By Buddy Doyle, Candy Palugi, Sarah Sutton and Lance Whittemore
15 Tips to Create an Effective Compliance Calendar
Risk assessments help prioritize your tasks and testing, and of course, the rules dictate what is required to be done to remain compliant. So how do you make sure you are following the rules and protecting your firm?
In today’s podcast, Oyster compliance experts, who work with a variety of clients and business models, share tips they’ve learned on how to build an effective and efficient compliance calendar.
Transcript provided by TEMI
Libby Hall: Hi, and welcome to the Oyster Stew podcast. I’m Libby Hall, Director of Communications for Oyster Consulting. Risk assessments and rules are the drivers for creating a compliance calendar. Risk assessments help prioritize your tasks and testing. And, of course, the rules dictate what is required to be done to remain compliant. So how do you make sure you’re following the rules and protecting your firm? By having an effective compliance calendar. In today’s podcast, Oyster compliance experts, who work with a variety of clients and business models, share tips they’ve learned on how to build an effective and efficient compliance calendar.
Buddy Doyle: Thank you, Libby. I’m Buddy Doyle. I’m pleased to be joined today by Candy, Lance, and Sarah. Welcome. Today we’re talking about compliance calendars and how to construct an effective and efficient compliance calendar. And Lance, why don’t we start with you. Maybe you can tell us how do we get started on this?
Lance Whittemore: Hey, Buddy. Thanks very much. I think a good way to do this is to tie this back to a couple of recent podcast series that we’ve done and just talk about how you work from rules into your risk assessment into your calendar, because it’s the rules and the risk assessment that really drive it. A couple of series ago we talked about the new DOL rollover rule, the prohibited transaction exemption, which is PTE 2020-02 for short. If you’re not familiar with that, it imposes analysis and disclosure obligations on people who participate in rollovers from qualified plans into IRAs. And it had some very severe penalties and also some big, some very stringent requirements as part of the rule itself. Another nice series of podcasts that we just did was a few where we talked about risk assessments, where you analyzed the rules and the risks in the controls in your business. If you take those two concepts and you look at the PTE 2020-02, PTE 2020-02 imposes some very detailed analysis requirements on people who participate in rollovers. And it also imposes very detailed disclosure requirements to your client about the risks and benefits of participating in a rollover.
Among the penalties that PTE 2020-02 imposes are basically a make whole provision where if you do this wrong, you have to make up for any losses that the client has. I mean, if you do it really wrong, the DOL will ban you from participating in rollovers for 10 years, which is a really big problem for most retail-oriented shops. When we talked about the risk assessments, you want to analyze your controls and your environment and the rule itself and how much the regulators care about it. So if you take the requirements of PTE 2020-02, when you do your risk assessment around PTE 2020-02, what you have is a very new rule. It’s one that the regulators have told us they care a lot about. Your controls are untested, you haven’t really even tested the data integrity of the reports that you’re using to determine what your rollovers even are, and your penalties for getting this wrong are enough to kill your entire business.
So when you’re creating your calendar, the rule for PTE 2020-02 says that you have to do an annual review of this thing. But when you look at your risk assessment, what you find out is that if you get anything wrong, the more time passes the more expensive it’s going to be for you. And on a lot of things, if you get a lot of things wrong, it’s going to kill you. So your risk assessment looks like this. We have a new rule, we don’t know how effective our training is. We don’t know how effective our data integrity is. We don’t know how effective the reports are that we’ve been using to test ourselves against this rule. And we haven’t tested all our controls yet. So when you look at all those things, your calendar is driven by the things that you have to test, which is your analysis and your effectiveness in delivering these disclosures.
You test that against the information that you’ve been using and the combination of these things and your inexperience with this rule are going to drive you to test this thing almost daily at first. And as you progress and become a little bit more comfortable with your data and your methodology and your testing methods and your people’s ability to understand how to implement these procedures you might back that off to a week or you might back it off to a monthly test. But eventually, the rule itself and the risk assessment are going to drive the frequency of your calendar as well as what you’d have to do to test your implementation of those procedures.
Buddy Doyle: Thank you, Lance. You did a great job of talking about how to implement a new rule into your compliance calendar and some of those risk-based considerations. Candy, do you have any additional thoughts on the sort of the new rule process and, and how you go through that?
Candy Palugi: Yes. Thanks, Buddy. I agree with what Lance said. It is a great tool to use when implementing a new rule. And I think one of the other aspects you could do is instead of just generally for a new rule, having one item on your calendar that you need to go back and test your rollovers for the DOL PTE rule. For instance, you could also break that down into multiple calendar items if you needed to, for the first quarter, the first six months, the first year, to ensure that you’re covering every little aspect. And then that may help you zone into what your risks are or areas that you need to adjust your practice or processes around. And then with time, those would consolidate back into a few items or less frequency as you move along and understand that you are following the new rule as you need to be.
Buddy Doyle: And Sarah, I think Lance and Candy have done a good job of talking about the new rule process. And I know folks think about new rules and they think about policies and procedures, but it obviously goes beyond that to this risk based approach of compliance. So Sarah, do you have any sort of thoughts about how you would incorporate your new obligations into your existing calendar and maybe reprioritize?
Sarah Sutton: Sure, definitely. Thank you, Buddy. So what I would say to start with is as you’re incorporating these new rules, you’re drafting new procedures and just making sure that your procedures match your calendar and vice versa. So I think that’s really important because at that point in time when you’re writing it, you’re mentally in that space of, okay, what are all the tasks that are involved with these things that I’m saying that I need to do in my, in my policies and procedures? And it gives you the opportunity to then add that, like Candy and Lance both mentioned, just if it’s something that needs to be done quarterly, well then you put it every couple of months. If it’s something that you feel you need to test on an annual basis, then it’s one time a year.
A calendar is also great for not just the new rules, but also some of the old rules and requirements. Some of these could be things like when you have to start filing your 13F form because you’ve hit a certain threshold of assets with your firm and that has to be on a quarterly basis. So it’s great to have a reminder that says, hey, I need to go out and run a list of all of my NMS securities and I need to scrub them against the SEC EDGAR list, and I need to upload the information to EDGAR. So those are three decent requirements that have to be done for the end result. So you have that in your manual, but do you also have those specific tasks in your calendar? So I think it kind of goes hand in hand with identifying who is responsible for the task. It’s kind of the who, what, where, when, and why. And you have that listed in your calendar and again, that should also match your procedures.
Buddy Doyle: And I think that’s, sorry, you complete your thought.
Sarah Sutton: I see it’s also a great way to kind of take a look at what your activities will need to be for the next month, the next quarter, for the year in general. It’s also a good way to see what items that you can delegate to other individuals that may be able to do some of the, I don’t want to say grunt work, but going and pulling reports that you can then review. And it’s also a great way to look at how much time you need to allot over the course of the year or a quarter and make sure that you have the proper compliance resources in place.
Buddy Doyle: Yeah, I think a couple of really good things that come out of that. One is you do have regulatory deadlines and calendars have often been used to say, I’ve got to file my FOCUS report on this date. And FINRA certainly has a good calendar of all their regulatory due dates, but when you look at their calendar and you think about risk-based compliance, what you would see on the FINRA calendar is really the required deadlines and not really the things that Lance is talking about with DOL, which is you have to do it at least annually, but there’s no specific day that you have to have it done like a registration renewal. And so it’s a risk-based approach to those things as well. And I think having your procedure manual lined up to your calendar can really be important because otherwise you come up with some pretty aspirational procedures that you may not have time to implement that may not have a mechanism for implementation.
And I think you can look at your compliance calendar as a mechanism for compliance because it takes you from the we will do this or we won’t do this, to this person will do this on this day within this timeframe. And I think that is really, really important. Lance, I’ve been fortunate to have the DOL compliance program in place now for a little bit. I’ve done some testing of rollover documentations and things like that a few times and fortunately we’ve had no reason to go back to the DOL and confess or to go back to clients and make adjustments. At what point do you think you start looking at your timeframes of your testing and adjusting those, either dialing it up or dialing it back a little bit?
Lance Whittemore: I think again, it really comes from the SEC’s requirement that your compliance program be tailored to your individual business. And even though there are a lot of generic programs and generic calendars and generic manuals out there, really the approach is, as people have said about other topics, I’ll know it when I see it. When I feel better about something, I’ll back it off a little bit when I feel like my controls are solid and our activities are repeatable and consistent, and I feel good about the data that I’m using to do the testing and my outcomes. And then I might back things off a little bit if I see a problematic area, even if it’s something temporal that’s due to a specific circumstance or activity in the marketplace or new rule making, those are the areas that I want to focus on. So those are the things that I’m going to test more frequently.
Buddy Doyle: Right. And Sarah, I know you’ve worked with our Solutions calendars, which are more automated workflow schedules if you will, but what are some of the challenges that you’ve seen come out of having a compliance calendar that may tell you it needs some tuning?
Sarah Sutton: Well, the first thing I would say is looking at when you start out as a smaller firm or the same person’s doing most of the tasks on the calendar, it’s fairly easy to keep a spreadsheet or a Word document with the things that you need to do for each month and quarter and for the year. As you grow though you have more assets within the firm, you may or may not have additional filings that we’ve discussed that need to be done on an annual or quarterly basis based on the investments that you have. But you also, when you start, when you’re growing and you start to delegate, it gets more difficult to manage from kind of a more manual Word document or Excel spreadsheet. So that’s where we’ve seen some real opportunity with clients utilizing the Solutions compliance calendar, because it, I wouldn’t say set it and forget it, but you have the opportunity to, instead of having everybody have to go to a shared Excel spreadsheet or shared Word document, you can actually assign tasks to kick off and start that are assigned to different individuals and then track and monitor the progress, see which things are open.
It just incorporates the technology into all the requirements that are needed to be done throughout the year and easily be able to manage through the process, see what things have fallen by the wayside, things that need to be completed. But it also helps you kind of guide your next couple of weeks depending on what’s coming up and what time of the year it is. So some years are busier than others. The beginning of the year, you’ve got ADV seasons, what we call it. So you’ve got an awful lot of things to review before you submit your updated ADV documents at the end of March or whenever you need to based on the end of your fiscal year. So it helps keep you organized.
Buddy Doyle: Yeah, Candy, thinking through what Sarah just said, I think as firms grow and there are more and more people doing more and more tasks, I think we often think of compliance as, again, a manual person. The compliance is really about doing your business the way the rules say. And some of these things get beyond the compliance department into trading and operations in other areas where people are having to sort out how they’re going to run their business. Have you seen any sort of examples of where that kind of collaboration works better or works from a calendar program?
Candy Palugi: Yes. I think sometimes it can be both, right? Depending on your business, as Sarah said, the size of your business, how many players you have in the process. But I think a calendar is very helpful in at least ensuring that you have a note, you have documentation, a reminder, if you will, of all of the different areas of the firm that need to be involved in certain aspects of items that are due or reviews that you’re doing routinely. And I think to the point of Solutions or any other software, even if it’s a shared spreadsheet or whatever you’re doing, I think if there is more than one person involved in doing the process, that a shared document is very beneficial. So everyone can see what’s coming up and what’s kind of on their particular agenda coming up in the next couple of weeks so they’re prepared to handle their process equally as important.
I think sometimes it’s a challenge, as you mentioned, to have more than one player in the whole process and doing the review, but there may be a time when you want to, instead of having like one calendar item for something, say preparing your ADV annually, then you may have separate calendar items for the operational operations department. It needs to get the numbers together for you or the list. So that’s kind of their task on that calendar. So I think, again, as both Lance and Sarah and yourself have said it’s very important to tailor it to your business. And in doing so, that includes how granular or how general does the item need to be? Do you need to explain exactly what you’re expecting if another, the trade desk, or someone else, is having to gather that information for you. So I think overall it can work both ways. Sometimes it’s a challenge, sometimes it’s very beneficial to have more than one person involved in it.
Buddy Doyle: So as you get more complex in your organization and you get more people involved, that planning process becomes more important because it’s not just your time, it’s the firm’s time, and it’s figuring out the aggregate impact of the decisions you’re making on everyone. So if you’ve ever been double or triple booked on your calendar for a meeting using Outlook or whatever you use for your email feels a certain way, think of that as a regulatory deadline where you’re double or triple booked, and it can feel tougher. And Lance, well, everybody on this call really has had times where they’re running multiple compliance programs with multiple compliance and clients. And as you’re dealing with a deadline, if it’s a regulatory deadline, they all show up at the same time, right? So the ADVs, I mean, if their year end’s different, it won’t necessarily all be March 31st, but if Lance is working with six clients, March 31st is the same day for all of them, <laugh>. Lance, you and I have had the good fortune of working together for a dozen years on calendars. How do you take those things that aren’t a regulatory deadline and look at your plan and try to spread these things out, so you don’t drive yourself nuts every March and December?
Lance Whittemore: Well, I think it goes again, back to the regulatory expectation that your calendar will be tailored to your business, and I’ve been fortunate enough to work with some very different business models, retail, institutional, private funds, and every firm that I’ve ever worked with has had different nuances to their own business flows. I work with a firm now who the majority of their business happens in December, and June and July. That’s where most of their assets get priced. So it’s just another factor in making sure that you right size your compliance program to your business and make it match your business flows. And you are absolutely, other than regulatory deadlines, you’re absolutely welcome to move things around on the calendar to the extent that it makes sense for you, so that you do have the time to focus on those things and so that you’re not overwhelming yourself with unnecessary items when you have specific things that have to be done by a certain date.
And the other thing that I think you always want to remember is that nothing ever goes wrong by itself. Certainly when you have one problem gathering data in one area of your program, it’s almost a truism that something else will randomly go wrong that never actually goes wrong in real life either. So you always want to plan into that. And I’m sort of like Scotty on Star Trek who used to say, Okay, it’s going to take me a week to get this ready, so I’m going to tell them it’ll take three weeks. You almost have to build errors into your program because it’s either that or you pay for it in sweat and high blood pressure.
Buddy Doyle: Yeah. Sarah, I think you probably have been doing this certainly long enough to know that you have to expect the unexpected and how do you build time for making sure your top 10 number one priorities are in there and that your everything else is anticipated to come at some point, but maybe today, maybe not today.
Sarah Sutton: Well, Buddy, it’s definitely a balance because you don’t want to look at it on the very last day of the month and say, Oh, I need to go get all these tasks done. Because you probably have a lot of other things that you’ve said, Hey, I need to finish these before the end of the month. So spacing them out and delegating is key. And also, like Lance said, he said it perfectly: expect it to take three times longer, and it’s not, and it’s not that you’re going to find anything bad or wrong, it’s just you may go down a path, you may see something where you need to go down that rabbit hole and investigate to make sure everything’s okay and/or possibly develop additional procedures, tweak some procedures, go back, and test some additional things. And that takes time. And there’s nothing wrong with that. But make sure you have enough time. You do not want to have high blood pressure and stress levels that are through the roof because you’re trying to do it in a very short period of time. So definitely spreading it out, you really have 365 days to get all of it done. There’s a reason for that. So that’s definitely key.
Buddy Doyle: Right. Candy, any final thoughts for your audience on calendars?
Candy Palugi: Yes, sure. Kind of following along to what Sarah just said, for a moment, I think also with your calendar you could also prioritize. A lot of people like color coding, red for high priority, yellow, green. And because I think sometimes as we’ve talked a little bit about, there are some things that have to be done. We’re required to do them for the broker dealer, for the RIA. Some of them have certain times, those obviously are red items that they just have to happen. But sometimes we have aspirational things like we talked about, that you may want to test this a little more or start looking into this quarterly or monthly. And I think those could be a lower priority item on your calendar. So if you do run into issues as Lance and Sarah talked about, with getting your reports together or you find more problems than you expected, you need to kind of work through those, then you have these lower priority things that you know, are just kind of on a best case scenario, you would have done them and would like to do them, but let’s try for it again next quarter if it didn’t work this quarter.
The other thing is, I think it’s important to look at your calendar every year, like when you’re ready to start the new year, take a look at what’s changed, what rules have changed, have any filing deadlines changed? What are FINRA and the SEC’s priorities for the year? Make sure that you have implemented those into your calendar well, to ensure that your firm’s prepared for an examination. If they come in, you have the proper documentation you need, that kind of thing. I think the main thing is to make sure that it’s a, an evolving thing, that you are constantly looking at it, evaluating it, updating it, changing it as it needs to happen with your firm.
Buddy Doyle: Alright, so I’ll leave in one final thing that just leveraging on Candy and Sarah, do you have anything you want to add in there? No, I don’t. All right. So Candy, you mentioned regulatory exams and making sure you have yourself together. That’s probably the final thing to consider in your calendar is when you respond to an examiner with the things that you’re going to do to resolve an issue or a topic, make sure you get that done. Repeat findings are not great things to go through. So a regulatory exam, some of these ripped from the headlines, enforcement action type items are good things to take a look and ask yourself, do I have this covered or not? And if you don’t, put it in that calendar to make sure that it’s there and that it gets dealt with. And that even if it isn’t really closed up and dealt with, that it’s dealt with professionally with your management of your organization to talk through the risks that, that are, that are in your compliance program and how to tackle those in the right fashion. So I want to thank the team today, Sarah, Candy, Lance, thank you so much for sharing your experience with our listeners and we hope that you will join us again in the near future.
Libby Hall: Thanks everyone for listening. If you’d like to learn more about our experts, our Oyster Solutions Governance, Risk and Compliance software or how Oyster can help your firm, visit our website at oysterllc.com. If you like what you heard today, follow us on whatever platform you listen to and give us a review.