ABA Section of Business Law
ABA Section of Business Law
Business Law Today
July/August 1999
It’s a question of control
Some guidelines for compliance in a scattered sales forceBy PAUL HUEY-BURNS and ROBERT FOSTER
Huey-Burns is a senior manager in the National Regulatory Advisory Services practice of KPMG, LLP, in Washington. He previously served as assistant director of the Division of Enforcement of the SEC. Foster is a senior manager in the Capital Markets Technology practice of KPMG in New York City.
Your securities company has a far-flung sales force. One of your agents has been doing something the SEC frowns on. How should you deal with and in fact prevent such problems in the future?
Of course, the securities industry is dynamic. It consistently demonstrates its ability to quickly develop new products and services in response to its customers. For example, the industry has developed new models for the retail distribution of securities products. These new models include Internet brokerage, mutual fund supermarkets and the use of widely dispersed sales organizations to service an expanding customer base. This last model involves the use of independent contractors as a sales force or dispersed offices that operate with significant autonomy. Certain banks and insurance companies, for example, have adopted this model as they develop their brokerage operations.
Firms that use diffused-sales organizations, particularly if their traditional businesses are in nonsecurities-based financial services, have run into problems with the SEC, the NASD and state securities commissions. The regulators have fined, suspended or otherwise sanctioned several firms and numerous individuals.
This article reviews regulatory actions of the past few years that have particular significance for firms that use diffused-sales organizations. It extracts from those cases (and others that involved more-centralized firms) some of the hallmarks of a good compliance system. It then discusses what firms that use diffused-sales organizations can do to develop these practices within their own organizations.
All securities firms face similar regulatory issues. They differ in their ability to exercise centralized control over their sales forces, and their willingness to use such control to bring about compliance. The traditional "wire-houses," such as Merrill Lynch or Paine Webber, exert a high degree of centralized control. Most of their representatives work from established branch locations. Branch-office managers, typically experienced representatives who have received extensive training on compliance issues, are supposed to closely supervise the representatives attached to their branches. These supervisors are in a position to transmit and enforce home-office directives, and to report troublesome representatives to the home office for disciplinary action. Of course, there are many examples of the model working better in theory than in practice.
Other firms (typically firms at an earlier point in their business development) do not attempt to exert such centralized control. Their representatives work from their homes or from small offices, staffed by two or three representatives. Such offices cannot support a branch-office manager whose focus is on supervision and compliance. These firms face the challenge of ensuring that their sales forces comply with regulations, without having the luxury of centralized control.
In the Matter of Royal Alliance Associates Inc. (1997) is the SEC’s leading statement on the compliance responsibilities of firms using diffused-sales organizations. The case involved a broker-dealer that had approximately 2,700 registered representatives located in 1,500 offices. Two of these representatives, acting independently of each other, defrauded their customers through a variety of schemes, including misappropriation of client funds, forgery, improper transfers among accounts and churning. The commission found that Royal Alliance failed to assign specific supervisory responsibility to individuals in the supervisory hierarchy and failed to establish an adequate program of branch-office supervision.
The SEC’s action focused on specific deficiencies in Royal Alliance’s compliance program, such as the firm’s practice of conducting pre-announced inspections of its offices. Although the SEC’s written opinion disavowed the suggestion that firms using diffused-sales organizations "cannot devise an adequate system of supervision," the commission warned that "such arrangements necessarily entail greater supervisory challenges." The commission stated that it would require "firms organized in such fashion to meet the same high standards of supervision as at more traditionally organized firms."
Regulators have accelerated their scrutiny of firms using diffused-sales organizations. The SEC has issued several opinions since Royal Alliance, which develop the themes articulated in that case. These include In the Matter of GKN Securities Corp. (1996); In the Matter of H. Beck Inc. (1998); In the Matter of PFS Investments Inc. (1998); In the Matter of FSC Securities Corp. (1998); In the Matter of NYLIFE Securities Inc. (1998) and, most recently, In the Matter of James Harvey Thornton and Payne & Thornton. (1999). Throughout these opinions, the commission repeats its theme that it will hold firms using diffused-sales organizations to the same standards as more centralized firms.
The NYLIFE Securities case is particularly instructive. In that matter, the commission found that the company failed to supervise two registered representatives, including one who worked in a one-person, "off-site" office, who had misappropriated funds from their customers. In particular, NYLIFE Securities had failed to conduct surprise inspections of the off-site office, to review customer files and to ensure that the manager of the relevant branch office was diligently exercising his supervisory authority.
The firm’s supervisory procedures mandated that branch office managers interview annually each registered representative for whom they were responsible. The procedures also required that regional compliance officers conduct an annual inspection of each branch office. The procedures, however, did not require the managers or the regional compliance officers to conduct further, more detailed reviews to confirm the representations made during the interviews or the information generated during the annual inspections.
In particular, the commission pointed out that the firm’s supervisory procedures did not require a review of customer files or other documents that, the commission believed, would have detected the illegal conduct. Similarly, because the firm scheduled inspections of off-site offices, the registered representative who worked off site had the opportunity to purge his files of incriminating material and advised his administrative assistant to be out of the office on the days that the inspections were scheduled.
Firms that use diffused-sales organizations, by their nature, are vulnerable to particular types of regulatory problems. Those employing a large number of independent contractors as representatives need to be concerned with "selling away." ("Selling away" occurs when a representative sells a customer a securities product that has not been validated and approved by the firm.) Firms that have a large number of remote offices, particularly if those offices are each staffed with only a small number of representatives, need to be wary of sales-practice violations, such as churning, misrepresentations and unsuitability. Firms need to adjust their compliance programs to focus on those areas that present the highest risk for the company. As we discuss below, information-management technology is one of the most important compliance tools available to firms using diffused-sales organizations.
What can a securities firm that uses such a sales organization do to develop an effective compliance system? We believe they should evaluate their systems against the elements of good compliance that have emerged from SEC opinions:
• A compliance-oriented culture — A firm must demonstrate that compliance is an important part of its corporate culture. The company must communicate enforcement directives effectively throughout the organization. It must demonstrate that it takes such directives seriously and that they will be enforced. Senior management must provide leadership on compliance issues and take "ownership" of such issues until they are resolved.
A firm can manifest the cultural aspect of an effective compliance program in several ways. First, it should establish a rigorous training program and develop a mechanism to track participation in the program. The program should include a testing mechanism to ensure that attendees understand the information being disseminated. Second, the firm should include compliance factors, such as incidents of customer complaints and participation in training programs, in performance evaluations and, particularly, compensation and bonuses.
Third, the firm must ensure meaningful discipline of personnel who violate firm policies or regulatory requirements, regardless of their position within the firm or the volume of business they generate. The firm must send a clear and consistent message to its employees (and its regulators) that it will not give undue deference to large producers when it comes to compliance matters.
In those situations where a regulator has ordered remedial action, such as the adoption of procedures recommended by an independent consultant, the firm must do so promptly. In In the Matter of Prudential Securities Inc. (1993) for example, the firm, in the context of a previous proceeding, had agreed to implement a consultant’s recommendation that its branch-office managers contact customers to determine the reasons for increased account activity. The firm failed to maintain this procedure, and senior management did not correct the failure when it came to their attention. The failure to contact customers contributed to some of the violations on which the subsequent proceeding was based, and resulted in an increased sanction.
The effective use of technology to manage a firm’s compliance efforts can be critical to demonstrating a compliance-oriented culture. A firm whose management is not focused on compliance issues may not devote the resources to integrate or adequately maintain its compliance-related technology systems. Regulators may view the resulting patchwork of compliance systems as evidence that the firm has not developed a compliance-oriented culture.
One way in which technology can improve a firm’s compliance culture is by improving communication among different departments within the firm and between the home office and remote locations. This helps ensure, for example, that compliance directives are disseminated throughout the firm in a timely and effective manner.
• Clearly defined responsibilities — A firm must ensure that compliance responsibilities within the organization are clearly defined. Procedures must be well thought out, must be disseminated throughout the firm and must designate people at appropriate levels throughout the organization to bring about those procedures. If senior management delegates responsibility, such delegation must be clear and effective.
A brokerage firm should ensure that its written procedures are thorough and detailed. Employees, especially those in remote locations who may not have frequent contact with home-office compliance personnel, should not have to guess at what is expected of them in the compliance context. Similarly, these procedures must designate persons who have enough clout within the organization to ensure that the compliance program is carried out.
One effective technique for such firms to adopt is to establish a compliance committee, which concentrates ultimate compliance authority in a small number of senior managers. Firms should also consider establishing a network of regional compliance offices to serve as a conduit between the home office and the branches. Such offices can be highly effective in responding to issues quickly and in disseminating home-office directives to the field. (The SEC ordered the firm to adopt both the compliance committee and regional compliance office structures in the Prudential Securities matter.)
The principle that a firm must clearly define compliance responsibilities explains the importance of coordinating the compliance and technology functions. Effective communication between these departments is essential. Firms should initiate periodic training programs and encourage interaction between their compliance and technology staffs, so that each group becomes familiar with the other group’s needs and the jargon they use to express those needs.
• Flexibility and redundancy — The compliance system must be flexible and redundant. The firm’s program must be able to adapt as the firm evolves. It must respond to rapid growth, new personnel and increasing decentralization. It also must have sufficient "checks and balances" to enable detection of problems if one aspect of the compliance program fails.
Ensuring that their compliance programs are both flexible and redundant is especially important for firms that have experienced significant growth or that allow their remote offices substantial autonomy. In GKN Securities Corp., for example, the SEC criticized the firm for not hiring a full-time compliance officer and other compliance personnel in a manner that kept pace with the firm’s expansion.
Flexibility is also an important attribute for the technology supporting the compliance function. Firms may go to great lengths to develop a comprehensive compliance system but tie the technological aspects of that system inextricably to the organization structure at the time. As the sales organization evolves and new tiers of compliance management are instituted, many systems cannot accommodate a different view of the compliance world.
• A rigorous inspection program — The firm must establish a rigorous inspection program. Such a program should include surprise inspections of branch offices. The staff conducting these inspections must be qualified and experienced, and the firm must act on the results.
Beyond the requirements imposed by regulations, the firm should determine the details of its inspection schedule through a risk analysis. In other words, it should evaluate a variety of factors, including the size of the office, the number of customer complaints, the experience level of the supervisor in charge and other factors particular to the firm’s business. Offices that present greater regulatory risk should be inspected more frequently. The inspections should include reviews of customer files, and those files should be cross checked against trading data and other information to detect inconsistencies.
Most important, the inspection program should include surprise inspections conducted by competent, experienced compliance personnel. The SEC and other regulators have made it clear that they will consider the substance of the inspection program, not just its form. They also consistently have rejected the argument that inspections would not have uncovered the underlying fraud where the inspections themselves were inadequate.
As in other areas, technology becomes the defining element of a successful compliance system. In a risk-based compliance environment, transactional exception reports, tracking databases and customer-complaint management systems all contribute to the rigor of the firm’s inspection process.
A well-built compliance system will target areas of focus for an examiner and steer him or her away from areas with lower risk. It will "red flag" activities of interest in regard to a particular registered representative or office. Effectively managed, it becomes the driver of the compliance process. Although there is no substitute for personal contact (which regulators insist on, in any event) an effective information management system allows a degree of centralized monitoring between inspections. It also allows periodic and surprise inspections to be more effective.
• Miscellaneous attributes of an effective compliance system — Compliance procedures must include, among other things, customer contact and review of customer files, special supervision of registered representatives where there are indications that such supervision is warranted, review of incoming and outgoing correspondence, and the generation and review of exception reports.
Firms should contact customers as part of their surveillance programs. Such contact should take a variety of forms, from so-called "happiness" letters sent at random to a cross-section of customers, to phone calls and meetings with customers who meet specific criteria. Firms can base these criteria on the characteristics of the customer. Such characteristics could include the customer’s age, financial condition or trading patterns.
Firms also can base these criteria on the characteristics of the customer’s representative. Such characteristics could include the representative’s level of experience or a history of complaints concerning his or her conduct. More generally, firms should use customer complaints to focus their compliance efforts. They must develop mechanisms to track customer complaints and review them to detect patterns and to identify offices and individual representatives who may present compliance problems.
The compliance program must require special supervision if a particular representative or office has a history of noncompliance, or if there are "red flags" that have (or should have) alerted supervisors to potential problems. In Consolidated Investment Services Inc., the SEC found the firm liable for failing to supervise a registered representative because, among other things, it failed to initiate special supervisory steps despite being aware, when it hired the individual, that there was a pending NASD complaint against him. In such circumstances, the firm must go beyond its normal procedures and respond to the specific circumstance with which they are presented. The firm also must "escalate its response" if indications of illegal conduct continue.
Branch-office managers and other persons in positions of authority must review incoming and outgoing correspondence to detect inappropriate behavior, become aware of customer problems and ensure that letterhead is being used appropriately. This is especially critical for firms concerned with "selling-away" issues.
Finally, the firm must develop a series of "exception reports," which will identify accounts with higher than normal account activity or concentrations, commission trends, early redemptions and other indications of potential improper conduct.
Technology solutions can be designed to support each of these functions. For example, a firm can provide representatives with Internet access and scanner technology (or insist that they obtain it on their own). The firm could require representatives to use this technology to submit customer documentation, such as new account forms and correspondence, electronically.
Firms should be aware of regulatory requirements concerning their creation and maintenance of required books and records. They must ensure that their policies concerning both paper and electronic documents comport with regulations. The firm can design automated filters to review this documentation and identify situations meeting established parameters for direct review by a compliance officer. Accurate and flexible exception reports and other data allow the inspection staff to be better prepared for the inspections. For example, such reports can inform an inspector of SEC trends, patterns among customer complaints and other red flags, which allows the inspection to focus on those areas presenting the greatest risk.
Brokerage firms using diffused-sales organizations should not underestimate the challenges they face as they develop their businesses. With appropriate insight and technological support, those challenges are not insurmountable.
