Bates Research | 03-12-21
SEC 2021 Exam Priorities: Climate Change, Reg BI, Disclosures and Information Security Top the List
In his leadership message accompanying this year’s priority list from the renamed Division of Examinations (“the Division”), SEC Director Peter Driscoll covered a great deal of territory over 14 pages. Together with Deputy Directors Daniel Kahl (Chief Counsel) and Kristin Snyder (National Investment Adviser/Investment Company Director), he highlighted the extraordinary growth of the Examination workforce (to over 1,000 employees across 11 regional offices) and the increased responsibilities of the Division since the inception of the Office of Compliance Inspections and Examinations (“OCIE”) 25 years ago.
The Directors described the regulatory and operational challenges of delivering financial services during the pandemic, the issuance of alerts on pandemic and emergent risks (including on cybersecurity), and the roll out of Regulation Best Interest (“Reg BI”) and the Customer Relationship Summary Form (“Form CRS”).
The Directors reported a series of data points to convey the success of their efforts during an operationally challenging 2020. The metrics are revealing. The Division completed 2,952 examinations (a slight decrease from the prior pre-pandemic year); the Division’s Investment Adviser/Investment Company Program examined 15% of registered investment advisers (“RIAs”), a market in which the number of RIAs and amount of assets under management increased substantially. They noted that this growth trend would lead to the increased oversight risk of “diminished coverage, quality, and effectiveness” absent further support. The leaders also noted that the Broker-Dealer and Exchange ("BDX") Program completed over 330 examinations of broker-dealers, more than 110 examinations of national securities exchanges, and over 90 examinations of municipal advisors and transfer agents.
Among other metrics, the Directors said that the Division issued more than 2,000 deficiency letters, verified (for the purpose of fighting fraud) over 4.8 million investor accounts totaling over $3.4 trillion (a vast increase over the prior year), and concluded examinations that have returned more than $32 million to investors.
These data points are intended to convey that, despite extraordinary challenges, the Division maintained its ambitious agenda to review firm compliance programs. The broader takeaway message from the Directors is that firms should be striving to build a compliance culture and to empower Chief Compliance Officers with sufficient seniority and authority to ensure the adequacy of firm frameworks in light of evolving and emerging risks.
This Year’s Priorities
The purpose of the annual report is to communicate Division-identified risks, trends and exam priorities to improve compliance for the ultimate protection of investors. The Division reemphasized vigilance on most of the prior years’ priorities. They covered these matters in broad categories, including protection of retail investors, financial technology and information security, anti-money laundering and market infrastructure, and there was repeated overlap from category to category.
As can be seen in Bates’ 2021 Exam Priorities Comparison Chart below, the Division added new emphasis on information security and operational resiliency, and on “other initiatives.” That “other” category is not insignificant. It covers everything from the 2021 LIBOR transition to an increased focus on RIA compliance, broker-dealer trading practices, broker-dealer financial responsibility, and mutual and exchange-traded funds (“ETFs”). Moreover, scattered throughout the priorities report was the impact of climate change.
2021 Exam Priorities Comparison Chart
© 2021, Bates Group LLC
Source: U.S. SEC Division of Examinations 2021 Examination Priorities (Compiled by Alex Russell, Managing Director, White Collar, Regulatory and Internal Investigations)
Protecting Retail Investors and Investors Saving for Retirement
The two largest programs run by the Division, Investment Adviser/Investment Company ("IA/IC") and BDX, focus on the protection of retail investors and retirement savers. The Division states that this year’s emphasis will be on sales related to mutual funds and exchange-traded products, municipal securities and other fixed income products, and microcap securities, but the exams will be in the context of compliance with Reg BI, last year’s top priority.
For broker dealers, the Division says it will conduct “enhanced testing” on various Reg BI-related policies and procedures on rollover recommendations, complex product recommendations, cost assessments, sales-based fees, and conflicts of interest.
For RIAs, the Division said it will assess whether they are meeting their fiduciary duties of care and loyalty. Examinations for RIAs will revolve around the risks associated with “fees and expenses, complex products, best execution, and undisclosed or inadequately disclosed, compensation arrangements.” The Division noted that extra attention will be paid to the use of “turnkey asset management platforms” that provide technology, investment research, portfolio management and other outsourcing services. As to fees, the Division will look to ensure that revenue sharing arrangements are adequately disclosed. For both RIAs and broker-dealers, expect continued examination on the adequacy of both the content and the filing requirements for Form CRS.
Climate Change an Emergent Priority
This year, the Division noted the emergent risks associated with climate change. Leadership states that RIAs in particular are “increasingly offering investment strategies that focus on sustainability.” Financial products referred to as socially responsible, “ESG-conscious” or sustainable are sold to investors as part of open-end funds and ETFs. The Division stated that it will continue to examine these products and strategies to determine the consistency and adequacy of their disclosures, the potential for false or misleading statements in advertising, and to “review proxy voting policies and procedures and votes to assess whether they align with the strategies.”
Financial Technology and Information Security
To say that the SEC is “concerned” with data loss and identity risk would be an understatement. The Division said it is “acutely focused on working with firms to identify and address information security risks, including cyber-attack-related risks,” and it will focus exams on those compliance framework elements that concern “endpoint security, data loss, remote access, use of third-party communication systems, and vendor management.” Firms should prepare for an intense review of policies and procedures intended to protect customer accounts, prevent outside “intrusions,” ensure verification of customer identity, prevent unauthorized account access, supervise vendors, prevent phishing, respond to ransomware incidents, and handle risk associated with remote work conditions.
Examination subjects will include, among others, mobile customer information access, personal information and record data cloud storage, and business continuity and recovery planning. Notably, the Division said it will “shift its focus” on business continuity and recovery plans to deal with the physical and financial risks associated with climate change. The only guidance given on this focus is that it will be “similar to the post-Hurricane Sandy work of the Division and other regulators,” and that the Division will be engaged in the incremental “maturation and improvements to these plans over the intervening years.”
Also noteworthy are two evolving trends. First is the growing use of “alternative data” by firms for business and investment decision-making processes. The Division said it will examine use of this “non-traditional” data to determine whether firms have appropriate controls over the information. The second item relates to adequate review of digital assets, or assets based on distributed ledger technology. The Division said it will conduct examinations to review compliance with Reg BI obligations, management and trading practices, client fund safety, prices, the safety of client assets, the effectiveness of firm controls, and the supervision of outside business activities.
Much remains unsaid in the Division’s report about the increased expectations for compliance with the new 2020 Anti-Money Laundering Act and its anticipated implementing requirements. (See Bates’ White Paper on the expanding AML compliance framework). In the 2021 priorities report, the Division reiterated its previous examination priority for broker-dealers and registered investment companies to review firm compliance practices and procedures to assess: (i) the adequacy of customer identification programs, (ii) SARs filing performance, and (iii) whether firms are conducting appropriate customer due diligence, beneficial ownership review, and adequate testing of their programs. These exams are also meant to ensure that firm policies are appropriately tailored to the characteristics of the firm and the products and services sold to their clients.
The Division said that in 2021 it will continue to perform its statutory responsibilities to examine clearing agencies (and other entities exempt from registration) and will review core risks, processes, and controls and assess financial and operational risk. The Division also stated it will examine the national securities exchanges to monitor, investigate, and enforce member and listed company compliance with exchange rules and the federal securities laws. Further, the Division said it continues to examine self-regulatory organizations (such as the Financial Industry Regulatory Authority and the Municipal Securities Rulemaking Board), plan processors, and alternative trading systems of a certain size in order “to establish, maintain, and enforce written policies and procedures designed to ensure that their systems’ capacity, integrity, resiliency, availability, and security is adequate to maintain their operational capability and promote the maintenance of fair and orderly markets.” These examinations will focus on governance, technology asset management, cyber threat management, incident response, business continuity planning, and third-party vendor management. Finally, the Division said it will examine transfer agents’ recordkeeping and record retention, the safeguarding of funds and securities, and the timeliness of their operations.
LIBOR: The Division explained that it will “engage with registrants” to make sure they have reviewed their exposures as a result of the discontinuance of LIBOR and have made preparations for any transition to an alternative reference rate on their customers’ and their own behalf.
RIA Programs: The Division stated that it will prioritize exams of firms that have not previously been examined to ensure that their compliance programs “have been appropriately adapted in light of any substantial growth or change in their business models.”
Funds: In its 2021 exams, the Division said it will prioritize valuations and their impact on fund performance, liquidity and risk-related disclosures. In particular, the Division stated it is interested in markets affected by the pandemic (energy, real estate) and products affected by the pandemic (corporate and municipal loans), focusing on the adequacy of the disclosures. The Division said it will be particularly alert to mutual fund liquidity risk management programs, given recent market stress. As to private funds, examiners will review for preferential treatment given by advisers to certain investors and for funds that have a higher concentration of structured products (such as collateralized loan obligations and mortgage-backed securities) in order to assess the risks and the adequacy of the disclosure to investors of these complex products.
The mention of the new Event and Emerging Risks Examination team in the Directors’ letter reinforces the message of this year’s priority report: the SEC expects firms to be developing a compliance framework flexible enough to handle long-standing but evolving risk, and to be able to adjust to anticipated and potential future risk. Consequently, this year’s review appears less about communicating a specific set of priorities than it is about conveying the broader perspective necessary for supervisors to maintain ongoing compliance responsibilities while expanding compliance frameworks and addressing substantial and anticipated risk (e.g. LIBOR, climate change).
For regulatory and compliance questions concerning this article, please contact Alex Russell, Managing Director, White Collar, Regulatory and Internal Investigations at ARussell@batesgroup.com or Hank Sanchez, Bates Compliance Managing Director, Bates Group at HSanchez@batesgroup.com.