On Feb. 7, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released its 2018 National Exam Program Examination Priorities (NEPEP). The NEPEP are organized around five themes, many of which build on OCIE’s priorities from prior years:
- retail investor protection, including seniors and individuals saving for retirement;
- compliance and risk in critical market infrastructure;
- Financial Industry Regulatory Authority (FINRA) and the Municipal Securities Rulemaking Board (MSRB);
- cybersecurity; and
- anti-money laundering programs (AML).
Retail Investors, Including Seniors and Those Saving for Retirement
Assessing the disclosure of fees and costs provided to investors as “some of the most important information they receive,” the NEPEP point out that OCIE examiners will focus on how clearly registered investment advisers and broker-dealers disclose costs and fees to retail investors and how those disclosures are implemented across an array of services and products. Examiners will likely review whether (1) fees and expenses are calculated and charged in accordance with disclosures; (2) assets are valued in accordance with investor agreements, disclosure and a firm’s policies and procedures for the purpose of calculating fees charged to advisory accounts; and (3) investment advisers are meeting their fiduciary and contractual obligations in connection with wrap fee programs. Examiners are also likely to place particular emphasis on financial professionals’ and firms’ disclosures of conflicts of interest relating to “higher cost or riskier” products and services that may incentivize financial professionals to recommend those products to retail investors. Furthermore, OCIE will focus resources on certain mutual funds and exchange traded funds (ETFs) that potentially subject retail investors to heightened risk due to poor performance, liquidity and valuation problems, a lack of experience on the part of the funds’ adviser or, in the case of ETFs, a poor secondary trading market.
With respect to senior and other retail investors who are saving for retirement, examiners will review (1) how broker-dealers identify financial exploitation of seniors, the subject of recent FINRA rule changes, and (2) firms’ internal controls designed to supervise their registered representatives’ sales of products and services directed at senior investors. OCIE will continue to examine firms’ investment recommendations, sales of variable insurance products and sales and management of target date funds in retail retirement accounts, along with their facilitation and involvement in retirement vehicles that primarily serve state and local government employees and employees of nonprofit organizations.
Consistent with announcements made by SEC Chairman Jay Clayton, and recent enforcement trends, OCIE will now also examine cryptocurrency and initial coin offerings (ICOs). OCIE notes that an increasing number of broker-dealers and investment advisers are engaged in this space and that areas of focus will include whether financial professionals (1) maintain adequate controls and safeguards to protect these assets from misappropriation and (2) are providing investors with accurate disclosures about the risks associated with these investments.
OCIE will also continue to examine (1) firms offering investment advice through electronic or automated platforms, including “robo-advisers”; (2) registered investment advisers who are either newly registered or have not been examined; (3) municipal advisers and underwriters; and (4) broker-dealers’ implementation of policies and procedures to ensure best execution.
Compliance and Risks in Critical Market Infrastructure
With respect to market infrastructure, OCIE will continue examinations of entities performing functions critical to market infrastructure, including clearing agencies, national securities exchanges, transfer agents and Regulation SCI entities. Among other things, OCIE’s areas of focus in this space will include (1) transfer agents’ compliance with the SEC’s Standards for Covered Clearing Agencies and corrective action taken in response to prior examinations; (2) the governance, revenue and expense generation and revenue and expense allocation procedures of national securities exchanges; (3) transfers, recordkeeping and safeguarding of funds and securities by transfer agents; and (4) whether SCI entities have effectively implemented policies and procedures to ensure, among other things, their systems’ integrity and security in the event of an SCI event.
Focus on FINRA and the MSRB
When OCIE shifted resources to increase coverage of the expanding number of federally registered investment advisers, it did so by reallocating examiners from the broker-dealer exam program. To ensure continued coverage of broker-dealers, OCIE now relies more heavily on FINRA’s examination program and meets its regulatory oversight responsibilities through OCIE’s FINRA and Securities Industry Oversight (FSIO) Examination Program. FSIO is responsible for conducting exams of FINRA and the MSRB.
FSIO completed its first full year “in business” this past year. What this means for broker-dealers is that they will see more of FINRA and less of the SEC in routine exams, but OCIE will be watching and conducting targeted reviews as it deems necessary.
In 2018, OCIE will focus on FINRA’s operations and regulatory programs and the quality of FINRA’s examinations of broker-dealers as well as municipal advisers also registered as broker-dealers. For the MSRB, OCIE will focus on the effectiveness of certain (but not identified) operational and internal policies, procedures, and controls.
Cybersecurity is a repeat priority for OCIE as it is for all regulators in the financial industry regulatory space. OCIE has a partnership approach to managing the risk in this area and is appropriately engaging with firms to identify and manage risks. In 2018, OCIE examiners will focus on: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response. Each of these six areas is critical to assessing and controlling cybersecurity risks and threats.
In 2018, OCIE will examine whether firms are adapting their AML programs to ensure compliance with obligations. OCIE notes three areas of review: (1) Customer Due Diligence and the firms’ need to take “reasonable steps to understand the nature and purpose of customer relationships and to properly address risks.” While not specifically mentioned, Customer Identification Programs (CIP) will need to be amended, as necessary, to include the new regulatory obligation imposed by the Financial Crimes Enforcement Network’s (FinCEN’s) Customer Due Diligence rule, which has a May 11, 2018 compliance date. (2) Suspicious Activity Reports (“SARs”) and ensuring that firms are filing timely, complete, and accurate reports. (3) Independent tests and ensuring that firms’ tests are robust and conducted in a timely manner.
OCIE’s examination priorities for 2018 will largely follow its prior iterations, emphasizing the protection of retail investors with particular focus on fee disclosures, senior investors and retirement accounts. OCIE will also continue to examine firms’ ability to manage risk associated with cybersecurity breaches and money laundering. Following Chairman Clayton’s lead, OCIE will also add to its examination portfolio recently emerging issues relating to cryptocurrencies and ICOs. Finally, regulated firms are reminded that the priorities identified in the NEPEP are not exhaustive and that OCIE will continue to conduct examinations focused on risks, issues and policy matters arising from a variety of sources, including market and regulatory developments, information learned through examinations, complaints, referrals and coordination with other regulators.