Bloomberg Law

INSIGHT: SEC 2020 Compliance, Examination Priorities Aim at IT Security, FinTech Industry

Feb. 7, 2020, 9:00 AM

The SEC’s Office of Compliance Inspections and Examinations’ recently published 2020 Examination Priorities provides an overview of key areas on which OCIE will focus its examinations of SEC registrants in the coming year.

Beyond the specific elements covered in the report, registrants should take note that the office expanded its staff in 2019 and that its 2020 report is a substantial expansion of the prior year’s report. Taken in combination with important regulatory developments, the SEC’s enhanced data analytics capabilities, and an evolving risk landscape, the report should serve as a reminder for industry members to stay vigilant in their compliance and supervision efforts.

As in past years, OCIE focuses on its core mission of protecting retail investors and how financial firms engage with the investing public, while identifying several “major risk themes” that it will closely track during the year, including information security and resiliency, geopolitical events, and the LIBOR transition.

Information Security a Priority

Notably, OCIE will continue to prioritize information security in each of its five examination programs, as it did in 2019. The office plans to scrutinize investment advisers’ governance and risk management, access controls, data loss prevention, training, and incident response and resiliency.

Registrants can expect OCIE to further drill down on mobile application and online access controls, as well as issues relating to the secure disposal and end-of-life plans for hardware and software that may contain customer information and/or present network vulnerabilities.

The office will also closely examine third-party and vendor risk management policies and practices, including oversight of cloud-based service providers and other third-party network solutions.

Several of the report’s other priorities align with topics covered by the SEC’s new Regulation Best Interest and Form CRS, as well as related guidance provided to registered investment advisers in 2019.

Beyond specifically focusing on firms’ level of preparedness given the June 30, 2020, compliance date for Reg BI and Form CRS, OCIE highlights several areas that speak directly to fulfilling the new standard of care, including recommendations and advice provided to specific communities (especially seniors, teachers, and military) and for specific product types (especially private placements, as well as complex or high-fee products and those issued by affiliated companies).

The office will also retain focus on how registered investment advisers fulfill their duties of care and loyalty, targeting how RIAs are compensated and the degree of disclosure provided to clients, including for specific product types (such as mutual funds and ETFs) that are targeted to retail investors.

In the brokerage space, marketplace abuse related to microcap securities (i.e., issuers with a market capitalization under $250 million) will continue to be a focus, including whether firms are complying with their obligation to file required suspicious activity reports for any potentially unlawful trading in those securities.

Expanded Focus on FinTech Practices

The 2020 priorities include an expanded focus on FinTech practices, including the use of alternative data, sales and trading practices for digital assets, and RIAs who provide services through “robo-advice” platforms. We specifically note OCIE’s overlapping priorities of alternative data and third-party risk management as areas where it may devote particular attention during examinations.

For financial institutions subject to the Bank Secrecy Act’s requirement to establish and maintain an effective anti-money laundering program, OCIE will continue reviewing how firms adhere to requirements to verify customer identity and beneficial ownership of entities, as well as comply with their SAR filing and systematic testing obligations.

In addition, the SEC will continue its risk-based examination programs for key institutions in the U.S. market infrastructure, including clearing agencies, securities exchanges, transfer agents, and the so-called “SCI entities” that are subject to the SEC’s Regulation Systems Compliance and Integrity.

The 2020 Examination Priorities highlighted the SEC’s 2019 settlements with clearing agencies and additional settlements involving Reg SCI as arising from the examination context. SCI entities can expect the SEC to look closely at remediation measures in response to past examinations in addition to IT inventory management, IT governance, incident response preparedness, and third-party vendor risk management, including cloud-based providers.

Of the more than 3,000 examinations conducted by OCIE in fiscal year 2019, the office issued deficiency letters in approximately two-thirds and made more than 150 referrals to the SEC’s Division of Enforcement during that period.

Financial services firms should closely review the SEC’s list of priorities and ensure that they address any applicable areas before their next SEC examination.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Tim Foley is counsel at Alston & Bird LLP in Washington, D.C., in the firm’s Financial Services & Products Group. He advises broker-dealers and other financial institutions in regulatory compliance and enforcement matters involving the SEC, FINRA, self-regulatory (SRO) agencies and state and foreign regulatory agencies.

Katherine Doty Hanniford is a senior associate at Alston & Bird LLP in Washington, D.C., on the firm’s Technology & Privacy and Cybersecurity Preparedness & Response teams. She focuses her practice on cybersecurity and privacy compliance and enforcement.