The SEC’s compliance priorities for 2019 reveal a particular focus on cyber and data security. Key players at top consultancy Navigant consider what steps compliance officers, corporate executives, and boards of directors should take to see success in their next compliance examinations.
Each year, the United States Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) and the Financial Industry Regulatory Authority (FINRA) publish their compliance examination priorities that each respective regulator will focus on during compliance inspections and examinations in the coming year. An analysis of the examination priorities provides insight into the regulatory trends and areas of emphasis that may be the focus of examiners’ inquiries. Awareness of these priorities and the expectations of the regulating bodies is instrumental in ensuring that your institution withstands this heightened scrutiny.
This year’s examination priorities discuss both recent areas of regulatory concern and some new ones. Recurring themes from both the OCIE’s and FINRA’s annual priorities include the protection of retirement-age investors, risk-based review of mutual funds and exchange-traded funds, anti-money laundering (AML) programs, duties of best execution, suitability determinations, cybersecurity, market manipulation, and governance of market infrastructure.
“This time around, the regulators have identified newer themes that focus on the supervision of digital assets businesses, unregistered online distributors, and various disclosures.”
Both the OCIE and FINRA continue to prioritize cybersecurity and AML programs as critical compliance program elements. In addition, both OCIE and FINRA indicate that inspections of institutions offering, trading, or investing in digital assets will be an important component of both regulators’ examinations in the coming year.
The OCIE’s 2019 Examination Priorities make clear that it will once again focus on critical market infrastructure and the protection of retail investors. More specifically, the OCIE will promote investor protection by prioritizing reviews of fee, expense, and conflict of interest disclosures, as well as firm marketing of mutual funds and exchange-traded products. The OCIE will also continue to focus on broker-dealers engaged in selling micro-cap securities and their programs for preventing potential market manipulation. Regarding its oversight of critical market infrastructure, the OCIE will review compliance and risk in clearing agencies, technology infrastructure subject to Regulation Systems Compliance and Integrity (Regulation SCI), transfer agents, and national securities exchanges.
FINRA, which regulates all U.S. broker-dealers and their registered representatives, places greater emphasis on risk monitoring and on several new priorities in its 2019 Examination Priorities.
“FINRA highlighted online distribution platforms, fixed income markup disclosures and regulatory technology as new priorities.”
In addition, the FINRA 2019 Examination Priorities focus on various sales practice, operational, market, and financial risks.
Notably, both the OCIE and FINRA explicitly refer to their intention to examine firms’ participation in the digital assets marketplace. The OCIE identifies digital assets as a stand-alone examination priority, citing the significant growth of the digital asset market and the well-known risks involved. Specifically, the OCIE notes that, after identifying firms with digital assets businesses, it will assess the extent of their activities and conduct examinations focused on portfolio management of digital assets, trading, safety of client funds and assets, pricing of client portfolios, compliance, and internal controls.
By contrast, FINRA’s 2019 Examination Priorities address the supervision of digital assets in the context of operational risk and ask member firms to notify FINRA if they plan to engage in the digital assets business, even though no legal or membership requirement obliges them to do so. In addition, FINRA states that its reviews will examine compliance with applicable securities laws and regulations, as well as the supervisory, compliance, and operational controls firms use to mitigate the risks associated with such activities.
Given the SEC’s focus on regulating digital assets that qualify as securities, and FINRA’s close coordination with and oversight by the SEC, firms need to document their processes and decision-making for determining whether a given digital asset qualifies as a security. In instances where the firm offers, trades, or has custody of digital assets that are securities, compliance officers need to be prepared to furnish examiners with documentation of a robust compliance program and appropriate records to evidence compliance with applicable securities laws and regulations.
Critical market infrastructure and market access
The OCIE dedicates an entire section of its 2019 Examination Priorities to risk-based examinations of entities that operate critical market infrastructure, such as clearing agencies, Regulation SCI entities, transfer agents and securities exchanges. Generally, examiners will look to see whether critical market infrastructure firms comply with applicable federal laws and adhere to independent audit requirements. In addition, the 2019 FINRA Examination Priorities will focus on the controls and monitoring of broker-dealers that provide market access.
To prepare market access and critical market infrastructure firms for examinations, compliance departments should expect to produce their policies, procedures, and controls for review. Market surveillance technology, together with the policies and procedures for detecting and reporting improper activity, should also be reviewed ahead of an exam. Furthermore, compliance officers need to ensure that their firm reviewed and executed any corrective actions identified in previous audits or examinations and that it follows all relevant recordkeeping regulations.
Given the OCIE’s goal of protecting retail investors, a recurring OCIE examination priority is the disclosure of the costs of investing. In its 2019 Examination Priorities, the OCIE explains that its exams will focus on the adequacy of disclosures and brokerage practices where fees are charged on advisory accounts, firms’ business models create increased risks of inadequate disclosures, and firms receive financial incentives for the sale of mutual funds. Similarly, FINRA’s 2019 Examination Priorities highlight the importance of adequate fixed income markup and markdown disclosures.
Prior to an exam, OCIE and FINRA-regulated entities should review controls related to fee calculation and adherence to policies and procedures for charging of fees and expenses. Firms should review the policies, procedures, and controls around incentives for the sale of certain mutual fund classes and ensure there is proper documentation of the decision-making process, disclosures, and suitability determinations for such product sales. In addition, compliance departments need to ensure that the firm adheres to requirements for disclosures of potential conflicts of interest arising from the use of affiliated service providers and products.
Online distribution platforms
FINRA notes in its 2019 Examination Priorities that it will assess the compliance programs of firms that utilize online distribution platforms. In some instances, registered broker-dealers operate their own online distribution platforms. However, FINRA notes that some broker-dealers that partner with platforms operated by unregistered entities assert that they are not selling or recommending securities and appear to try to circumvent regulation. Nonetheless, firms that operate an online distribution platform – whether through direct or indirect involvement – should be prepared to show that all relevant compliance controls are in place. Specifically, firms that may be involved in handling customer accounts or funds, or that receive transaction-based compensation, may be responsible for customer-specific suitability analyses, supervision of communications with the public, and meeting AML requirements.
The extent of an examiner’s probe into cybersecurity compliance and preparedness will depend largely on a firm’s specific business and risk profiles, but compliance officers can generally expect an examination to cover security governance, policies, and procedures for information security, risk assessment, incident response, and data loss prevention. It’s worth noting that examinations also seek to explore the ability of firms to detect and prevent both external and internal cybersecurity threats.
“The OCIE and FINRA continue to prioritize cybersecurity and protection of customer data and their importance to risk-based compliance programs.”
Compliance officers should be prepared to provide branch-level written supervisory procedures and cybersecurity risk assessments. In addition, firms should review and update their cybersecurity-related policies and procedures, including, but not limited to, those for reporting, responding to, and managing cybersecurity incidents; customer data storage and isolation; review and selection of third-party vendors; and independent testing of cybersecurity preparedness.
Compliance officers for retail firms should be aware that examiners will demand documentation of AML programs. Both the OCIE and FINRA examinations, as they relate to AML programs, focus heavily on policies and procedures for detecting and reporting suspicious transactions, transaction-monitoring resources, including personnel and technology, and independent testing of the AML program. In addition, FINRA examiners will review firms’ implementation of the Financial Crimes Enforcement Network’s Final Customer Due Diligence (CDD) Rule, which includes both the identification and verification of beneficial ownership and risk-based monitoring.
Preparing for the AML program examination requires that compliance officers be able to produce a written AML program document, as well as additional information relating to specific policies and procedures for transaction monitoring and sanctions screening, CDD, risk assessments, and governance. Compliance officers should also have due diligence files for foreign affiliates with accounts at the firm. Additional considerations include customer, product, and jurisdictional risk assessments and sharing of management information.
As the SEC and FINRA become more focused on individual accountability for compliance failures – particularly with respect to attempts to obstruct or mislead the SEC or failures to carry out their responsibilities – it is more important than ever for compliance officers, corporate executives, and boards of directors to routinely assess the effectiveness and sustainability of their compliance programs. Ensuring the proper documentation of risk-based compliance programs throughout the life cycle of business lines and products is paramount. Proactive management of compliance and cooperation with the OCIE and FINRA during their examinations will set any securities firm up for success in its next examination.