By Buddy Doyle, Ed Wegener, Evan Rosser and Jeffrey Hiller
2021 Exam Priorities: The Importance of a Risk-Based Approach
Join Oyster CEO Buddy Doyle, Ed Wegener and Evan Rosser (former FINRA regulators) and Jeffrey Hiller (former SEC regulator) as they discuss the importance of viewing the FINRA’s 2021 Exam Priorities and your compliance program through a risk-based lens.
Transcript provided by Temi transcript services
Oyster: Welcome to the Oyster Stew podcast, where we discuss what’s happening in the industry based on what we see as we work with regulators and clients. Oyster consultants are industry practitioners; we aren’t career consultants. We’ve done your job and we know the issues you face. You can learn more about Oyster Consulting and the value we can add to your firm by going to our website – oysterllc.com
Buddy Doyle: Hi everybody. I’m Buddy Doyle, Chief Executive Officer of Oyster Consulting. And I am joined today by three members of our team, Evan Rosser, Jeffrey Hiller, and Ed Wegener. Today, we’re going to be talking about the 2020 report on FINRA’s examination and risk monitoring program and give you a little bit of overview of their reaction to the report.
Ed Wegener: What I found interesting is that many of the areas in this year’s letter had been addressed in prior priority letters – things like cybersecurity, AML, outside business activity, private securities transactions, variable annuities. What was interesting, and what I think is new, is how the letter looked to apply traditional rules and requirements to new and technology enabled products and tools. So things like focusing on digital assets came up quite a bit throughout the priorities letter, the use of digital apps and specifically game-like tools that you can use in an app. So I found that very interesting. And then, you know, with communications, communications has always been an area of focus, but the specific focus on communicating using new digital methods for communicating things like the communications that are in digital apps using social media and to the sites such as Reddit. The interesting thing was it was taking traditional rules and requirements and applying them in this new and quickly changing environment.
Buddy Doyle: You know, the other thing that I noticed in this document that was scattered everywhere is the term risk, how often they were talking about assessing risk, risk-based approaches. And it seems to me like, as we’re going through this, there is a risk process that you need to be thinking about in your organization. Risk assessments aren’t required by FINRA, but they are alluded to so frequently, it’s kind of come up with the question of how you take a risk-based approach, in compliance without a risk assessment. I’m not sure we’ll be able to answer that question here. Any thoughts on the risk-based approach to, to this document and, and really to your compliance program that comes out of this?
Ed Wegener: You know, Buddy, I think to your point is there isn’t anywhere that says specifically as part of the rule requirements that you do a risk assessment. But like you said, I think if you look throughout the rules and the guidance that’s come out and things like these priorities letters, it kind of is a theme throughout all of those. And you know, one of the things that the rule requires is that you tailor your procedures to your specific business and that tailoring would necessarily, I think, involve an assessment of where are the areas of particular risk of my firm. And do I have controls in place over those risks in order to be able to make sure that my supervisory system is reasonable. So I think that that’s an important thing. And the other thing they have to take into consideration is what you’re hearing from the regulators is they’re all saying that they’re taking a risk-based approach to their examinations.
And so as part of what they’re doing to identify where they want to focus and put their attention, they’re taking a risk-based approach to their doing their own risk assessments against all of the firms along the different risk areas that they’re focused on and doing an assessment. Then using that to drive things like how frequently they do exams and what they look at when they get there. So I think that whether we’re wired specifically or not, I think it’s really incumbent on firms if they want to do a good job of man bridging the regulatory risk is to do some type of risk assessment and then determine whether they have controls over those risks.
Jeffrey Hiller: I think it’s implied in the policies and in the principle-based approach that you do in fact have to do. You can’t assess your compliance department effectively without doing a risk assessment. And those risk assessments will change. Something may become more risky or less risky over the course of a year as the regulators information evolves, as other colleagues in the industry are noted for what ttheir conduct is. So I would pretty much say that it’s implied that you must do it and that you ought to do it just because it’s probably the most effective way to capture some of what we need to capture.
Evan Rosser: And I would suggest that a risk assessment should begin with, or at least have a large component devoted to conflict identification, because that would be a major risk for a lot of firms. And there’s certainly several many other areas of risk for broker dealers, but identifying conflicts, mitigating those conflicts, eliminating them when possible would be a major part in my mind of any risk assessment.
Buddy Doyle: So one of the things that the instructions talk about is conducting a gap analysis and I think that is an obvious plan for firms to do, but some of these issues are going to be relatively large to go through and analyze and implement. So I think as you go through and do your gap analysis, one of the questions is what do you do when you find a gap? Evan, you’ve done a lot of work with us as an independent consultant for regulatory orders. And some of those things are pretty hard and lead into pretty big initiatives. Any thoughts on how firms can assemble their team and start down a path of closing the gap?
Evan Rosser: I would start with, when we talk about risk assessments and gap analysis, firms should remember that in some respects, your 31/20 review is a gap and risk analysis. If you have branches, an OSJ is your branch exam program and helps identify gaps and deficiencies in your program and risks. Your email review can help identify gaps and risks. So you already have a number of processes that you can use to put together a risk analysis and a gap analysis. And when you address those gaps, sometimes that’s easy; sometimes that’s hard. But you have to identify who’s doing what at the firm. Who’s responsible for certain areas of the firm’s business? How’s your supervisory structure? Is it being reviewed properly? Could you have caught that gap had you had done something differently? How did you identify that gap? If you identified that gap, then maybe however that was, you need to do more of in the future. ut it is a way to identify these gaps and to bring them to the attention of the staff. This can’t be something that’s handled strictly by compliance or strictly by supervisors. It has to be a firm wide effort, or at least a department wide effort, depending on the size of your firm. But yes, we have been through that process with firms, and it does take a little work to get to the root of the problem, the cause, and addressing it takes procedures, it takes people, it takes training, and it can be a challenge, but it can be done. And it certainly is done.
Jeffrey Hiller: The only other thing I would add is as a practitioner , and Oyster has a benefit that we have a lot of experienced regulators. And so what, the only thing I would add to Evans is that as you identify a gap, have a plan to fix it. Evan’s gone through and explained that you may need a department here or more people in the firm but have a plan. And by that, I mean a written plan so that if you identify a gap today through your analysis and know that you have to enhance a policy procedure, and if it may take more than a day, then have a written plan of how you’re going to go about doing that. Because if the regulators come into your firm before you complete that item, but you can show them that you’ve identified it, you have a plan to fix it, and you’re adhering to that plan, that mitigates some of the risk that you’ll encounter as you move forward.
Evan Rosser: A lot of times when we find a risk or we find a gap, it’s because the firm wasn’t looking at the right thing. They weren’t looking at the right metrics. They weren’t looking at the right facts or statistics. And maybe it’s sometimes addressing that gap is simply looking at something differently and looking at a new set of facts to help find those gaps.
Ed Wegener: And I think just one of the things too, to emphasize why this is so important is that the shift that the regulators have made as they’ve implemented their risk-based exam programs, they focus less on whether or not you have procedures and supervisory procedures over a particular area, and more about the effectiveness of those procedures and controls. So they’re going to come in and say, okay, well, show me how you’re controlling those particular risks. And they’re going to want to understand, not just that you have procedures in place, but they’re going to want to know, are those procedures effective? Do they mitigate the risk that they’re concerned about? Are they being implemented appropriately? So they’re going to test to make sure that they’re being implemented. So unless you do this type of gap analysis, you can leave yourself exposed when the examiners come in and really do a very thorough assessment of the effectiveness of your controls.
Buddy Doyle: And I would caution people though, as they find a gap and they try to close that gap, that if it’s a difficult one to deal with, a difficult issue, it’s going to take a while, take steps towards mitigating the risk and don’t get so aspirational in your initial procedures that you can’t follow them. So do realize that you may have to work through some things. You may need some work arounds in the interim. Don’t be afraid to move towards a reasonable approach in a deliberate fashion, rather than trying to, you know, scenario a perfect approach to the topic that just takes you a lot longer.
Evan Rosser: And, you know, Buddy, sometimes you need a new set of eyes, but some of these deficiencies, some of these gaps, it’s hard for people that have been working with them to see the gap, and to see a resolution. So it can be very helpful to get a different perspective on the program, on the risk, on the conflict or the gap in the program. A lot of people have been working around that have been accommodating it. Have been, you know, kind of working around it and new set of eyes to take a fresh look at it can be very helpful.
Buddy Doyle: Ask your Sales team, ask your ops folks, ask your traders, ask your finance people. Those are all good influences because a lot of these things aren’t necessarily around a manual they’re around a process. And so don’t be afraid to get the folks, including the creative ones, the marketers, and all those in a room to bounce it around. We learn an awful lot here in our compliance practice at Oyster from our ops team or grow team. And so I think it’s a good idea to definitely make sure that you you’ve pulled in resources that go beyond your own head and your compliance department to get some practical solutions to move forward.
All right. Thanks everybody. Hope you have a great week.
Oyster: Thanks for listening. And if you like what you heard, make sure to follow the Oyster Stew podcast on whatever platform you listen to. If you’d like to learn how we can help firms start, run, protect, and grow their business, visit our firstname.lastname@example.org.