SEC Compliance Outreach Program for Broker Dealers
Securities and Exchange Commission
The 2015 National Compliance Outreach Program for Broker-Dealers
Tuesday, July 14, 2015
Key Topics & Takeaways:
- SEC Input from Compliance Officers: SEC Chair White emphasized that the SEC remains open to input from compliance officers on risks and vulnerabilities they believe the SEC should focus on, and noted the significant opportunities for collaboration in the future.
- Cybersecurity: Menna stated that the financial services sector “is the most mature in sharing threat information,” which allows it to take preventative measures, adding that “what is one person’s detection becomes everyone else’s protection.”
- SEC and FINRA Coordination: The SEC’s Goodman and FINRA’s Wollman discussed SEC and FINRA coordination during examinations. Both explained that even though the SEC and FINRA may seem as if they are “stumbling over each other or even competing,” the two regulators try to avoid duplication unless it is necessary, as both have limited resources.
Speakers:
- Mary Jo White, Chair, Securities and Exchange Commission (SEC)
- Kevin W. Goodman, National Associate Director, Broker-Dealer Examination Program, SEC
- Susan F. Axelrod, Executive Vice President, Financial Industry Regulatory Authority (FINRA)
- Lon T. Dolber, Chief Executive Officer, Chief Information Officer, American Portfolio Financial Services, Inc.
- Jenny Menna, Cybersecurity Partnership Executive, U.S. Bank
- Daniel M. Sibears, Executive Vice President, FINRA
- Christopher Hetner, Cybersecurity Lead, Technology Controls Program, SEC
- Sterling Daines, Managing Director, Global Compliance Division, Goldman, Sachs & Co.
- Sarah Green, Senior Director, Enforcement, FINRA
- Pamela K. Ziermann, Senior Vice President, Dougherty & Company LLC
- Denise Saxon, Assistant Regional Director, Denver Regional Office, SEC
- Gloria Greco, Managing Director, Co-Chief Compliance Officer, Bank of America-Merrill Lynch, Pierce, Fenner & Smith Inc.
- Daniel Gregus, Associate Regional Director, Chicago Regional Office, SEC
- Marion S. Halliday, Chief Compliance Officer, Janney Montgomery Scott LLC
- Bill Wollman, Executive Vice President, FINRA
- Michael Rufino, Executive Vice President, FINRA
Welcome and Opening Remarks – Chair White, Director Goodman, and VP Axelrod
Kevin W. Goodman, National Associate Director, Broker-Dealer Examination Program, Office of Compliance Inspections and Examinations at the Securities and Exchange Commission (SEC), welcomed participants to the event and highlighted the importance of programs to empower firms’ compliance professionals due to limited SEC resources available.
SEC Chair Mary Jo White emphasized the critical importance of compliance professionals on the front lines to assist the SEC and the Financial Industry Regulatory Authority (FINRA) in creating, implementing, and enforcing strong, comprehensive policies. She noted that compliance and risk management must be an “organization-wide” effort and responsibility, especially considering the limited resources available.
White highlighted that transparency is a priority of the national exam program, which the SEC has sought to enhance through its risk alerts and press releases about findings from prior examinations. She noted that the SEC’s intention is not to “target” compliance professionals, but instead to take action where misconduct occurs.
White closed by emphasizing that the SEC remains open to input from compliance officers on risks and vulnerabilities they believe the SEC should focus on, and noted the significant opportunities for collaboration in the future.
Susan F. Axelrod, Executive Vice President, Regulatory Operations, FINRA, highlighted the role of compliance professionals and regulators in creating a strong “culture of compliance” within their institutions and the markets as financial markets increase in complexity and the regulatory framework extends with them. She noted that open, constructive dialogue benefits everyone and enables regulators to identify issues before investor harm occurs.
Axelrod touched on FINRA’s program to enhance early recognition in the cyber-sphere through in-depth reports, such as the February 2015 report. With the frequency and sophistication of cyber attacks increasing, she said, responding to cyber threats is of the “highest priority.”
Axelrod spoke extensively about FINRA’s efforts in the senior investor sphere, noting that an April joint report from the SEC and FINRA outlined firms’ policies and practices on senior investors. She highlighted the reach of the FINRA helpline for investors, which began in April and has received 867 calls from 47 states and four countries (U.S., Israel, Vietnam, and U.K.). She added that the helpline has brought to light several areas where FINRA can help with investor education.
In the future, Axelrod noted, FINRA will continue to publish additional guidance to bolster controls and compliance procedures, specifically in the form of an upcoming report outlining effective practices to manage liquidity and funding in times of market stress.
Panel 1: Cybersecurity
Moderator Christopher Hetner, Lead, Technology Controls Program, Office of Compliance Inspections and Examinations at the SEC, asked the panel what cybersecurity actors, threats, and potential impacts exist for companies.
Lon T. Dolber, Chief Executive Officer and Chief Information Officer of American Portfolio Financial Services Inc., said the real risk regarding cybersecurity threats is “with the public,” because companies have little control over what clients do, and noted that clients are often impersonated by hackers. He said that prevention would require verification of every wire transfer. Dolber added that a preventative two-factor authentication system, though beneficial, is often resisted by consumers who prefer convenience to preventative measures.
Jenny Menna, Cybersecurity Partnership Executive at U.S. Bank, told the panel that cyber crime is a growth industry because of the low risk to criminals operating from countries that do not hold their residents accountable or that lack extradition. Menna said that every company in the room has been targeted.
Daniel M. Sibears, Executive Vice President of FINRA, said ransom attacks are becoming more sophisticated and stressed the importance of independent evaluation of risks and weaknesses. Sibears explained that FINRA relies on encryption at three points (data in motion, at rest, and in use); a strong credentialed approach whereby employees’ access to information is based on need; and staff education in policy through the use of fun educational tools.
Menna stated that the financial services sector “is the most mature in sharing threat information,” which allows it to take preventative measures, adding that “what is one person’s detection becomes everyone else’s protection.” Menna highlighted that the industry has invested in Soltra, which provides this “machine to machine automated indicator sharing.”
Sibears said that some firms are reluctant to share information because they fear releasing something unseemly about their company or something that puts them more at risk. Sibears explained that this reluctance is unfounded, because the sharing is anonymous and firms can feel safe.
Hetner then asked the panel how they “protect the crown jewels in your enterprise” and to identify the most important things in their company.
Dolber said his company started with the “SANS 20” and gave the example of e-signatures, saying, “We are not just looking at operational efficiency, now we are looking at risk.”
Sibears said that there is a connection between risk management and governance, and that the board needs to be interested in cybersecurity and to understand the firm’s risk management approach. He highlighted the need to cover legacy systems, since many that companies ignore continue to collect information and therefore pose a threat. He also stressed the need to ensure that the board understands that breaches will occur and knows what the response plan is, so that the company can recover.
Hetner then asked the panel to discuss best practices and practical measures for implementing cybersecurity controls.
Menna said cyber attacks often succeed because basic and inexpensive practices were not followed, rather than because of a lack of technology. She highlighted the need for “least privilege” practices, which restrict employees’ access to only what they need, and suggested that companies keep logs of their systems so that if something does go wrong, the cause can be identified and fixed.
Sibears added that a basic function of cyber protection is handling threats from disgruntled employees, and said measures must be in place to immediately restrict such employees’ system access and ability to download documents.
Questions from the Audience
When asked how many breaches have resulted from insecure third-party vendors and how third-party risk can be managed, Hetner advised asking what kind of access third parties have to data and whether the task is outsourced entirely. He argued that companies need to oversee third parties as they would their own operations.
Dolber explained that FINRA established a vendor review committee and discussed the benefits of a single login for companies that use third-party vendors, rather than logging in to multiple sites, since this affords companies more control.
Menna highlighted that SIFMA is working on an auditable standard for vendors to hold them accountable.
Sibears pointed out that some of the largest breaches have occurred through access to vendors, and elaborated that this is a greater risk for larger firms since they tend to outsource more frequently. Sibears highlighted that vendors need to “know your standards in your own environment” and that companies need to include contractual constraints regarding cybersecurity standards.
When asked about the role of the Chief Compliance Officer (CCO) in the cybersecurity landscape, Hetner responded that the legal and compliance functions are key components of the governance steering committee. He explained that the CCO is able to advise holistically on the legal consequences of a cybersecurity breach, and held that there is definitely a role for the CCO.
Panel 2: Anti-Money Laundering
Customer Due Diligence
Sarah Green, Senior Director, Enforcement, FINRA, noted that the upcoming Customer Due Diligence Rule (CDD Rule) will be a “real game changer” for the industry. The four elements of the proposed rule are: (1) identifying and verifying the identity of customers; (2) identifying and verifying the identity of beneficial owners of legal entity customers; (3) understanding the nature and purpose of customer relationships; and (4) conducting ongoing monitoring to maintain and update customer information to identify and report suspicious transactions. Green noted that the second element, identifying and verifying beneficial owners, is likely to be the newest challenge for the industry once a final CDD Rule comes into effect. She did not provide any information on the timeline of the final rule.
Sterling Daines, Managing Director, Global Compliance Division, Goldman, Sachs & Co., expressed appreciation for how the government agencies involved in the CDD Rule conducted extensive industry outreach during their proposed rule drafting process. Daines noted that larger firms are still figuring out how to best identify beneficial owners, which can be challenging. He said there is still an open question about whether pooled investment vehicles and other entities would be subject to the final CDD Rule.
Pamela K. Ziermann, Senior Vice President, Dougherty & Company LLC, said smaller firms will need to train more people because “we all know it is never as simple as the rule on paper.”
Regarding a potential customer risk profile requirement in the final CDD Rule, Green noted that this profile process is “more entrenched in the banking side” than it is in the securities side of the industry. When discussing the ongoing monitoring and reporting requirement, Ziermann explained the need to make internal staff aware of this part of the CDD Rule and that explaining why this requirement exists is likely to lead to better compliance.
Suspicious Activity Reporting (SARs)
Denise Saxon, Assistant Regional Director, Denver Regional Office, SEC, noted SEC Enforcement Director Andrew Ceresney’s February speech, which called into question “what the industry as a whole is doing” regarding SARs. Green noted that the SAR form has expanded, that firms should perform their own risk assessments, and that regulators should ask whether firms are adequately investigating all alerts and whether they are capturing relevant activity in their monitoring systems.
Daines noted that recent SAR filings have involved illicit or suspicious trading activity. Therefore, he said, it is important for anti-money laundering supervisors to work closely with the employees who run trading surveillance.
Ziermann explained that, at smaller firms, anti-money laundering and trade surveillance are “all taking place at the same spot.” She also explained that she considers SAR filings to be “like telling a story.” She has experienced technical issues with electronic SAR filing and stressed the need for compliance professionals to make sure they obtain a paper acknowledgment form if electronic technical issues arise.
Micro-Cap Securities
The SEC’s Division of Trading and Markets put together a set of FAQs on micro-cap/low-priced securities that the industry has found helpful. One pointer from the FAQs is that it is insufficient to rely on a clearing firm’s failure to raise an issue about a low-priced security; more due diligence on the broker-dealer’s end may be necessary. Green reviewed recent micro-cap cases and mentioned potential issues that the industry should keep in mind, including: (1) coordinated account openings; (2) customers or insiders promoting micro-cap securities; (3) underlying owners of foreign financial accounts; (4) issues regarding debt conversion agreements; (5) daily trading volumes; (6) sufficiency of independent inquiries; and (7) the ability of compliance systems to retrieve the information needed to comply with the law.
Ziermann explained that nothing in the AML rules indicates that you must do a risk assessment but it is a good idea to conduct one in this space. Daines noted that the recent Brown Brothers Harriman case sent shock waves through the industry.
One audience member asked if any regulators could expand upon the definition of legal entity in the context of the CDD Rule, but Green said that this definition is still being determined.
Panel 3: Firm and Branch Supervision and Sales Practice
Outside Business Activities
Regarding outside business policies, Gloria Greco, Managing Director, Co-Chief Compliance Officer, Bank of America-Merrill Lynch, Pierce, Fenner & Smith Inc., said that her firm tracks the rules and requires employees to obtain pre-approval from supervisors and the compliance department before engaging in outside business activities. Greco explained that her firm encourages employees to be involved in outside business activities, especially charitable ones.
Marion S. Halliday, Senior Vice President, Chief Compliance Officer, Janney Montgomery Scott LLC, said her firm takes similar approaches. She explained that it is important to remain alert to any changes in employee status with regard to such outside business activities. Greco noted the importance of making sure that any outside business activity issues are flagged for new managers when they arrive.
Daniel Gregus, Associate Regional Director, Broker-Dealer Examination Program, Chicago Regional Office, SEC, explained that the SEC is particularly interested in transient registered representatives who have moved from one firm to the next, especially if they have been under heightened supervision. He also said the SEC may look at broker compensation. If such compensation is very low, one may wonder if other sources of income are involved.
Customer Complaints and Trends
Halliday said she is not seeing any particular new trends, but said supervisors need to be more vigilant as more employees are able to work remotely. She also said it is important to make sure any complaints are properly escalated. Greco noted that, although there is an overall increase in complaints across the industry, they are customer-service related rather than sales-practice related. When asked about trends, Gregus noted that there are still firms that engage in the traditional type of excessive trading in penny stocks. He has also seen excessive trading in fixed income.
Activity in Retirement Accounts
Greco explained that 401(k) rollovers are an important issue that requires making sure the client has full disclosure. Informed consent is imperative because a rollover cannot be reversed. For seniors, Greco said her firm looks at the client’s age in the context of suitability.
Halliday commented on annuity accounts and said her firm has a centralized team that reviews annuity transactions to ensure consistency and comprehensive review.
Senior Investors
Gregus cited some general trends and statistics. He noted that approaches to retirement are changing rapidly as more and more people are now required to manage their own retirement money. Furthermore, he said 77% of firms have written procedures for senior customers, “which is a good thing.” However, he noted that there is concern regarding the complexity of products in which many seniors are invested. For example, 78% of firms examined by the SEC reported that seniors are purchasing variable annuities, 20% of firms are putting seniors into non-traded REITs, 11% are in hard-to-understand structured products, and 15% of firms have seniors invested in alternative investments and leveraged ETFs. Gregus finally said he is concerned about the use of senior expert investor designations that may be misleading to investors.
Halliday said it can be frustrating for firms that want to do the right thing for senior investors who are vulnerable. She said her firm uses electronic surveillance tools to create customer profiles and spot issues. When looking out for potential senior investor issues, her firm casts a wider net and tries to notice any other life-changing personal events that could affect judgment. Greco said her firm has hired a gerontologist to help it address senior investor issues.
Panel 4: Insights from SEC and FINRA Examination Programs
Kevin W. Goodman, National Associate Director, Broker-Dealer Examination Program, Office of Compliance Inspections and Examinations at the Securities and Exchange Commission (SEC) and Bill Wollman, Executive Vice President, Member Regulation – Risk Oversight and Operational Regulation, FINRA discussed some topics in examination programs.
First, they discussed SEC and FINRA coordination during examinations. Both explained that even though the SEC and FINRA may seem as if they are “stumbling over each other or even competing,” the two regulators try to avoid duplication unless it is necessary, as both have limited resources. Goodman said that, when planning exams, the SEC analyzes documents to understand what FINRA has done, how the SEC’s exam differs, and why FINRA looked at certain areas. Wollman also emphasized that FINRA shares information with the SEC, and holds quarterly calls as well as business and risk meetings with it. Communication from the compliance department, Wollman said, is the key to raising any possible burdens or duplication caused by FINRA and SEC examinations.
Wollman said there are certain times when an examination may be, or may appear to be, duplicated. For the SEC, he explained, this occurs when a normal exam turns into an oversight exam, though he noted that these cases are fairly limited. Another such time, he explained, is when a tip or complaint is received about a high-profile firm, or when the firm is having financial difficulties. In these cases, he said, the SEC and FINRA work together to leverage their expertise and share information.
Goodman and Wollman mentioned that the SEC and FINRA may request the same documents even though they may be looking at different areas, but added that they are trying to coordinate on access to each other’s documents.
Regarding giving notice, Wollman explained that FINRA is fairly focused on “pre-work,” explaining that FINRA gives pre-announcement 60-75 days ahead of its actions and requests that information be submitted 2-3 weeks after the pre-announcement. In this way, examiners and directors can share the information and make risk decisions up-front. He said this process helps the exam to be more targeted and run more efficiently. Wollman noted that the opening phase of an exam is key, especially receiving requested documents, and stressed the importance of a firm’s willingness to explain records and allow examiners to have interviews with the employees.
Wollman noted that FINRA currently runs an exam program called “Request Manager” that tracks all the requested and submitted documents. Wollman and Goodman suggested that firms keep track of when a request was received and when the request changed, noting that firms can utilize Request Manager to coordinate with FINRA.
Goodman said that the SEC welcomes discussion with compliance professionals during the exam process. Wollman suggested that when the exam team comes into a firm, it is important to talk to the manager of the exam and hold discussions to make sure the exam does not go down the “wrong path.”
When preparing people outside the compliance department for an exam, Goodman suggested that the preparation should be different from preparing for a deposition. He said it should be open communication, and that it may not be best to say “go in and answer narrowly.”
Wollman also said that examiners know when answers differ, and that offering additional information provides a greater degree of comfort. He added that merely giving the “right answer,” or talking about what an employee does not know, may raise suspicion on the part of examiners.
Regarding the exit interview, Goodman said that listening carefully and giving feedback is important, noting that this is the time to make changes before the deficiency letter is actually sent out. FINRA meets with firms on a periodic basis, he explained, and offers status updates during the exam period. He also noted that during the exit meeting, FINRA provides a written document stating what the issues and outcomes are.
Wollman said FINRA is trying to look at conflicts of interest during examination, so compliance officers should also try to monitor possible conflicts within their firms.
Closing Remarks – Director Goodman and VP Rufino
Michael Rufino, Executive Vice President, Head of Member Regulation – Sales Practice, FINRA, summarized the several takeaways from this event.
First, he emphasized “tone at the top,” and stressed that commitment from the board and executive management is essential for compliance. On conflicts of interest, Rufino said it is important for firms to have the ability to identify and mitigate conflicts and have escalation procedures.
Next, Rufino stressed that firms should not consider compliance as a cost, but understand that good compliance means good business, and so compliance functions need budgetary support from the executive management.
Finally, Rufino asserted that compliance should always consider the customers first, and that ethical behavior is the “only behavior” and firms should settle for nothing less.
For more information on this meeting and to view an archived webcast, please click here.
,Blog Tags:,Blog Categories:,Blog TrackBack:,Blog Pingback:No,Hearing Summaries Issues:General,Hearing Summaries Agency:SEC,Publish Year:2015
Securities and Exchange Commission
The 2015 National Compliance Outreach Program for Broker-Dealers
Tuesday, July 14, 2015
Key Topics & Takeaways:
- SEC Input from Compliance Officers: SEC Chair White emphasized that the SEC remains open to input from compliance officers on risks and vulnerabilities they believe the SEC should focus on, and noted the significant opportunities for collaboration in the future
- Cybersecurity: Menna stated that the financial services sector “is the most mature in sharing threat information,” which allows it to take preventative measures, adding that “what is one person’s detection becomes everyone else’s protection.”
- SEC and FINRA Coordination: The SEC’s Goodman and FINRA’s Wollman discussed SEC and FINRA coordination during examination. Both explained that even though the SEC and FINRA may seem as if they are “stumbling over each other or even competing,” he stressed that they are trying avoid duplication unless it is necessary, as both have limited resources.
Speakers:
- Mary Jo White, Chair, Securities and Exchange Commission (SEC)
- Kevin W. Goodman, National Associate Director, Broker-Dealer Examination Program, SEC
- Susan F. Axelrod, Executive Vice President, Financial Industry Regulatory Authority (FINRA)
- Lon T. Dolber, Chief Executive Officer, Chief Information Officer, American Portfolio Financial Services, Inc.
- Jenny Menna, Cybersecurity Partnership Executive, U.S. Bank
- Daniel M. Sibears, Executive Vice President, , FINRA
- Christopher Hetner, Cybersecurity Lead, Technology Controls Program, SEC
- Sterling Daines, Managing Director, Global Compliance Division, Goldman, Sachs & Co.
- Sarah Green, Senior Director, Enforcement, FINRA
- Pamela K. Ziermann, Senior Vice President, Doughtery & Company LLC
- Denise Saxon, Assistant Regional Director, Denver Regional Office, SEC
- Gloria Greco, Managing Director, Co-Chief Compliance Officer, Bank of America-Merrill Lynch, Pierce, Fenner & Smith Inc.
- Daniel Gregus, Associate Regional Director, Chicago Regional Office, SEC
- Marion S. Halliday, Chief Compliance Officer, Janney Montgomery Scott LLC
- Bill Wollman, Executive Vice President, FINRA
- Michael Rufino, Executive Vice President, FINRA
- Bill Wollman, Executive Vice President, FINRA
Welcome and Opening Remarks – Chair White, Director Goodman, and VP Axelrod
Kevin W. Goodman, National Associate Director, Broker-Dealer Examination Program, Office of Compliance Inspections and Examinations at the Securities and Exchange Commission (SEC), welcomed participants to the event and highlighted the importance of programs to empower firms’ compliance professionals due to limited SEC resources available.
SEC Chair Mary Jo White emphasized the critical importance of compliance professionals on the front lines to assist the SEC and the Financial Industry Regulatory Authority (FINRA) in creating, implementing, and enforcing strong, comprehensive policies. She noted that compliance and risk management must be an “organization-wide” effort and responsibility, especially considering the limited resources available.
White highlighted that transparency is a priority of the national exam program, which the SEC has sought to enhance through its risk alerts and press releases about findings from prior examinations. She noted that the SEC’s intention is not to “target” compliance professionals, but instead to take action where misconduct occurs.
White closed by emphasizing that the SEC remains open to input from compliance officers on risks and vulnerabilities they believe the SEC should focus on, and noted the significant opportunities for collaboration in the future.
Susan F. Axelrod, Executive Vice President, Regulatory Operations, FINRA, highlighted the role of compliance professionals and regulators in creating a strong “culture of compliance” within their institutions and the markets as financial markets increase in complexity and the regulatory framework extends with them. She noted that open, constructive dialogue benefits everyone and enables regulators to identify issues before investor harm occurs.
Axelrod touched on FINRA’s program to enhance early recognition in the cyber-sphere through in-depth reports, such as the February 2015 report. With the frequency and sophistication of cyber attacks increasing, she said, responding to cyber threats is of the “highest priority.”
Axelrod spoke extensively about FINRA’s efforts in the senior investor sphere, noting that an April joint report from the SEC and FINRA outlined both firm’s policies and practices on senior investors. She highlighted the extent of the FINRA helpline for investors which began in April and has received 867 calls across 47 states and four countries (U.S., Israel, Vietnam, and U.K.). She added that the helpline has brought to light several areas where FINRA can help with investor education.
In the future, Axelrod noted, FINRA will continue to publish additional guidance to bolster controls and compliance procedures, specifically in the form of an upcoming report outlining effective practices to manage liquidity and funding in times of market stress.
Panel 1: Cybersecurity
Moderator Christopher Hetner, Lead, Technology Controls Program, Office of Compliance Inspections and Examinations at the SEC, asked the panel what cybersecurity actors, threats, and potential impacts exist for companies.
Lon T. Dolber, Chief Executive Officer and Chief Information Officer of American Portfolio Financial Services Inc, said the real risk regarding cybersecurity threats, is “with the public” because companies have little control over what they do and said clients are often impersonated by hackers. She noted that prevention would require verification of every wire transfer. Dolber then continued that a preventative two factor identification system, though beneficial, is often resisted by consumers who prefer convenience to preventative measures.
Jenny Menna, Cybersecurity Partnership Executive of U.S. Bank, informed the panel that cyber crime is a growth industry due to the low risk for criminals in countries that do not hold residents accountable or who lack extradition. Menna explained that every company in the room has been targeted.
Daniel M. Sibears, Executive Vice President of FINRA, said ransoms are becoming more sophisticated and stressed the importance of having independent evaluation of risks and weaknesses. Sibears explained that FINRA uses encryption at three points (motion, rest, and use), as a strong credentialed approach whereby information access for employees is based on need and staff education in policy with the use of fun educational tools.
Menna stated that the financial services sector “is the most mature in sharing threat information,” which allows it to take preventative measures, adding that “what is one person’s detection becomes everyone else’s protection.” Menna highlighted that the industry has invested in Soltra which provides this “machine to machine automated indicator sharing.”
Sibears stated that some firms are skeptical to share information because they think they might release something unseemly for their company or something that puts them more at risk. Sibears explained that this reluctance is unfounded because there is anonymity in the file sharing and that firms can feel safe.
Hetner then asked the panel how they “protect the crown jewels in your enterprise” and to identify the most important things in their company.
Lon T. Dolber said his company started with the “SANS 20” and gave e-signatures as an example, saying, “We are not just looking at operational efficiency, now we are looking at risk.”
Sibears stated that there is a connection between risk management and governance, and that the board needs to take an interest in cybersecurity and understand the firm's risk management approach. He highlighted the need to cover legacy systems, since many are ignored by companies yet continue to collect information and therefore pose a threat. He also stressed the need to ensure that the board understands that breaches will occur and what the response plan is, so that the company can recover.
Hetner then asked the panel to discuss best practices and practical measures for implementing cybersecurity controls.
Menna said cyber attacks often succeed because basic, inexpensive practices were not followed, rather than because of a lack of technology. She highlighted the need for “least privilege” practices, which restrict employees' access to what they need, and suggested that companies keep logs of their systems so that if something does go wrong it can be investigated and fixed.
Sibears added that a basic element of cyber protection is handling threats from disgruntled employees. He said measures must be in place to restrict such employees' system access and ability to download documents immediately.
Questions from the Audience
When asked how many breaches have happened because of insecure third-party vendors and how third-party risk can be managed, Hetner advised asking what kind of access third parties have to data and whether the task is outsourced entirely. He argued that companies need to oversee third parties as they would their own operations.
Dolber explained that FINRA established a vendor review committee, and discussed the benefits, for companies that use third-party vendors, of a single login rather than logging in to multiple sites, since this affords companies more control.
Menna highlighted that SIFMA is working on an auditable standard for vendors to hold them accountable.
Sibears pointed out that some of the largest breaches have occurred through access granted to vendors, and elaborated that this is a greater risk for larger firms, since they tend to outsource more frequently. Sibears highlighted that vendors need to “know your standards in your own environment” and that companies need to include contractual constraints regarding cybersecurity standards.
When asked about the role of the Chief Compliance Officer (CCO) in the cybersecurity landscape, Hetner responded that the legal and compliance functions are key components of the governance steering committee. He explained that the CCO can advise holistically on the legal consequences of a cybersecurity breach, and held that there is definitely a role for the CCO.
Panel 2: Anti-Money Laundering
Customer Due Diligence
Sarah Green, Senior Director, Enforcement, FINRA, noted that the upcoming Customer Due Diligence Rule (CDD Rule) will be a “real game changer” for the industry. The four elements of the proposed rule are: (1) identifying and verifying the identity of customers; (2) identifying and verifying the identity of beneficial owners of legal entity customers; (3) understanding the nature and purpose of customer relationships; and (4) conducting ongoing monitoring to maintain and update customer information to identify and report suspicious transactions. Green noted that the second element, identifying and verifying beneficial owners, is likely to be the newest challenge for the industry once a final CDD Rule comes into effect. She did not provide any information on the timeline of the final rule.
Sterling Daines, Managing Director, Global Compliance Division, Goldman, Sachs & Co., expressed appreciation for how the government agencies involved in the CDD Rule conducted extensive industry outreach during their proposed rule drafting process. Daines noted that larger firms are still figuring out how to best identify beneficial owners, which can be challenging. He said there is still an open question about whether pooled investment vehicles and other entities would be subject to the final CDD Rule.
Pamela K. Ziermann, Senior Vice President, Doughtery & Company LLC, said smaller firms will need to train more people because “we all know it is never as simple as the rule on paper.”
Regarding a potential customer risk profile requirement in the final CDD Rule, Green noted that this profile process is “more entrenched in the banking side” than it is in the securities side of the industry. When discussing the ongoing monitoring and reporting requirement, Ziermann explained the need to make internal staff aware of this part of the CDD Rule and that explaining why this requirement exists is likely to lead to better compliance.
Suspicious Activity Reporting (SARs)
Denise Saxon, Assistant Regional Director, Denver Regional Office, SEC, noted SEC Enforcement Director Andrew Ceresney’s February speech that called into question “what the industry as a whole is doing” regarding SARs. Green noted that the SAR form has expanded, that firms should perform their own risk assessments, and that regulators should ask whether firms are adequately investigating all alerts and whether they are capturing relevant activity in their monitoring systems.
Daines noted that SARs have recently involved suspicious trading activity. Therefore, he said, it is important for anti-money laundering supervisors to work closely with the employees who run trading surveillance.
Ziermann explained that, at smaller firms, anti-money laundering and trade surveillance are “all taking place at the same spot.” She also explained that she considers SAR filings to be “like telling a story.” She has experienced technical issues with electronic SAR filing and stressed the need for compliance professionals to make sure they have a paper acknowledgment form if electronic filing fails.
Micro-Cap Securities
The SEC’s Division of Trading and Markets put together a set of FAQs on micro-cap/low-priced securities that the industry has found helpful. One pointer from the FAQs is that it is insufficient to rely on a clearing firm’s failure to raise an issue about a low-priced security; more due diligence on the broker-dealer's end may be necessary. Green reviewed recent micro-cap cases and mentioned potential issues the industry should keep in mind, including: (1) coordinated account openings; (2) customers or insiders promoting micro-cap securities; (3) underlying owners of foreign financial accounts; (4) issues regarding debt conversion agreements; (5) daily trading volumes; (6) sufficiency of independent inquiries; and (7) the ability of compliance systems to retrieve the information needed to comply with the law.
Ziermann explained that nothing in the AML rules indicates that you must do a risk assessment but it is a good idea to conduct one in this space. Daines noted that the recent Brown Brothers Harriman case sent shock waves through the industry.
One audience member asked if any regulators could expand upon the definition of legal entity in the context of the CDD Rule, but Green said that this definition is still being determined.
Panel 3: Firm and Branch Supervision and Sales Practice
Outside Business Activities
Regarding outside business policies, Gloria Greco, Managing Director, Co-Chief Compliance Officer, Bank of America-Merrill Lynch, Pierce, Fenner & Smith Inc., said that her firm tracks the rules and requires employees to get pre-approval from supervisors and the compliance department before engaging in outside business activities. Greco explained that her firm encourages employees to be involved in outside business activities, especially charitable ones.
Marion S. Halliday, Senior Vice President, Chief Compliance Officer, Janney Montgomery Scott LLC, said her firm takes similar approaches. She explained that it is important to remain alert to any changes in employee status with regard to such outside business activities. Greco noted the importance of making sure that any outside business activity issues are flagged for new managers when they arrive.
Daniel Gregus, Associate Regional Director, Broker-Dealer Examination Program, Chicago Regional Office, SEC, explained that the SEC is particularly interested in transient registered representatives who have moved from one firm to the next, especially if they have been under heightened supervision. He also said the SEC may look at broker compensation. If such compensation is very low, one may wonder if other sources of income are involved.
Customer Complaints and Trends
Halliday said she is not seeing any particular new trends, but said supervisors need to be more vigilant as more employees are able to work remotely. She also said it is important to make sure any complaints are properly escalated. Greco noted that, although there is an overall increase in complaints across the industry, they are customer-service related rather than sales-practice related. When asked about trends, Gregus noted that there are still firms that engage in the traditional type of excessive trading in penny stocks. He has also seen excessive trading in fixed income.
Activity in Retirement Accounts
Greco explained that 401(k) rollovers are an important issue that requires making sure the client has full disclosure. Informed consent is imperative because a rollover cannot be reversed. For seniors, Greco said her firm looks at the client’s age in the context of suitability.
Halliday commented on annuity accounts and said they have a centralized team review annuity transactions to ensure consistency and comprehensive review.
Senior Investors
Gregus cited some general trends and statistics. He noted that approaches to retirement are changing rapidly, as more and more people are now required to manage their own retirement money. He said 77% of firms have written procedures for senior customers, “which is a good thing.” However, he noted concern regarding the complexity of products in which many seniors are invested: 78% of firms examined by the SEC reported that seniors are purchasing variable annuities, 20% of firms are putting seniors into non-traded REITs, 11% have seniors in hard-to-understand structured products, and 15% of firms have seniors invested in alternative investments and leveraged ETFs. Gregus finally said he is concerned about the use of senior-investor expert designations that may be misleading to investors.
Halliday said it can be frustrating for firms when they want to do the right thing for senior investors when they are vulnerable. She said they use electronic surveillance tools to create customer profiles and spot issues. When looking out for potential senior investor issues, her firm casts a wider net and tries to notice any other life-changing personal events that could affect judgment. Greco said her firm has hired a gerontologist to help them address senior investor issues.
Panel 4: Insights from SEC and FINRA Examination Programs
Kevin W. Goodman, National Associate Director, Broker-Dealer Examination Program, Office of Compliance Inspections and Examinations at the Securities and Exchange Commission (SEC), and Bill Wollman, Executive Vice President, Member Regulation – Risk Oversight and Operational Regulation, FINRA, discussed several topics concerning their examination programs.
First, they discussed SEC and FINRA coordination during examinations. Both explained that, even though the SEC and FINRA may seem as if they are “stumbling over each other or even competing,” they try to avoid duplication unless it is necessary, as both have limited resources. Goodman said that when planning an exam, the SEC analyzes documents to understand what FINRA has done, how the SEC's plan differs, and why FINRA looked at certain areas. Wollman also emphasized that FINRA shares information with the SEC and holds quarterly calls as well as business and risk meetings with them. Communication from the compliance department, Wollman said, is the key to raising any burdens or duplication caused by FINRA and SEC examinations.
Wollman said there are times when examinations are, or appear to be, duplicated. For the SEC, he explained, this occurs when a normal exam turns into an oversight exam, although he noted that such cases are fairly limited. Another such time is when a tip or complaint is received about a high-profile firm, or when the firm is having financial difficulties. In these cases, he said, the SEC and FINRA work together to leverage their expertise and share information.
Goodman and Wollman mentioned that the SEC and FINRA may request the same documents even though they may be looking at different areas, but added that they are trying to coordinate on access to each other’s documents.
Regarding notice, Wollman explained that FINRA is fairly focused on “pre-work”: FINRA pre-announces an exam 60 to 75 days ahead and requests that information be submitted 2 to 3 weeks after the pre-announcement. In this way, examiners and directors can share the information and make risk decisions up front. He said this process helps the exam to be more targeted and run more efficiently. Wollman noted that the opening phase of an exam is key, especially receiving the requested documents, and stressed the importance of a firm’s willingness to explain records and allow examiners to interview employees.
Wollman noted that FINRA currently uses a tool called “Request Manager” that tracks all requested and submitted documents. Wollman and Goodman suggested that firms keep track of when a request was received and when the request changed, noting that firms can use Request Manager to coordinate with FINRA.
Goodman said that the SEC welcomes discussion with compliance professionals during the exam process. Wollman suggested that when the exam team comes into a firm, it is important to talk to the manager of the exam and hold discussions to make sure the exam does not go down the “wrong path.”
When preparing people outside the compliance department for an exam, Goodman suggested that the preparation should be different from preparing for a deposition. He said it should be open communication, and that it may not be best to say “go in and answer narrowly.”
Wollman also said that examiners know when answers are different, and that offering additional information provides a greater degree of comfort. He added that merely giving the “right answer,” or talking about what an employee does not know, may raise suspicion on the part of examiners.
Goodman stated that during the exit interview, listening carefully and giving feedback is important, noting that this is the time to make changes before the deficiency letter is actually sent out. FINRA meets with firms on a periodic basis, he explained, and offers status updates during the exam period. He also noted that during the exit meeting, FINRA provides a written document stating what the issues and outcomes are.
Wollman said FINRA is trying to look at conflicts of interest during examination, so compliance officers should also try to monitor possible conflicts within their firms.
Closing Remarks – Director Goodman and VP Rufino
Michael Rufino, Executive Vice President, Head of Member Regulation – Sales Practice, FINRA, summarized several takeaways from the event.
First, he emphasized “tone at the top,” and stressed that commitment from the board and executive management is essential for compliance. On conflicts of interest, Rufino said it is important for firms to have the ability to identify and mitigate conflicts and have escalation procedures.
Next, Rufino stressed that firms should not consider compliance as a cost, but understand that good compliance means good business, and so compliance functions need budgetary support from the executive management.
Finally, Rufino asserted that compliance should always consider the customers first, and that ethical behavior is the “only behavior” and firms should settle for nothing less.
For more information on this meeting and to view an archived webcast, see the event page.