Last week, the Securities and Exchange Commission’s newly renamed Division of Examinations (formerly known as the Office of Compliance Inspections and Examinations) published its 2021 Examination Priorities (“Exam Priorities”). This annual guidance reports on the Division’s accomplishments and rates of examinations for the prior year, and seeks to promote compliance, prevent fraud, identify and monitor risk, and inform policy. It provides industry participants with a road map to plugging any gaps in their compliance.
Many of the Exam Priorities are perennials—for example, those related to broker-dealer sales practices and treatment of seniors, and registered investment adviser compliance programs—but these are supplemented by the Division’s focus on risks that have emerged in recent years, including information security, digital assets, and operational resiliency in light of climate change-related risks. This Alert will highlight those announced Exam Priorities for which industry members should prepare in the event that they are visited—perhaps virtually—by the Division’s examiners. Certain priorities—including fintech, LIBOR transition, operational resiliency, and information security—are the result of recent technological, economic or environmental trends, and firms should use the Division’s report as an opportunity to ensure that their compliance in these areas is on pace with the evergreen compliance concerns. Unfortunately, it is those emerging areas that can often lead to findings of deficiencies in examinations.
- Fintech: It is no surprise that with the rapid growth and economic importance of financial technologies, alternative data and digital assets, the Division is putting greater emphasis on regulating these areas.
  - The Division will examine whether fintech firms are operating consistently with their representations, whether firms are appropriately handling customer orders, and how firms make trade recommendations in mobile applications.
  - In examining participants in the digital assets markets, the Division will focus on several areas, including the suitability of these investments, that is, whether they are in the best interests of investors; portfolio management and trading practices; safety of client funds and assets; and pricing and valuation.
  - As financial technologies evolve, firms are increasingly using new sources of data, known as alternative data, to interact with and provide services to investors. Alternative data is the use of data sources to drive investment decision-making. If not regulated, it creates privacy and insider trading risks, among others. Examination of alternative data will include whether firms are implementing appropriate controls and compliance around the creation, receipt, and use of such information.
- AML Programs: The Division will continue to review firms for compliance with applicable AML requirements, in particular, whether broker-dealers and registered investment companies have adequate policies and procedures in place that are reasonably designed to identify suspicious activity and illegal money-laundering activities. The Division’s continued focus on AML is not surprising in light of the Anti-Money Laundering Act of 2020, which Congress enacted on January 1, 2021. It contains the most significant reforms to U.S. AML laws since the USA PATRIOT Act of 2001. Examinations of AML programs will evaluate whether firms have established customer identification programs, are conducting due diligence on customers, and are conducting timely independent assessments of their AML programs, among other things. While there is nothing particularly new in the description of the AML priorities, the area remains a significant concern across all financial regulators.
- LIBOR Transition: Like last year, the Division continues to be focused on the industry’s transition away from LIBOR. The Division will assess registrants’ understanding of any exposure to LIBOR, their preparations for the expected discontinuation of LIBOR, and the transition to an alternative reference rate.
- RIA Compliance Programs: The Division’s limited coverage of registered investment advisers (RIAs) has always been a subject of regulatory concern; the Division reports that it examined 15% of such firms last year. To address that concern, this year the Division will prioritize RIAs that have not been examined in recent years or have never been examined since registering. In line with other regulators, the Division will continue to try to ensure that RIAs’ compliance programs are robust and effective. The Exam Priorities note that the Division will be particularly focused on products and services marketed as sustainable, socially responsible, impact, and/or environmental, social and corporate governance (“ESG”) conscious.
- Operational Resiliency: As climate change becomes more prevalent, the Division intends to review whether firms are considering effective practices to help improve responses to large-scale events caused by climate change. These examinations will include review of business continuity and disaster recovery plans, and will be similar to the work the Division did after Hurricane Sandy. See Joint SEC, FINRA, and CFTC Business Continuity Planning Observations (August 7, 2013) for a set of best practices and lessons learned following Hurricane Sandy.
- Information Security: Cyber security has been a priority issue for several years, but the COVID-19 pandemic raised the stakes with the increase in remote working. Remote operations raise concerns about, among other things, data loss, remote access, use of third-party communication systems and vendor management. The Division will review whether registrants have taken appropriate measures to: safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access; oversee vendors and service providers; address malicious email activities, such as phishing or account intrusions; respond to incidents, including those related to ransomware attacks; and generally manage operational risk as a result of remote operations.
- Municipal Advisors: As with information security, COVID-19 has created risks for municipal advisors and their clients. The Division will continue its examinations of municipal advisors’ registration, professional qualifications, and continuing education requirements. It will also focus on whether municipal advisors have met their fiduciary duty obligations to municipal entity clients.
- Regulation Best Interest: Regulation Best Interest refers to a standard of conduct for broker-dealers when making a recommendation to a retail customer about any securities transaction or investment strategy involving securities. After the Division issued a risk alert last April, Examinations that Focus on Compliance with Regulation Best Interest, and then in December issued a Statement on Recent and Upcoming Regulation Best Interest Examinations, it is no surprise that the Division will be focused on this area in the coming year. Firms should expect the Division to review, among other areas, the processes firms have used to recommend complex products, make recommendations to new customers, and identify and address conflicts related to recommendations.
Implementing a robust compliance program, with a focus on the areas outlined above, will help firms under examination protect themselves from findings of deficiencies. The Exam Priorities provide a survey of the perennial and emerging risks that firms should be prepared to address, but firms should also not lose sight of the hallmarks of an effective compliance program—adequate resources, a knowledgeable and empowered CCO, a strong tone from the top and compliance’s active involvement in different aspects of the firm’s operations. A legal compliance strategy has never been more important.