On Jan. 7, the U.S. Securities and Exchange Commission’s (SEC’s) Office of Compliance Inspections and Examinations (OCIE) released its 2020 Examination Priorities (the 2020 Exam Priorities).[i] This annual publication provides some insight and visibility into OCIE’s examination program and highlights the existing and emerging risks and trends that affect investors and the U.S. capital markets.

The 2020 Exam Priorities share many of the same concerns OCIE expressed in its 2019 Examination Priorities. Both focus on the protection of retail clients/investors, including the standard of care given to clients/investors and the marketing of popular retail client/investor investments (e.g., mutual funds and exchange-traded funds), the need for robust information security and cybersecurity policies, the regulation of digital assets (e.g., Bitcoin), review of anti-money laundering (AML) programs, the protection of critical market infrastructure, and OCIE’s oversight of the Financial Industry Regulatory Authority (FINRA) and the Municipal Securities Rulemaking Board (MSRB).

This year OCIE referenced significant rule-making from 2019 (e.g., Regulation Best Interest (Reg BI), Form CRS, and interpretations regarding the Investment Advisers Act rules and regulations). Firms should be prepared to implement and address this rule-making as it is a focus of the 2020 Exam Priorities. Additionally, market participants should be mindful of the 2020 Exam Priorities when reviewing and updating their compliance programs and preparing for regulatory exams.

A summary of the 2020 Exam Priorities follows.

1. Protection of Retail Investors

The protection of retail clients/investors, especially those who, historically, have been victimized by unscrupulous advisers and brokers (i.e., seniors, teachers, and military personnel), is paramount to OCIE. Firms with retail clients/investors or firms that market products to retail clients/investors (e.g., mutual funds, exchange-traded funds, and municipal securities) should prepare for exams focused on disclosure of fees, expenses, compensation arrangements, and conflicts of interest, as well as supervision of outside business activities of employees and associated persons. Firms must ensure that disclosures are made as required, and that firms’ actions are consistent with such disclosures. If a firm offers products that are complex or nontransparent, it should be prepared to illustrate how the firm discloses the characteristics and nuances of such products to retail clients/investors.

OCIE will conduct examinations of investment advisers to assess whether such firms fulfill their duties of care and loyalty. Specifically, the SEC’s adoption of Reg BI, its interpretation regarding the standard of conduct for investment advisers, and Form CRS will have a meaningful impact on the retail client/investor experience with firms. For more information on these developments, please see the following client alerts: “FINRA Provides Guidance on Regulation Best Interest and Form CRS” and “FINRA to Broker-Dealers Gearing Up for Regulation BI, ‘Don’t Panic–Prepare!’”

2. Holistic Information Security Policies and Procedures

Due to the heightened risk of cybersecurity attacks, the SEC views robust information security programs as critical to protecting client/investor information, market security, and integrity.

For that reason, OCIE’s 2020 exams will focus on:

  • Proper configuration and monitoring of network storage devices
  • Governance and risk management policies
  • Access control policies, especially for firms that offer access online and/or via a mobile application
  • Data loss prevention policies and procedures
  • Vendor and network management and oversight, especially for firms that utilize cloud-based storage
  • Training of staff on cybersecurity concerns
  • Incident response and resiliency
  • Appropriate disposal of retired hardware that may contain client/investor information and/or potential network information

Firms should ensure that their information security policies and procedures address these topics and are appropriately articulated and implemented.

3. Review of Firms That Leverage Fintech and Innovative Technologies

Firms that utilize “alternative data” and other innovative technology to drive investment decisions or trading automation should be prepared to show how the firm uses data and technology to interact with and provide services to clients/investors and service providers. Firms should also be prepared to demonstrate the effectiveness of compliance and control functions related to these technologies. 

a. Digital Assets

OCIE notes that digital assets present particular risks for retail clients/investors who do not appreciate the differences between digital assets (such as Bitcoin) and more traditional products. Due to what the SEC perceives as a general lack of awareness and understanding of digital assets, OCIE will prioritize exams of firms that provide services related to digital assets. These exams will assess, in part, the investment suitability of the digital assets for clients/investors, as well as portfolio management and trading practices, the safety and security of client/investor funds and assets, how the digital assets are valued, the firm’s compliance program and controls, and the supervision of employees’ outside business activities.

b. Electronic Investment Advice

Similar to what we have seen from OCIE over the past three years, robo- or digital advisors can anticipate OCIE seeking information in the form of a limited or more extensive examination relatively soon after effectiveness of registration. Upon examination, OCIE will look to investment advisers to provide an assessment of their eligibility for SEC registration, the effectiveness of compliance and cybersecurity policies and procedures, marketing practices, and adherence to fiduciary duty, including the adequacy of disclosures to clients/investors.

4. Review of AML Programs

Broker-dealers and investment companies should ensure that they have adequate policies and procedures in place that are reasonably designed, based on such firms’ business, to identify suspicious activity and illegal money-laundering activities. The review of AML policies and procedures will include an assessment of such firms’ customer identification programs, the satisfaction of Suspicious Activity Report filing obligations, the process by which due diligence of clients/investors is conducted, compliance with beneficial ownership requirements, and the robustness and timeliness of independent AML testing.

5. The Protection of Market Infrastructure

OCIE continues to recognize the importance of the security and resiliency of services critical to the functioning of U.S. capital markets (e.g., clearing agencies, national securities exchanges, alternative trading systems, and transfer agents). OCIE will continue to conduct exams of these service providers in an effort to assess the risks they face and the ability of such service providers to respond to these risks in a timely and effective manner.

6. FINRA and MSRB

OCIE’s oversight investigations and examinations of FINRA and MSRB will continue to focus on the protection of clients/investors and market integrity. In its investigations, OCIE will collect and analyze extensive information and data, conduct meetings with key personnel, and reach out to various stakeholders, including broker-dealers and investor groups. OCIE will then make detailed recommendations to improve FINRA’s and MSRB’s programs and policies, risk assessment processes, and future examinations.

7. Additional Market Participant-Specific Focus Areas

OCIE also highlighted focus areas for certain market participants based on services provided.

a. Broker-Dealers

Exams will focus on compliance with the Customer Protection and Net Capital Rules as well as broker-dealers’ trading and risk management practices. As noted above, OCIE exams of broker-dealers will also focus on the manner in which trading algorithms are used. Exams will cover the supervision of such activities, including the development, testing, implementation, maintenance, and modification of the computer programs that support automated trading activities and controls.

b. Registered Investment Advisers

OCIE exams of registered investment advisers will focus on Rule 206(4)-7 compliance programs and whether the programs are reasonably designed, implemented, and maintained based on the adviser’s business operations, investment mandates, and clients/investors. OCIE expects to pay particular attention to the accuracy and adequacy of disclosures that offer new or emerging investment strategies, including sustainable and responsible investing focused on environmental and social issues.

OCIE will prioritize the examination of registered investment advisers that are dually registered as (or are affiliated with) broker-dealers, or have supervised persons who are registered representatives of unaffiliated broker-dealers. OCIE will also prioritize the examination of investment advisers that use third-party asset managers. Newly registered and yet-to-be-examined advisers will also be high on OCIE’s examination list. Investment advisers that have not been recently examined should prepare for an exam that will assess whether an investment adviser’s compliance program has evolved with its growth or any change in business.

OCIE will focus on investment advisers to private funds that also have an impact on retail clients/investors, such as investment advisers that manage separately managed accounts in addition to private funds. These exams will assess compliance risks, including controls to prevent the misuse of material, nonpublic information; conflicts of interest, such as undisclosed or inadequately disclosed fees and expenses; and the use of investment adviser affiliates to provide services to clients/investors.

c. Municipal Advisors

In 2020, OCIE is also prioritizing the review of a municipal advisor’s fiduciary duty obligations, fair dealing with market participant requirements, disclosure of conflicts of interest, and compliance with recently effective Municipal Securities Rulemaking Board Rule G-40 concerning advertisements.

Conclusion

The 2020 Exam Priorities echo OCIE’s historical focus on industry risks and trends that OCIE believes most impact the U.S. capital markets. These priorities are not exhaustive, and while the 2020 Exam Priorities articulate the focus of OCIE’s examinations, the scope of any firm examination is determined through a risk-based approach that includes, among other things, analysis of a firm’s history, operations, services, and products offered.

Firms should ensure that their compliance programs and procedures holistically address their business and client/investor base. Firms should also review and update their information security policies, confirm that they are implementing best practices with respect to the protection of sensitive client/investor information, and be prepared to demonstrate compliance with Reg BI.

Firms implementing new technologies that affect investment decisions or automation of trading should have plain-English explanations and controls regarding these technologies in order to illustrate the care such firms have taken with regard to safety and security.

In addition to the 2020 Exam Priorities listed above, OCIE made specific reference to its eight risk alerts published throughout 2019:

Firms should be aware of these risk alerts as well as the 2020 Exam Priorities when reviewing and updating their compliance policies and procedures and preparing for exams.

Please contact one of the listed authors of this Client Alert or your regular Lowenstein Sandler contact if you have any questions with respect to OCIE’s 2020 Exam Priorities or would like assistance with reviewing your compliance program, including policies and procedures and disclosures.

[i] Available at: https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2020.pdf.