SEC Investment Adviser and Investment Company Exam Priorities
The exam priorities of the SEC’s Office of Inspections and Compliance or OCIE, announced on January 7, 2020, are a key priority for every investment advisor and investment company. Those priorities are key not just for those who may be facing an exam this year but also for the industry. The priorities typically center on a combination of emerging issues, key risk areas for the firm, traditional areas of concern not just to the agency but the industry and current SEC priorities.
The areas identified this year are no different: they build on the past while tying those points to current Commission priorities. Those identified in the press release and the glossy booklet published by the Office titled 2020 Examination Priorities, Office of Compliance Inspections and Examinations, are: Retail investors; market infrastructure; information security; focus areas for advisers, ICs, broker-dealers and muni advisors; AML; fintech; and FINRA and MSRB. When evaluating these points, it is, however, critical that they be considered in the context of the overall OCIE program.
The focus of OCIE is compliance. The exam process, and the areas selected for examination, tie directly to this goal. Exams will thus be driven by the factors identified in the Exam Priorities but not delimited by them. Other factors tied to past and emerging risks as seen by the Office and the agency, and informed by new rule initiatives, may impact the exam.
OCIE also uses analytics, as does the entire agency, to identify key areas on which to focus. Those analytics are anchored in the four key pillars of the program: “promoting compliance, preventing fraud, identifying and monitoring risk, and informing policy. The risk-based approach, both in selecting registrants and examination candidates and in scoping risk areas to examine, provides OCIE with greater flexibility to cover emerging and exigent risks to investors and the marketplace as they arise,” according to the 2020 Exam Priorities.
Critical to the exam process is a review of the compliance programs of the advisory. The traditional focus is whether the policies and procedures are reasonably designed, implemented and maintained. This includes account selection, portfolio management, custody, best execution, fees and valuation.
The program's results also foster compliance. Last year the Office verified over 3.1 million investor accounts totaling over $1.5 billion. When appropriate, OCIE also encourages registrants to make customers and clients whole. In addition, it issued over 2,000 deficiency notices in the last fiscal year and made over 150 referrals to the Division of Enforcement involving a range of issues.
Key exam areas for advisors
Retail investors: Retail investors are a key area of focus not just for OCIE but also the Commission. Chairman Clayton, for example, has repeatedly discussed the importance of the retail investor, and in particular, seniors.
Here, the inspections will continue to assess whether the advisory, as a fiduciary, is fulfilling its duties of care and loyalty, particularly where potential conflicts are present. As the 2020 Exam Priorities makes clear, this “will include assessing . . . whether RIAs provide advice in the best interests of their clients and eliminate, or at least expose through full and fair disclosure, all conflicts of interest which might incline an RIA, consciously or unconsciously, to render advice which is not disinterested.” It is critical that the advisor faithfully fulfil its duties and obligations to the client.
The exams will also focus on key disclosure issues tied to the advisor’s duties and assess the recommendations and advice furnished to clients. Seniors and recommendations and advice provided to “entities and individuals targeting retirement communities . . . [and] teacher and military personnel . . .” will be a focus. One example of issues in this area is certain securities products that pose elevated risks for the investors and investment advice involving such products.
Fees and compensation are also critical here since conflicts may be presented in a number of forms. For example, sharing arrangements that involve the advisor and an entity can present conflicts. Issues can also arise with mutual funds as in the share class selection cases, and with ETFs, municipal and other fixed income securities and microcap securities.
Information security: This is a critical security and risk area for virtually any enterprise. OCIE will focus on questions centered on the systems at the firm and risks presented by vendors and third parties. With respect to the enterprise, the exam will focus on six key points: 1) governance and risk management; 2) access controls; 3) data loss prevention; 4) vendor management; 5) training; and 6) incident response and resiliency. Key for the enterprise is the proper configuration of network storage, information security and retail trading security.
Issues regarding third-party and vendor risk management will also be assessed. Those include questions regarding oversight, cloud-based storage, controls surrounding online access and mobile application access to customer accounts. In addition, safeguards surrounding the proper disposal of retired hardware will be considered.
RIAs and ICs: For complex programs, OCIE typically assesses compliance in one or more core areas keyed to the appropriateness of account selection, portfolio management practices and custody issues. The Office will continue to prioritize exams of firms that are dually registered or are affiliated with broker dealers.
Additional areas will include investments in mutual funds and ETFs. In this regard the examinations “will assess industry practices and regulatory compliance in various areas which include . . . (1) RIAs that use third-party administrators to sponsor the mutual funds they advise or are affiliated with; (2) mutual funds or ETFs that have not previously been examined; and (3) RIAs to private funds that also manage a registered investment company with a similar investment strategy.” The Office will also review RIAs to private funds to assess risk compliance and controls.
AML programs: The Bank Secrecy Act requires that financial institutions, which include broker-dealers and investment companies, establish anti-money laundering programs. The programs must include policies and procedures reasonably designed to identify customers and beneficial owners of legal entities, perform customer due diligence in accord with the Customer Due Diligence rule, monitor suspicious activity and, where appropriate, file SARs.
OCIE also conducts inspections in other areas. Those include market infrastructure for clearing agencies and national securities exchanges, transfer agents, FINRA and the MSRB. The priorities of the program are designed to assess certain risks in each of these areas as well as information gathering, all of which facilitates coordination with other regulators and agencies.