SEC Examination Priorities for 2018 – Understanding Core Focus Areas and Preparing for the Next Potential Examination

The Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (the “SEC”) released its National Exam Program examination priorities outlining areas of focus for its 2018 examinations (the “2018 Examination Priorities”).^[1] While the layout and display of the 2018 Examination Priorities has changed from years past, the examination focuses remain consistent. With that said, this does not mean you should dismiss reading, understanding and preparing for OCIE’s examination priorities for this year.

This article summarizes the key themes detailed in the 2018 Examination Priorities and briefly outlines some key takeaways.

 

2018 Examination Priorities

The examination focus areas this year resemble the core themes that were the focus for 2017, including some core areas that have been a focus since the OCIE first started releasing its examination priorities for the given year. The 2018 Examination Priorities focused on the following five themes: 1) Retail Investments, including Seniors and Those Saving for Retirement; 2) Compliance and Risks in Critical Market Infrastructure; 3) Focus on FINRA^[2] and MSRB^[3]; 4) Cybersecurity; and 5) Anti-Money Laundering (“AML”) Program. These themes, along with the main areas of focus, are briefly summarized below.

1. Retail Investments, including Seniors and Those Savings for Retirement.

• Disclosure of fees charged, other compensation received related to the services provided and/or products recommended, conflicts of interest, especially and in particular with certain types of products or services that better incentivize the financial professional.
• Investment advice offered by investment advisers and broker-dealers through automated or digital platforms, including “robo-advisers”. The areas of concern here include oversight of program algorithms that generate recommendations, marketing materials, investor data protection, and disclosure of conflicts of interest.
• Cryptocurrency, Initial Coin Offerings, Blockchain. While this is a newly focused examination priority, it is not surprising. Similar to the foregoing items, the core focus is the adequacy of disclosures, avoidance of misleading materials, and protection from theft and/or misappropriation.
• Best execution compliance, especially for fixed income securities traded in the secondary market.

2. Compliance and Risks in Critical Market Infrastructure.

• OCIE continues to focus on certain firms that are essential to facilitating, maintaining and/or operating the integrity and functioning of the financial markets, particularly with clearing agencies, national securities exchanges, transfer agents and regulation systems compliance and integrity entities.

3. Focus on FINRA and MSRB.

• OCIE continues to focus on the effectiveness of operations and regulatory programs, and the quality of examinations performed by FINRA and MSRB.

4. Cybersecurity.

• Cybersecurity continues to be an examination focus as cyber-attacks increase in frequency and severity. The OCIE is focusing on a firm’s ability to identify and manage cybersecurity risks, which includes the governance and risk assessment, access rights and controls, data loss prevention, vendor risk management, applicable training, and incident response.

5. AML Program.

• OCIE continues to focus on whether applicable entities are adopting their AML Programs that satisfy the Bank Secrecy Act of 1970 (“BSA”) and the rules promulgated thereunder. The examination reviews will cover the firm’s customer identification program, customer due diligence requirements, whether the firm took reasonable steps to understand the nature and purpose of customer relationships and properly address risks, and whether the firm filed timely, complete and accurate suspicious activity reports (“SARs”).

 

Key Takeaways

As stated in the 2018 Examination Priorities, the list of examination priorities for this year is not an exhaustive list. With that in mind, your firm should address the following themes, at a minimum.

Accurate Representations and Adequate Disclosures.
Ensure accurate representations are made and adequate disclosures are provided; in particular, affirm accuracy and consistent application of fees collected and expenses charged with the terms set forth in investor agreements, marketing materials, disclosure documents, and the firm’s policies and procedures. This was, and still is, the central cause of enforcement actions related to fee and expense allocation issues raised against private equity firms, and it also applies to the potential concerns relating to electronic investment advice and products and services offered for retirement related accounts.

Adequate and Effective AML Program.
Develop and conduct a robust, independent assessment of your AML Program.^[4] Enforcement actions against broker-dealers regarding inadequate AML Programs are becoming more frequent, imposing material civil penalties and, at times, individual accountability.^[5] These actions were observed from the following: SEC v. Alpine Securities Corporation (failure to: (i) include material “red-flag’ information in certain SAR filings, (ii) properly file continuing SARs where subsequent activities were clearly unusual or potentially suspicious, and (iii) file at least 250 SARs within the required 30-day timeframe); In the Matter of Lia Yaffar-Pena (among other things, failure to comply with BSA reporting, recordkeeping and record retention requirements, including customer identification program rule); In the Matter of Windsor Street Capital, L.P. (failure to identify and report SARs “concerning dozens of potentially illegal stock sales transactions” related to penny stock businesses).

Policies and Procedures.
Ensure your policies and procedure are adequate and reflect actual practices of the firm. Quite frequently, issues identified with a firm’s AML Program or other expected processes and controls lead to a finding of inadequate policies and procedures.

Robust Cybersecurity.
Perform all the necessary testing to understand potential and actual vulnerabilities with combating against cyber threats. The testing should include assessing the firm’s vendor risk management program and cybersecurity compliance training program; and performing vulnerability assessment, penetration testing, and security incident response testing. The risks are far too great to ignore addressing your cybersecurity needs – the failure to adequately prepare for a cyber attack can cause severe financial and reputational harm.

Maintenance of Documentation.
Ensure you maintain adequate documentation supporting assessments performed, including analyses regarding achieving best execution. While best execution, for example, is not new, more often than not we find firms maintain a good best execution process, but fail to adequately document the process.

Examination Preparedness.
If you have not been examined for quite some time, or ever, especially if your product or services relate to the examination priorities for this year (e.g., offer robo-advisers, offer or participated in initial coin offerings), you should have an independent party perform a “mock” examination to understand your examination preparedness.

In addition to the foregoing items, there were at least two items worth noting from OCIE Leadership’s message.

1. The OCIE expressed that it “…intends to conduct examinations targeting circumstances in which retail investors may have been harmed and reviewing whether financial service professionals have meet their legal obligations.” (emphasis added). This focuses not only on applicable governing documents and the fiduciary standard applicable to investment advisers, but likely also references the Fiduciary Rule that may take effect in 2019, which will impact broker-dealers.^[6]

2. The OCIE’s Quantitative Analytics Unit further honed its ability to perform risk-based exams through the advancement of its technology, the National Exam Analytics Tool. These advances facilitate the analysis of trading blotters, regulatory filings, and trading activities to identify potential non-compliance with securities laws. 

Additional Resources

To access OCIE’s Risk Alerts, as well as subscribe for certain updates, please visit OCIE’s website:
https://www.sec.gov/ocie.