On February 7, 2018 the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced its 2018 National Exam Priorities. The priorities, formulated with input from the Chairman, Commissioners, SEC Staff and fellow regulators, are mostly unchanged from years past (New Year, Similar Priorities: SEC Announces 2017 OCIE Areas of Focus, Orrick.com). However, the publication itself is presented in a more formal wrapper that begins with a lengthy message from OCIE’s leadership team describing the Office’s role and guiding principles, including that they are risk-based, data-driven and transparent, and that they embrace innovation and new technology.
2018 Priorities
OCIE’s principal 2018 priority, not surprisingly, appears to be the protection of retail investors, including seniors and those saving for retirement. OCIE specifically stated that it will focus on the disclosure of investment fees and other compensation received by financial professionals; electronic investment advisors – sometimes known as “robo-advisors”; wrap fee programs in which investors are charged a single fee for bundled services; and never-before-examined investment advisors. As to the latter, OCIE indicated that in the most recent fiscal year, it examined approximately 15 percent of all investment advisors, up from 8 percent five years before. It remains to be seen whether that increasing trend will continue.
Noting that the cryptocurrency and initial coin offering (ICO) markets “present a number of risks for retail investors,” OCIE included them as a priority for the first time. Examiners will focus on whether financial professionals maintain adequate controls and safeguards over the assets, as well the disclosure of investment risks.
Other 2018 priorities are compliance and risks in critical market infrastructure; cybersecurity protections, which OCIE states are critical to the operation of our markets; and anti-money laundering programs. In addition, OCIE has prioritized its examinations of FINRA and MSRB to ensure that those entities continue to operate effectively as self-regulatory organizations subject to the SEC’s oversight.
Insights Regarding Execution of OCIE Priorities
Kristin Snyder, OCIE’s Co-head of the SEC’s Investment Adviser/Investment Company Examination Program and Associate Regional Director in the SEC’s San Francisco Regional Office, commented on OCIE’s 2018 priorities during a Q&A panel the day after OCIE released them. She emphasized that OCIE employs a data-driven risk-based strategy to select individuals and entities for examination. The approach involves looking at factors that create the greatest possibility for liability and selecting exam subjects based on that risk analysis. This model does not mean that OCIE expects to find violations in those selected firms and priority areas, but rather that it will focus its resources in the areas that present the greatest risk. Indeed, Snyder noted that very few entities and individuals who are examined get referred to the SEC’s Division of Enforcement, and of the few matters that are referred to Enforcement, even fewer result in charges.
Snyder also emphasized that OCIE increasingly uses risk data analytics to scope entities and individuals for examination and to effectively carry out its priorities. Specifically, regional OCIE offices receive a spreadsheet from OCIE’s home office that provides objective data analytics, such as firm size, that they use, along with their experience and other factors, to put entities or individuals on the exam list or to move their position on the list. Factors making entities or individuals more likely to be exam subjects include problems with prior exams, unusual changes in disclosures or involvement in lawsuits.
Snyder also discussed a number of hot-button issues, including:
- Fees: Snyder emphasized that OCIE is focused on fees for registered investment advisors and valuations for private fund advisors. Its priorities are largely identical to those articulated in OCIE’s September 14, 2017 Risk Alert .
- Valuations: Snyder said that OCIE would also continue to focus on valuation methodologies and disclosures with respect to private fund advisors.
- Potential liability of Chief Compliance Officers (CCOs): When asked about the SEC’s stance regarding individual liability for CCOs under the new Administration, Snyder referred to Former Enforcement Director Andrew Ceresney’s November 2015 speech to the National Society of Compliance Professionals and stated that the Commission’s views on the subject remain unchanged: it remains focused on compliance officers who engage in fraud or egregious failures, obstruct investigations or exhibit a wholesale failure to carry out responsibilities. It thus appears that the change in Administration has not signaled a departure from OCIE’s previous position on individual liability for CCOs: compliance officers who perform diligently and in good faith should not fear OCIE exams or enforcement actions. Snyder did, however, note the trend to outsource CCOs, particularly for smaller firms. She indicated that outsourcing the CCO role is not a per se problem or issue, but noted that some outsourcing firms are now servicing upwards of 20 investment advisors at a time, thus raising questions about whether they have the resources to adequately fulfill CCO duties.
- ICOs: Finally, Snyder said that OCIE would be looking at ICOs and whether advisors need to register because they are a “security” and, if so, whether they are complying with suitability and custody rules.
Tips and Best Practices
OCIE has emphasized that the 2018 list of priorities is not exhaustive, and that OCIE is not bound by the areas of focus described therein. Nonetheless, it seems likely that OCIE will devote the majority of its resources toward the stated priorities in the coming year. Companies and individuals would thus be well advised to focus efforts on ensuring that their compliance infrastructure is strong, particularly in announced areas of OCIE focus.
One best practice for ensuring that a firm is in shape to address OCIE’s priority issues and pass an exam is to conduct a mock OCIE exam. Entities and individuals who have previously been the subjects of OCIE exams have reported that conducting mock exams – often under the supervision of counsel, thus protecting the results under privilege – has prepared them for actual OCIE exams. In addition, entities and individuals should document all compliance issues, significant judgment calls and changes to their valuation methodology, so they have a record and are well prepared should the matter be questioned during an exam. As a best practice, this should be done upon advice of counsel and under privilege in the first instance to avoid creating liability.