Two weeks ago it was the Financial Industry Regulatory Authority, last week it was the Securities and Exchange Commission. The SEC’s Office of Compliance Inspections and Examinations issued its examination priorities for 2016. As in prior years, OCIE indicated that its emphasis will revolve around three “thematic areas:” matters important to retail investors, market-wide risks and registrants engaging in illegal conduct. In looking at matters important to retail investors, OCIE said it will examine, among other things, various issues related to exchange-traded funds, including trading practices; disclosure; unit creation and redemption processes; and excessive portfolio concentration. OCIE will also look at fee arrangements at broker-dealers and investment advisers – assessing whether such arrangements are in the best interest of the relevant customers. In connection with market-wide risks, OCIE said it would review broker-dealers’ and investment advisers’ cybersecurity compliance and controls and look at liquidity controls at mutual funds, ETFs and private funds that have exposure to potentially illiquid fixed income securities. Finally, as part of its review of registrants, OCIE will review clearing and introducing brokers’ AML programs – focusing on firms “that have not filed the number of suspicious activity reports that would be consistent with their business models” as well as firms and employees that “appear to have engaged in excessive or potentially inappropriate trading.” (Click here to review FINRA’s 2016 examination priorities in the article, “FINRA Will Grade Members on Culture, Supervision and Liquidity Management; BDs Not Managing Spoofing Likely to Get Bad Scores” in the January 10, 2016 edition of Bridging the Week.)
Compliance Weeds: It is not new that the Securities and Exchange Commission is checking registrants’ cybersecurity programs. Last year, OCIE announced it was conducting cybersecurity exams of SEC registrants to assess, among other things, the effectiveness of registrants’ cybersecurity controls. It said it would focus on registrants’ governance and risk assessment; access rights and controls; data loss prevention; vendor management; training; and incident response. (Click here for details in the article, “SEC Discloses Elements of Cybersecurity Exams” in the September 20, 2015 edition of Bridging the Week.) Effective March 1, 2016, members of the National Futures Association must also formally adopt and begin enforcing written policies regarding cybersecurity. (Click here for details in the article “NFA Proposes Cybersecurity Guidance” in the September 13, 2015 edition of Bridging the Week.) Both SEC and CFTC registrants – big and small – should ensure they have or are promptly adopting written policies addressing cybersecurity that are appropriate to their business model and that they adhere to their policies.