Regulators Foist Do As We Say, Not Do As We Do On Wall Street
At a November 19 meeting, the Securities and Exchange Commission adopted Regulation Systems Compliance and Integrity (Reg SCI). The new rule requires stock exchanges and other market infrastructure providers to keep their technology functioning properly. The SEC's own technology failed during the meeting when Commissioner Michael Piwowar's microphone malfunctioned. The irony was not lost on the commissioner, who joked that the SEC should subject itself to the new rule. The SEC's broken microphone is a harmless symbol of a real problem: too often, the regulators writing and enforcing standards do not adhere to their own standards.
Regulation Systems Compliance and Integrity replaces the current voluntary Markets Automation Review Policy program. Under that program, stock exchanges, clearing agencies, and other entities voluntarily submit to SEC inspections of their information technology infrastructure. Two years ago, the SEC's inspector general reported that a group of staffers charged with conducting these reviews used unencrypted computers in inspections, connected them to public networks, and left them unattended in public places. Presumably these computers contained sensitive data from the examined entities. Once the new rules take effect, covered entities could face severe sanctions for similar carelessness.
The SEC's do-as-I-say-not-as-I-do attitude is evident in other areas as well. A recent Government Accountability Office report found problems with the SEC's internal controls over financial reporting. This year's problem was a significant deficiency in accounting for enforcement penalties and disgorgement, but the SEC has struggled with a variety of internal control problems with varying levels of severity for years. If severe enough and not properly mitigated, poor internal controls can result in inaccurate financial statements. Even internal control problems that do not impair financial statements are troubling at the regulator that watches over the accuracy of public company financial statements and the adequacy of their internal controls.
Last month, the GAO also identified continuing internal control problems at the Bureau of Consumer Financial Protection. The GAO found a material weakness (the most serious category of internal controls violation) in connection with the Bureau's procedures for recording and detecting inaccuracies in its accounts payable relating to its millions of dollars in overstatements. In addition, the GAO found a significant deficiency related to the CFPB's accounting for property and equipment, "which led to significant, but not material, misstatements in its financial statements." Soon after the release of the GAO report finding that the CFPB's house is not in order, CFPB Director Richard Cordray, in a hard-nosed speech, chided banks for the manner and speed in which they record customer deposits and withdrawals. Another instance of do-as-I-say-not-as-I-do.
The SEC and CFPB are not alone in setting a bad example for regulated entities. The GAO's review last month of the Financial Stability Oversight Council found transparency, documentation, and recordkeeping problems at that agency, too. The GAO explained that "FSOC has not centrally collected or monitored certain information related to its determination process that is critical for internal control activities and managing results."
The FSOC, for example, does not keep track of the key dates in its designations of systemically important financial institutions. And once FSOC has designated a company systemically important, it does not sufficiently explain to the public its reasons for the designation. FSOC's managerial problems would not be a big concern were it a toothless agency, but it has the power to remake companies across the financial system through designations and regulatory recommendations.
As these examples illustrate, regulators often hold themselves to much less demanding standards than those they apply to the private sector. In typical human fashion, they are forgiving of their own failures and ready to pounce on regulated entities for the smallest infraction. Too often, we assume that putting regulators in charge is the answer when we see problems at private companies. Because regulators also make careless mistakes and sometimes operate in an undisciplined manner, we should not count on them to keep private firms in line. The good news is that markets, which are permitted to reflect accurately the needs and preferences of consumers, will discipline companies even when regulators are not at the top of their game.