

Author: Todd Ehret, a regulatory intelligence expert with Thomson Reuters Regulatory Intelligence.


Compliance professionals in the U.S. finance industry are lucky to be heading into 2016 without having to blindly depend on unfounded predictions for the new year. Instead, the published exam priorities of the primary financial regulators, the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA), provide informed guidance on what will be on the agenda when they come knocking.

The regulators also are great at underscoring continuing priorities by frequently reminding us what they’ve accomplished in the previous year. Below is a quick overview of 10 top concerns for compliance officers in the coming year, based on what has been revealed so far about exam priorities and other indications of the regulatory agenda. This look at issues likely to keep North American compliance officers up at night could be helpful for year-end reviews and year-ahead planning.

The list below is also in no particular order — all of the items have varying levels of importance at different types of firms. A firm’s size, business type and client type greatly determine its top concerns. We will be sure to dig much deeper into each area throughout 2016 and will also provide multiple analyses of the exam priorities. The FINRA exam priorities for 2016 were released last week, and the SEC’s version is imminent.

1. Insider trading and misuse of material non-public information

A major U.S. Appeals Court decision in December 2014 that restricted the application of insider trading law made 2015 an eventful year. The Supreme Court declined to review the appeals court decision in the case of U.S. v. Newman, which held that for an insider trading tip to be unlawful, the original tipper must have received a benefit. There were still many settlements in 2015 in lower-profile, easy wins for the SEC. Going forward, however, the enforcement emphasis may be on the misuse of material non-public information rather than insider trading.

With material non-public information often widely disseminated in firms, preventing its misuse is a top priority. Such sensitive information must constantly be walled off and documented so as to prevent its spread and possible misuse as well as to prove that such information is handled appropriately.

2. Outsourcing

The trend of outsourcing services, whether it be IT, accounting or other critical business functions, is occurring in virtually every industry. In the financial services industry the selection of vendors as business partners has never been more important. All outside vendors should be vetted rigorously, as a failure by a vendor does not relieve the regulated financial firm of liability.

Risks inherent in compliance outsourcing were highlighted by the SEC in a Risk Alert published in November 2015. The fact that compliance is outsourced does not remove the responsibility to run a firm with a culture of compliance or allow firms to cut corners. More importantly, outsourcing does not remove the liability of the partners or other officers at a firm.

The most important aspect of successful outsourcing is that while activities can be moved to a third party, the skills to manage those activities must be retained. Careful diligence when vetting an outsourced firm as well as continued monitoring are essential.

3. AML/KYC risk

With the concern over terrorism increased by attacks in Paris and San Bernardino, California, anti-money laundering policies and counter-terrorist financing policies have become vital. For many years in retail banking and brokerage the simple act of “knowing your customer” was seen as adequate AML policy. This is no longer the case, given the level of sophistication and severity of the criminal activity, and an enforcement crackdown by regulators.

AML also is a top concern internationally. Canada this year is awaiting the results of the Financial Action Task Force’s (FATF) audit of Canadian AML policies, and new legislation there could follow publication of the findings. New international regulations tend to quickly make their way to the United States as well, so compliance officers must stay abreast of developments.

4. Culture and conflicts of interest

In 2015 there were a number of conflicts of interest cases involving private equity and private fund managers. Many regulatory actions surrounded fees and allocation of expenses. An SEC settlement with BlackRock Advisors involved a portfolio manager’s personal investments. Conflicts of interest, or even the appearance of a potential conflict, must be consistently safeguarded against, disclosed, and documented.

Continuous and rigorous education and training are critical components of employee awareness of conflicts. These efforts also go a long way to create a “culture of compliance” within firms. FINRA made prominent mention of compliance culture in its 2016 exam priorities. Therefore, compliance departments will need to take a more quantifiable and measurable approach to culture in the future.

5. Fiduciary standard

Debate in Washington over new fiduciary rules proposed by the Department of Labor may well come to some sort of conclusion in 2016. There has been immense lobbying by industry participants both in favor and in opposition to the Labor Department’s proposed rules, which would impose a fiduciary duty on brokers handling retirement accounts.

The SEC has yet to make its own proposal on a fiduciary standard for brokers, and SEC Chair Mary Jo White has championed a deliberate approach, following an agency study of the impact of a uniform financial industry standard. “We will move on it as expeditiously as we can,” Ms. White said in November. “We must get it right and really take into account the complexities and impact. But we’re very full-out focused on it.” The delay, she said, is because the SEC wants to avoid any unintended consequences.

Any eventual resolution will likely require compliance departments to update policies, procedures and disclosures, particularly for retail brokers and investment advisers.

6. Sales practices and risk disclosure

In times of market stress compliance departments must review sales practices, marketing, and risk disclosures. Extra care should be taken in the area of complex products or so-called “liquid alternative” funds. Anything marketed or represented as a “safe alternative” should also be reviewed extra carefully.

Suitability issues are a major international concern. Extra caution should be exercised as regulators have investor protection as a top concern. In the United States the protection of vulnerable, often senior, investors is a particular priority among regulators.

This is evidenced in a May 2015 speech titled “Structured Products – Complexity and Disclosure – Do Retail Investors Really Understand What They Are Buying and What the Risks Are?” given by Amy Starr, chief of the Office of Capital Markets Trends at the SEC.

7. Liquidity risk and valuation risk

There has been much discussion in recent weeks about liquidity concerns in the credit markets, particularly in level 2 or level 3 assets. These thinly traded markets have become so problematic that they have caused the failure or closure of a number of hedge funds, liquid alternative funds, and most prominently, the Third Avenue Focused Credit Fund.

When a portfolio contains illiquid securities, compliance and portfolio managers must continuously analyze and monitor liquidity needs based on various market and redemption scenarios. Illiquid positions must be sold in advance of redemptions and their aggregate percentage within the portfolio must be constantly monitored and not allowed to increase due to redemptions.

Valuation processes and procedures should always be a top concern and be constantly monitored. If illiquid assets represent a growing or significant portion of assets, this becomes even more critical. Accurate and fair valuations that include a liquidity component are critical. The valuation methodologies should be consistently applied, as switching valuation methodologies is sure to raise questions. Any change in policy should be thoroughly documented and defensible.

8. Technology management and data protection

The effective management of a firm’s IT infrastructure is the heart of every compliance program. The protection and storage of data ranging from trading records to all correspondence and virtually all of a firm’s compliance record keeping is critical. Secure off-site archiving and storage, business continuity, and disaster recovery plans all require significant planning and resources. The security of this data, especially sensitive customer data, is one of the most important responsibilities of a compliance and IT department.

9. Cyber security

The threat of a data breach, data loss, or theft of sensitive customer data is every firm’s greatest concern. The cost of a breach, its remediation, and reputational risk can be enormous and could put an entire firm’s future in jeopardy.

Regulators are taking cyber security very seriously as well. The SEC issued a Risk Alert last year and continues to regularly remind the financial industry of the threat. Regulatory actions such as the SEC case against R.T. Jones Capital Management — where the firm was fined for inadequate policies and procedures after a cyber security breach, despite a by-the-book response — should serve as a reminder that cyber security is being taken seriously by the regulators.

10. Personal liability

In the U.S. the Justice Department’s “Yates memo” drew a straight line between individual accountability and corporate wrongdoing and resulted in the U.S. Attorney’s Manual being updated in November 2015. As a clear statement of regulatory expectations, Sally Quillian Yates, deputy attorney general at the U.S. Department of Justice, stated that “one of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.” Such accountability is important as it is seen as a deterrent to future illegal activity and it ensures that the proper parties are held responsible for their actions.

There were also a number of instances where officers or directors were held personally liable for the failures at their firms. Most notably, the BlackRock case was an instance where a compliance professional was singled out in the regulatory actions. Also, the well-publicized State Street case, where two individuals eventually were successful in their appeal, should serve as a reminder to all professionals of the difficult and lengthy path they might face when the regulator attempts to hold them personally accountable.