On February 7, 2018 the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced its 2018 National Exam Priorities. The priorities, formulated with input from the Chairman, Commissioners, SEC Staff and fellow regulators, are mostly unchanged from years past (New Year, Similar Priorities: SEC Announces 2017 OCIE Areas of Focus, Orrick.com). However, the publication itself is presented in a more formal wrapper that begins with a lengthy message from OCIE’s leadership team describing the Office’s role and guiding principles, including that they are risk-based, data-driven and transparent, and that they embrace innovation and new technology.
OCIE’s principal 2018 priority, not surprisingly, appears to be the protection of retail investors, including seniors and those saving for retirement. OCIE specifically stated that it will focus on the disclosure of investment fees and other compensation received by financial professionals; electronic investment advisors – sometimes known as “robo-advisors”; wrap fee programs in which investors are charged a single fee for bundled services; and never-before-examined investment advisors. As to the latter, OCIE indicated that in the most recent fiscal year, it examined approximately 15 percent of all investment advisors, up from 8 percent five years before. It remains to be seen whether that increasing trend will continue.
Noting that the cryptocurrency and initial coin offering (ICO) markets “present a number of risks for retail investors,” OCIE included them as a priority for the first time. Examiners will focus on whether financial professionals maintain adequate controls and safeguards over the assets, as well as the disclosure of investment risks.
Other 2018 priorities are compliance and risks in critical market infrastructure; cybersecurity protections, which OCIE states are critical to the operation of our markets; and anti-money laundering programs. In addition, OCIE has prioritized its examinations of FINRA and MSRB to ensure that those entities continue to operate effectively as self-regulatory organizations subject to the SEC’s oversight.
Last week, the SEC’s Office of Inspector General (“OIG”) released its semiannual report to Congress, which details the OIG’s independent and objective audits, evaluations, investigations and other reviews of the SEC’s programs and operations in order to prevent and detect fraud, waste and abuse in SEC programs and operations, and other vulnerabilities the SEC faces. In the most recent report, the OIG was critical of various programs, but most notably: (1) recommended a new framework to increase the Office of Compliance Inspections and Examinations coverage of registered investment advisors, and (2) informed Congress it was conducting a further evaluation on the SEC’s enforcement investigations to ensure that investigations are coordinated internally and across SEC divisions and offices.
On January 11, 2016, the SEC announced its Office of Compliance Inspections and Examinations (OCIE) priorities for the year. The announcement included several new areas of focus, including liquidity controls, public pension advisers, exchange-traded funds (ETFs), product promotion, and variable annuities. Hedge fund and mutual fund managers, private equity firms, and broker-dealers – in particular those that deal with retirement investments – would be wise to take note of these new areas of interest. As in past years, enforcement actions in these areas are likely to follow.
On Monday, November 9, 2015, the Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (“SEC”) released results from its evaluation of investment adviser firms’ use of third parties for compliance functions, including outsourced chief compliance officers (“CCO”). Outside CCOs often perform important compliance responsibilities, including updating firm policies and procedures, preparing regulatory filings, and conducting annual compliance reviews. Despite the importance of these functions, the Risk Alert (“Risk Alert” or “Alert”) indicated that several of the outsourced CCOs examined had not implemented effective compliance programs. The Alert, available here, sends a cautionary signal to investment adviser firms considering outsourcing compliance functions. This warning is particularly timely since government agencies, including the SEC, have increased their focus on financial firms’ compliance programs, and on CCOs in particular.
For the last few years, the SEC has been issuing guidance as to appropriate cybersecurity policies and procedures for financial firms. In a move that signals the regulator’s willingness to put muscle into its cybersecurity guidance, the SEC announced an agreement with St. Louis-based investment company, R.T. Jones Capital Equities Management (“R.T. Jones” or “the company”), to settle charges that the company failed to adequately safeguard the personal information (“PI”) of approximately 100,000 individuals. Consistent with this trend, the SEC has announced that its Office of Compliance Inspections and Examinations (“OCIE”) would be conducting a second round of investigations into the cybersecurity practices of brokerage and advisory firms (the “Cybersecurity Examination Initiative”). These moves signal the SEC’s increasing scrutiny of investment firms’ information security practices and indicate the regulator’s willingness to enforce the guidance that it has issued.
On February 3, 2015, the U.S. Securities and Exchange Commission released a Risk Alert addressing cybersecurity issues at brokerage and advisory firms, along with suggestions to investors on ways they can protect themselves and their online accounts. FINRA issued a similar, more extensive “Report on Cybersecurity Practices” on the same day.
The National Exam Program Risk Alert, “Cybersecurity Examination Sweep Summary,” summarizes cybersecurity practices and policies of 57 registered broker-dealers and 49 registered investment advisers, based on examinations conducted by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”). These findings should be reviewed by CISOs and CIOs who have responsibility for cybersecurity protection because they highlight best practices and areas ripe for improvement. It is reasonable to assume that both the SEC and FINRA will expect firms to review the findings and tailor their own internal assessments and practices to improve their cybersecurity posture accordingly. They also underscore that the simplest cyber-related scams (phishing, fraudulent e-mail scams, etc.) are still remarkably successful.