The Securities & Exchange Commission has released its list of 2021 examination priorities for broker-dealers and investment advisers, with a heap of attention paid to business continuity, climate change disruptions, and how the pandemic has amplified risks to cybersecurity and supervision.
The SEC’s Division of Examinations (previously known as the Office of Compliance Inspections & Examinations, until OCIE was elevated to be its own division last year) inspects the business practices and compliance programs of financial firms. Every year the Division publishes a list of the coming year’s examination priorities, so firms know what to expect should SEC staff come knocking on their door. This year’s list is a 42-page report recapping last year’s examinations and what will come next.
Several of the priorities are highly specific to broker-dealers and registered investment advisers, such as how those firms are implementing Regulation Best Interest (to prevent conflicts of interest) and its accompanying documentation, Form CRS. Another priority will be how firms are preparing for the end of LIBOR, the London Interbank Offered Rate that serves as the basis for interest rates for many other financial instruments — a rate that will cease to exist at the end of this year, after numerous scandals involving banks gaming LIBOR for their own interests.
Other examination priorities, however, are worth more attention because they address topical risk management challenges that any compliance officer could appreciate, even from outside the financial services sector.
Adjusting to Pandemic’s Consequences
Like the rest of us, SEC examiners spent most of last year working from home and radically reordering their priorities. As the SEC said in its report, “The Division pivoted to focus on the most pressing risks — including examining whether registered firms’ business continuity plans were updated, operational and effective, and addressing increased cybersecurity risks facing firms and investors.”
Now it’s become clear that most firms will continue with remote work, and all its attendant compliance challenges, well into 2021. So questions on SEC examiners’ minds include…
- How will firms use new communication technologies to reach clients or collaborate with coworkers?
- How will firms develop new workflows for onboarding customers?
- Will firms expand any existing products or services, or introduce wholly new offerings?
- Will any new offerings generate new conflicts of interest that might require disclosure or mitigation?
- How will firms maintain a sufficiently strong level of supervision over employees and third parties, given the physical separation of remote working?
The pandemic also propelled business continuity and cybersecurity risks to the top of firms’ priority list. The SEC is likely to ask about those issues, too. (The Examinations Division also sent a steady stream of risk alerts last year warning about ransomware, credential compromise scams, and so forth.)
Of course, none of these issues are new any longer. The question for compliance officers today is how you are developing sustainable, long-term strategies for the risks and compliance challenges that the pandemic and remote work create. I explored that question in a previous post picking apart the idea that businesses will return to “normal” work any time soon; now the SEC will be picking apart that idea in its 2021 examinations.
Business Continuity and Climate Change
The SEC’s examination priorities also include climate change — just not quite in the way that I expected. Foremost, examiners will review how climate disasters are addressed in a firm’s business continuity plans.
That makes sense, considering the huge disruptions that wildfires, hurricanes, cold snaps, and other weather disasters have caused across the country in recent years. To use the SEC’s words:
[T]he Division will shift its focus to whether [business continuity] plans, particularly those of systemically important registrants, account for the growing physical and other relevant risks associated with climate change… As climate-related events become more frequent and more intense, we will review whether systemically important registrants are considering effective practices to help improve responses to large-scale events.
This is interesting because just last week, acting SEC chairman Allison Herren Lee said SEC staff will start paying more attention to the climate change disclosures that all firms make in their corporate financial statements, as a prelude to adopting new climate change guidance sometime in the future. Banking regulators are also looking at ways that climate change might be a risk in the financial sector, and one significant enough that it might require regulatory action.
Whatever issues that new guidance might address, weather disasters disrupting your business continuity is an immediate problem. You should already have business continuity plans in place for just such threats, addressing practical matters like data recovery, redundant IT systems, and communication plans for employees and customers alike. This year, the SEC examiners will want to see those plans.
Fintech and Regtech
Examination priorities this year will also include “financial technology,” a wonderfully vague phrase to encompass whatever new ways firms are using technology to run their own operations or to interact with customers.
A lot of this is about automation of services such as investment advice or asset allocation, which traditionally were delivered by actual humans. Now it’s all done by software code, which raises questions about how a firm can assure that its automated processes still work in a client’s best interests. But SEC exams have touched on that particular point of fintech for several years.
I was more interested to see this sentence:
Among other areas, examinations will focus on evaluating whether firms are operating consistently with their representations, whether firms are handling customer orders in accordance with customer instructions, and review compliance around trade recommendations made in mobile applications.
That sounds to me like a warning shot to Robinhood, the online trading app at the center of that frenzied trading in GameStop stock last month. Robinhood came under fire for not filling retail investors’ trading orders (costing them a fortune), and questions abound over whether the firm had sufficient capital for a business model that involves letting investors play with fire.
So if I were Robinhood or any other online trading firm with a similar business model, I’d be bracing for the regulatory equivalent of a colonoscopy this year.
The SEC also devoted a paragraph to “regtech,” the even more wonderfully vague phrase for technology that helps with compliance automation and enhanced transaction analysis. Regtech can be a great tool, the SEC stressed — but, “misused or improperly configured regtech may lead to compliance program deficiencies. Examinations will focus on the implementation and integration of RegTech in firms’ compliance programs.”
The SEC raises a valid point, one that any compliance officer should ponder. Technology accelerates business processes and transforms business models. So before you implement said technology, perform a full risk assessment and consider all the compliance implications of your accelerated business process or new business models. The last thing you want to do is discover you’ve made a mistake long after the new tech ramped up your operations to bullet-train speed.