It's no secret the federal government has been pursuing an aggressive regulatory enforcement agenda of late, but what does it mean for compliance officers trying to keep their firms operating within the law? Star's Head of Business Development and veteran compliance officer Steve Brown breaks it all down and offers practical steps to do just that
As Chair of the Securities and Exchange Commission, Gary Gensler is following a course similar to his time at the helm of the Commodities Futures Trading Commission, i.e., taking an aggressive approach to tougher enforcement across a wide range of areas. Since taking office in April 2021, his agency has brought cases and proposed regulation that address climate concerns, diversity, proxies, political contributions, outside business activity, recordkeeping, crypto assets, and, of course, insider trading.
In a speech on November 2 of this year, speaking before the Practising Law Institute’s 54th Annual Institute on Securities Regulation, Gensler quoted Franklin Roosevelt, saying: "[Securities law] and its effective administration are steps in a program to restore some old-fashioned standards of rectitude." As recently reported, the SEC filed 760 actions (a 9% increase YOY) and obtained judgments and orders totaling $6.439 billion, the most in SEC history. Gensler seems to be taking “effective administration” and “rectitude” to heart.
Further, Gurbir S. Grewal, Director of the Division of Enforcement at the SEC, is quoted in saying: “As reflected in these results, the Enforcement Division is working with a sense of urgency to protect investors, hold wrongdoers accountable, and deter future misconduct in our financial markets. A centerpiece of those efforts is ensuring that we are using every tool in our toolkit, including penalties that have a deterrent effect and are viewed as more than the cost of doing business. While we set a Commission record this past fiscal year for total money ordered at $6.4 billion ... we don’t expect to break these records and set new ones each year because we expect behaviors to change. We expect compliance.”
It must be noted that this approach to enforcement is aggressive enough in a new and different way that it is worrying lawmakers, who fear the demands it’s placing on the SEC—coupled with ongoing staffing shortages and higher-than-normal rates of employee attrition—has the potential to endanger US securities markets.
Compliance breaches are rarely intentional and are often the results of bad actors. Very few businesses flagrantly side-step the rules. More often than not, issues arise because steps in the compliance process are overlooked. There are many reasons for this, but legacy, "old-school" approaches head the list. Many companies still rely on manual processes—like email chains and spreadsheets—to track compliance. This is not only a tedious and laborious process, but also one highly prone to human error. These spreadsheets may be used in conjunction with a variety of unintegrated software systems, platforms, and databases. This means compliance officers aren’t getting complete data, and therefore not getting the complete picture.
Using such piecemeal systems brings challenges. Compliance officers forced to chase down critical data spread across multiple systems can spend a lot of time trying to track compliance, particularly when something goes wrong or a new regulation is introduced. And when companies have to defend themselves to regulators, this can lead to even more costs, like engaging outside counsel and consultants: all of which probably could have been avoided in the first place had proper attention been paid to best practices and modern methods.
UNPRECEDENTED COMPLIANCE CHALLENGES
Adding to compliance complexities are geopolitical turmoil, record-high inflation, sky-high interest rates, and a raft of proposed regulatory changes. Throw in emerging, and potentially destabilizing, technologies like digital assets, and it’s clear that compliance departments globally are facing an unprecedented set of challenges. Keeping up means reviewing existing processes and becoming more agile. To make sure your compliance program is as effective and efficient as it can be, it’s worth prioritizing the following:
1. CODE OF CONDUCT AND TRAINING
As the Department of Justice has made abundantly clear, any well-designed compliance program should include policies and procedures that clearly define what is acceptable from an ethical perspective and practical risk-assessment methodologies aimed at reducing company risk. This means that every company should have a code of conduct in place that outlines what the company and the employees can expect from one another, i.e., the rules everyone, including senior leadership, is expected to abide by.
Of course, creating a code of conduct in and of itself isn’t enough. Companies and compliance officers need the capacity to monitor and provide real-time training solutions on a wide range of compliance issues: for example, on the rules related to insider trading. In June, the Justice Department filed the first-ever, digital-asset insider trading charges against a former employee of the OpenSea NFT marketplace. These criminal fraud charges will set another precedent in the fast-changing and newly intersecting world of digital and insider trading. This is why it’s critical for innovative, fast-growing companies to put an integrated code of conduct and related training solution in place.
2. MONITORING INTERNAL RISK VECTORS
All public companies need the ability to monitor employee trading of their own stock and options. Firms should therefore monitor Non-Section 16 executives who have access to MNPI—e.g., finance, corporate finance, or strategy employees—as well as Section 16 executives. Firms also need a process to track which employees have access to what information. There have been numerous cases brought by the SEC and DOJ where employees have misappropriated MNPI to their advantage by trading on inside information. This means companies shouldn’t just monitor employees trading during window/blackout periods. Anytime an employee has access to company MNPI, it should be logged and tracked in a centralized system that can flag questionable behavior, for example a compliance software solution.
3. WORKFLOW & CONTINUOUS MONITORING
Companies, compliance, and regulation are constantly evolving. Corporations should have a continuous—as opposed to snapshot—approach to compliance risk assessments. As the DOJ points out, a “hallmark of an effective compliance program is its capacity to improve and evolve.” Compliance teams should look for software solutions that are configurable vs. hard-coded, ideally with the ability to monitor for compliance across the entire company. As the DOJ also states in its guidelines, not all compliance programs are alike. Configurable workflows that monitors employee trading and compliance training can take an immense load off the shoulders of corporate compliance officers.
AN EVIDENTIAL SYSTEM OF TRAINING & COMPETENCYAccountability is crucial to corporate compliance because one person's actions can reflect on and impact the entire organization. Regulators expect businesses to own the risk, supervisors to be accountable, and management to set the tone from the top. In other words, it’s all about company culture.
The best way for firms to achieve a desirable culture is with consistent messaging, training, and education. This starts with pre-hire communications, new employee training, and consistently reiterating the values the firm adheres to. Establishing and maintaining an evidential system of training and competency can be invaluable in this effort—making it far easier to support a culture of compliance, protect company reputation, and support employee career development. As the DOJ and SEC continue to aggressively execute their regulatory and enforcement mandates, such evidential systems of monitoring and training can go a long way towards identifying problems and defending the firm.