This past October, two victims of Bernard Madoff’s Ponzi scheme filed a lawsuit against the Securities and Exchange Commission. Their complaint: shoddy oversight and controls at the SEC let Madoff continue his fraud for years, despite numerous warnings and tips.

They’re not the only unhappy ones out there. After the Madoff debacle, the SEC announced changes to prevent such lapses from happening again. Recent disclosure of insider trading by SEC employees, however, has prompted even more calls for reforms. Given the problems and resulting loss of public confidence, it appears that the best way forward for the SEC would be a better, stricter system of internal controls and compliance at the Commission. Skeptics may wonder whether such a system can be built at a government agency, but we already have one model: the FBI.

I would know. I helped build it.

In 2007, the Justice Department’s Office of the Inspector General issued a scathing report regarding the Federal Bureau of Investigation’s use of “National Security Letters.” This resulted in congressional hearings and the usual editorials critical of the FBI and calling for change. The FBI moved quickly to fix its problems, and was even lauded for that effort in a March 26, 2008, Washington Post editorial.

But the larger story is still unfolding. Unlike the usual agency response to adverse audit findings—fix the problem identified and move on—for the FBI, the criticisms of 2007 raised the question: Was there anything else out there that could take a bite out of the FBI’s credibility with lawmakers and the American people? The SEC should be asking itself the same question now.

When the FBI asked for my help in answering that question, I recommended that the FBI consider adopting the business practices suggested by the U.S. Sentencing Guidelines and corporate compliance best practices. FBI Director Robert Mueller authorized just such a program, now in its third year.

Of course, we heard the usual objections and concerns that many compliance professionals hear all the time. People noted that the FBI already had a strong audit process and was under the jurisdiction of the Justice Department Inspector General, and wondered whether another compliance program would simply duplicate efforts.

Once we responded that audit was an after-the-fact, quality-control process while compliance would be integrated into how the FBI carries out its duties on a daily basis, the concern was answered. The audit function would still be needed, yes, but it would now work in partnership with compliance.

Some of the earliest decisions that had to be made addressed the breadth of the program, its organizational structure, and how to identify and react to possible compliance risks. And, similar to the SEC’s dilemma now, we grappled with how widely the new compliance program should be applied. We asked ourselves: Since the issue that caused the FBI so much grief in the first place arose in connection with the Bureau’s investigative operations, should the compliance program therefore be limited only to the FBI’s criminal and national security responsibilities?

We decided that the program would be extended to all aspects of the FBI: investigative, human resources, contracting, information, and law enforcement services. The notion behind the decision was that if you are going to affect the culture of an organization, it can’t be done by addressing only the direct mission-related areas. (Just imagine the SEC implementing post-Madoff reforms only to its Division of Enforcement, or only to its collecting of tips from the public.)


Next was the question of how to organize the compliance program. We decided to establish an Office of Integrity and Compliance, which in turn gave rise to another traditional compliance question: To whom would this office report? The logical candidates were either the FBI general counsel or the FBI deputy director. After some discussion, Mueller authorized his immediate deputy to oversee the program.

More details were fleshed out as the process continued. Five compliance committees were established, each chaired by an executive assistant director (the Bureau’s equivalent of a senior vice president). The committees meet quarterly, and are charged with identifying and mitigating risks. I suggested that the organizational philosophy for the program should describe compliance as “the business of the business.” Translating that to the FBI meant that leaders, supervisors, managers, and employees had the duty—in addition to accomplishing their mission—to ensure that it be done in compliance with the law.

The Justice Department raised concerns about the ability of the people who “own” a problem to raise it and deal with it. The answer to that is: (1) only the people who deal with the issues on a daily basis know what and where those issues actually are; (2) the Office of Integrity and Compliance reports on possible risks at each meeting; (3) representatives from both the OIC and the general counsel are there to guide the chairs of the various committees; and (4) the chairs report semi-annually to the director.

We did encounter one problem. U.S. Sentencing Guidelines require that the organization’s governing body oversee the compliance program and be familiar with its efforts. Typically this would be the board of directors, but the FBI has no such board. To meet the spirit of the Guidelines (high-level oversight), then, we created a Compliance Council, chaired by the director, which meets semi-annually to receive reports from, and provide guidance to, the chairs of the lower-level compliance committees.

Another organizational decision was how to handle the FBI’s implementation of the Office of Government Ethics rules previously housed in the general counsel’s office. These rules are much like corporate codes of business conduct, so we moved them into the new Office of Integrity and Compliance.

I believe all of this has worked well for the FBI, and there is no reason why the SEC—or any other government agency—shouldn’t adopt a corporate compliance program. Indeed, I can think of multiple reasons why agencies should go down this road:

Breathe life into the time-honored principle of the rule of law;

Enhance transparency in government;

Improve efficiency of operations;

Gain a better understanding of the requirements of such programs in the companies they regulate;

Draw a stronger, brighter line connecting non-compliant behavior between employees and the agency;

Give the comptroller general and Office of Management and Budget better insights into necessary internal control policies;

Improve the understanding of agency budgetary requirements, by identifying non-compliance because of funding needs not met.

It seems that the SEC could have benefited from such a program, which would have required a disciplined introspection to determine whether it had in place the requisite policies, training, and monitoring to meet the challenges posed by such a sophisticated fraudster. I hope they undertake such a reform now.