NSCP: SEC Exam Division leaders share insights on new year of priorities

At the NSCP annual conference this week, SEC Exam Division leaders told the audience how to best prepare for agency inspections.

On Wednesday, at day three of the National Society for Compliance Professionals (NSCP) annual event, several SEC representatives addressed the audience to discuss the agency’s exam priorities and recent exam findings, and to recommend guidance documents firms can use for their ongoing training.

The speakers started with the list of 2024 exam priorities the agency released on Tuesday, saying the SEC met with even more outside stakeholders than usual, to assess what could be done better and better appreciate the impact of the rules. The NSCP itself was one of those stakeholders.

Speakers said publishing the priorities in January had felt disjointed, as it occurred after the SEC’s fiscal year, and it sounded like the new timing would stick. They also reminded the audience that the examination priorities listed in the document serve as a mere snapshot and don’t represent the wider array of possible examination topics the agency could pursue.

Investment advisers and risk

The SEC’s Investor Advisory Committee (IAC) advises the Commission on regulatory priorities, the regulation of securities products, trading strategies, and fee structures, among other things. Natasha Greiner, Acting Co-Director of the Division of Examinations, said the majority of the staff’s exam approach is risk-based, with the division allocating significant focus to specific services or product lines, particularly when they are new business lines for the firm being reviewed.

In the investment adviser space, she said fiduciary duty, disclosure related to such duty, and the effectiveness of compliance programs were major IAC priorities. Compliance programs must reflect the current state of the business, she said.

In the last (fiscal) year, the agency issued nine risk alerts, six of them in the IAC space. Greiner strongly encourages compliance professionals to keep two of them close at hand and use them to inform their compliance program improvements and ongoing compliance training initiatives.

The first one is from March, entitled “Observations from Examinations of Newly-Registered Advisers,” and it discusses the typical focus areas reviewed during examinations of newly registered advisers and shares the staff’s observations regarding compliance policies and procedures, disclosures, and marketing practices.

The second is from September and is titled “Investment Advisers: Assessing Risks, Scoping Examinations, and Requesting Documents.” It explains the agency’s risk-based approach both for selecting advisers to examine and for determining the scope of risk areas to examine. It also helps explain which documents the staff would likely request during an examination.

Compliance program rule

Marshall Gandy, National Associate Director of the Investment Adviser and Investment Company Examination Program, turned to the topic of compliance programs and the compliance program rule – SEC Rule 206(4)-7 – which requires each investment company and investment adviser registered with the SEC to adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws, review them annually for their adequacy and the effectiveness of their implementation, and designate a chief compliance officer to be responsible for administering the policies and procedures.

He said the rule empowers CCOs to protect investors and to protect the reputational interest of their firm. He recommended attendees read Commissioner Hester Peirce’s October 2022 speech “Costumes, Candy and Compliance,” which discusses how firms and compliance officers can best work with the SEC’s examinations teams when they are examining their firms.

He reminded attendees that the SEC strives to examine new firms within a year of their existence, both investment advisers and registered investment companies.

“You can view us as an adversary coming into your business, but then you will lose out on what is trying to be accomplished,” he said. “Your approach matters.”

BDX exam program

The Broker-Dealer and Exchange (BDX) Examination Program at the SEC conducts examinations of broker-dealers, national securities exchanges, transfer agents, municipal advisors, the Public Company Accounting Oversight Board and the Securities Investor Protection Corporation. Michael Rufino is its National Associate Director and Associate Regional Director in the New York Regional Office, and he spoke to attendees about the program’s particular focus points right now.

Regulation Best Interest is certainly one of them; Rufino said the division will continue to address standards of conduct issues for broker-dealers and investment advisers, with reviews focused on how they are satisfying their obligations under Regulation BI to act in the best interests of retail investors and not to place their own interests ahead of retail investors’ interests. Examiners look at firms’ consideration of alternatives (with regard to potential risks, rewards, and costs); management of conflicts of interest; trading (best execution obligations); disclosures (in Form ADV and Form CRS); and account selection.

“We look at a lot of complex products being sold to retail investors and ask whether the firm is considering more suitable alternatives, at the costs and fees, and whether compliance policies and procedures reflect outdated verbiage (mentioning suitability and not Reg BI), plus whether well-written policies and procedures are actually being followed,” he said.

Other concerns for the division are conflict of interest identification and mitigation processes, plus how the business may favor its proprietary products over others in their recommendations and trading practices.

Anti-money-laundering programs will always be a focus area, he said, as the agency wants to see businesses are able to spot and report on suspicious transactions in a timely way and memorialize these processes and decisions in writing.

Rufino said the SEC’s financial responsibility framework is something to keep in mind; namely, the net capital rule, which focuses on liquidity and is designed to protect securities customers, counterparties, and creditors by requiring that broker-dealers have sufficient liquid resources on hand at all times to satisfy claims promptly, and the customer protection rule, which complements the net capital rule by requiring that customer property (securities and funds) in the custody of broker-dealers be adequately safeguarded.

BDX examines municipal advisers for (among other things) their adherence to their duty of care and loyalty, and how businesses are managing their counterparty risk, or the probability that the other party in an investment, credit, or trading transaction may not fulfill its part of the deal.

TCP: Technologists … and some lawyers

Acting Co-Director of the Division of Examinations (along with Natasha) is Keith Cassidy, who told the attendees about the goals of the Technology Controls Program, or TCP, which conducts examinations of entities subject to Regulation Systems Compliance and Integrity (Reg SCI). This program area also administers the SEC’s CyberWatch program, which is the primary intake point for information filed under Reg SCI. 

It is staffed by a large team of technologists and a bunch of lawyers, he said.

It’s the newest of the programs at the SEC, founded in 2014, and it largely focuses on operational resilience, tech controls and system resilience, crypto assets (for which it has a specialist team), and a cyber watch group that examines firms’ incident responses, among other areas.

TCP seeks to ensure registrants appreciate their obligation to safeguard records, surveil their branch offices, and test the controls they have to monitor third parties, plus how registrants are ensuring the physical security of their infrastructure.

The office handles the examination of firms’ use of mobile devices and how they supply any automated advice and sales through robo-investment tools and other automated tools. A major focus has been its ongoing efforts to ensure that systemically important clearing agencies are resilient in times of financial stress through recovery and resolution planning.

TCP has developed an entity risk assessment tool to help TCP staff assess entities’ risks in specific areas, such as business continuity planning and disaster recovery, database security, data loss prevention, mobile device security, and information technology governance.

Training for regulator and registrant

Greiner detailed how helpful it is to the examination staff that they have the people who write the rules right in their building – Market Regulation, Corporate Finance or Investment Management (IM), the rulemaking divisions – so they can better understand their goals and applicability. They have a copious amount of training resources, sometimes bring in outside experts and use their chief counsel office to help gather groups together so they work more consistently, and with a better appreciation for the rules.

Staff members also learn the same way that businesses do, from reading deficiency letters, going through examinations, learning how problems occur and how they can best be fixed. Basically, learning a lot on the job.

Each member of the panel stressed how much effort and real-case data they put into their guidance updates, staff interpretations, national seminars, risk alerts, and annual priorities report, and they hope registered firms will use them to regularly assess their compliance programs for effectiveness and timely updating.