Thomas C Baxter: Compliance - some thoughts about reaching the next level

Remarks by Mr Thomas C Baxter, Executive Vice President and General Counsel of the Federal Reserve Bank of New York, at the Fordham Journal of Corporate Counsel & Financial Law Symposium, Fordham Law School, New York City, 9 February 2015.

The views expressed in this speech are those of the speaker and not the view of the BIS.

Central bank speech  | 
10 February 2015
PDF version
(154kb)
 |  5 pages

These remarks are personal and do not necessarily represent the views of the Federal Reserve Bank of New York, or any component of the Federal Reserve System.

Introduction

Let me begin by thanking Professor Sean Griffith, the director of the Corporate Law Center, and Robert Lyons, editor of the Fordham Journal of Corporate & Financial Law, for inviting me to participate in this symposium about corporate compliance and corporate governance. Let me also thank Fordham Law School for hosting the symposium. I would also like to recognize a colleague who is with us today. He is Martin Grant, who is the New York Fed's chief ethics and compliance officer. I have had the privilege of working with Martin for the last 25 years, and much of what I have learned about compliance I have learned from him.

In the space sometimes labeled compliance, we have come a very long way in a relatively short time. In about 20 years, compliance has transformed from a nice idea to an important component of most major corporations. This is especially true in the highly regulated industries, including the industry where I have made my career, financial services. We could spend much time discussing how this transformation happened. From my vantage point, it happened because of the combined effects of the Federal sentencing guidelines, the Delaware Chancery Court's Caremark decision,1 and the post-Enron legislation known as Sarbanes Oxley. Of course, other events also fueled the transformation, and in the financial services industry, the worst financial crisis our country has seen since the Great Depression became a burning platform.

While it is always important to look back at the road traveled, I am not going to spend any more time on that particular topic. Instead, today I intend to look forward at where compliance is going, and to forecast for our future some things we should pay attention to now. I will discuss five different items, and I predict that some of the greatest accomplishments for compliance are not in the recent past but in the not-too-distant future. If we plan ahead, and if we can successfully adapt to changing circumstances in our respective industries and in the national and global economies, then 20 years from now you will listen to another keynote speaker remarking on further amazing progress for the compliance profession. In short, we are on our way to another level.

Important steps toward the next level

Most of my remarks today will be devoted to the things that I believe will get us to the next level. Let me turn to them now.

1. Ethics and compliance/values and rules

The nomenclature that is used in compliance to describe the company officer responsible for compliance has changed, and the change in nomenclature is a clue to revealing a material, substantive change. Twenty years ago, we called this officer the "compliance officer", and I emphasize the singular. Over several years the title morphed, as compliance programs developed and compliance jobs multiplied, both with respect to subject matter expertise and the types of skill sets needed to make compliance programs "take". Consequently, companies found that the compliance officer turned into the chief compliance officer, because in major companies, it took a village to get compliance done. Compliance, you see, turned from singular to plural.

More recently the title has again changed. In many companies today, the title is chief ethics and compliance officer, or CECO, reflecting a salutary trend on the part of many companies to integrate ethics and compliance. Why is this happening? In my view, it is happening in recognition of the fact that it is easier to have an effective compliance program in a company that nurtures a strong ethical culture. In a recent speech, Daniel Tarullo, a governor of the Board of Governors of the Federal Reserve System, accurately observed that "culture" is a "somewhat contested academic concept". Yet, the evidence is growing that an ethical culture produces tangible benefits, including making compliance more effective.

Recent studies attempting to assess the effectiveness of compliance programs have developed a measure called the "PEI", or Program Effectiveness Index. Early work with the PEI shows that companies combining their ethics and compliance programs tend to have better PEI scores. The reason for the higher effectiveness measure seems to be something that I find perfectly rational. Ethics programs, consisting of measures taken to inculcate organizational values, help to create a culture that is not only conducive to following rules that are embedded in law and regulation, but also conducive to compliance with company mores. A strong ethical culture breeds a more compliant culture.

The symbiotic relationship between ethics and compliance arises because of the close connection between values and rules. Ethics is about values and compliance is about rules. You obtain the beneficial symbiotic effect when the values and the rules live in harmony. A different result is obtained when you have organizational values that conflict with the rules.

One of the very exciting areas in compliance today relates to how a company's strong ethical culture can impact corporate behavior. One aspect of this behavioral change relates to the greater tendency of corporate constituents to follow the applicable rules when the culture is right. Looking to the future, I envision we will see much more empirical research that shows the benefits of merging ethics with compliance, and placing both in the hands of a trusted corporate officer with a catchy new name - the chief ethics and compliance officer. As we move to the next level, ethics and compliance will increasingly become a part of a single program.

2. Ethics and compliance as a tool for on-boarding risk

The last 20 years have demonstrated the benefit of ethics and compliance in identifying legal risk and taking operational measures to keep that identified legal risk within the organization's accepted risk appetite. In most applications, though, compliance has been the vehicle that prompts the organization to reduce risk by constraining activity. In the financial services industry, correspondent banking provides an illustrative case.

Correspondent banking is the business of effecting funds transfers for other financial institutions. Because the U.S. dollar is the international medium of exchange, financial institutions throughout the world have a need to effect dollar-denominated transfers of funds. Ethics and compliance professionals in U.S. banks have pointed out that this type of business presents several different legal risks: money laundering, terrorist financing, and sanctions evasion are the most obvious and the most notorious. There is no doubt that these compliance professionals are correct. One consequence of their being right, however, is that U.S. correspondent banks decided to "de-risk". To execute on the de-risking mandate, many U.S. correspondents stopped providing correspondent banking services to those perceived to present such risk.

As a result, certain elements of the global financial services industry now find it increasingly difficult to transact business in dollars. There is a concern by the U.S. correspondents transferring funds for Middle Eastern customers that the correspondents might unwittingly be providing services to a terrorist organization, or be enabling a person or affected sovereign to evade economic sanctions. So, the correspondents close accounts for all banks in the Middle East. Similarly, there is a concern by the U.S. correspondents transferring funds for Latin American customers that they might unwittingly be providing financial services to drug traffickers, a money laundering risk. So, they close accounts for all banks located in Mexico, Venezuela and Colombia. The de-risking exercise succeeds in its risk-reducing objective, but it succeeds in an overly broad manner by cutting services indiscriminately to so many.

The adverse and unintended consequences for certain regions of the world are clear and present. There are also implications for U.S. policy with respect to the role of the dollar as the international medium of exchange. These issues, while highly consequential, are not the object of my remarks today; rather, they are a symptom of what compliance can lead to - namely, a reason to restrict business activity. Given the size of penalties for violations, and the potential reputational damage associated with this business, it is very difficult to quarrel with the business judgment.

The success of compliance over the last 20 years has conditioned business leaders to think about compliance as a pathway to terminate or constrain a risky business relationship. However, it is possible to look at compliance in a very different way, as a two-way street and not a "one-way" street. Let me explain what I mean. A sound and effective compliance program can be used, appropriately in my view, as a tool that would permit on-boarding of what is seen as risky business.

To continue with the example of correspondent banking, if a U.S. correspondent had a sound and effective compliance program that was well tailored to identify and control the risks of money laundering, terrorist financing, and sanctions evasion, this correspondent might become sufficiently confident to on-board risk. This means that instead of closing accounts for everyone in a specific geographic area, it would continue with some of these accounts, or even open new accounts. Now, I do not want anyone to think I am saying that all correspondents can reasonably have such confidence now. At this point in our journey, I concede the need to develop greater confidence that the identified risks can be controlled at a reasonable cost. With that said, I believe that we will reach a place where ethics and compliance programs are sufficiently developed so organizations can make considered decisions to on-board risk and keep it within the accepted risk appetite by using effective controls. I look forward to that time as we move to the next level.

3. Developing the methodology to assess effectiveness

I mentioned earlier one of the promising new tools to assess the effectiveness of ethics and compliance programs, and that is the PEI, the Program Effectiveness Index. The excellent report by the Ethics Resource Center, The Federal Sentencing Guidelines For Organizations at Twenty Years, has drawn attention to standards for assessing program effectiveness. The report states: "Altogether, the lack of assessment standards and guidance on how the quality of a compliance/ethics program should influence the outcome of a matter create the impression, validated by the [Ethics Resource Center] and Conference Board studies...that too many judgments are being made inside a black box."2

While we seem to be on the cusp of a number of promising indicators, like the PEI, the truth is that we are not there yet. We simply do not have a tool that will give us an accurate and reliable measure of program effectiveness. Instead, we have a situation where enforcers (including those agencies with civil enforcement authority, such as the banking agencies) tend to be result oriented. When we see that a particular organization has experienced a major compliance failure, we tend to view the failure as evidence of the ineffectiveness of the ethics and compliance program. We reason backward, "if the program were effective, this would not have happened." I think this is natural and understandable for the enforcement community, but it is not necessarily good policy. To borrow an observation from Senator Ted Kennedy concerning the Federal sentencing guidelines, this creates "a risk that companies without substantial compliance programs will get a free ride, and those with strong programs will not receive the credit that they deserve."3

Alternatively, if there were a reliable and acceptable measure of program effectiveness, this kind of backward reasoning would be replaced by reliance on the effective measure. Institutions could use the measure when making arguments for leniency, again assuming that the measure demonstrated that their programs were effective. It might, of course, show just the opposite. And there are other, perhaps even more important, benefits. If an industry and its regulators came to have great confidence in a particular effectiveness measure, this might provide a foundation for building a program that could be used to on-board risk. Put differently, a particular organization could have confidence that its ethics and compliance program would be protective because the program had been validated by a well-accepted measure of effectiveness.

Some of the skeptics will say "you are dreaming". When I hear them, I am reminded of the words of George Bernard Shaw, and specifically the reminder to dream things that never were and ask "why not".4

4. Adaptive compliance - adding speed and agility to process and procedure

Over the past 20 years, as ethics and compliance has moved through infancy and into early childhood, we have become committed to the process and procedure that is emblematic of a program. There is much about this progression that is good. The building of compliance programs has produced real benefits,5 and these benefits have created the compliance profession. There is a risk too. The risk is that the process and procedure that is the substance of the compliance program will become a kind of iron cage, restraining innovation so that the organization cannot adapt to changing circumstances. In short, the process and procedure can stifle speed and agility.

One place where this has occurred recently is in financial services. Some institutions witnessed some malefactors violating the law and engaging in anti-competitive practices with respect to the setting of the Libor rate. Those institutions responded to very specific rate fixing abuses, but they did not envision that the abuses with respect to Libor could also be occurring in other businesses, like foreign exchange. Compliance, in this particular instance, was not adaptive. Compliance professionals, in this instance, did not show the needed speed and agility. They did not reason along the lines that "if it is happening concerning Libor then it might be happening concerning foreign exchange."

As compliance becomes increasingly routinized and subject to what the consultants would call the "repeatable process", the process can have a tendency to drive out creative thought. As creativity dissipates, so does the ability to connect related occurrences. In the next 20 years, we will need simultaneously to perform repeatable processes and to think innovatively. We will need to continue to build the routines and repeatable processes. Yet, we will also need to be sufficiently flexible to see around corners, to where new problems are emerging, and new risks to our franchises are developing. This is what it will take to be successful at the next level.

5. Attention at the top - developing protocols for escalation

I commend Fordham for focusing this symposium on compliance and governance. They are related and intertwined. The four items discussed all relate to compliance. My last item touches on governance.

As I speak with chief ethics and compliance officers, a regular topic of conversation is conflict with the business leaders who own the risk. This is a little unsettling, because during the last 20 years we have been successful in establishing as a better practice the approval of the compliance program by the board of directors. One might think that, if the board of directors approves the compliance program, then it should not be difficult for the chief ethics and compliance officer to get the business owners to pay close attention.

The devil here, as in so many other places, lies in the details. It is usually the implementation of the compliance program that causes the conflict. It is usually related to the cost of compliance, because the cost ordinarily affects how the business owner measures success, which is the size of the business' profit. The chief ethics and compliance officer will not be able to resolve the conflict easily, because compliance is a cost to the business which can make compliance the adversary of the business owner. The chief ethics and compliance officer will not want to bring a specific conflict issue to the attention of the board of directors. While this might be very effective in resolving the specific conflict, it could absolutely destroy her ability to function effectively thereafter. In a recent survey of chief ethics and compliance officers conducted by Price Waterhouse, the survey respondents identified as a problem their "struggle to gain the attention of the board of directors."6 Two specific issues were identified. One related to fear on the part of the chief ethics and compliance officer to engage in action to resolve a conflict with a key business person - a fear of losing one's job or her place in the corporate hierarchy. The other problem concerned access to the board of directors. It is one thing to go before the board of directors annually to have the compliance program approved. It is quite another to go before the board of directors to do battle with a senior executive who is probably before the board of directors on a regular basis.

One possible solution as we move to the next level is to embed ethics and compliance issues in the disciplines that are more typical of governance issues involving the board of directors. These would be issues like strategy, business goals, and risk management, all of which touch ethics and compliance. Another solution would be to create escalation pathways to the board of directors for resolving conflicts between the chief ethics and compliance officer and a senior business leader.

Conclusion

As I said at the outset, ethics and compliance have come a long way in a very short time. We have learned a great deal during the journey. As I look out over the road ahead, I believe we will continue to make significant progress in business organizations that deliver on their value proposition, not only to shareholders, but to the other constituents that these organizations serve, their customers, employees, and communities. Ethics and compliance will be an important part of that progress, provided that ethics and compliance is nurtured by a strong ethical culture, in a company following sound corporate governance, and employing the best and the brightest personnel. I am excited about the road ahead.

Thank you for listening.


1 In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del.Ch. 1996).

2 Ethics Resource Center, The Federal Sentencing Guidelines for Organizations at Twenty Years at 51 (2012).

3 Remarks of the Honorable Edward M. Kennedy, U.S. Sentencing Commission, Symposium Proceedings: "Corporate Crime in America: Strengthening the 'Good Citizen' Corporation," at 120 (1995).

4 George Bernard Shaw, Back to Methuselah: In the Beginning, act 1, Selected Plays with Prefaces, vol. 2, at 7 (1949).

5 A survey sponsored by the Ethics Resource Center from 2011 "shows that employees in companies with effective, meaningful codes of conduct and programs... witness fewer incidents of misconduct, and are far more likely to report misconduct when observed." Ethics Resource Center, supra note 2, at 2.

6 Price Waterhouse Coopers, "What It Means to be a 'Chief' Compliance Officer: Today's Challenges, Tomorrow's Opportunities" at 12 (2014).