It is November 2013, the government of the United States has reopened, and Washington, D.C., has returned to normal—or at least what passes for normal in our nation’s capital. Of course, all of the hard decisions about budgets and funding for the government remain unresolved. Who knows what crises, shutdowns, and distortions are still ahead? At a minimum, we can assume that adequate funds for regulatory agencies remain unlikely. This is a good time to ask what we can do to protect the U.S. regulatory system from the ongoing political circus and free regulation from the uncertainties of modern government.
Law and compliance—and particularly compliance—have always had symbiotic relationships with the federal government. The government promulgates regulations, and then lawyers and compliance professionals seek to implement them. In some situations the relationship is one-sided. The government dictates, and the regulated community reacts. In other situations the relationship has gone deeper, with regulators or self-regulators actively engaging with legal and compliance professionals to encourage their input and advice, and then working with them after the fact to foster and enhance better compliance.
In every case, however, the more dynamic role has been conceded to the regulator.
Now that we have learned to suspect the constancy of that regulatory presence, the private sector needs to assume the more dynamic role. It sounds like an oxymoron to speak of “private regulation”; regulation seems inherently governmental. Nonetheless, when we examine regulation closely, we find two consistent elements: standards and oversight. The regulator establishes standards and conducts oversight. The private sector can do the same.
Private standard setting is already present at many companies. When establishing compliance programs, many firms have gone well beyond the bare requirements of binding regulations. Instead, these companies address the types of conduct they wish to foster and the risks they perceive in their own business model. This is private regulation of the best sort.
Private oversight is also possible. The essence of oversight is its provision by a third party. Government inspectors, examiners, auditors, or investigators provide an independent view of the regulated entity. Private oversight can deliver the same benefit, provided the reviewer is equally independent of the firm it reviews. Compliance consulting firms already conduct these types of independent reviews. Indeed, in some regulated communities, such as investment advisers, compliance consultants have flourished. Governmental oversight of advisers has plummeted in the last few years, and it is probably no coincidence that many advisers now voluntarily pay for these reviews to help ensure that their programs are efficient and up to date.
In short, as a matter of private policy, many firms are already regulating themselves. They have developed standards of compliance to suit themselves, not just the regulators, and have employed third-party consultants to provide private oversight. This is a positive trend.
So let us ask the next question: Can private regulation become a matter of public policy?
To a limited degree, it already has. Pursuant to the Sarbanes-Oxley Act, the Securities and Exchange Commission required public companies to disclose whether they have adopted a Code of Ethics applicable to senior officers, and if not, why not, with the aim of deterring wrongdoing and promoting honest and ethical conduct, among other things. Shortly thereafter, the SEC adopted a Code of Ethics Rule for investment advisers. Codes of ethics adopted pursuant to these initiatives are good examples of private standard setting. Perhaps there are lessons to be learned here for application in other business segments. As a form of regulation, however, codes of ethics standing alone are limited: they lack the essential element of oversight.
The provision of private oversight has also received attention from time to time as a matter of public policy, but the idea has never taken off. On more than one occasion the SEC considered requiring mandatory third-party compliance audits for the entities it regulates. When Harvey Pitt was the agency’s chairman, the SEC published the concept for public comment. Later, when adopting the compliance rules for advisers and funds, the SEC noted that it did not intend to move forward with mandatory third-party audits, although it continued to view the approach as a viable option that it might reconsider. In the early months of Mary Schapiro’s tenure as chairman, there was a great deal of discussion of this concept, and even some public hints that the SEC was considering a rule.
Again, however, the idea did not move forward. More recently, and surprisingly, the SEC made no mention of this concept in its Dodd-Frank-mandated report on investment adviser examinations. In any event, given our current experiences with Washington, the time has come to revisit this idea.
Mandatory third-party audits would ensure that a company’s compliance is periodically reviewed and tested by independent outsiders. As a formal matter, these reviews could focus on whether the entity complies with applicable requirements (see, e.g., Compliance Audits, Auditing Standards AU § 801) or whether it has deficiencies in its internal controls over compliance (see, e.g., Compliance Attestation, Attestation Standards AT § 601). Just as importantly, though, third-party auditors could ask good questions, bring the firm up to date on recent developments, test and sample, and identify areas of risk at the firm that may not be getting the attention they deserve due to the press of day-to-day business. Making these reviews mandatory would ensure that they are conducted where they are most needed: at firms that would not otherwise even consider such a thing.
Finally, as a private sector service, these reviews would distribute the costs of oversight more fairly. Audit protocols could vary in complexity, price, and frequency to fit the requirements of each market segment, from small and simple firms to the largest and most complex.
This type of generalized assessment of compliance or internal controls over compliance may sound a lot like the preventive reviews that the SEC used to conduct. That is not an accident. As regulators continue to shift from preventive oversight to more reactive risk-based investigations—in part because of their declining resources (relative to their responsibilities)—the need for private sector prevention has grown. Mandatory third-party compliance audits could meet that need.
Of course, there will always be a place for governmental oversight. Private regulation cannot substitute for law enforcement. However, if the regulators are unable to provide anything except law enforcement, then public policy should consider how to fill government’s other, now foregone roles. The private sector can provide preventive oversight. And more importantly, it can do so when the government is low on funds—or even closed.
John H. Walsh is a partner at Sutherland Asbill & Brennan. He previously served for 23 years at the Securities and Exchange Commission, where he was instrumental in creating the Office of Compliance Inspections and Examinations. (This article is for informational purposes and is not intended to constitute legal advice. The views expressed by the author are the author’s alone, and do not necessarily represent the views of Sutherland Asbill & Brennan or its clients.)