CCOutreach Conference
FINRA and the SEC meet with Broker/Dealer CCOs in Washington, DC

The first annual CCOutreach Conference – March 7, 2007

By: Laura Crosby-Brown

A “Culture of Compliance.” This theme resonated throughout the first annual CCOutreach conference for broker/dealers. Modeled after a similar program that the SEC has for Investment Advisor and Investment Company CCOs, this meeting was designed to allow CCOs to hear about some of the issues they face on a day-to-day basis from the top members and staff of the SEC and FINRA as well as their peers.

The meeting opened with short speeches from Christopher Cox, Chairman of the SEC, and Mary Schapiro, CEO of FINRA. Both of these regulators talked about the challenges and opportunities that CCOs face each day given the changing tide of regulation and technology. Mary referred to Compliance Officers as the “unsung heroes” in their firms, since these individuals work diligently and often without recognition to create a strong, compliant organization. She also discussed a topic near and dear to all of our hearts: the consolidated rulebook. This project is ongoing, but she again stressed the five guiding principles that the staff is working under in this project. The principles are:
Ms. Schapiro offered no timeframe on completion but indicated this is a priority they are looking to have resolved as quickly as possible.

Following the speeches from Mr. Cox and Ms. Schapiro were five sessions which ran between 1 and 1.5 hours each. The sessions included a panel discussion about topics that were suggested by CCOs during the registration process. Each panel contained at least 2 regulators (1 from the SEC and 1 from FINRA) and 2 industry representatives (1 from a small firm and the other from a large firm).

The first session dealt with the role of the CCO and the compliance program within an organization. During the first panel we heard the term “Culture of Compliance” for the first time, but this theme was carried throughout the day. The SEC representative, speaking from a regulatory perspective and after giving their normal disclaimer, indicated that when they visit a firm they are looking to see if the firm has such a culture and how it is communicated through the organization. For a “culture of compliance” to exist, a commitment to compliance and ethical behavior must exist at all levels of management and must be communicated to everyone in the organization through words, actions and follow-through, and supported by training and reporting.

Some ways that the industry representatives indicated they foster this within their organizations is through being available and accessible to all levels of staff. This helps to build trust and provides an opportunity for staff to be involved. They also talked about understanding the company’s business, customers and internal politics as well as the regulatory environment in which they operate. Getting commitment from top management to support the CCO when they make decisions, and in taking advice from the CCO about issues, was also stressed.

The session also included a discussion on identifying risk and developing procedures.
This topic is very important in a number of areas in which compliance is involved, including their AML programs and the 3012 testing requirements. Firms need to look at their business and identify those areas where the greatest potential for a breach in policy or a threat to the firm could exist. To do this, a CCO must truly understand all aspects of the firm’s business and its customers, including relationships with affiliates and vendors. Procedures need to be reviewed to ensure they reflect what is actually happening and should be revised as frequently as needed to reflect changes not only in regulations but also in business processes, personnel and technology.

Some ways to assess risk include looking at areas identified by the regulators through notices or reviews, reading industry publications or Congressional reports to identify areas that are causing concern, and reviewing customer complaints or inquiries. These risk areas can change depending on the firm’s business and should be assessed at least annually, although both industry representatives indicated they review this quarterly. Some issues the regulators identified in this area included firms not testing systems to ensure they are performing as expected (such as verifying that the email system is actually capturing and retaining all email, or that an exception report actually captures data as intended) and firms not following up on error or incident reports or developing procedures or processes to address deficiencies.

As for drafting policies and procedures, the overriding theme here was having procedures that truly reflect not only the regulations but the firm’s actual processes, and that these documents must be updated or revised frequently to address internal as well as external changes. Issues regulators identified included firms having template manuals that reflect regulation and “best practices” but that have not been customized to the firm’s internal processes or to delegated duties.
In addition, they have found that firms do not really know what their procedures say, so CCOs were reminded that they need to know what the procedures say and what they mean, not only from a regulatory sense but from a business sense. Some suggestions offered by the industry reps in creating and maintaining procedures included using all the tools available, including templates, to begin the process as needed, but making sure that the final version is customized to your unique processes and identifies all levels of supervision so that duties delegated to staff are also captured, such as opening mail or processing registration data; keeping the manual current by constantly reviewing regulatory notices and industry news; gathering information from regulators and peers at conferences and meetings; and talking to front line supervisors and staff about how things are actually done.

The next topic for the panel was structuring the compliance department and program. Here the theme was separating the CCO and compliance function/department from supervision. It became very clear that the regulators would like the CCO’s role to be separate from any supervisory responsibilities. The regulators indicated supervision cannot truly exist unless the person designated in that role has the power to hire and fire the individuals they supervise. In the eyes of the regulators and the industry panelists, a CCO should be in a position where they are creating, updating, maintaining, implementing, testing and verifying compliance procedures. Per the regulators on the panel, the CCO is generally not in a position where they can make employment decisions and therefore does not really function as a supervisor. They also talked about creating a clear delineation in duties so as to foster independence from bottom-line pressures.
Some important observations also included: (1) that the CCO should have the ability to counsel and provide input to senior management and supervisors on important matters, and their advice should be heeded; (2) Compliance should partner with business units to assist them in developing processes and in making decisions about new products or services, and then should create the procedures to reflect those new business lines or processes; and (3) Compliance should not be involved in day-to-day operations or work flows and should operate in an oversight, consultative role within an organization. Both industry panelists indicated that if they were pressed to be in the role of a supervisor without having the authority to make employment decisions, they would seek another job.

The final topic of this panel was compliance communications. The theme stressed here was establishing open communication lines with all levels of the organization and with regulators, whether formal or informal. In communicating throughout the organization, communications should be accurate and concise. However, information should only be disseminated when needed to address an immediate need, as too much communication can cause people to shut down and view all of it as unimportant, so that nothing gets through and the message is lost. Being visible and accessible to all members of staff and management was again stressed so as to aid in keeping the lines of communication open, as was establishing a partnership with business units so the CCO can stay in touch with what is going on within the business. Both industry panelists agreed that being involved in sales, marketing, budgeting, and other management meetings, and being able to provide input where relevant, is very important if the CCO is going to be effective in their job.
The other important thing they both brought out was being able to say “no” when needed and having that decision supported from the top levels of management, but also not saying no all the time. Being able to offer alternative ways of doing things without just saying no leads to an environment of trust and fosters a culture where people know they can rely on compliance not just for regulatory answers but for providing other ways to do things.

The final session before lunch dealt with conflicts of interest. This session primarily dealt with issues the regulators see with regard to investment banking and research, and the various rules which firms need to understand to determine whether such conflicts could exist in their organization and how to mitigate the risks associated with inherent conflicts. Some methods include prohibiting certain acts or providing disclosure regarding relationships or activities that might foster such conflicts. The regulators reminded us all that unresolved conflicts can lead to enforcement actions such as what occurred with research firms a few years ago. Some deficiencies identified by the regulators included the leakage of information between departments such as banking and research, or with customers; preferential allocations in IPOs to large institutional customers, such as hedge funds; gifts and gratuities being provided outside published limits; and the failure of firms to safeguard non-public information.

In identifying potential areas in which conflicts could arise, industry panelists stressed that compliance needs to be a marriage between business and rules to ensure that everyone is committed to the same goal and understands the expectations for managing these conflicts. They also suggested using the clearing firm, when applicable, as a resource for information on where conflicts could arise and for identifying when they have occurred.
Understanding the relationship of affiliated companies to the BD and how they impact potential conflicts is also an important consideration. Training and communications regarding the risks and the rules should be provided to staff as needed, and both industry panelists included discussions regarding insider trading, use of non-public information and other areas where conflicts could exist in the annual compliance meetings. Conflicts can also arise when a new rep joins the firm, so the CCO should have a voice in the pre-hire review and hiring decision to help the firm identify any potential risks and take steps to mitigate them. Both representatives also indicated that one way their firms had eliminated conflict in supervision was to remove the supervisors from a sales-based compensation program, such as overrides, and make them salaried employees of the BD. At both firms represented, compliance works to identify potential conflicts, drafts procedures to try to mitigate the risks identified and then works with business units to ensure, through testing, that the procedures are working as intended.

Following the conflicts of interest session we were given a lunch break during which we were left to dine in one of the restaurants in the area and to visit the SEC gift shop. Yes, they have a gift shop at which you can purchase, for cash only, SEC-branded merchandise, including mugs, t-shirts and portfolios.

The afternoon started promptly at 1:30 with a session on sales practices. Again the first topic of discussion was the delineation of duties between the CCO and supervisors. The regulators talked about the importance of separating the roles of compliance and supervisor. They stressed that the CCO should provide advice to their firms and develop policies and procedures, while the supervisors should conduct the day-to-day oversight of staff and processes, and that a supervisor must have the requisite power to discharge supervisory duties, including the ability to hire and fire.
The industry representatives agreed and indicated that in both their firms they have separated these functions. In this separation, supervisors were responsible for the day-to-day activities of staff and registered reps, had the ability to take disciplinary actions when warranted and acted in partnership with compliance to ensure that policies and procedures were followed. Compliance in turn supports the efforts of the supervisors by identifying patterns and trends that require additional monitoring and conducting investigations when problems or issues are identified by the supervisors that need additional review. Supervisors are seen by these firms and the regulators as the first line of defense in preventing and identifying issues within the firm and for working with compliance to keep policies, procedures and processes up-to-date given current business needs.

During exams FINRA looks for procedures which accurately reflect who is doing what, how reviews are conducted and how they are documented, and for evidence that when deficiencies are discovered they are addressed promptly. The biggest key is to know what the procedures say and either follow them or change them to reflect your actual processes. They also want to be able to identify the firm’s “culture of compliance” and how it is communicated throughout the firm.

Another topic during this session dealt with mutual fund and annuity sales. Both firms said they have developed disclosure documents and information that are easily understood and that they require representatives to review the information with customers and to obtain their signature attesting to their understanding. They also encourage representatives to use online tools provided by FINRA and others when reviewing breakpoints, class shares and product features. Exception reports created by the clearing firm or internally play a key role in identifying trends and helping identify potential problems.
These should be reviewed monthly and/or quarterly, in addition to daily trade reviews, so it is easier to identify trends. In identifying emerging issues, the industry reps stressed the importance of open communications with business units and regulators as well as staying in touch with peers and trends through conferences, publications and dialogue.

The discussion also included the introduction of new products and centered around the importance of having compliance involved in the development or review stage so that potential conflicts or challenges can be identified before the business is being done. FINRA indicated that it is also important that management respect what compliance has to say, and that if the firm decides to implement a new product against the recommendation of compliance, senior management must be aware of the decision and needs to document why it chose to proceed against compliance’s advice. FINRA also indicated that firms need not only to approve a product but also to set parameters around the sale, such as to whom it can be offered and any conditions under which sales cannot be made.

The final topic of this session was exam trends. The FINRA and NYSE examination programs have been consolidated, and dual members will now receive only one exam. Examinations are also scheduled based on a number of risk-based factors, including the products and services offered, the type of customers the firm works with, the firm’s regulatory history and the regulatory history of its reps.

The last session of the day was the annual compliance report or, as we all know it, the 3012 testing report and the 3013 CEO certification. While a discussion was held about the differences between reporting requirements of NYSE members and other firms, this discussion was not relevant to most of our clients and therefore will not be covered in these notes.
If you would like more information on the requirements specific to NYSE members, you should refer to NYSE Rule 342. However, the rules the majority of our clients are required to follow are 3012 and 3013.

There has been much anguish over the testing and verification portion of 3012, and the regulators again reminded us that firms do not have to test all their procedures. Firms need to conduct a risk assessment based on their business model and to review those areas where the firm has identified a potential risk. Now does that mean you can determine there is no risk and do nothing – No. However, some firms make this much more difficult than it needs to be. So what do you need to do? Here it is in a nutshell:
No firm’s test will be exactly the same as someone else’s, since they need to be tailored to each firm’s business, size and customers. In fact, a formal process is not even needed if the firm is documenting their reviews and corrections as they make them throughout the year and keeping this documentation in a file with their annual certification. The regulators also reminded the audience that these tests need to be done by internal staff, since the purpose is to promote a familiarity within the firm as to its policies and procedures and to involve senior management in the oversight process. FINRA and the SEC want to see that firms are conducting these tests and that they are addressing deficiencies promptly.

Some of the issues that have been identified in examinations include the failure of firms to do testing at all, lack of documentation even when the tests are being conducted, the failure of the CEO to sign the certification, and the failure of firms to include reviews of their reps and branches in the testing documentation, since offsite reps pose a risk to all firms.

The SEC also stressed that, other than AML procedures, which are required under Federal law, no firm is required to have procedures for things they do not do. FINRA mirrored this sentiment. When a question arose from the crowd about examiners asking for things in the field that are not applicable, and even including such items in exit reports, both regulators said that firms need to discuss these issues with the supervisor or contact the appropriate corporate management in Washington to address such issues, since they should not be occurring. They reminded the audience that examiners are not always correct in their assessments and that firms need to be confident they can voice their disagreement when warranted without fear of reprisal.
The conference ended with a brief wrap-up by members of FINRA and SEC staff, with a thank-you to the people behind the scenes and a synopsis of the key points – “Culture of Compliance”, communications and delineation of duties. Regional sessions are being scheduled throughout the country; these will be half-day events designed to provide an overview of this conference and give CCOs a chance to network with their peers and talk to their local regulators.

For more information on topics covered in this meeting or if you have questions about these notes, please feel free to contact me directly at 603-434-3594 ext 118 or by email at lcrosbybrown@regulatorycompliance.com.