Behind the Scenes: Life as a CCO (Part 1)

By Jeffrey Hiller

Financial services compliance continues to evolve, but there are many things you just can’t learn from a book. Join us for Part 1 of our lookback at our popular series, CCO Behind the Scenes. Take advantage of the practical experiences shared by Jeffrey Hiller, a former CCO for global investment firms and SEC regulator. 

Explore Your Options: Outsourced CCO

Outsourced CCO professionals provide the unique benefit of getting a multi-disciplined professional without having to interview, negotiate, hire, onboard and maintain another employee. Oyster Consulting provides an outsourced professional who is right-sized for your organization – no more having to wonder if your candidates are qualified to meet the daily challenges of regulatory compliance for your firm. At Oyster, our outsourced CCOs provide superior capabilities for RIA and Broker-Dealer compliance backed by an entire company of industry professionals.


Transcript provided by Temi transcript services

Jeffrey Hiller:  I’m Jeffrey Hiller, Managing Director at Oyster Consulting, former Senior Counsel for the SEC’s Division of Enforcement. I’ve also served as CCO in many well-known global investment firms. I’ve seen both sides. I’ve been on both sides, and I literally helped write the textbook for U.S. Modern Regulatory Compliance. Being CCO is more than just checking boxes. There are office politics to navigate, nuances to dealing with regulators and board members, and of course, ethical issues. Join me as I share my real experiences and lessons learned from my decades in the industry. Some things you just won’t get from a textbook.

The first thing I thought I’d talk about is one that, uh, has always sort of puzzled me from the beginning of my career. I’ve probably managed 25 to 30 SEC exams over my career, and one of the questions, or first questions, that regulators always ask is, “What is the tone at the top?” I always find that an interesting question because how do you measure that and what does it mean, and what do you do about it? So after a few times, I’ve come up with a system where the first thing I do is, at the initial meeting, I always have the CEO to at least stop in and say hello and greet the regulators and know that they’re available. But more importantly, I develop a plan over the course of years so that I can answer this with substance. What I do and how I measure it is, I ensure that the CEO, when he has town halls or she has town halls, they raise questions and raise the importance of compliance for the firm.

And then, along with business and other things, that that’s really critical. The other thing which I think is most persuasive to regulators is that I ensure that my CEO rewards good compliance and sanctions bad compliance, and we build a track record of that. So when we’re asked, how do we prove tone at the top, it’s positive. I point to the specific actions that we take, and I’ve been told many times by regulators that that’s a unique, but very effective, way to do it. That sort of falls into a second item I talk about, which is, before the SEC ever comes in, they send you a document production list. You usually are given 2-3 weeks to produce all these documents. My experience has been throughout my career, that in the course of producing these documents, we also find exceptions that we weren’t aware of.

And there’s no reason to panic. There’s no reason to be concerned because you can use these exceptions to your advantage in the course of document production, right? If you find exceptions or compliance violations, fix them, and make a list of them. When the SEC comes in for your first meeting, you should say, during the course of document production, there are items that we found that are not major, but they’re out of compliance and as is our practice, we complete them and fix them immediately. Here they are, we have nothing to hide. We want you to know how the company operates. That’s another instance where the SEC really appreciates the candor and the openness of what we’re doing and shows the firm’s commitment to doing the right thing.

Another item I thought I would address is working with Boards. If you’re a CCO of an investment company, then by statute you have to meet with the Board on a routine basis in private meetings and share with them what you’ve learned, and if there are any problems that they need to know about. That’s pretty straightforward. You’ve got to be open and honest with the Board. This applies whether it’s an investment company and asset manager, or a broker-dealer.

You should be presenting, not a worst-case scenario, but the findings you have. Again, what you’re doing to reconcile them. If you find a problem, always look for more than one solution. Often the other thing I’ve done in practice, suggested by a former colleague who was a head of the Division of Investment Management at the SEC, was to always look the evening before the Board meeting, check the SEC website, see if there’s anything new that the CEO could be asked the next morning at the Board meeting. These Boards fly in from all around.

In fact, one time, I can’t recall exactly what it was, but the night before a Board meeting, the SEC came out with something that could impact everybody. So I left the one sort of paragraph bullet point with the CEO, and sure enough, he got it in the morning, went to the Board meeting at eight. One of the board members said, “Did you happen to see this in the news?” And my CEO was able to say, “Yes, I have a little write up here. We can discuss it with you.” Well, that engendered so much gratitude from him, and he got a sense of I’m looking out for him. I’m looking out for our firm. I’m looking to see that if there is a change in the SEC’s policies or procedures, their suggestions, that we’ve jumped on them immediately. And I can guarantee you, if you do that for the next 30 days, you’re going to find something that the SEC is pronouncing, that you can use.

When you review past issues, you’ve got to identify whether you have any repeat violations. If you were given a deficiency letter or notified of something about the SEC a year or two years ago, you should put that in your annual compliance report, and you should routinely, maybe once or twice a year, make a list of all prior violations to make sure they’re still fixed. It wouldn’t be unusual, with people going on vacations, with personal trading, that they can get lost. It’s not for a bad purpose, but just in the normal course; you do so much that sometimes you lose sight of those things. So I make a routine list of all past violations, and then I review them at least once a year. I also report to the Board or my bosses, or whatever, that these were prior violations, and that that’s probably the most serious kind of sanction you can have with the SEC, and then we’re on top of it. That engenders both trust from your bosses, and when the SEC comes in, they see that we are routinely incorporating what they’ve said over the last three, four, five years, or however long since the last exam, or during the course of exams. That again gives you a lot of credibility. So that is one tip that I would encourage everyone to do.

Another topic I’d like to briefly discuss is escalation. When you escalate an issue to your boss or to the Board or to others, many times I’ve had a staff member come to me with a panic: “We have an awful trade, and we need to notify everyone immediately. Totally. It is a critical and we could lose a lot of money.” One day, I brought such an issue and escalated it quickly, and it turned out that it wasn’t such a serious issue. My employee was right in flagging it to me, but I was probably wrong in escalating it until I understood all the facts.

Another important topic compliance officers have to manage is personal compliance violations. Many people at advisors and broker-dealers have procedures that they have to follow to pre-clear securities to make sure that there’s not open orders on the desk. This is usually/oftentimes automated, sometimes not. It also, in many cases, applies to the portfolio manager, the trader, or whoever involved with it applies to their family trading. It wouldn’t be unusual for someone, to their spouse or one of their children living at home, to forget they had to pre-clear and then they have a violation in those cases. I think you just need to realize that, yes, you’re going to note the violation. You’re going to sit down and talk with the employee. You’re going to talk with their supervisor and get them to understand how the process works. And most importantly, people have to understand that compliance should never, ever sanction or discipline an employee. The compliance officer or whoever is managing this, should share the information with the supervisor, should make suggestions to have the supervisor handle it and let the supervisor handle the sanction or discipline or talk and notify compliance that they’ve done it. Because, if you start sanctioning someone as a compliance officer, you become a policeman. You also become their supervisor, and that’s not what you’re looking for. You’re looking to embed a firm with a culture of doing the right thing, and supervisors are responsible for that.

As an example, one time I had a sales guy who was a CPA and he taught at the CPA American Institute. I got a note from the Institute saying that my employee had fraudulently submitted expenses, that he said that he took a plane, but he flew his own plane, said he had meals, but he didn’t, so the AICP sanctioned him. When I got the notification, I conducted a soup-to-nuts examination of everything that person had done at the firm because my theory is that if they’re going to cheat in one way, they’re going to cheat in another way. I’m always amazed by people with large incomes who take these little shortcuts that they really don’t need to take. But in this case, I presented it to the employee’s supervisor. We happened not to find anything else where he cheated the firm he was with or cheated us, but we also sanctioned him for the violation he occurred outside. We put restraints on his activities, and we entered and provided enhanced supervision of him for two years to make sure that we weren’t caught with surprises. And when the SEC came in and they requested files, they saw that we did this and they thought, “We are impressed.” And so those are a very important thing to find periodically. I would look at the email periodically. I would try and do a, or have somebody on my staff, do a Google search of people. If you find a violation, don’t assume it’s the only violation. It could be, and you could have a happy ending, but you need to do the footwork and show that you’ve done it. If you haven’t written it, it hasn’t happened.

Thanks for listening, and I hope you found this helpful. If you like what you heard, make sure to follow the Oyster Stew podcast on whatever platform you listen to. Oyster consultants are industry practitioners; we aren’t career consultants. We’ve done your job and know the issues you face. If you’d like to learn how we help firms start, run, and protect and grow their business, visit our website at

About The Podcast Speaker

Jeffrey Hiller

Jeffrey Hiller is an industry professional with over 25 years of experience, specializing in Investment Advisor services.  Prior to joining Oyster, Jeffrey was Chief Compliance Officer and Managing Director of Principal Global Investors where he created and managed the firm’s global compliance program. Jeffrey began his compliance career as Senior Counsel in the Securities and Exchange Commission’s Division of Enforcement in Washington, D.C.
