine when I see an enforcement recommendation is “Couldn’t this matter have been handled through our compliance program?” Enforcement resources should be saved for serious matters, not squandered on compliance slip-ups. Concern that we are forgetting our status as a regulator also causes me to take issue with our practice of calling agreements not to proceed with an enforcement action against a particular firm or individual “non-prosecution agreements.”[13] We are not prosecutors; we are regulators. However, if we are not to be an enforcement-centric agency, we need firms to take our examiners seriously. Otherwise, our Enforcement Division will be backed into taking an unduly prominent role in carrying out the Commission’s mission.

The Commission, in the past, has sent mixed messages about who should be playing what role in cultivating compliance. Over-reliance on enforcement and second-guessing of compliance officers cast doubt on where the responsibility for compliance lies. If you do not know what your role in achieving compliance is, how can you perform that role well? The lesson became clear to me recently when some friends invited me to their five year-old daughter’s soccer game. As the team was warming up, I asked what position she played. The little girl’s mother responded: “Oh, they don’t have assigned positions. Every player does whatever she can to help the team, but there are no assigned positions.” The ensuing chaos was fun for the kids and amusing to watch, but such chaos has no place in the world of compliance; roles and responsibilities must be clear and people should play in accordance with their assigned positions.

The SEC’s Enforcement Division, for example, has an important role to play in combating violations of the securities laws. However, it is not the first-line of defense. Instead, the managers and employees at the firms for which you work are the first line of defense.[14] In doing their jobs, these employees and executives should strive to act in a manner that is consistent with the securities laws and should encourage compliance by the employees they supervise. Frontline firm employees cannot offload their responsibility to you. You, as compliance professionals, are the second-line of defense. You help your firms and their employees to comply by developing a deep knowledge of the rules, conducting training, monitoring conduct, and speaking up boldly for ethical business practices. The next line of defense after compliance officers and any internal audit function is OCIE. Enforcement is more like a goalie. Its role is essential, but it should not be running around the whole field trying to insert itself into every minute of the game.

An examiner’s role, by contrast, is a very active one. Examiners are able to move more nimbly than Enforcement. As an example, yesterday, during my visit to our Atlanta office, I heard two stories of how our examiners were able to go into firms with weak compliance programs and work with them to improve those programs. The firms saw the logic of OCIE’s insights and were willing to incorporate them into their compliance programs. No enforcement action. No fanfare. Just better compliance. Drawing on an example from a regulatory colleague, FINRA has a Rapid Remediation Program, through which FINRA identifies a one-off compliance problem in an area like trade reporting, notifies the firm, helps the firm fix the problem, and checks to see that it was fixed.[15] Again, no investigation opened. No enforcement action. Just a compliance problem identified and resolved quickly.[16]

Yes, one thing OCIE does is make referrals to the Enforcement Division, but—despite the attention these referrals get—sending matters over to enforcement is not OCIE’s most important function. It is just an easy metric to measure. A good day for a compliance examiner is helping a firm identify issues and working with that firm to correct those issues in an efficient, collaborative, and effective manner without the expense, inconvenience, delay, reputational damage, and sleepless nights of an enforcement proceeding. I am not naïve. I recognize that interactions with our examiners are unlikely to find their way into a firm’s photo album of happy highlights of the year. That said, I hope that by making clear that exams are not a hunt for enforcement actions, we can give you the comfort you need to work productively with our exam staff toward a good resolution of any problems they identify.

Serving as a compliance officer is a demanding job. You have to exhibit a variety of skills including financial, legal, and business knowledge; leadership; good communication; and rock-solid integrity. Given the demands of your jobs, the SEC should look for ways to support you and should avoid second-guessing good faith decisions through enforcement actions. You are not responsible for violations at your firms simply because compliance systems for which you are responsible failed to detect those violations. As I noted earlier, the primary responsibility for compliance lies with a firm’s managers and employees.

Regardless of the outcome, enduring an enforcement investigation and defending against an SEC enforcement action is stressful, costly, time-consuming, and reputationally harmful. Additionally, depending on the facts and circumstances, an enforcement action against a compliance officer can have a chilling effect on all compliance professionals and may even drive some people out of the industry altogether.[17] Court Golumbic, in a law review article appropriately titled “The Big Chill”, explained how recent enforcement actions by financial regulators, including the SEC, have caused some compliance professionals to rethink their career choice. Golumbic put it this way: “Regardless of the cause, the resulting ‘chilling effect’ on financial sector compliance officers should raise an alarm. The level of ensuing ‘brain drain’ could diminish significantly the efficacy of financial sector compliance programs, and the integrity of the industry more generally.”[18]

Similar concerns were expressed by the National Society of Compliance Professionals in an August 2015 letter that recommended that the Commission decline to bring enforcement actions against compliance officer’s based on a legal theory of simple negligence.[19] In that letter, Executive Director Lisa Crossley wrote, “we submit that a fundamental policy question is whether enforcement actions against compliance officers will motivate them to greater vigilance or risk a demoralizing belief that even exercising their best judgment will not protect them from the risk of a career ending enforcement action, with the result that many of the best compliance officers will choose to leave the profession rather than face the risks.”[20]

I share these concerns. We cannot afford to drive out of the profession people whose talents, commitment, and experience help to make our capital markets so remarkable. We need people like you to stay in the industry and recruit and train the next generation of compliance professionals. You will do neither if we tell you through our enforcement actions that we do not trust your judgment. A conflict between your judgment and ours, which is always informed by hindsight, should not result in an enforcement action against you. Troubled by the prospect of running people like you out of the industry, I have been extremely reluctant to charge compliance officers.

That said, under some circumstances, I have supported enforcement actions against compliance officers, but have always done so with some trepidation because of the concerns I just mentioned. Indeed, in an uncomfortably timed release, one of those matters hit our website yesterday evening.[21] Once you have had time to consider the matter, I hope you will reach out to me with your thoughts on it. I welcome your help as I consider how to approach future matters involving compliance officers.

In the meantime, let me walk you quickly through yesterday’s Commission opinion. The opinion upheld a FINRA disciplinary action finding that the chief compliance officer at issue had failed to establish a reasonable supervisory system for the review of electronic communications, failed to reasonably review electronic correspondence, and failed to report to FINRA his firm’s relationship with a statutorily disqualified person. The CCO, for example, did not review any emails in 13 of the 26 relevant months and failed to update the written policies and procedures, which did not contain any review parameters, for one-and-a-half years after arriving at the firm. In addition, the CCO, after having become aware of a registered representative’s outside relationship with a person he knew to be statutorily disqualified, did not disclose the relationship to FINRA, which was asking about the matter, or further investigate after the firm’s CEO told him the relationship was unobjectionable.

On one hand, this type of enforcement action is exactly the kind of case which I have concerns. I do not like going back to question how well CCOs have done their jobs. On the other hand, in this instance, the CCO did not take basic steps that would have established that he was carrying out his job in good faith. As the opinion explained, “his failure to fulfill his own responsibilities was egregious.”[22] The firm was not charged, a fact the opinion notes, and one that gave me pause as I considered the charges against the CCO.[23] The opinion emphasizes the CCO’s failures and our objection to second-guessing CCOs, and I would like to underscore my view that enforcement actions of this type should be extremely rare. Obviously, when a compliance officer is an active participant in committing or covering up fraud, this person should be held accountable. The facts at issue in yesterday’s matter are admittedly more difficult, and I think that difficulty is reflected in the language of the opinion.

I agree with former Commissioner Dan Gallagher, who noted in June 2015 that the Commission should “tread carefully when bringing enforcement actions against compliance personnel” and should not pursue enforcement actions based on “strict liability for CCOs under Rule 206(4)-7.”[24] I have been skeptical, for example, of enforcement actions against anti-money laundering compliance officers who are alleged to have filed too few Suspicious Activity Reports (“SARs”). Currently, there is no clear rule delineating when firms should file a SAR, so they and their compliance officers are left to exercise their own judgment. We should not bring enforcement actions simply because we disagree, in hindsight, with their judgment.

As compliance professionals, you can help to keep responsibility for compliance failures properly allocated. Too many compliance officers seem to sign on to employment agreements that make them responsible for “ensuring” that the firm will comply with the securities laws. Language like that stands in contrast to the reality of this imperfect world and is not helpful as we try to keep the responsibility for compliance squarely on the firm. Another complicating factor in many factual scenarios is the compliance officer’s wearing of multiple hats at the firm. It may not be clear what hat someone is wearing when a violation occurs. Of course, many firms cannot afford to hire a person whose only job responsibilities are compliance, but CCO and non-CCO functions should be clearly delineated.

The National Society of Compliance Professionals plays an important role in setting high standards for compliance professionals. Your efforts at raising the profile of compliance personnel complement our efforts to work more effectively with compliance officers. By helping compliance officers do their jobs with excellence, you help us to identify instances in which compliance officers have acted well outside accepted norms of conduct. Organizations like this highlight the diligence with which most CCOs are just trying to do the right thing when performing their daily duties. Your letter also warns—and I agree with you—that “a negligence standard is so amenable to liability by hindsight, we are concerned that compliance officers will face the rigors of an enforcement investigation, and potentially career-altering liability, for simple mistakes or errors of judgment which could somehow be connected to a primary violation committed by others.”[25] I look forward to working with you to build a better regulatory environment for compliance professionals.

Thank you for the opportunity to speak with you today. I hope I have given you some insights into how I view the role of compliance officers, the role of the SEC in helping firms to comply, and enforcement actions against compliance officers. I hope that you have a productive and enjoyable time while in Atlanta. If you do plan to take your kids trick-or treating, make sure to check the laws first. In the remaining time we have left, I am happy to answer any questions.