During January of 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued two reports that highlight the work and priorities of OCIE: on January 7, 2020, OCIE issued its 2020 Examination Priorities and on January 27, 2020, OCIE issued its Cybersecurity and Resiliency Observations. In January, FINRA also published its 2020 Risk Monitoring and Examination Priorities Letter, which describes the areas of focus for FINRA’s risk monitoring, surveillance, and examination programs. SEC and FINRA 2020 Examination Priorities focus on market infrastructure, investment advice, digital assets, and issues important to retail investors.
OCIE 2020 Examination Priorities
The Examination Priorities are published by OCIE on an annual basis for the purpose of assisting investment advisers and other financial industry participants with the promotion and improvement of compliance efforts, with the underlying goal of protecting investors and maintaining the integrity of the U.S. capital markets. The 2020 Examination Priorities similarly offer a glimpse into what the OCIE may be focusing on this year and are summarized below.
Fiscal Year 2019
The 2020 Examination Priorities contain a summary of Fiscal Year 2019 results. During Fiscal Year 2019, OCIE conducted 3,089 examinations, including approximately 2,180 of registered investment advisers (“RIAs”), 150 of investment companies, and 350 of broker-dealers. OCIE examined approximately 15% of RIAs, reflecting OCIE’s commitment over the past several years to increase its RIA coverage.
During Fiscal Year 2019, OCIE issued over 2,000 deficiency letters. In response to these letters, firms took various corrective actions, including amending compliance policies and procedures, enhancing disclosures and returning fees to investors. Over $70 million in fees were returned to investors as a result of improper calculations or charges of investment fees.
During Fiscal Year 2019, OCIE also finalized many new rules and interpretations. Of particular note, OCIE finalized a series of rules and interpretations designed to enhance the quality and transparency of retail investor relationships with RIAs and broker-dealers. These rules are briefly noted below under “Regulation Best Interest,” the new “Form CRS Relationship Summary,” and two separate interpretations under the Advisers Act; the implementation and evaluation of these rules will be 2020 Examination Priorities.
Focusing on the year ahead, the 2020 Examination Priorities identify practices, products, and services that OCIE believes present heightened risks to investors or the integrity of the capital markets. The 2020 priorities include:
- Retail Investors, including seniors and individuals saving for retirement: Within this segment, OCIE intends to prioritize examinations of intermediaries that serve retail investors. OCIE will prioritize examinations of RIAs, broker-dealers, and dually-registered firms and will focus on the disclosures required by federal securities laws, including disclosures relating to fees and expenses and conflicts of interest. In addition, examinations that focus on investments marketed to, or designed for, retail investors, such as mutual funds, ETFs and municipal securities, will also be a priority for OCIE.
- Information Security: Examinations related to information security will be a priority for OCIE and will emphasize the proper configuration of information security governance as well as retail trading information security. With regard to RIAs, OCIE’s information security focus areas will include: (1) governance and risk management; (2) access controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response and resiliency.
- RIAs and Investment Companies: OCIE will continue to review the compliance programs of RIAs, with a focus on the following areas: account selection, portfolio management practices, custody and safekeeping of client assets, best execution, fees and expenses, and valuation of client assets. OCIE will also prioritize examinations of RIAs that are dually registered as, or are affiliated with, broker-dealers. Specific areas of focus for these entities will include whether such firms maintain effective compliance programs to address the risks associated with best execution, prohibited transactions, fiduciary advice, and disclosure of conflicts.
- Broker-Dealers and Municipal Advisors: OCIE will continue to prioritize its examinations of broker-dealers, with such examinations focusing on compliance with rules regarding the safeguarding of client assets and firms’ trading and risk management practices. For example, OCIE will examine firms’ trading and other activities in “odd lots” (orders under 100 shares), as these orders often represent retail interest and require special treatment by broker-dealers.
- AML Programs: OCIE examinations will also focus on the anti-money laundering requirements established by the Bank Secrecy Act. OCIE will examine broker-dealers and investment firms to evaluate their compliance with anti-money laundering obligations. Such examinations will assess whether firms have established appropriate customer identification programs, whether they are satisfying their filing obligations, and whether they are conducting appropriate due diligence on customers.
OCIE Cybersecurity and Resiliency Observations
On January 27, 2020, OCIE published its observations related to cybersecurity preparedness and operational resiliency. This report is designed to assist firms participating in securities markets in establishing procedures to monitor, assess and manage their cybersecurity risk profiles, including operational resiliency. OCIE has observed, and will continue to assess, the following practices during its examinations:
- Governance and Risk Management: OCIE observed that key elements of effective governance and risk management programs incorporate, among other things: (i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address those risks; and (iii) effective implementation and enforcement of those policies and procedures.
- Access Rights and Controls: Access rights and controls determine which users may appropriately use which systems, and are measures that firms use to mitigate cyber risk. OCIE has observed several successful strategies related to access rights and controls, including: (i) developing a clear understanding of users’ access needs for systems and data; (ii) managing user access through systems and procedures; and (iii) monitoring access to systems and maintaining procedures for that monitoring.
- Data Loss Prevention: OCIE observed that firms typically deploy tools and procedures to ensure that sensitive data, including client information, is not lost, misused or accessed by unauthorized users. Such measures include, among others, vulnerability scanning, capabilities to control, monitor and inspect incoming and outgoing network traffic, and capabilities to detect threats on endpoints.
- Mobile Security: Mobile devices and applications create additional risks and vulnerabilities for firms. To address these potential weaknesses, firms have established policies and procedures related to the use of mobile devices, using mobile device management applications, and training employees on proper use.
- Incident Response and Resiliency: Effective incident response includes the timely detection and disclosure of material information, as well as assessing the appropriateness of corrective actions. OCIE has observed that firms’ effective incident response plans included procedures related to notification and response, escalation of incidents and communication with key stakeholders.
- Vendor Management: OCIE has observed that practices and controls related to vendor management generally include measures for: (i) conducting due diligence for vendor selection; (ii) monitoring and overseeing vendors and contract terms; (iii) assessing vendor relationships in the context of the organization’s ongoing risk assessment process; and (iv) assessing how vendors protect client information.
FINRA 2020 Risk Monitoring and Examination Priorities Letter
The FINRA Risk Monitoring and Examination Priorities Letter is similarly issued each year and describes FINRA’s risk monitoring, surveillance and examination programs for the upcoming year. FINRA’s 2020 priorities include the following, among others:
Sales Practice and Supervision
- General Obligations: FINRA will continue to evaluate firms’ compliance with sales practice obligations to their customers, as well as the supervision of such practices. Specific areas of focus include compliance with regard to sales of complex products, variable annuities, private placements, fixed income mark-up/mark-down disclosures, and senior investors.
- Regulation Best Interest (BI) and Form CRS: On June 5, 2019, the SEC adopted Reg BI and new rules and forms requiring broker-dealers to provide a brief relationship summary to retail investors. Firms must comply with Reg BI and Form CRS, which is the form that broker-dealers must use for the required relationship disclosure, by June 30, 2020. FINRA will work with firms to ensure preparedness for and compliance with Reg BI.
- Communications with the Public: FINRA will continue to review how firms review, approve, supervise and distribute retail communications regarding private placement securities, as well as firms’ compliance with their obligations related to the review and retention of communications, in light of the use of various digital communication channels with customers.
- General Obligations: FINRA will continue to review firms’ compliance with continuing obligations in areas such as market manipulation, Trade Reporting and Compliance Engine (TRACE) reporting, short sales and short tenders.
- Direct Market Access Controls: FINRA will prioritize firms’ compliance with the Market Access Rule, given the continued growth in automated and high-speed trading.
- Best Execution: FINRA will review whether firms use reasonable diligence to determine whether their customer order flow is directed to the best market, given the size and types of orders, the conditions of the orders, and other factors as required by FINRA rules.
- Digital Assets: FINRA recognizes that the sale of digital assets raises novel and complex regulatory issues under FINRA rules, as well as under federal securities laws and regulations. FINRA is receiving an increasing number of applications from firms seeking to facilitate private offerings of digital asset securities, operate secondary trading platforms or facilitate trades of indirect investment products. FINRA will continue to work with the SEC to understand firms’ business plans and determine how the securities laws apply to those plans.
- Liquidity Management: FINRA will continue to review firms’ liquidity management practices and will continue to focus on areas addressed in Regulatory Notice 12-33 (Guidance on Liquidity Risk Management Practices).
- LIBOR Transition: FINRA will engage with firms (outside of the examination program) to understand how the industry is preparing for LIBOR’s retirement at the end of 2021, focusing on firms’ exposure to LIBOR-linked financial products and steps that firms are taking to transition away from LIBOR to alternative rates.
In the SEC’s press release announcing its 2020 Examination Priorities, OCIE Director Pete Driscoll stated that “as markets evolve, so do risks and potential harm to investors. OCIE continually works to adjust its examination focus areas to target these risks and publishes its annual priorities to communicate where we see the potential for increased risk and related harm.” This transparency by the regulators is a reminder to investment advisers and broker-dealers to continuously evaluate and improve their compliance programs.