Remarks at SIFMA AML
Executive Vice President, Enforcement
New York, NY
Good morning. It’s great to have this opportunity to be with you today.
My colleague in Member Regulation, Sales Practice, Mike Rufino, will be talking about FINRA’s regulatory and examination priorities during the next session, so I won’t steal Mike’s thunder and tell you everything that he is going to say. Rather, I want to take a step back and take this opportunity to talk about something that has been the main focus of my waking hours since I took over my role as head of FINRA’s new consolidated Enforcement group last year—and that is how FINRA Enforcement can be most effective.
As many of you may know, when Robert Cook joined FINRA in the summer of 2016, he embarked on a listening tour, traveling the country and sitting down with investors, firms and other stakeholders. To ensure that FINRA is the best informed, most effective SRO it can be, last year we announced our FINRA360 project to evaluate key aspects of our operations and to identify opportunities to further our mission more effectively.
As a result of the listening tour and FINRA360, and in consultation with FINRA’s Board of Governors, we decided to merge together FINRA’s two previously distinct enforcement teams—one that handled disciplinary actions found through Market Regulation’s surveillance and examination programs, known as Market Regulation Legal, and the other that handled cases referred from other regulatory oversight divisions, known as Enforcement. This was driven in part by what we were hearing: that there was a perceived inconsistency in approach at times between the two enforcement teams. That perception is troubling. If firms don’t know what to expect from their regulator, they don’t know how to shape their behavior in order to comply with the rules.
As we integrate these two Enforcement teams, we are focused on how to ensure that the combined team will approach cases in a similar manner and reach foreseeable conclusions. To do that, we decided to get right down to basics and define what an effective Enforcement action looks like – to identify clearly our common goals.
This isn’t a change in direction, by any means; rather, it is a clarification of our existing philosophy as we bring two groups together. We wanted to be sure we are asking the same questions, and considering the same factors in the same way on the cases we handle every day. In this way, we reconfirmed the straightforward framework that the unified Enforcement team uses when we make decisions and exercise our judgement.
We want any compliance professional to be able to look at any FINRA enforcement action and say to themselves, “Ah, yes, this case makes sense. This enforcement action and sanction are what I would expect based on the facts and circumstances of this action. I can use this case to convey to the business the importance of compliance.” To accomplish that, we need to be transparent about Enforcement actions, including identifying the factors we weigh and discuss internally, and the objectives we seek to meet when we bring a case.
Today, I want to provide more insight into the principles that guide our enforcement decisions.
Now, when I said this exercise was an exercise in getting back to basics, I meant it. The first question we ask ourselves about every potential case is this: is an enforcement action appropriate?
Enforcement actions are not an end to themselves; they are a means to an end. Our overarching goal in bringing an enforcement action is to effect change. We do not bring an enforcement action for the sake of bringing an enforcement action. We bring an enforcement action to fix something that is broken or to prevent future misconduct, either by the same respondent or by another individual or firm.
Enforcement is not the only way that FINRA seeks to effect change and facilitate firms’ compliance. Our examination program is a different means to the same end; FINRA often identifies rule violations and addresses them within the examination process, without referral to Enforcement. And we have begun publishing examination findings, as Mike will surely discuss. Similarly, FINRA sends member firms report cards, and, through our Rapid Remediation program, we alert firms to potential systems issues in real time so that firms can correct the problem and potentially avoid a formal investigation.
Enforcement action, while a powerful tool in FINRA’s toolbox, is not the right tool in all cases. In fact, we must be thoughtful and intentional in order to use our finite Enforcement resources in the matters where they are most needed. To determine if an enforcement action is the right tool to use in a given circumstance, we ask ourselves: Is there demonstrated financial harm resulting from the misconduct? Has there been a significant impact to market integrity? Did the misconduct create significant risk?
When misconduct results in financial harm, we will expect the member firm or the individual who caused that harm to remediate and make the customers whole. Similarly, if misconduct actually disrupts the operations of the market, we’ll want to ensure the issue is fixed and that we, and the industry, have taken steps to prevent something harmful from recurring. In light of such significant consequences in those types of cases, we consider whether an Enforcement action is needed to further our regulatory objectives.
But the third area—when misconduct doesn’t create quantifiable harm but creates risk, whether for a customer, member firm or the industry at large—this is where most of our cases land. Often, when we ask ourselves if the best way to address a rule violation is through formal Enforcement action, what we are really asking is whether the misconduct created significant risk, such that the misconduct requires an enforcement response in order to prevent and deter future harm.
We think about risk in many ways. First, risk may be evidenced by a high likelihood of harm. For example, a firm that employs a number of brokers with sales practice disciplinary histories, but fails to implement a reasonable system to supervise those higher risk brokers, has demonstrated supervisory failure that results in a high probability of harm.
Second, risk may be evidenced by the potential for widespread harm. When the probability of significant harm is smaller, it can still be significant if the impact would be broad. Our cases regarding violations of the customer protection rule, such as firms’ capital reserves and custody obligations, fall into this area at times. Take, for example, a firm that fails to segregate its customers’ securities properly. Depending on the firm, the likelihood that a large, well-capitalized firm might fail overnight and be unable to return to its customers their securities might be low. But if it did happen, the impact of such a failure on millions of customers would be so broad and deep that the risk is serious, even if it is not highly likely.
Third, and this goes without saying, we consider the heightened risk posed by intentional or reckless misconduct. Consider two scenarios: Firm A seeks guidance from counsel about what the firm is obligated to do in order to comply with a rule. The firm misunderstands the rule, relies on incorrect guidance in good faith, and subsequently violates the rule. Firm B doesn’t understand the same rule, but doesn’t seek any guidance, doesn’t take steps to comply and subsequently violates the rule. Both firms technically violated the same rule, but Firm A, acting in good faith, poses far less risk than Firm B, whose intentional or at least reckless noncompliance demonstrates a fundamental disregard for regulatory obligations that could be – and in fact likely is – widespread and pervasive.
Another significant and similar risk we consider is the risk characterized by recidivism. This is a central tenet of our Sanctions Guidelines. Repeated misconduct after disciplinary action indicates reckless or even intentional disregard for regulatory obligations. The notion of recidivism is an important component of our approach to high-risk brokers and high-risk firms. Repeated misconduct is not only a compelling reason for an enforcement response; it also requires progressively escalating sanctions.
A broad pattern of disregarding regulatory requirements is another red flag. Consider a firm that violates a number of different rules across the organization, perhaps demonstrating different types of violations year after year. There are some firms—I’m sure none of them are in this room—that pay little heed to preventing or detecting misconduct, preferring to pay regulatory fines as a cost of doing business rather than strengthening their systems or controls. Therefore, pervasive and persistent rule violations must be viewed in context. A firm that violates a specific rule in isolation may pose different risk than a firm that violates that same rule, plus many others, year after year. The latter firm’s widespread violations indicate a fundamental lack of supervision, if not disregard for customer protections, that may pose a significant risk even when, by luck or happenstance, no significant harm has yet resulted. It may be appropriate to bring an enforcement action for a failure to implement reasonable supervision even when there has not yet been quantifiable damage.
Supervision, of course, is performed by individuals, and an individual supervisor’s failure to carry out her responsibilities is a marker of risk that we take seriously. Because the industry depends so much on individual supervisors as the first line of defense, a failure to reasonably supervise by an individual who has clear supervisory responsibilities can—and often does—create significant risk. Instances of individual failures to supervise are, therefore, often circumstances where enforcement action may be an appropriate response to incentivize that individual supervisor to approach her responsibilities with more care, and to demonstrate for other individual supervisors the importance of the role they play. Note that this is not a declaration of war on CCOs: we focus on actual supervisory roles, and don’t reactively blame compliance for the failure of the actual supervisors.
When is Enforcement action an appropriate regulatory response? When we identify misconduct that caused financial harm, significantly affected market integrity, or created significant risk for customers, member firms or the market as a whole. It isn’t rocket science. We have long considered these factors when determining whether to bring a case. But it is helpful to discuss this, because it helps us to define what it is we’re trying to accomplish through Enforcement action and it helps you to understand our expectations.
At the root of every Enforcement action there is conduct that needs to change. We want the system to be fixed, the churning to stop, the disclosures to be made. Enforcement actions are remedial in nature – we want to restore to harmed individuals what they have lost, and literally remedy the problem by fixing what’s broken. Enforcement actions should also have a preventive or deterrent effect. Enforcement actions create an overall incentive structure so that non-compliance has more difficult and expensive consequences than compliance. Otherwise, firms might choose not to expend sufficient resources on compliance.
Therefore, a behavior that causes harm or creates risk should be remedied and prevented through Enforcement action. Now, once we have a clear understanding of the behavior that requires change, the next question is this: What does a fair and effective sanction look like? In other words, how should we fashion a sanction that is best suited to effect the change in question?
Our first rule about sanctions is simple: we seek first to obtain restitution for harmed investors. We want to make sure wronged investors are made whole. That’s the most important outcome, and it’s reflected in the Financial Guiding Principles that FINRA recently published. Restitution for harmed customers is our highest priority, although there are many cases in which it is not practical because there has been no calculable financial harm.
Beyond that, what else does a fair and effective sanction accomplish? We believe a fair and effective sanction is one that is tailored to most effectively address the root of the problem.
These are the two things at top of mind when we are thinking through the right sanction in a case. First, we are thinking through the whole list of options available to us in the sanction guidelines, which have long been in place and are widely known: fines, restitution, disgorgement, expulsions, bars, plenary and principal suspensions, undertakings (such as the undertaking to hire an independent consultant), rescission, requirements to requalify, business restrictions, supervision requirements, pre-approval requirements.
We carefully consider all of these options, and we consider what other regulators find effective and whether we should adopt additional approaches. We want to choose the tool that most precisely effects the needed change. For example, in some cases the most effective sanction might be requiring a member firm to hire an independent consultant to review the firm’s systems and recommend enhancements that the firm is required to implement. In other cases—for example, where a firm has demonstrated through repeated actions that it knows what it’s doing is wrong and it doesn’t intend to fix it—an independent consultant’s advice is not likely to improve the firm’s conduct. In that case, we look to other forms of incentives or disincentives. Are increasing fines the best way to make the firm’s conduct so cost-prohibitive that it will finally choose to change? Are suspensions and bars against the firm’s supervisors the best way to change the firm’s approach to supervision? Should the firm be restricted from conducting certain types of business that it has repeatedly failed to supervise appropriately?
As we consider the sanctions that can address the root cause of the problem most effectively, we also keep in mind that a sanction should be proportionate to the harm or risk of harm posed. It should be remedial, and an effective deterrent, but it should not be excessive to the point of being vindictive.
Determining where this line falls is a challenge that we face every day. It’s the second thing at top of mind when looking at sanctions. FINRA members range from two-person firms working out of a home office to enormous, multi-national firms with vast resources. Determining a sanction for a specific respondent in light of that firm or broker’s facts and circumstances is one of the hardest parts of our job. There is no simple algorithm or formula we can use.
Of course, our Sanction Guidelines provide a wealth of guidance, including recommended ranges and the aggravating and mitigating factors we consider when determining the appropriate sanction in a case. But those considerations are judgement based, and we have long and spirited discussions with each other, within Enforcement and across departments, when we discuss sanctions. Again and again, discussions about sanctions go back to the fundamental question: what are we trying to accomplish in this Enforcement action? How do we most effectively use sanctions as a tool to help us accomplish our goals in this case?
We don’t want to just address the side effects of misconduct. We want to remediate any systemic deficiencies contributing to the misconduct. It’s not about just asking what went wrong here, but also asking why. If there was a trade reporting violation, why was there a trade reporting violation? What happened? What was broken? And was it fixed?
Fixing problems—if you haven’t noticed—is an issue we care about deeply. And it is a way that respondents can help themselves and help us effectively resolve matters. In 2008, we issued FINRA’s Guidance Regarding Credit for Extraordinary Cooperation, which discussed the value of self-reporting, extraordinary cooperation, restitution and remediation. We are currently working to update that guidance and anticipate some refreshed guidance this year. We believe strongly in credit for extraordinary cooperation, and restitution and remediation are very important factors for us, particularly in light of Rule 4530’s requirement of self-reporting under some circumstances.
In the past several years, FINRA has granted credit for extraordinary cooperation—with an emphasis on a respondent’s efforts on restitution and remediation—in a number of matters. We gave substantial credit, for example, to two firms last year that each had different but significant supervisory issues. Each of the firms spent significant time and resources analyzing the effects of its supervisory failure on customers, establishing a restitution plan early in the process and sharing its methodology with us. Each firm ultimately paid restitution, and they were assessed substantially reduced fines in recognition of their extraordinary cooperation.
In addition to credit for cooperation, we also believe a fair sanction reflects consideration of any discipline for the same misconduct already imposed by the member firm or another regulator. In a world of limited regulatory resources, every Enforcement action that FINRA brings should have unique value. Now, that doesn’t always mean that we won’t bring an action at the same time as another regulator. In the AML space, in particular, different regulators have different rules and we may need each other in order to bring a global case that addresses the totality of the misconduct. But if a FINRA case would not add unique value—for example, if another regulator sanctions a respondent for the same misconduct we would address, imposing what we consider to be an adequate and fitting sanction—we question whether it is necessary for us to bring a case. In addition, we are mindful of not only other regulatory actions, but also discipline imposed by member firms. For example, if an individual has already been suspended from her member firm for three months, we will consider that when weighing a regulatory suspension and factor it in as appropriate.
So, in sum, how do we think about sanctions? Fundamentally, we seek first to obtain restitution for harmed customers. Following that, we look for sanctions that are tailored to address the root cause most effectively; are proportionate; encourage remediation of endemic problems; and reflect credit for cooperation and discipline by other regulators or member firms. These principles all reflect that a fair and effective sanction is one that creates an incentive to comply. After all, compliance is our ultimate goal, and individuals and firms that do the right thing and make the effort should have a clear and meaningful advantage over those that do not.
Okay, if that is what we expect of the industry, I’ll now turn to what we expect of ourselves. What does the Enforcement group as a whole need to do, to ensure we are fair and effective?
For us, success means thoughtful, balanced and timely investigations. What matters most for us at the end of the year isn’t how many cases we brought, but the confidence that our investigations were well done, we identified the right issues and achieved the right outcomes. We are positioned uniquely as an SRO to leverage the industry knowledge that exists all across FINRA, and our investigations should reflect that.
Moreover, a successful investigation reflects rigorous legal analysis. I worry that past settlement documents have not always clearly identified the legal framework supporting our conclusions. We hold ourselves to the highest standards when it comes to legal reasoning, but that is only useful to you if we are transparent about our analysis. We want anyone to be able to look at a given case and immediately understand the basis for the charge. Without that transparency, we run the risk of creating confusion in the industry. We understand member firms will look at our actions to assess their own conduct.
This is particularly important in the AML space, where we often get questions, particularly about individual respondents and why they were charged. I’ll tell you candidly, we have learned from those questions how we can do better. It’s a goal for us to be as transparent as possible about the legal framework, including the legal basis for supervisory liability. We need to be clear to the industry about exactly what conduct violates the rule and why, so that you understand how to pattern your behavior. This is a challenge, because settlement documents, unlike legal opinions, are negotiated documents and we need to be fair when negotiating with respondents. But we appreciate the value of explaining clearly the basis for certain charges, especially charges against individuals in their roles as supervisors.
That need for transparency goes to sanctions too. We want to be clear and specifically identify the aggravating and mitigating factors we considered when reaching a sanction determination. And again, there are pragmatic challenges in that. When we settle a case, the language is negotiated and respondents don’t like to talk about aggravating factors in detail. We need to walk the line and make sure we characterize these aspects of the case in a way that respondents can agree is fair, but still communicates with the industry why a sanction is larger or smaller.
Transparency is particularly important in Enforcement. In order for the industry to be able to follow a rule, FINRA’s expectations have to be clear and rule violations have to be foreseeable. We want to avoid any perception of “rulemaking by enforcement.” That is why as we continue to integrate two enforcement teams, we are also thinking about our internal processes when we bring a case. In particular, we are considering how to identify any novel issues early, and ensure that we flag and discuss these issues with the rest of FINRA to develop the most effective regulatory response on behalf of the organization. Enforcement actions are one type of tool that FINRA can use to effect compliance. Other departments have other tools, and we want to make sure that we consult and collaborate early and often with our FINRA colleagues to consider issues holistically, and to think about the range of actions we might take, from an enforcement action to a Regulatory Notice or even a new rule.
A prime example of this type of collaboration is a recent case we brought concerning a product that was widely known to be complex. The product was misunderstood across the respondent firm, and as a result, we saw unsuitable transactions and a failure to supervise sales of the product. There were harmed customers that needed to be made whole, so we brought an enforcement action and ordered restitution. But we were also concerned that other firms could be selling this product without the necessary understanding of its attributes, so we knew we needed to go back to our toolbox and go beyond just enforcement action. So FINRA issued a Regulatory Notice describing what firms needed to know about these products—an example of a regulatory response that used additional tools beyond Enforcement to achieve our regulatory goals.
The question of an appropriate regulatory response brings me back to the beginning, and I appreciate the opportunity to provide a window into our thinking and approaches to enforcement with you today. While I may have come close to waxing somewhat philosophically on the topic of Enforcement and its existential purpose, I believe the additional transparency is necessary and beneficial. As I said, these are very important questions to me and to the entire Enforcement team as we build our integrated department with a focus on resolving cases with consistent, foreseeable outcomes designed to effect change—to incentivize compliance, to fix things that are broken, to make harmed customers whole and to prevent future harm from recurring.
Thank you for your time and attention.