Good morning, everyone. I would like to thank the academy. Oh, I get confused.
It is true that a lot has changed and the program has improved technologically and otherwise. This is the first time I’ve been here in three years and there’s a green room, which is great. Maybe in a few years it will actually be green.
Usually, when I show up at events like this, I like to let you know if I did or did not bring enough subpoenas. Dutifully, as I came this year, I filled my briefcase with lots of them. This morning, when I was looking in my briefcase to see if I had them, somehow they were all miraculously replaced with 500 copies of Rob Khuzami’s resume. Apparently, he’s looking for a job.
I want to congratulate SIFMA and all the organizers on the very auspicious timing for a conference like this. I am sure that St. Patrick himself would be thrilled to know that the leading securities and compliance professionals in America chose to commence their conference yesterday—on the festive St. Patrick’s Day holiday.
Anyway, given one of the more popular traditions associated with St. Patrick’s Day, if you look carefully in your program, you’ll see that the organizers—in their infinite cleverness—chose to entitle my speech this morning the, uh, Hair of the Dog Kickoff Keynote.
By the way, those of you who actually checked your program just now will not be eligible for CLE credit this morning. You know who you are.
Anyway, it’s a great honor to be invited back for the third straight year to give the opening keynote address at this conference. I’m not sure why I keep getting invited back, but maybe it has something to do with the fact that every single year I waive my usual speaking fee.
Now, as you may have noticed if you follow such things, our financial fraud prosecutions continue, unabated.
Since I first spoke at this conference two years ago, there have been scores more insider traders charged and convicted; scores more smart and privileged people separated from their liberty; scores more scandals that have come to light.
We continue to see firms fold and reputations rupture. We continue to see billion dollar screw- ups and epic compliance failures.
So our work is not done, and it may never be.
When I speak to industry groups and financial professionals and business students, I usually take a lot of questions from the audience. Obviously, I’m too smart to take questions from you folks.
Anyway, members of those audiences ask many of the same questions, over and over.
One question is: why does a person with so much property and privilege and power, risk his reputation and freedom by committing financial crime?
It is an excellent, maybe even profound, question.
Why does such a person blithely cross over the legal line? It is hard to know. And I think no general answer is possible, because organizations are complex and human beings more complex still.
Is it hubris? Is it greed? Is it intemperance? Is it a belief that one is too clever to get caught? A belief that the transgressed law isn’t being enforced? Is it a simple absence of morality? Or bad risk assessment? Is it peer pressure? Is it a belief about what is demanded in the job? That nothing—no rule or regulation—can stand in the way of securing that ever-elusive competitive “edge”?
I don’t know why particular human beings do what they do.
What I do know is that, as an institutional matter, not all business organizations are equal, when it comes to ethics, integrity, and lawfulness.
History teaches that misconduct occurs more often in some firms than in others.
And experience shows that some firms are more blameworthy than others for that misconduct. And so what is the differential?
Is it a deficiency in hiring? In training? In monitoring? In communication? Is it deficient leadership, deficient culture, deficient systems? Is it a combination of some or all such deficiencies?
These, of course, are among the fundamental questions that must occupy the good people in this room, every single day.
They are among the questions whose answers must inevitably shape one’s approach to what we call “compliance,” which is of course the subject that not only brings you all together for this conference but—much more importantly I hope—joins you together in common cause as advisers to many of the most powerful financial institutions that have ever existed on earth.
Why do some compliance programs fail more often than others? That is a basic question worth spending some time on.
Now, when I use the term “compliance” this morning, I am speaking broadly about the people and the systems that are responsible for keeping a firm on an honest course—not just the particular people technically assigned to a so-called “compliance” department, but also the general counsel and outside counsel and members of important committees. And not just them, but the C-suite leaders and members of the board as well.
Why? Because the responsibility for “compliance” understood in an expansive way can never be quarantined within a cordoned-off capsule inside a company.
I mentioned a great book last year called Indispensable Counsel. At page 97, the authors write this: “If we had to roll the general counsel’s indispensable responsibility into one term, it would be ‘guardian of the corporate integrity.’” I wholeheartedly endorse that concept, and I hope you do too. And it goes not just for the general counsel, in my view, but everyone in the compliance universe at a firm.
The problem is that we don’t talk often enough about “guardians of the corporate integrity.” We rarely speak so loftily, maybe because it sounds a little bit corny.
So, there are no “guardians of the corporate integrity.” There are merely compliance officers and in-house attorneys and accountants and auditors. And on the business side, the adjective that most commonly precedes each of these titles is probably a pejorative like “pesky.”
And so people sometimes shrink into small-bore bureaucrats, instead of growing into big-picture leaders.
They dwell on specialized reporting requirements, at the expense of universal ethical duties. They obsess about checking some box, but forget to check their gut.
They decree myriad mandatory trainings, which just cause fatigue. They circulate countless email updates, which just cause confusion.
And they issue thick and convoluted compliance memos, which just cause paper cuts.
This is not to say that training sessions and policy manuals should be junked. Of course not. But they have to be part of a larger purpose, part of a larger message, part of a larger value system.
Just imagine if we had our entire criminal code and regulatory structure, whether it’s related to securities fraud or anything else, but no Constitution.
Every institution, whether it’s a country or a company, needs a charter of first principles that are everlasting – not just a hodgepodge and mishmash of bureaucratic rules and requirements.
One problem, it seems, is that the broad compliance function too often seems alien from the goals and mission of the company.
You can almost visualize the compliance apparatus at some firms as sitting awkwardly atop the company like some ill-fitting beanie, instead of being part of the lifeblood of the company itself, as it should be.
And therein lies a part of the problem, and I think an important part. You see, “compliance,” at least as a term, if not as a concept broadly and properly understood, has an image problem.
Just consider the term, “compliance.”
It is narrow. It is cramped. It is uninspiring.
It connotes something reactive and reflexive—there are rules and they must be complied with.
It conveys no affirmative notion of integrity or honesty or fair dealing. It conveys nothing about any core value.
It doesn’t hint of anything that brings profit or reward to the firm, only the veiled threat of harm if some kind of obedience is not paid.
But beyond the relative poverty of the term, “compliance” has other significant challenges and problems.
Let me sketch out some of those challenges and suggest a couple of ideas as food for thought.
First, the compliance folks are often seen as aliens by the business people—Martians with little or no understanding of the perils and pressures attendant to a lightning-fast, intensely competitive workplace.
Let me mention two quick anecdotes.
When I spoke to the first-year students at Harvard Business School last month as I have done in the past, I witnessed a telling classroom discussion centered on the need to consult with lawyers and compliance folks before taking certain actions, and always when one is not fully clear about the rules.
Who could argue with that? When in doubt, elevate.
But a student raised his hand to say, “Look, when I am making business decisions, I have to move quickly. I’m dealing in seconds and minutes. The compliance people move at a different pace—more like months and years. I just can’t waste a year of my life by calling compliance.”
The whole room cracked up in the kind of knowing laughter that suggests a truthful chord had been struck.
Second story—not too long ago, I met someone who took over as the head of compliance at a major company and when she arrived, someone had distributed within the compliance department mugs emblazoned with a simple slogan: “Just say no.”
The mugs were obviously likely meant as a joke, but they undoubtedly reinforced a pejorative perception.
Now, the new head got rid of the mugs, but it highlights what I think is an overly stark discordance and disconnect between those who are supposed to be guardians of the corporate integrity and the corporate body itself.
If we are to expect rank and file employees at a company to elevate issues, to seek consultation, and to stay on the right path, going to compliance has to be a smidgen more pleasant than a trip to the dentist.
I know I’m not making a groundbreaking point here, but I think you need to understand the prosecutor’s perspective on this.
If there is a culture of non-consultation and non-elevation and consequently bad or questionable conduct goes undetected and unchecked, that is the company’s problem. It is a serious one, and it will properly be held against the institution no matter how nice the compliance program looked on paper. And we have seen examples of that time and time again.
Second, as I’ve mentioned, the compliance project at many firms seems sometimes overly focused on technical box-checking and memo-writing, at the expense of something more basic. Again, those things should not be jettisoned, but they are not enough.
The task of keeping a company on the straight path is beset on all sides not just by the difficulty of interpreting complex regulations and by the complexity of identifying red flags in torrents of Big Data, but also by the vicissitudes of human nature.
Getting people to listen and report and sound alarms and seek advice requires more than email reminders—it entails understanding what motivates real people in real life, people with vulnerabilities and fears and biases and every other ordinary human failing and foible.
The funny thing is that every successful business leader understands this—no one would think that email reminders alone can spark creativity or spur productivity or advance morale. It takes a lot more. But somehow when we get to talking about ethics and compliance, these long-term and long-known leadership lessons often get short shrift, and I am not sure why.
At a conference in London last year, I heard the global head of compliance of a Fortune 50 company put it this way: “I earned a degree in psychology in college before I earned my law degree. And I have found that in this job, which is all about motivating people to act better and modifying ordinary people’s behavior, I find myself relying much more on my psychology degree than on my law degree.”
I think there is a lot of wisdom in that insight.
In a related vein, I have always loved what I read in a column by David Brooks in the New York Times last May. He wrote: “It is worth noting that you can devote your life to community service and be a total schmuck. You can spend your life on Wall Street and be a hero. Understanding heroism and schmuckdom requires fewer excel spreadsheets, more Dostoyevsky and the Book of Job.”
I am not saying that compliance departments should start assigning Russian literature, but I think you get the broader point.
Finally, what these common deficiencies sometimes boil down to is the absence of an animating principle, clearly communicated, that undergirds the whole purpose and point of the compliance enterprise—i.e., to be the guardians of the corporate integrity.
Too often the compliance function seems narrowly reactive only to what regulators want and expect.
Here’s a newsflash: regulators and the regulations they promulgate are not perfect. Don’t tell anyone I said that.
But we hear at conferences and in training materials everywhere the constant refrain—do X because that is what regulators expect; do Y because regulators will more likely be persuaded that you discharged your duty.
Now, that’s all well and good.
But it can’t be the only thrust of the compliance enterprise. When it is, one is at risk of earning the narrow, cramped, and uninspiring reputation that the term “compliance” connotes.
It’s like teaching to the test.
You’re forgetting about the core value of education. When you teach to the test, you’re not explaining to students that what’s important is the value of education and curiosity and wisdom, you’re teaching them you’ve just got to get some answers right on the test. The same thing is true if the only focus is on making sure that there’s no regulatory or enforcement action.
Over the weekend I read SIFMA’s own just-released sequel to its Role of Compliance white paper. I think it’s called Compliance Strikes Back. I was wrong.
I want to take gentle issue with the white paper in a couple of respects. As helpful and instructive as it is, it falls a bit into the pattern of being regulator-reactive.
Here’s one example. In a section called “Follow-up,” the white paper says this:
“Not only must Compliance consider the quality of the advice that it provides to business personnel, but in certain instances such as when it becomes aware that significant advice is not being followed, it must also take appropriate measures to follow up on the advice that it has given. Compliance …must take reasonable follow-up action …Recent cases, such as Urban, show that regulators may not consider a Compliance officer’s duties to have been fully discharged once he or she has provided advice.”
So follow up is important so the regulators won’t get mad. I guess that’s true.
But for the record, follow up is basic leadership and management—and I understand that there is a need to warn of liability if proper follow-up is not done, but when the message is solely regulator-focused, some part of its strength is inevitably diluted.
Every supervisor in every division of every company has to engage in follow up.
The broad point of compliance is to keep the company risk-free and healthy into the long term; it is to keep it in line with what should be a central value of every company—to deal honestly, to act in good faith, to follow the rule of law, and to maintain a good reputation. That’s what leads to long-term stability for the company.
Good leaders don’t allow simple and understandable and compelling messages like that to get lost in an ocean of jargon and legal mumbo jumbo, as necessary as that ocean might even be.
And yet, I see manuals and articles and presentations that always begin with the minutiae, rather than the main point.
Values are about the forest more than the trees.
I recently met a hedge fun General Counsel and asked what he did to welcome people who came into the firm. He said, very proudly and he was right to be proud of this, that he met with every single person who came to the firm and had a personal session with them so that they would be familiar with him and be comfortable coming to him. He said I take them through a lot of the regulations and what the requirements are, and I take them through recent changes in securities laws, and I check through a lot of different things.
And that’s terrific.
But I wondered how did he begin the talk?
Did he begin the talk with a simple and strongly-delivered message: Here’s what you need to understand about this place—we don’t cheat and we don’t steal and we don’t lie. If you do, you’re out, simple as that. We have zero tolerance for any kind of that nonsense. That message, I submit, will sit a lot longer than the ocean of minutiae that will follow.
And yet, I don’t know how often simple messages like that are delivered.
There is a helpful passage in the White Paper about the value of adopting mission statements that describe and convey the overall purpose of compliance—but, respectfully, I am not sure it should have been relegated to footnote 16. I think those things should be communicated a little bit further up.
Now, I am not a regulator or a policy-maker or a CEO or a corporate consultant or an ethics expert. I am just a prosecutor, armed with incredibly blunt instruments when it comes to affecting corporate culture and integrity.
But for what it’s worth, let me offer three humble observations on what might be of value as people think about why certain compliance programs fail and others do not. They have to do with hiring, promotion, and compensation.
First, as a preliminary matter, what makes any organization successful is the people who comprise it.
There is nothing more basic than that.
If one is to be a guardian of the corporate culture, one has to be a responsible sentry at the entry level.
It is much harder to train a fundamentally dishonest employee to fight his dishonest impulses than it is to supervise an honest employee. And much greater care needs to be taken in the hiring of people.
I’ve made this point many times, but it is worth repeating because nothing is more important to the stability of the firm than the character of the people who are permitted to join it.
As they say in a different context, garbage-in, garbage out.
And yet, I still see precious little talk and discussion about hiring good people as part of any holistic approach to compliance. A lot of things you hear about occur after the cake is baked with all sorts of bad ingredients in them.
Second, as I have already mentioned, leaders must communicate core values and integrate those values throughout the firm.
Management has to embrace fundamental principles and convey not just what people are supposed to do, but why.
They must convey why it is important to stay on the right side of the law, far from the line, and it should be for reasons that are larger than simply because the bureaucrats at the regulatory agencies want it that way.
They must communicate that the institution will not tolerate ethical lapses; that zero tolerance is the order of the day.
They must express appreciation for all those who serve as guardians of the corporate integrity.
It can sometimes be difficult to be in the compliance department. As I sometimes say, in certain places where it’s not going well, it’s akin to a not well-considered Internal Affairs Bureau at a police department.
But the way to deal with that is the way that good leaders deal with it in police departments. Ray Kelly, who is a great friend of mine and the police commissioner in New York, has made it a point to give a lot of power and authority and respect to the head of the Internal Affairs Bureau at the New York City Police Department.
Recently, about a year and a half ago, we had occasion, sadly, to arrest eight of New York’s finest because of significant crimes they were committing. The head of the organization, the “CEO” of the Police Department, Ray Kelly, stood at a podium, along with the head of Internal Affairs, and talked very persuasively, poignantly, and powerfully about why it is that you can’t tolerate that kind of nonsense at a police department.
And people recognize that. And people see that. And it sends a message within an institution— whether it’s a police department or financial institution—that the boss actually cares about those things.
But, in the end, good compliance requires not just good words, but good deeds and good action. Tone at the top is important but it has to be matched by concrete conduct on the ground and in the field.
Companies need to think about putting their money where their mouth is. It is not enough to say how important integrity is.
The financial industry can and should do a better job of incentivizing ethical conduct in tangible ways.
In an environment where people are driven largely, if not entirely, by making money, capitalism ethics should be relevant to the way employees are evaluated and compensated.
There needs to be more than just lip service through statements about culture and ethics and values, which can take on the air of facile and perfunctory homilies. Managers need to put their money where their mouths are by actually making it a real consideration in promotion and compensation.
Imagine if, in a prosecutor’s office, we promoted only the best trial lawyers with no regard for how ethical they were.
Imagine I have two prosecutors in my office, one is better at trials and case-making, but on a couple of occasions his initial judgment on disclosure was not great. It turned out okay because that person was just a line prosecutor and there was a supervisor with better judgment, and a bad thing was avoided. In time, maybe that person could be trained, but there was at least a minor question in a particular case about his ethical judgment.
The other is slightly less talented but always demonstrated absolutely impeccable ethics, candor, and judgment, and there would be not even a hint of worry if she were completely autonomous.
Which prosecutor would you want me to promote? Which is the lower risk? Which prosecutor is better for the long-term reputation of the office? Which prosecutor is better, more importantly, for the wise exercise of discretion and administration of justice?
So these things should matter in promotion. It’s not an easy thing to do.
A focus on ethics and integrity can also be worked into the compensation scheme, as a valuable incentive.
That’s not something we often see. In fact, what we often see is how whistleblowers are marginalized and how sometimes their career trajectories are stymied. We also see perverse and destructive incentivizing. Incentivizing people to do the unethical thing.
Let me give you just one example:
We have seen underwriters compensated for how many home loans they approved rather than for how many they processed.
Think of how perverse that is.
Perverse incentives that encourage unethical conduct abound.
It is up to people, like you folks, working with companies to figure out how you can incentivize in a tangible and real way ethical conduct.
When was the last time a whistleblower was given extra compensation by his or her company—I don’t mean by the Government under the False Claims Act or Dodd Frank. I mean by the employer? I think it’s pretty rare.
Firms can do more than merely protect the whistleblower from harm.
After all, isn’t sounding the alarm worth something? Worth something more than a pat on the back and the protection it is already offered by the law?
In the long run, that is money well spent, if you consider the devastating impact of even one employee missing the message. It is not just the right thing to do, but the smart thing to do.
In the end, why take the straight path? The French philosopher Montagne put it this way:
“Were I not to follow the straight road for its straightness, I should follow it for having found by experience that in the end it is commonly the happiest and most useful track.”
Good luck traveling the straight road, and please stay under the speed limit. Thank you.