SEC Exam Priorities Highlight Flexible, Holistic Compliance

On Jan. 7, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations released its examination priorities for 2020.[1] This annual publication provides visibility into OCIE’s priorities for the coming year, and an overview of the existing and emerging risks and trends that financial firms[2] should proactively consider and address in their compliance programs.

The exam priorities echo many of the concerns expressed in last year's priorities.[3] Both releases focus on the protection of retail clients, the need for robust information security and cybersecurity policies, the regulation of digital assets, review and implementation of anti-money laundering, or AML, programs, and the protection of critical market infrastructure.

The exam priorities also reference the SEC’s significant rulemaking over this past year, including Regulation Best Interest, or Reg BI, the accompanying client relationship summary, or Form CRS, and various SEC interpretations of the Investment Advisers Act of 1940.

A summary of the exam priorities and how firms may prepare for exams follows.

Protection of Retail Clients

OCIE continues to prioritize the protection of retail clients whom the SEC views as historically vulnerable, such as seniors, teachers and military personnel.

Firms with retail clients or those that market products to retail clients (e.g., mutual funds, exchange-traded funds and municipal securities) should be prepared to demonstrate how they disclose fees, expenses, compensation arrangements and conflicts of interest, as well as how they supervise the outside business activities of associated persons that may

give rise to conflicts of interest. Firms that offer products that are complex or lack transparency should be prepared to demonstrate the disclosure of the characteristics and nuances of such products, which are not likely to be obvious to retail clients.

A new focus for broker-dealers in 2020 will be compliance with Reg BI and Form CRS, which become effective June 30. Reg BI requires broker-dealers to act in their retail clients’ best interests when recommending a security or investment strategy, and prohibits them from putting their interests ahead of their clients’ interests.

Compliance with Reg BI cannot be satisfied through disclosure alone. Firms must implement policies and procedures that ensure security recommendations or investment strategies are, in fact, in their clients’ best interests.

Ahead of the June effective date, broker-dealers are required to demonstrate their progress on the implementation of Reg BI and Form CRS in OCIE exams. Thereafter, exams will assess each firm’s policies and procedures regarding conflict disclosures, the delivery of Form CRS,[4] and the other requirements of Reg BI.

The SEC provided a contact email (IABDQuestions@sec.gov) for firms with questions regarding the implementation of Reg BI and Form CRS.

Holistic Information Security Policies and Procedures

A successful cyberattack on a financial firm may have consequences that extend beyond any one firm and impact the wider market. Therefore, OCIE has again prioritized information security policies throughout the industry.

Firms should review and test their information security policies and procedures to ensure they meet industry best practices and, if necessary, employ third-party consultants to audit and document the robustness of their information and cybersecurity policies.

These policies and procedures should be reasonably tailored to the firm’s business, particular security risks, and designed to address the following:

• Proper configuration and monitoring of network storage devices;
• Governance and risk management policies;
• Access control policies, especially for firms that offer access online and/or via a mobile application;
• Data loss prevention policies and procedures;
• Vendor and network management and oversight, especially for firms that utilize cloud-based storage;
• Training on cybersecurity concerns;
• Incident response and resiliency; and
• Appropriate disposal of retired hardware that may contain client and/or network information.

In the event of a cybersecurity breach, OCIE encourages firms to inform regulators and law enforcement to limit the impact of such breaches on clients or investors and other industry participants.

Review of Firms That Leverage Fintech and Innovative Technologies

OCIE will continue to focus on firms that implement new technologies to drive their business. These technologies include the use of alternative data to make investment decisions; trading automation; the trading, custody and issuance of digital assets; and the provision of investment advice via automated tools or platforms, as done by robo-advisers.

Firms that employ these technologies should be prepared to demonstrate (1) how they use technology to conduct their business and interact with both clients and service providers, and (2) the compliance policies, procedures and controls they have implemented to address risks peculiar to these technologies.

Digital Assets

OCIE notes that digital assets present particular risks for retail clients who do not appreciate the differences between digital assets, such as Bitcoin, and more traditional financial services products.

Due to OCIE’s concerns regarding the general public’s still nascent understanding of digital assets, OCIE will prioritize exams of firms that offer services related to digital assets. These exams will assess, in part, the investment suitability of the digital assets for clients, the firm’s portfolio management and trading practices, the safety and security (i.e., custody) of client funds and assets, the valuation of such assets, and the compliance policies and controls adopted to address risks specific to digital assets.

Such firms should provide fulsome explanations in plain English to clients regarding the basic characteristics of digital assets and the corresponding risks related to the purchase, holding and disposition of these assets.

Electronic Investment Advice

Consistent with the past three years, OCIE has again prioritized exams of robo- or digital advisers. These advisers should anticipate exams soon after registration. As with more conventional advisers, the exam will vary based on the scale of the business and the perceived risk of the advice and types of products offered.

OCIE will review, at a minimum, the adviser’s eligibility for SEC registration, the effectiveness of its compliance and cybersecurity policies and procedures, its marketing practices, and the adequacy of its disclosures to clients, as well as how it addresses conflicts of interest consistent with its fiduciary duty to clients.

In light of OCIE’s focus on new registrants, advisers should ensure that their policies and procedures are in place and operational upon registration.

Review of AML Programs

OCIE will continue to review the AML programs of investment advisers, broker-dealers and investment companies. OCIE exams will focus on the adequacy of policies and procedures, based on the firm’s business and client or investor base, to identify suspicious activity and illegal money-laundering activities.

OCIE’s review of AML policies and procedures will include an assessment of the firm’s customer identification programs, the satisfaction of suspicious activity report filing obligations, the due diligence process for accepting and onboarding clients or investors, compliance with beneficial ownership requirements, and the robustness and timeliness of independent AML program testing.

Given OCIE’s focus on AML, firms should periodically test their AML programs and be prepared to demonstrate that their policies reflect their practices, especially concerning client or investor onboarding, vetting and surveillance.

Additional Market Participant-Specific Focus Areas

Registered Investment Advisers

OCIE examinations of registered investment advisers will continue to focus on Rule 206(4)-7 compliance programs and the extent to which they are reasonably designed and implemented to detect violations of law based on the adviser’s business operations, investment mandates and types of clients/investors.

OCIE expects to scrutinize the accuracy and adequacy of disclosures that offer new, niche or emerging strategies or products such as those currently in vogue with an environmental, social and governance, or ESG, orientation.

According to the exam priorities, OCIE intends to prioritize the examination of investment advisers that are dually registered as, or are affiliated with, broker-dealers, or that have supervised persons who are registered representatives of unaffiliated broker-dealers.

OCIE will also prioritize the examination of investment advisers that contract with third- party asset managers, and will conduct risk-based exams of newly registered and yet-to-be- examined advisers. Investment advisers that have not been recently examined should prepare for an exam that assesses whether their compliance programs and policies have evolved with the investment advisers’ growth and changes in their business.

Investment advisers to private funds that also have an impact on retail clients, such as investment advisers that manage separately managed accounts in addition to private funds, should expect an exam in the near term. Such investment advisers should be prepared to explain how they identify and assess compliance risks, including the controls they have adopted to prevent the misuse of material, nonpublic information; conflicts of interest, such as undisclosed or inadequately disclosed fees and expenses; and the use of affiliates to provide services to clients.

OCIE also intends to prioritize exams of mutual funds, ETFs and their respective investment advisers and boards of directors, given the broad exposure of these products to retail investors. Due to the proliferation of ETFs, OCIE is likely to continue to focus on the evolving industry practices of ETFs, their trustees, service providers and sponsors.

Broker-Dealers

In 2020, broker-dealer exams will focus on compliance with the Customer Protection Rule,[5] the Net Capital Rule[6] and trading and risk management practices. OCIE will also examine how firms address regulatory compliance of trading odd-lot orders (i.e., orders under 100 shares), which often come from retail clients and require special treatment to ensure compliance.

Consistent with the focus on fintech and innovative technologies discussed above, OCIE exams of broker-dealers will also focus on the deployment of trading algorithms and trading automation. Exams will cover how such activities are established and supervised, including the development, testing, implementation, maintenance and modification of the computer programs that support automated trading activities and access controls to the algorithmic trading codes.

A firm’s written supervisory procedures should address the supervision and monitoring of these perceived higher-risk products and activities. As previously mentioned, broker-dealers should also be prepared to demonstrate compliance with Reg BI and Form CRS.

Conclusion

The exam priorities should encourage financial firms to continue to evolve their compliance programs consistent with the evolution of their business in light of the products and services offered, the types of clients/investors served and emerging market risks.

The SEC encourages firms to take a holistic view of their business with an emphasis on client or investor protection. While there has not been substantial movement in the priorities and areas of focus of regulators, the exam priorities support the proposition that compliance is not a static function, but instead a dynamic, living organism intended to evolve and mature with the demands of the business and the introduction of new products and new market risks.

Given the proliferation of digital assets and increased dependence on technology and infrastructure, OCIE continues to emphasize the centrality of thoughtful and robust information security policies and related best practices concerning the protection of sensitive client information.

OCIE will review how technology impacts the investment process, including how investment decisions are conceived and effectuated, and how investments are held for the benefit of clients. Because many of these functions do not represent core competencies of financial firms, OCIE will continue to focus on how these firms perform due diligence and supervise vendors and third-party service providers that perform increasingly mission-critical roles.

Firms leveraging new technologies that affect investment decisions or trading automation should have plain-English disclosures that explain the product features, risks and conflicts and should be able to demonstrate through the use of contemporaneous documentation, the care they take with respect to the safety and security of client assets, adherence to investment mandates and their clients’ best interests. OCIE has expanded its focus on technological innovation employed by firms, and we expect this priority will continue for the foreseeable future.

The exam priorities echo OCIE’s historical focus on industry risks and trends that OCIE believes most impact the U.S. capital markets.

The above analysis of the exam priorities is not exhaustive, and while it lays out the key areas of focus of OCIE’s exams, the scope of any firm exam is determined through a risk- based approach that includes, among other things, analysis of a firm’s history, including prior exams, operations, services and products offered.

As the SEC's Division of Enforcement continues to trumpet its triumphs against bad actors in the industry and its commitment to protecting clients and ensuring that the capital markets operate fairly, financial services firms would be well served to take notice of the exam priorities[7] and devote the necessary time and resources to ensure their compliance programs keep up with the pace of change in the business, in the industry and in the eyes of the regulators.[8]

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.