The High Price Of Non-Compliance

Sunday, June 1, 2008 - 01:00

Editor: Could you both provide our readers with your respective functional responsibilities at Duff & Phelps?

Ewing: I am in the Dispute and Legal Management Consulting group, focusing on providing advice and consulting services to general counsel and chief compliance officers, primarily in the areas of strategy and appropriate organizational design.

Warren: I am also in the Dispute and Legal Management Consulting group, focusing on financial service industry disputes and litigation. In contrast to Jim's role - keeping companies out of trouble, I deal with the problems after trouble begins.

Editor: Adam, what compliance failures would you particularly highlight in terms of the subprime crisis?

Warren: Starting with the subprime lending crisis, the first compliance failures are evident in whether proper standards were met in the underwriting process of the actual loans - whether the banks, brokers and other lending institutions in some way compromised what would be considered best practices or good policy for loan underwriting. The number of incomplete loan applications that were actually funded is staggering. The next step in compliance failure has to do with the securitization of these loans and the packaging of them for sale to the end user. The purchasers of these instruments may not have understood the quality of the assets they were buying - whether they were buying the A tranche, a very highly rated piece of paper, or the B, C or the equity tranches, which were junk status.

Editor: Going back to subprime, how much better protected are the investors in the A tranche of a CDO? Aren't all tranches in jeopardy of failure?

Warren: No, they are not. If you look at the way a CDO ("Collateralized Debt Obligation") is structured, it is kind of a roll-up process in terms of failures, and the main question is whether you have adequate securitization of your collateral. Equity is the first tranche to fail where there is a collateral shortfall, then the C, the B and lastly the A tranche. Some of the A tranches are experiencing failures in what were once the "red hot markets" such as California, Arizona and Florida. Knowing that all markets are cyclical, good investment practice dictates good investment compliance in realizing that housing markets will not continue to soar at 15 to 40 percent a year.

Editor: What you are saying is that some of the A type mortgages may still be good credits - not all the paper in a CDO is in a failure mode?

Warren: Nationally we are looking at an under eight percent failure rate, but this is an exponential difference from the historic average of one or one and one-half percent. We know that the vast majority of people are making payments on their mortgages. The people needing homes who have defaulted do not disappear nor does the real estate property. There is still some value in these homes at some market clearing price. The liquidity of this market is just not as fluid as it once was. Ask the hedge funds who are buying up pieces of the CDO's!

Editor: What guidelines should have been followed or were missing in both cases?

Ewing: The financial institutions failed to follow good standards in investment management. Money was so cheap for such a long period of time that the institutions could not get it out the door fast enough. I believe a contributor to this shortcoming was the extent to which the institution had a strong culture of compliance. Organizations with a strong compliance culture will likely see business opportunities through a different prism than those with a weak compliance culture. As an example, organizations with a strong compliance culture are more likely to weigh compliance issues early on in the product development cycle, not after the product is out into the market.

Looking back on this period, we will see that those organizations with a strong compliance culture were not the ones necessarily trying to push beyond the edges of the legal and regulatory box. Others who were aggressively moving outside the box did not understand or were unconcerned as to where the market was taking them.

Editor: How should these failures be rectified in the future? Must they be legislated by government fiat or can the organizations themselves be left to self-regulate?

Warren: My belief is the market works it out. Legislation will only cause more problems and lead to greater expenses in the long run. I think that the social displacement and individual suffering will still be there, but by letting the market work it out, the resolution will be faster and in the long run less painful.

Ewing: In mitigating the stigma that will befall the financial players, much will turn on how well the industry can show that what occurred has been more a failure of process, a failure that related to unique circumstances, but not a failure to adhere to a commitment to compliance. If the industry can somehow demonstrate that it has had this commitment and it has been doing some of the right things, but that what happened was a failure of process, it may be less harshly treated.

Editor: With instantaneous electronic trading which may fall below the radar of the best compliance programs, what can be done to assure these problems do not recur?

Warren: I spoke last fall to a group of Chief Compliance Officers and General Counsels on new trading technologies and techniques and what they mean for compliance. First, there is electronic trading plus the growth of algorithmic trading and the black box models. There are also the dark pools of liquidity - invitation only non-public markets where you don't have the transparency and price disclosure one has in a public market. These particular firms using electronic trading need the absolute best possible risk management and compliance capability - meaning you have to spend the time, money and effort on not just technology but on people and process.

Editor: What is to prevent a number of trading groups from having the same algorithm that causes them all to fail at the same time?

Warren: Mathematically, the existence of the same algorithm sometimes occurs but often one group gets the edge over the rest. The slower ones fail. The algorithms have arbitrage built into them and after a time, arbitrage gets smaller or disappears. If the market is efficient, one or two groups prosper and the others find that the returns on the identical algorithm are flat or negative. With events happening so quickly, there's more of a chance that internal controls are overlooked.

When we talk about compliance, particularly in the financial services industry which is so dynamic and changing so rapidly, I go back to the basics of a compliance culture. Where is risk identification and risk assessment taking place as it relates to the development and design of new products and services? In those organizations where by necessity there should be such an emphasis on compliance, it should be part of the initial dialog about new products and what markets they are going into as opposed to looking at compliance risks once the product is being traded. The compliance minefield is much more difficult to navigate once the product has finished its development cycle.

Editor: Jim, how do you distinguish compliance from risk assessment?

Ewing: I think of risk assessment as a component of compliance, one of the core elements and the leading element. I think about compliance as a continuum; you always start off with risk assessment which is triggered by (1) moving into a new market; (2) acquiring a new business, or (3) changes to the legal or regulatory environment. Those kinds of events should trigger an assessment internally - what should be the impact on our control environment? how might that affect our policies and procedures? how might that affect how we are understanding and reporting on risks? I see it as the first and leading step in an overall good compliance management philosophy.

Editor: What channels of communication should be used in affecting a good compliance program? Should these be across functional lines within a company?

Ewing: I believe senior management buy-in and engagement in compliance is one factor that will go a long way in demonstrating strong compliance programs in the current environment. Is senior management involved in the regular messaging about the importance of compliance to others in the company? Is it a standing agenda item at staff meetings? Is it part of the performance measurement process? Now more than ever the outside world is attuned to the old notion of management talking the talk and walking the walk.

Ewing: The compliance environment has changed so much over the last decade. What was thought of as good compliance 10 years ago, i.e., making people take certain training courses or checking a box, is no longer enough. People in the company should revisit the basic components - here's what we have to be concerned about as a business and here are the things you can do to make sure that we are acting in an appropriate manner. Those kinds of things do affect culture and should be part of basic business philosophy - the regular messaging, compliance as part of the regular dialog of management and filtering the message throughout the organization.

Editor: How can technology be utilized to further manage risk?

Warren: There are a couple of ways that technology can and should be used. One is making sure you have budgeted an adequate spend on risk management technology. The growth of the market is ahead of the ability of current technology systems to manage the risk. Too many firms short-change risk management- they all want to get into the new products and be involved in the new marketplaces but they don't realize that there has to be a concurrent growth in their ability to manage the risk and compliance issues the new products present. As part of the budgeting process firms need an adequate spend on the technology that will manage those risks. The two should grow in parallel.

Editor: How is program effectiveness measured?

Ewing: That is a challenge that organizations are grappling with. The effectiveness of a program cannot be measured based upon negative outcomes. Just because an organization has not had a serious compliance issue brought to the fore may simply mean it is lucky. Our firm tries to suggest to organizations that they follow a very balanced approach to metrics in measuring process types of operations - what training is being made available? who is or is not taking the training? who are the audiences for various compliance-related communications? how many components in the performance measurement process relate to compliance? Look at process events such as investigations - how quickly are those things dealt with? Obviously, looking at outcomes is part of the mix - what kinds of compliance failures resulting in fines is the organization incurring. Holistically, one must look at process-driven as well as outcome-driven measures to get a handle on overall effectiveness.

Editor: What more would you like to add?

Warren: It is important to be aware that the cost of non-compliance, of not having an effective compliance program and not putting enough money, time, technology and effort into compliance, may result in putting your firm out of business or subjecting the firm to regulatory oversight. Good compliance is very cheap insurance and the dollars spent upfront in having good compliance and risk management are far, far less than the cost of non-compliance.

Ewing: To piggyback on those comments - there was a time when investment in compliance was a type of blind faith, but times have changed and we see a lot more sensitivity to compliance across the whole of an organization, not just in the general counsel's or chief compliance officer's offices. We see greater appreciation for the importance of investing in a high quality compliance program.

Please email the interviewees at or with questions about this interview.