Overview of 2017 SEC, FINRA Regulatory Priorities
The SEC’s Office of Compliance Inspections and Examinations (OCIE) and FINRA have released their 2017 examination priority letters, highlighting areas of examination focus for the year. Given that there are many common concerns, this article summarizes both letters, highlighting topics common to both investment advisers and broker-dealers, followed by topics specific to investment advisers and, finally, those specific to broker-dealers.
FINRA CEO Robert Cook notes that a common thread through their priorities is a focus on the “blocking and tackling” issues of compliance, supervision and risk management. Likewise, many of OCIE’s priorities have been the subject of Risk Alerts or priority letters in recent years. OCIE stresses that their exam program is “data-driven and risk-based” and incorporates extensive data analytics to identify industry practices and registrants that appear to have elevated risk profiles.
OCIE continues to shift resources from broker-dealer to investment adviser examinations, and saw a slight uptick in advisers examined in 2016. Due to the transfer of resources, OCIE will enhance its oversight of FINRA, assessing the quality of its exam program. In addition, OCIE will focus on money market funds’ adoption of new liquidity rules and oversight over market participants such as the exchanges, clearing agencies and transfer agents.
In 2017, FINRA will introduce electronic, off-site reviews of selected risk areas to supplement its on-site cycle examinations. They also intend to publish a summary report outlining key findings from examinations in selected areas.
Areas Common to Investment Advisers and Broker-Dealers
Electronic Investment Advice
Given the rise in automated or digital platforms to provide investment advice, OCIE will examine firms offering such services, whether the automated tool is client-facing (often called a “robo-adviser”) or supports a financial professional in the investment program (“quantitative model”). This is a new focus area in 2017, and examinations will look at compliance programs, marketing, investment recommendations, data protection and compliance oversight of the algorithms that generate recommendations.
Recidivist Representatives and their Employers
Both OCIE and FINRA are focused on advisers and broker-dealers that hire individuals with a track record of misconduct. Examinations will focus on the controls in place to oversee and supervise such individuals. In September 2016, OCIE issued a Risk Alert regarding the supervision practices at investment advisers and called attention to individuals with a history of disciplinary events, including those that have been disciplined or barred from a broker-dealer. FINRA established a dedicated unit to identify and examine brokers who may pose a high risk to investors.
Branch Offices
In December 2016, OCIE issued a Risk Alert regarding investment advisers with multiple branches and operations geographically dispersed from a main office. In it, OCIE announced the launch of the Multi-Branch Adviser Initiative to examine such investment advisers to determine the effectiveness of compliance programs.
Likewise, FINRA evaluates firms’ branch office inspection programs and supervisory systems for branch and non-branch offices, including independent contractor branches. Advisers and broker-dealers with branch offices should ensure that their compliance programs and supervisory systems provide the necessary oversight and control.
Senior Investors
In 2013, OCIE and FINRA published the National Senior Investor Initiative, highlighting trends and practices identified during exams to assist firms in considering their policies and procedures in this area. The regulators will continue to examine how firms manage interactions with senior investors, including the ability to identify potential financial exploitation of seniors. Specifically, FINRA will focus on microcap fraud schemes targeted at senior investors. In addition, OCIE will continue its multi-year ReTIRE initiative, focusing on investment advisers and broker-dealers and the services they offer to investors with retirement accounts, including recommendations and sales of variable insurance products and sales and management of target date funds. Examiners will review controls surrounding cross transactions, particularly with respect to fixed income securities.
Wrap Fee Programs
OCIE intends to expand its focus on investment advisers and broker-dealers associated with wrap fee programs, building on previous exams of wrap fee program sponsors and the investment advisers to such programs. OCIE will examine whether investment advisers are meeting their fiduciary duty, suitability, effectiveness of disclosures, conflicts of interest and brokerage practices, including best execution and trading away from the sponsor firm.
Operations
Cybersecurity. Cybersecurity threats remain one of the most significant risks an organization faces, and the regulators intend to assess procedures and controls a firm has in place to protect its infrastructure and client data. There is no “one-size-fits-all approach,” and firms are expected to assess their individual risks and implement appropriate programs. Firms with branch offices should also consider controls in those branches, especially independent contractor locations.
Anti-Money Laundering. FINRA and OCIE will examine broker-dealers to determine whether AML programs are tailored to a firm’s specific risks, how firms monitor for suspicious activity and how firms meet their suspicious activity reporting requirements.
Share Class Selection
As discussed in its July 2016 Risk Alert, OCIE will continue to review conflicts of interest and other factors influencing the selection of a particular share class of a mutual fund. Investment advisers making such recommendations should ensure that they are upholding their fiduciary duty to clients in the selection and that conflicts of interest are fully disclosed in the firm’s ADV. Broker-dealers should also be diligent to ensure that investors are purchasing the lowest cost share class available.
Municipal and Public Pension Advisers
Advisers to state and local governments and their pension plans have specific risks, including restrictions on political contributions, gifts and entertainment, as well as compliance with Municipal Securities Rulemaking Board (MSRB) rules. Advisers should also ensure that they are properly registered with the MSRB and that municipal advisor representatives pass FINRA’s new Series 50 exam as necessary.
Investment Adviser Areas
Private Funds
As in years past, OCIE will continue to examine private fund advisers, with a focus on conflicts of interest, the disclosure of those conflicts and actions that appear to benefit the adviser at the expense of investors.
Never-Before Examined Investment Advisers
OCIE is expanding its “Never-Before Examined Adviser” initiative, as described in their 2014 letter, to include focused, risk-based examinations of newly registered advisers as well as existing advisers that have never been examined by OCIE.
ETFs
OCIE’s attention with respect to exchange traded funds lies in two areas. First, they will examine sales practices and disclosures involving ETFs, in particular the suitability of a broker-dealer’s recommendation to purchase ETFs with niche strategies. In addition, OCIE will review ETFs for compliance with applicable exemptive relief and the unit creation and redemption process.
Broker-Dealer Areas
Sales Practices
Product Suitability and Concentration. FINRA continues to observe instances where firms recommend unsuitable products to customers, including situations where the customers do not understand important product features. FINRA will review how firms conduct suitability reviews, including the supervision of that process. FINRA will also review the controls firms use to monitor for excess concentration in client accounts.
Trading Practices. FINRA will evaluate firms’ ability to monitor for short-term trading of products designed for long-term investments, such as mutual funds, variable annuities and unit investment trusts. Such trading may result in increased costs to clients. Firms should consider whether their supervisory systems can detect activity intended to evade automated surveillance for excessive switching activity.
Outside Business Activities and Private Securities Transactions. FINRA will continue to examine a firm’s procedures with respect to a registered person’s outside business activities and private securities transactions.
Electronic Communications. FINRA reminds firms of their supervisory and record retention obligations with respect to social media and other electronic communications. A firm must capture and retain all business-related communications in such a way that the firm can review them for inappropriate conduct.
Operational and Financial Risk
FINRA has identified a number of operational and financial risk management issues. For example, it will evaluate whether a broker-dealer has an effective liquidity risk management plan, including sufficient sources of funding, rigorous stress testing and contingency plans. It will also review firms’ implementation of the new margin requirements under Rule 4210 for covered agency transactions.
Operationally, FINRA will review how a firm tests its internal supervisory controls. It has observed weaknesses in data quality, record retention and disclosure delivery. Firms with significant increases in the scope or scale of their business or compliance system conversions should review their processes. In addition, FINRA will review a broker-dealer’s compliance with Regulation SHO regarding short sales.
FINRA will also review a firm’s controls and supervision to protect customer assets, including segregation procedures. It has observed that some firms engage in transactions designed for no other purpose than to reduce their asset segregation requirements under the rules.
Market Integrity
Ensuring market integrity is critical and a number of initiatives have been identified in this area. OCIE and FINRA stress the duty of broker-dealers to seek best execution when handling or routing transactions. Firms should also ensure that payment for order flow disclosures are complete and accurate. FINRA also will review compliance with the market access rule, exams of alternative trading systems and continuation of the Fixed Income Securities Surveillance Program, Tick Size Pilot and the Audit Trail Reporting Early Remediation Initiative.
Conclusion
While OCIE and FINRA may not have introduced many new focus areas this year, their continued focus on the topics addressed should direct investment advisers and broker-dealers to ensure that their compliance programs remain effective. Further, this list is not exhaustive and the regulators will likely identify new risk areas throughout the year. Firms should continue to advance their compliance programs, finding better ways to improve their analytical capabilities and focus on identifying and mitigating risks.
NOTE: The SEC Exam Process will be one of the key content tracks of Ascendant’s upcoming conference on April 3-5. During the course of the conference, we’ll take you through a typical SEC exam journey, highlighting the lessons we’ve learned in the field alongside compliance teams just like yours. We’ll go through all essentials, from how to respond to the SEC’s information requests, to handling the in-person interactions, to the exit interview and responding to a findings letter. For more information, view our agenda by clicking here, and registration information by clicking here.
Ascendant Joins Compliance Solutions Strategies as Anchor Firm
Ascendant Compliance Management, a leading compliance consulting firm, today announces its partnership with Compliance Solutions Strategies (“CSS” or the “Company”), a newly founded global compliance risk management company launched by CIP Capital, LLC.
The CSS platform was created through CIP Capital’s investments in three leading businesses in the governance, risk management and compliance (“GRC”) market: Ascendant, Advise Technologies, and The MoneyMate Group. This strategic combination of three leading organizations will result in a global platform that leverages software across a broad range of solutions to enable clients in the financial services industry to meet mandatory regulatory and compliance requirements.
“We’re very enthusiastic about our partnership with a team that has recognized Ascendant’s industry-leading talent and entrepreneurial spirit,” said Jon Higgins, Ascendant president and CEO. “One of the compelling and symbiotic aspects for us is CSS’ strategic and business philosophy, and we look forward to expanding services and solutions for our clients and increasing our international footprint.”
The CSS platform provides a comprehensive technology-enabled offering encompassing regulatory reporting, data management, outsourced compliance management services, compliance workflow tools, shareholding disclosure, trade monitoring, trading analytics and cybersecurity solutions. The Company focuses on serving the global financial services industry and collaborates with a large client base across asset managers, alternative investment funds, investment advisors, broker-dealers, banks and insurance companies. The platform offers expertise in an extensive range of regulatory requirements including AIFMD, CPO-PQR, Form ADV, Form PF, MiFID II, N-MFP, N-PORT, Rule 206(4)-7, Rule 38a-1, Solvency II and PRIIPs, among many others.
Key products across the platform’s current offering include Consensus, Signal, Vault, Ascendant, ACM, Trade Blotter Manager, Accudelta, Silverfinch and Longboat Analytics. The Company maintains a global footprint across both the United States and Europe with offices in locations including New York City, Salisbury (CT), Dublin, London, Paris and Amsterdam. The senior executive teams of all three companies will continue to run their respective businesses as part of the CSS platform.
“The financial services industry faces significant operational challenges and headwinds from the complex and ever-changing regulatory environment,” said Jim Casella, who will serve as Chairman and CEO of the CSS platform and be based in New York City. “Now more than ever, firms need to leverage technology and software to ensure compliance with a broad range of non-discretionary regulatory requirements in a transparent and efficient manner. This unique combination of Advise, Ascendant and MoneyMate will provide the industry with a strategic partner for regulatory compliance.”
CSS will streamline these challenges faced by the financial industry by integrating services and technology to ensure the most effective and efficient solutions for clients. Ascendant leverages the experienced and diverse backgrounds of its team members to offer innovative compliance consulting to investment advisers, investment companies, broker-dealers and more; Advise focuses on regulatory intelligence software tools that work simply and intuitively; and MoneyMate specializes in fund data technology, working with stakeholders across the investment lifecycle to achieve better access to data.
By synergizing their offerings and creating a diversified platform of solutions, CSS can uniquely serve a global customer base and ensure the client’s full service from the outset of the trading cycle until post-compliance.
“Advise, Ascendant and MoneyMate have each developed a range of innovative solutions in response to the needs of their clients,” said Bobby Kelly, Managing Director of CIP Capital. “We look forward to serving as their partner as part of the combined platform and providing additional resources and further investment in order to better serve our global client base.”
SEC Examined 11% of Advisers in 2016
The SEC met its stated fiscal year 2016 goal by examining 11 percent of the investment adviser pool. The SEC released the results as part of its annual Summary of Performance and Financial Information.
That number presents a one percent uptick from fiscal year 2015.
Out of the estimated pool of 12,200 investment advisers, that amounts to roughly 1,342 advisers that were covered. Under recently departed SEC Chair Mary Jo White, the SEC shifted personnel from broker exams and explored third-party exams as a way to boost its examination efforts. It’s not known whether that initiative will be pursued by incoming SEC leadership.
However, in January’s National Exam Program Exam Priorities 2017 release, the SEC said it would be expanding its “Never-Before Examined Adviser initiative” to include focused, risk-based examinations of newly registered advisers as well as selected advisers that have been registered for a longer period but have never been examined by OCIE.
Despite the seemingly low number of advisers looked at in 2016, many advisers receive some touch from SEC examiners. During Ascendant’s recent ComplianceCast, “SEC Exam Priorities: What’s Between the Lines & Behind the Scenes,” 74 percent of attendees said their firms have been examined by the Commission.
The SEC cast a wider net on investment companies, examining 17 percent of them in fiscal 2016, exceeding the internal 15 percent projection. Meanwhile, broker-dealers saw 50 percent coverage.
Inside the SEC Exam Program
The SEC’s Exam Program will be a major focus of Ascendant’s upcoming conference on April 3-5 in Naples, Florida, taking attendees through a typical exam journey, highlighting lessons we’ve learned in the field alongside compliance teams and regulators. We’ll go through all the essentials, from how to respond to the SEC’s information requests to handling the in-person interactions to the exit interview and responding to a findings letter. Here’s a look at our SEC Exam track. For more information on the conference, click here.
SEC Exam Track Sessions
- Special Presentation: SEC Data Analysis of Investment Managers
- SEC Exam Part 1: First Day Letter & Exam
- SEC Exam Part 2: What Happens When Regulators Are in Your Office
- SEC Exam Part 3: The Exit Interview and Responding to a Findings Letter
- What You Still Want to Know About SEC Exams
Cybersecurity & 2017 SEC Exam Priorities
In September 2015, the SEC announced it was starting Phase 2 Cybersecurity Exam Initiative exams in which the SEC started doing more in-depth testing of policies, procedures and controls at firms. For example: testing a firm’s access provisioning policy by standing over the shoulder of various employees to confirm whether they could or couldn’t access certain files and folders on the network.
In January 2016, the SEC’s Exam Priorities announced a continuation of the Phase 2 exams.
Now in January 2017, it appears that Phase 2 is over, and this more in-depth testing has found its way into SEC examinations in general.
Granted, some exams might not focus on cybersecurity at all, but the ones that do are likely to now include a more in-depth examination of it, and the SEC will be looking to corroborate that you are doing what your policies say you are doing, and that you have policies on things they expect you to have policies on when it comes to cyber.
At the upcoming Ascendant Compliance Management conference, “Revolutionizing Compliance: The Matrix of Regulation, Operations & Technology,” we will be covering things on the SEC’s cybersecurity request list – what documentation they expect, what types of controls they expect, what policies they expect; how to test various policies ahead of time; ways to improve your firm’s training and security awareness program – since some firms are being called out for inadequate cyber training and since the SEC is using the benefit of hindsight to fine firms that have a cyber incident that comes to light during an exam.
Translation: more training reduces the likelihood of a cyber incident in the first place.
If you need to gain a deeper understanding of the SEC’s views of cybersecurity and how it might affect your firm, join us in Naples on April 3-5. For more information, read our agenda by clicking here.
New York DFS Cybersecurity Rules Take Effect March 1
The New York Department of Financial Services (“DFS”) recently issued a revised rules proposal that will add its own cybersecurity requirements to those already in place for banks, insurance companies and other financial services companies. While the proposed rules would only be applicable to financial firms licensed by the New York DFS, they reveal that state regulators are just as concerned about the growing risk of cybersecurity breaches. New York’s proposed rules are the first of their kind issued by a state regulator in the United States, and may be a sign of things to come.
Due in part to the nature and volume of the personally identifiable information (PII) they maintain, and in part to the name recognition of some high-profile banks and financial institutions, these firms are increasingly finding themselves at the receiving end of targeted and sophisticated cyber-attacks.
As proposed, 23 NYCRR 500 (“Cybersecurity Requirements for Financial Services Companies”) will require financial institutions under the jurisdiction of the DFS “to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.”
The Cyber Rules will become effective on March 1, 2017, and covered entities will be required to submit annual certificates of compliance to the DFS beginning February 15, 2018.
Take Action Now to Ensure DFS Compliance
Ascendant creates tailored and risk-based policies and procedures for firms designed to address the DFS Cybersecurity Regulation to include the following areas to the extent applicable to the Company’s operations:
- Information Security
- Data Governance and Classification
- Asset Inventory and Device Management
- Access Controls and Identity Management
- Business Continuity and Disaster Recovery Planning and Resources
- Systems Operations and Availability Concerns
- Systems and Network Security
- Systems and Network Monitoring
- Systems and Application Development and Quality Assurance
- Physical Security and Environmental Controls
- Customer Data Privacy
- Vendor and Third-Party Service Provider Management
- Risk Assessment
- Incident Response
For more information about how we can help you reach compliance with New York’s new DFS Cybersecurity requirements, contact us.
SEC Releases 2017 Examination Priorities
On January 12, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released its Examination Priorities for 2017 with a focus on “certain practices, products, and services that OCIE perceives to present potentially heightened risk to investors and/or the integrity of the U.S. capital markets.”
Here is a roundup of key priorities mentioned in the release:
Matters of importance to retail investors
- OCIE plans to examine registered investment advisers and broker-dealers that offer electronic investment advice, including the use of robo-advisers. Exams will likely focus on compliance programs, marketing, formulation of investment recommendations and more. Compliance practices for the oversight of algorithms will also be explored.
- OCIE plans to expand its focus on RIAs and broker-dealers associated with wrap fee programs, including whether advisers are acting in a manner consistent with fiduciary duty. Wrap account suitability, disclosure effectiveness and conflicts of interest are all areas of scrutiny.
- OCIE’s Never-Before-Examined Adviser initiative will be expanded to include focused, risk-based exams of newly registered advisers.
- Other focuses in this area include recidivist representatives and their employers, multi-branch advisers and share class selection.
Risks specific to elderly and retiring investors
- The ongoing ReTIRE initiative will continue, with an expanded focus on registrants’ recommendations and sales of variable insurance products, as well as sales and management of target date funds.
- Investment advisers will be examined on how they are managing conflicts of interest and fulfilling their fiduciary duty. Other risks, including pay-to-play and undisclosed gifts and entertainment practices, will be reviewed.
- OCIE will assess how firms manage interactions with senior investors, including their ability to identify financial exploitation of seniors.
Market-wide risks
- In October 2016, rule amendments regarding structural and operational reforms to address redemption risks became effective. OCIE will examine money market funds for compliance with the amendments, including assessments of the boards’ oversight of the funds’ compliance as well as a review of policies and procedures relating to stress testing and periodic reporting to the SEC.
- Cybersecurity will continue to be a focus, with scrutiny on procedures and controls, including testing the implementation of those procedures and controls.
- Broker-dealers will have their AML programs examined to assess whether they are customized for specific risks the firm faces. OCIE will also review how broker-dealers are monitoring for suspicious activity, and the effectiveness of independent testing.
Other initiatives OCIE expects to expend resources on include the examination of municipal advisors; transfer agents; and private fund advisers, with an emphasis on conflicts of interest and disclosure of conflicts.