Skip to main content

Tag: Financial Services

Summertime is Here! Compliance Can Keep You Cool!

As the summer heat kicks in, while there is little indication that the regulatory “warming trend” will subside any time soon, the typical slowdown in business over the summer months provides opportunities to review your firm’s compliance program. Focusing on selected aspects of your compliance program may also reveal ways to cut costs associated with compliance in the long run. The secret to an efficient review is to focus on the regulatory target areas and not try to do too much.

The Regulatory Focus

The regulatory focus on the retail investor will continue. The SEC and FINRA have enhanced their practices to target the areas of the highest risk to the public. Novel new products such as digital assets, structured securities, and prediction markets are in focus. The updates to Regulation S-P brought renewed focus on firm’s due diligence practices for vendors that host systems and access or store customer data. Piling on all that is the increasing risk of cybercrime – both internal and external – and the increasing use of artificial intelligence tools. If that’s all buttoned up, then you don’t want to get caught off guard with “old school” compliance gaps such as inadequate policies and procedures, recordkeeping, or supervision. There are certainly a wide range of focus areas that can be addressed. Like many firms, the regulators are using AI to assist in their analysis, which provides the ability to cover a wider range of topics in exams.

Identifying the Areas to Review

With the above in mind, the review of your firm’s operations should focus on those areas most relevant to your business. First, assess your products and services from a financial perspective, identifying products and services that generate the most revenue. The compliance review should focus on those areas of your firm’s operations that generate the most business, i.e. revenue. Also, consider looking at the policies and procedures for supervising branch offices and remote locations. Additionally, if there is a product or service that you have not reviewed in some time, or that is new to your firm, the policies and procedures related to those areas should be included in your review. For example, if you’re selling more ETF’s or insurance securities, look at the supervisory and operational procedures for those products. If you recently added digital assets or prediction market access, look at the procedures governing those practices and the training programs in place for the public facing and supervisory personnel.

Second, consider any areas where you rely on third parties to provide a significant support function. The most common for broker-dealers is the clearing function, while RIAs may rely heavily on the custodian or a portfolio valuation service. Create a list of vendors that includes the services they provide, the contact people for the vendor, and the contract date. Larger firms should also add the person(s) internally who own the relationship, such as the financial officer for accounting software, the operations officer for clearing relationships, etc. Consider all services provided by third parties or affiliates (services provided by affiliates are typically considered outsourced) including surveillance and compliance management vendors. In addition to the clearing and custody relationships noted above, many firms use third party vendors to support internet access and email, storage of books and records, payroll processing, and accounting functions. Some other common areas that are often overlooked are the phone systems, technology support, law firms, and consultants.

Conducting the Review

For the areas you’ve selected to review, determine how the business is processed from start to finish. It may be helpful to create a flow diagram of the process that identifies “touch points” where a supervisory procedure or control would/should exist. A good example would be where the representative forwards completed paperwork for a variable annuity transaction to a principal for review. These points could include the representative assembling the paperwork, delivering it to a sales assistant, and the sales assistant forwarding it to the principal or a centralized operations department for review and approval. Your procedures should address a control or supervisory process for each time the paperwork changes hands. Perhaps the sales assistant does a check to ensure all the proper completed paperwork is included, and in the predetermined order, before forwarding to the principal. This simple control will reduce delays in processing paperwork and the time that the principal has to spend reviewing, and supervising, the transaction, thereby saving time and money. When reviewing processes, policies and procedures for new lines of business, be careful not to try to fit a square peg into a round hole. That is, don’t assume that the procedure for supervising an equity security transaction will fit the exchange traded note. You must consider the unique aspects of the product, related disclosures, and the customer’s objectives. This is a simple example and more complex operations require a more in-depth assessment even when processes are automated, we often find data breaks where two or more data feeds are required to complete a process. These need to be carefully mapped out.

If your firm relies on third party vendors and does not have a due diligence process for assessing them, develop one – you are late to the game. Start with the vendor contract to determine if the regulatory requirements are met. For example, Regulation S-P now formally requires notification of a breach within 72 hours. Also, if the vendor is deemed a “Service Bureau” for the purposes of the SEC’s Books and Records Rules, the vendor must agree to make the records available to the Regulators. Similarly consider any AML, business continuity, and privacy issues that may arise from the relationship. For FINRA members, these arrangements may also have to be disclosed before implementation. Depending on the nature of the vendor relationship, your due diligence process should include reviews of the vendor’s internal control reports, business continuity plans, information and technology security, and insurance coverage such as E&O, theft, and professional liability. Ongoing vendor monitoring is critical. While most services can be monitored on an ongoing basis – that is, if the service fails you know it and correct it with a backup plan – it’s a good practice to schedule a formal meeting at least annually with the vendors’ representatives to review the services and reassess the areas covered in the due diligence process.

Correction and Documentation

As you complete each review, create a short, written summary of the review and gap analysis performed, including the corrective steps to be taken, if any. For material deficiencies, consider reviewing with counsel to determine the potential regulatory impact. In addition to amending written policies and procedures, corrective actions should include training employees to ensure that proper procedures are implemented, and the new procedures are adequately communicated.

Conclusion

A compliance review provides a great opportunity to reassess your business operations, not only for compliance purposes, but to identify areas of efficiency and cost savings. This type of review can be incorporated into your annual review requirements and supervisory controls testing. Your review should be reasonable, and you should not try to do too much. Once you start digging, you may find that one issue will take longer than you anticipated completing. It’s better to do a portion at a time and complete a full review on an area than to take on too much and leave items undone.

So, what are your plans this summer? Awaiting the regulatory heat? Or sitting back and enjoying the compliance reliance?

By: Louis Dempsey, CRCP, CSCP