Former SEC Enforcer Reviews Regulator’s 2019 Agenda

ACA Compliance Group presented an adviser-focused webinar on Wednesday, covering the 2019 regulatory agenda of the U.S. Securities and Exchange Commission (SEC) in high detail.

Speakers on the webinar included Askari Foy, managing director for the subsidiary ACA Aponix; Matthew Shepherd, principal consultant with the ACA Compliance Group; and Allison Charley, senior principal consultant with ACA Compliance Group and a former SEC examinations office chief.

According to the speakers, advisers would do well to review the increasingly important role played by the SEC’s Office of Compliance Inspections and Examinations, known as the “OCIE.” This is the body within the SEC that works to identify and address wrongdoing or negligence by investment advisers, mutual fund providers, transfer agents and the various other entities involved in the sale and service of securities.

In 2019, OCIE has a number of new points of focus, the speakers said. One of these is ensuring more timely reviews of “never-been-examine advisers,” even in cases where there are no strong red flags of the type that would typically trigger an audit.

As Charley pointed out, the “never-been-examined” nomenclature can be confusing, because this category in the eyes of the SEC and OCIE also includes advisers that have in fact been examined before—just not in some time. It also includes those who have had made a significant change in the business model, as well as those advisers whose practices have seen a lot of recent growth, she said.

“OCIE uses both an objective and subjective approach to risk-ranking firms during its process of deciding who will be reviewed next,” Charley explained. “They have a laundry list of what they perceive as risk factors, such as the size of firms, the complexity of product offerings, whether the firm has custody of client assets, etc. All of these risks go into different buckets that are then equally weighted, for better or worse. So in this system, the more of these risks you have—even if they are relatively innocuous risks when examined one by one—the higher your risk rating is going to be, because of the equal weighting.”

According to Charley, OCIE uses the bucket system to put firms in different risk tiers. At this stage, the various regional offices are asked to take a look and then offer a subjective score about each firm. The regional staff adds color about what they know about the firm, its staff, past regulatory issues and more. The objective and subjective analyses are then united to create a combined risk score. Naturally, a firm that seems riskier than its peers is more likely to see the SEC sooner than peers with lower risk scores, Charley said.

Turning to the areas where OCIE staff will focus their adviser audits in 2019 and beyond, Charley suggested one area will be around the development and use of custom asset-allocation models and custom indexes. OCIE staff will ask how are these being created and monitored over time, what is the accuracy and adequacy of the disclosures being made, and if there are any conflicts of interest between the adviser and the investment provider. If there are real or perceived conflicts, OCIE will ask how these are being disclosed and mitigated.

Picking up on Charley’s commentary, Shepherd said fees among retirement investments is a very hot topic at SEC this year.

“They are interested in assessing whether firms have business models that increase the risk that full disclosures aren’t being made,” he said. “They are very interested in making sure that this particular risk area is covered—they want to maximize the number of dollars that are being invested rather than going into the pockets of advisers and providers. Of course, SEC believes it is okay to charge a higher fee for a value-added service or a particular investment opportunity, but you have to make sure clients know what is going on.”

According to Shepherd, OCIE staff will be looking at the fees the adviser is charging on net, and then comparing this with what disclosures the client is presented with.

“They will be looking very closely for discrepancies,” Shepherd said. “They will look at the firms’ disclosures closely for any misleading or missing information. They are also going to look at the people who work at the firm to examine whether the staff has any personal financial incentives to recommend specific products over others.”

Shepherd also said “wrap fee programs” are high on the OCIE agenda.

“They will also be focusing on these disclosures,” he said. “Advisers must make sure wrap fee disclosures are clear and that the client knows what they are paying for. In the eyes of the OCIE, if a wrap fee program is working as intended, that’s great, but if the client is seeing trades that cause them to pay more than they otherwise would have done under a more standard brokerage fee arrangement, this will be a red flag.”

Following Shepherd’s commentary, Foy suggested another major priority for the regulator this year will be cybersecurity.

“Cybersecurity has becoming a top priority over the last five years, and this will obviously continue,” Foy said. “SEC will be making sure firms have the right governance and systems in place to protect investors. How are you going about governing and controlling your networks? SEC will ask you this and you must be ready to answer them. You must have a good understanding of the tools and solutions being used—and also an understanding of the configuration of network devices, such a firewalls, routers and switches. Is this documented? Who has access to sensitive systems, and how is this decided upon?”

Foy said SEC wants to see senior managers engaging in this topic. It cannot be left to lower-level technology staff to make the crucial decisions about protecting clients’ assets and personally identifiable information.

“What is being documented and discussed among managers to maintain security and compliance?” Foy asked. “SEC will be expecting to see minutes and documentation about this stuff. They will want to see a cybersecurity road map, penetration testing and established written criteria for what types of risks will be reported up the executive chain.”

Foy said the SEC likes to see this type of documentation because it shows senior management is in touch with what is going on within the firm from a technology perspective. He said policies should be written and documented, because at the end of the day, violation of a registered firm’s stated policies and procedures is a violation of the law in the eyes of the SEC.

“We’ve seen a lot of firms that have written policies, but they don’t have the full set of standards and procedures fleshed out to actually make the policies a reality,” Foy noted. “An example of a standard might be requiring strict passwords, requiring timed lock-outs when incorrect passwords are entered, etc. An example of a procedure would then be to describe in writing who is responsible for doing what when a breach of a given nature occurs. It doesn’t have to be so detailed that it is a step-by-step guide, but if I come into your shop, I should be able to take your policies and procedures and get the cybersecurity job done without you. In the SEC’s eyes, every firm is going to have some kind of breach or hack, it’s only a matter of time.”

Something else for advisers to ask is, what happens when a company insider or a service provider is part of a data breach? Foy said this is one area that is often overlooked. Another issue comes up when firms have remote offices and remote workers. How do the policies and procedures apply to these groups? SEC will want to know, because it is common to see outside advisers and offices not following fully the home offices’ policies and procedures. Foy suggested branches should be provided with a required list of hardware and software that is pre-approved by the headquarters.

“Is any sensitive information located at the branch offices?” Foy asked. “Is there adequate physical security at these locations, as well as cybersecurity? Is there a formal process and procedure set for how issues are going to be reported? Third parties with access to any sensitive systems must have policies and procedures in place that are as strong as yours, if not stronger.”