The U.S. Securities and Exchange Commission (SEC) probably missed Bernard Madoff for 25 years or more, likely missed Allen Stanford for at least 20 years, overlooked other recent Ponzi schemes for many years and also was slow to act in the case of several other recent widespread frauds, such as the “market timing” scandals in mutual funds, stock-options backdating and the auction-rate securities meltdown. Again and again, it has been last to the scene of the crime, waiting until state regulators took the first step and forced it into action. Even if Ponzi schemes and similar frauds are hard to detect, the SEC had credible evidence from whistleblowers in the Madoff, Stanford and other recent cases. And yet it slept. What is going on here?

Deregulatory mindset helped to enable fraud

The likely answer has at least three parts. First, the SEC has recently been hobbled by a deregulatory mindset that staffers had to buy into if they were to advance within the agency. In two respects, this deep-seated bias played a particularly important role in enabling Madoff to continue his fraud. First, Bernard L. Madoff Investment Securities LLC (BMIS) was audited by a fly-by-night auditing firm with only one active accountant who had neither registered with the Public Company Accounting Oversight Board (PCAOB) nor even participated in New York state’s peer review program for auditors. Yet the Sarbanes-Oxley Act required broker-dealers to use a PCAOB-registered auditor. See Section 17(e)(1) of the Securities Exchange Act of 1934.

Nonetheless, until the Madoff scandal exploded, the SEC repeatedly exempted privately held broker-dealers from the obligation to use such a PCAOB-registered auditor and permitted any accountant to suffice. See, e.g., Securities Exch. Act Rel. No. 34-54920 (Dec. 12, 2006). Others also exploited this exemption. For example, in the Bayou Hedge Fund fraud, which was the last major Ponzi scheme before Madoff, the promoters simply invented a fictitious auditing firm and forged certifications in its name. Had auditors been required to have been registered with PCAOB, this would not have been feasible because careful investors would have been able to detect that the fictitious firm was not registered.

Presumably, the SEC’s rationale for this overbroad exemption was that privately held broker-dealers did not have public shareholders who needed protection. True, but they did have customers who have now been repeatedly victimized. At the end of 2008, the SEC quietly closed the barn door by failing to renew this exemption — but only after $50 billion worth of horses had been stolen.

A second and even more culpable SEC mistake continues to date. Under the Investment Advisers Act, investment advisers are required to maintain client funds or securities with a “qualified custodian.” See Rule 206(4)-2 (“Custody of Funds or Securities of Clients By Investment Advisers”). In principle, this requirement should protect investors from Ponzi schemes, because an independent custodian would not permit the investment adviser to have access to the investors’ funds. Indeed, for exactly this reason, mutual funds appear not to have experienced Ponzi-style frauds, which have occurred only in the case of hedge funds and investment advisers. Under Section 17(f) of the Investment Company Act, mutual funds must use a separate custodian. But in the case of investment advisers, the SEC permits the investment adviser to use an affiliated broker-dealer or bank as its qualified custodian. Thus, Madoff could and did use BMIS, his broker-dealer firm, to serve as custodian for his investment adviser activities.

The net result is that only a very tame watchdog monitors the investment adviser. Had an independent and honest custodian held the investors’ funds, Madoff could not have recycled new investors’ contributions to earlier investors, and the custodian would have noticed that Madoff was not actually trading. Other recent Ponzi schemes seem to have similarly sidestepped the need for an independent custodian. At Senate Banking Committee hearings on the Madoff debacle this January, the director of the SEC’s Office of Compliance, Inspection and Examinations estimated that, out of the 11,300 investment advisers currently registered with the SEC, some 1,000 to 1,500 might similarly use an affiliated broker-dealer as their custodian. For investors, the SEC’s tolerance for self-custodians makes the “qualified custodian” rule an illusory protection.

The ‘revolving door’ inhibits real regulation

This frames a larger question: Why does the SEC seem so willing to accept illusory protections? Here, we get to the second and deeper source of the pathology at the SEC. For decades, a “revolving door” has shuttled personnel from the relevant industry to the SEC and, after a decent interval, back again. This tendency is particularly strong in the backwater divisions of the SEC — precisely the ones that missed the “market timing” and Madoff scandals. For personnel in these divisions, the expectation is strong that they will eventually return to the “regulated” side of the aisle, and this can deter them from making waves as regulators.

At present, the Madoff scandal has so shaken investor confidence in investment advisers that even the industry trade group for investment advisers (the Investment Advisers Association) has urged the SEC to adopt a rule requiring investment advisers to use an independent custodian. But do not therefore assume that the SEC’s staff will quickly produce such a rule. A slow-moving body in the best of times, the SEC staff’s preference for inaction, foot-dragging and the status quo runs especially deep in some divisions. The staff knows that smaller investment advisers will oppose any rule that requires them to incur additional costs. Even if a reform rule is proposed, the staff may still overwhelm such a rule with exceptions (such as by permitting an independent custodian to use sub-custodians who are affiliated with the investment adviser). Nonetheless, an ounce of prevention is worth a pound of penalties. Because Ponzi schemes are hard to detect until they fail and because they are often the product of desperation (and therefore are not easily deterred), the best hope to prevent them is through prophylactic rules. Whether the SEC can formulate a meaningful independent custodian rule will be a measure of whether it can reform itself.

‘Settlement culture’ represents another problem

A third and related problem at the SEC is its “settlement culture.” Whereas young prosecutors learn to try criminal cases, young SEC enforcement staffers advance by settling their caseload. Thus, Madoff survived a series of investigations that resulted in nothing more than gentle admonitions. In 2006, as the result of one such investigation, he agreed finally to register as an investment adviser, but his registration was not followed by any examination of his books and records, either by the SEC or the Financial Industry Regulatory Authority (FINRA), despite a host of red flags.

In fairness, this settlement culture results at least in part from understaffing, but it is also the product of the “revolving door” culture that has left the SEC overly deferential to the established and powerful.

Indeed, the SEC’s inability to respond to credible allegations from whistleblowers may also reflect an insularity that comes at least in part from excessive inbreeding. The agency needs some fresh blood and should not fill every senior position from its alumni.

Shortcomings at the SEC and related agencies

The Madoff scandal exposes shortcomings not only at the SEC but elsewhere in related agencies. During the past five years, the number of investment advisers has grown from roughly 7,500 to 11,300 — more than one-third. Given this growth, it is becoming increasingly anomalous that there is no self-regulatory body for investment advisers. Although FINRA may have overstated in its claim that it had no authority to investigate Madoff’s investment adviser operations (because it could and should have examined BMIS’ performance as the “qualified custodian” for Madoff’s investment advisory activities), FINRA still lacks authority to examine investment advisers. Some self-regulatory body (either FINRA or a new body) should have direct authority to oversee the investment adviser activities of an integrated broker-dealer firm.

Similarly, the Securities Investor Protection Corp. continues to charge all broker-dealer firms the same nominal fee for insurance without any risk-adjustment. Were it to behave like a private insurer and charge more to riskier firms for insurance, these firms would have a greater incentive to adopt better internal controls against fraud. A broker-dealer that acted as a self-custodian for a related investment adviser would, for example, pay a higher insurance commission. Also, if higher fees were charged, more insurance (which is currently capped at $500,000 per account) could be provided to investors. When all broker-dealers are charged the same insurance premium, this subsidizes the riskier firms — i.e., the future Madoffs of the industry.

Under its new chairwoman, the SEC is beginning to shift toward a tougher enforcement stance. Still, if the SEC wants to signal a shift in its enforcement style, the clearest such signal would be to make more aggressive use of powers that it has to date largely ignored. Under Section 304 of Sarbanes-Oxley, the SEC can claw back bonuses, equity-based compensation and stock trading profits from executives in cases involving restatements. This would require a fight, but maybe it is time for the SEC to stop settling and start fighting.

John C. Coffee Jr. is the Adolf A. Berle Professor of Law at Columbia Law School and director of its Center on Corporate Governance.