The Exam Priorities of the SEC’s Office of Inspections and Compliance or OCIE, announced on January 7, 2020 (the “Exam Priorities”), should be a key area of focus for every investment advisor and investment company. The Exam Priorities are key not just for those who may be facing an exam this year, but for the industry as a whole. The Exam Priorities typically center on a combination of emerging issues, primary risk areas for firms, traditional areas of concern to the Commission and the industry, and the broader current SEC priorities.
The areas identified this year are no different -- they build on prior-year areas of focus, tying those to current Commission priorities. The Exam Priorities identified in the press release and the booklet published by OCIE titled 2020 Examination Priorities, Office of Compliance Inspections and Examinations, are: Retail investors; market infrastructure; information security; focus areas relating to investment companies, broker-dealers and muni advisors; AML; fintech; and FINRA and MSRB. When evaluating these stated priorities, it is, however, critical that they be considered in the context of the overall OCIE program.
The focus of OCIE is compliance. The exam process, and the areas selected for examination, tie directly to this goal. Exams will thus be driven by the factors identified in the Exam Priorities but not delimited by them. Other factors tied to past and emerging risks as seen by OCIE and the Commission, and informed by new rule initiatives, may also impact exams.
OCIE also uses analytics, as does the entire agency, to identify key areas on which to focus. Those analytics are anchored in the four key pillars of the program: “promoting compliance, preventing fraud, identifying and monitoring risk, and informing policy. The risk-based approach, both in selecting registrants and examination candidates, and in scoping risk areas to examine, provides OCIE with greater flexibility to cover emerging and exigent risks to investors and the marketplace as they arise,” according to the 2020 Exam Priorities.
Critical to the OCIE exam process, and tied to the Exam Priorities, is a review of the compliance program of the adviser. The traditional focus of an adviser’s annual compliance review, for example, is on whether the policies and procedures are reasonably designed and effectively implemented to prevent violations of federal securities laws. This includes review of policies and procedures relating to portfolio management, custody, best execution and brokerage practices, fees and expenses, valuation and the handling of conflicts of interest. Evidence of this review, as well as its findings, will always be of great importance to OCIE.
The OCIE program produces measurable results and also fosters compliance. Last year, OCIE reports that it verified over 3.1 million investor accounts totaling over $1.5 billion in investor assets. When appropriate, OCIE also encourages registrants to address failures, errors or omissions and make customers and clients whole for certain losses. Its primary tool is the issuance of deficiency notices relating to such matters, having issued over 2,000 in the last fiscal year. OCIE made over 150 referrals to the Division of Enforcement involving a range of issues during the same time. The number of enforcement referrals was fairly consistent with the number of enforcement referrals for the prior year.
Key exam areas for advisers
Retail investors: Retail investors are a key area of focus, not just for OCIE, but also the Commission. Chairman Clayton, for example, has repeatedly discussed the importance of the retail investor, and in particular, seniors and retirement investors.
In this area, examinations and inspections will continue to assess whether the adviser, as a fiduciary, is fulfilling its duties of care and loyalty, particularly where potential conflicts are present. As the Exam Priorities make clear, this “will include assessing . . . whether RIAs provide advice in the best interests of their clients and eliminate, or at least expose through full and fair disclosure, all conflicts of interest which might incline an RIA, consciously or unconsciously, to render advice which is not disinterested.” This will also be the first exam cycle following the issuance of the June 2019 Commission Interpretation Regarding Standard of Conduct for Investment Advisers, which reaffirms and clarifies the disclosure-based Advisers Act fiduciary duty that is derived from common law principles. It is critical that the adviser faithfully fulfil its duties and obligations to the client.
Exams will likely also focus on key disclosure issues tied to the adviser’s duties and identified conflicts of interest, and assess the suitability of recommendations and advice furnished to clients. Recommendations and advice provided to seniors and “entities and individuals targeting retirement communities...[and] teacher and military personnel . . .” will also be an OCIE focus. Concerns in this area include advice pertaining to certain securities or investment products that pose elevated risks for investors.
Fees and compensation, as well as client-borne expenses, remain critical since these are likely areas in which conflicts may arise. For example, cost-sharing arrangements that involve the adviser and an investment fund can present conflicts relating to allocation of expenses. Issues can also arise with recommendations pertaining to mutual fund investments, as was seen with the share class selection cases, and with thinly-traded ETFs, municipal and other fixed income securities and microcap securities.
Information security: This is a critical risk area for virtually any enterprise. OCIE will focus on the systems at the firm, prioritizing cyber and other informational security risks, as well as risks presented by vendors and other third parties. With respect to the enterprise, the exam will focus on six key points: 1) governance and risk management; 2) access controls; 3) data loss prevention; 4) vendor management; 5) training; and 6) incident response and resiliency. Key areas for an enterprise to focus on are the proper configuration of network storage, information security governance, and retail trading information security.
Issues assessed regarding third-party and vendor risk management will include oversight generally, cloud-based storage, and controls surrounding online and mobile application access to customer accounts. In addition, safeguards surrounding the proper disposal of retired hardware will be considered.
RIAs and ICs: For more complex compliance programs, OCIE typically assesses compliance in one or more core areas keyed to the appropriateness of account selection, portfolio management practices and custody issues. OCIE will continue to prioritize exams of certain firms that have not been examined for a number of years and those which are dually-registered or are affiliated with broker-dealers.
Additional areas of focus will include mutual funds and ETFs. In this regard the examinations “will assess industry practices and regulatory compliance in various areas which include . . . (1) RIAs that use third-party administrators to sponsor the mutual funds they advise or are affiliated with; (2) mutual funds or ETFs that have not previously been examined; and (3) RIAs to private funds that also manage a registered investment company with a similar investment strategy.” OCIE will also review RIAs to private funds to assess risk compliance and controls more generally.
AML programs: The Bank Secrecy Act requires that financial institutions, which include broker-dealers and investment companies, establish anti-money laundering programs. The programs must include policies and procedures reasonably designed to identify customers and beneficial owners of legal entities, perform customer due diligence in accord with FinCEN’s Customer Due Diligence rule, monitor suspicious activity, and where appropriate, file SARs. OCIE will continue to prioritize examining broker-dealers and investment companies for compliance with their AML obligations.
LIBOR: As advisers transition away from LIBOR, OCIE has indicated that it will review firms’ preparations and disclosures regarding their readiness, particularly in relation to the transition’s effects on investors. The SEC expects that firms will evaluate their exposure to LIBOR, not only as related to fallback language in contracts, but also in connection with its use in benchmarks and indices, accounting systems, risk models, and client reporting.
Critical market infrastructure: OCIE also conducts inspections of other entities and agencies it deems critical to market infrastructure. Those include clearing agencies and national securities exchanges, transfer agents, FINRA and the MSRB. The priorities of the program are designed to assess certain risks in each of these areas as well as to perform information gathering, all of which facilitates coordination with other regulators and regulatory agencies.
In releasing its Exam Priorities, OCIE emphasizes that they are not exhaustive and will not be the only issues OCIE addresses in its examinations. OCIE indicates that it prioritizes transparency to investors, registrants, and the broader financial industry regarding its exam observations, and that it will continue to use a risk-based approach that includes analysis of the registrant’s operations, products offered, and other factors.