In today’s Oyster Stew podcast, our panel of Oyster compliance experts—Lisa Robinson, Len Derus, Bryan Jacobsen, and Brent Nicks—explore recurring compliance issues from 2023 and guide you through the process of closing existing compliance gaps. Our consultants provide valuable perspectives and what we heard from our clients on key regulatory areas:

  • DOL Retrospective Reviews
  • Outside Business Activity monitoring
  • Private Fund Rules
  • Direct Business
  • Off Channel Communications
  • Cybersecurity
  • FINRA’s Branch Inspection Pilot Program

Additional Wealth Management Compliance Resources:

Keys to an Effective DOL Retrospective Review

New Era of Private Fund Adviser Reforms

Proactive Strategies for Reg BI, Sales and Communications

Level Up Your Branch Inspections

Oyster Is the Partner You Need

Oyster’s experts have the FINRA, SEC and state regulatory experience to help solve complex regulatory challenges that are critical to your business. From updating your policies and procedures to testing and remediation, Oyster Consulting provides the compliance, trading reporting, operations and strategic planning your firm needs to stay ahead.

To manage the increasing regulatory burden, firms are turning to compliance management software. Oyster Solutions governance, risk and compliance software’s powerful integration and automation provide the surveillance tools your firm needs, accurate supervision and the reporting structure that regulators demand, all while giving your employees a streamlined, easy to follow experience.


Transcript provided by TEMI

Bob Mooney:  Welcome to the Oyster Stew Podcast. I’m Bob Mooney, General Counsel for Oyster Consulting. Join us today as Oyster compliance experts, Lisa Robinson, Len Derus, Bryan Jacobsen, and Brent Nicks discuss recurring issues from 2023 and how to close out existing compliance gaps. In today’s podcast, you’ll hear our consultants share their perspective on the following areas of regulatory focus, including DOL Retrospective Reviews, outside business activity monitoring, private fund rules, direct business, off channel communications, cybersecurity, and FINRA’s branch inspection pilot program. Let’s get started. Lisa –

Lisa Robinson:  Thanks so much, Bob. It’s great to be here. And, you know, coming into a new year, it’s always good to look back to review and discuss changes and perhaps some challenges to the regulatory landscape and the impact of those changes to our financial services firms. Today, my colleagues and I will provide a high level overview of some of these important areas and share what we’re hearing from our clients, what we’re seeing going on in the industry. So, to start, Brent, there’s a lot of news out there about the DOL Rule and the requirements and how that’s impacting the industry. Can you talk a little bit about the Retrospective Review for us?

Brent Nicks:  Sure. And thank you, Lisa. The DOL, the Department of Labor, Retrospective Review is really a requirement tied to the Department of Labor’s Fiduciary Rule or, Prohibited Transaction Exemption 20-02 as it’s affectionately known. I don’t know how many iterations we’ve had of that thing. Now I make the running joke that the Fiduciary Rule at this point is more like software updates to your cell phone. It seems like we get a new version of this thing about every two weeks. So, one of the things that is standing in all of these iterations is the firm’s responsibility to do a lookback of the entire previous calendar year to assess their effectiveness to that rule. And this one gets, as I talk to people in the industry and talk to my clients, this one kind of caught folks last year because, it’s out of cycle.

So it’s, it’s got a June 30 date for responsibility to be completed. But, you know, in the first quarter of the year, you’re worrying about your 3120, your 206 for the RIA, and then you got this thing that’s another three months later, and it’s kind of out of sight out of mind. One of the things I would absolutely say is, as you’re looking back to after the first year of this review, is you’re pulling a lot of the same information to evaluate your compliance program over time. Pull this information at the same time. What is the purpose of the review? It’s to assess your firm’s procedures, determine whether you’re operating under any educational material exemptions, and then test to those procedures or use of those exemptions to make sure that you’re meeting what you said you’re doing, and are you keeping the records relevant associated with that to be able to verify what you are doing.

And once you’ve done all of that, you’re going to boil that down into a report that includes the methodology of how you tested it, and that’s what you’re going to keep. And you got to keep that thing for six years for the DOL, and it keeps saying DOL, because it’s super important. This is for the Department of Labor. This is not for the SEC, this is not for FINRA. So, a few folks that I talk with go, yeah, we did that, and we incorporated it into our other annual report here, the 3120 or the 206. I would really suggest, as you look about moving into this year, maybe how you did it last year, I would not incorporate that into a larger report. Again, remember the audience, it’s the Department of Labor, or you may be looking at all of this information at the same time.

I would not incorporate this into larger reports that you would have to provide to regulators, to which those reports are not normally part of, or in their purview. So think about that. We’re in year two. Don’t let it sneak up on you. And I’ve got a couple of other points to make maybe in some other areas today, Lisa, but it’s all going to boil down to the same considerations that I want to get to in a second. But for that report think about it early. Use your data points that you’re collecting for other purposes. Now, even if you may not generate the PO report till a little bit later and try not to duplicate efforts. That is my big suggestion and my emphasis for my clients and for those that are listening to this podcast.

Lisa Robinson:  Yeah, that’s really great advice, Brent. Thanks so much. Another topic that I think is noteworthy for a look back of last year certainly isn’t new, but it’s something that still kind of sneaks up on firms, and it’s something that they need to be mindful of is, of course, outside business activities. Brent, could you just talk a little, what are you hearing from clients and what recommendations do you have for them?

Brent Nicks:  Yeah, this one, and I’ll say it’s a little bit of a head scratcher to me, but this falls under basic blocking and tackling, right? This is the oldest of requirements of broker-dealers, the firm is required to maintain this information to make a full assessment as to whether they should allow to limit interaction in or to simply prohibit certain activities on the basis of conflicts to the firm or to the client. Pretty straightforward stuff. Most firms clients, others that I talk with, really good out of the gate, whether it’s a manual process or whether it’s tech. They usually are good about capturing this information out of the gate with their normal onboarding processes, but that’s usually where the firms start to deviate. A lot of this just has to do with drift and a lack of follow up.

So my suggestion is, yes, you have an onboarding, you’re collecting all this information, you have to gather this to get the clients onboard or your reps onboarded. But then what are you doing afterwards? And you’ve got to have effective processes to make sure that you don’t allow that information to stale date. I think one of the things that I’ve, as a former practitioner, as a former CCO, in interacting with my clients and colleagues, if you’ve got OBA information that is stale, dated in your CRD with FINRA, there’s no changes. There’s no updates. I can almost guarantee you that is going to be nitpicked. And this is where the new world of web analysis and AI tools is a very easy way for those arm’s length from you to either validate or honestly tear apart, your reporting of OBAs is not difficult to do.

So what you really need to think about is just focusing on the effort, the follow up. How are you addressing it? So, when I go back to what I said about the Retrospective Review, this kind of all boils down to a couple of things and think about these questions in really this order, if you’re having issues in these areas. I’ve had interactions with some colleagues where something as simple as OBAs has escalated all the way to an enforcement action because of either a lack of ability of the firm to verify that they had the correct information, provided the appropriate approval, and could verify that they adequately reviewed it or simply did not understand that there was a change, or a new one, and didn’t capture it in the first place. So did your WSPs fail? You question one or then if they didn’t, did your process or simply not following up on the process that you have, did they fail you?

Were those processes manual or were they tech-based through the use of attestations or questionnaires? If you are using manual processes, is your firm of a size or of a sophistication where manual processes just aren’t going to work? Do you need to consider a tech solution to help you streamline some of what you’re doing? And if it was tech, then did the tech you implement, are you using it appropriately? Or is it simply not meeting your needs? Have you outgrown it? So this is a great time of the year to assess and update. And that update could include, we all have a responsibility of vendor due diligence. Are they meeting our needs? Do they, have they had cyber breaches? Have they done this? We all have, we know we have to do vendor due diligence, but this, the most simplistic part of vendor due diligence – is what we’re using, meeting our needs?

And if the answer to that question is no, this is a great time of year to investigate new options, new solutions to do even basic things like this. Because once you’ve made that update, and I’m going to use a statement that I make in my other time away from here as director of coaching with both coaches and players. I don’t mind you making mistakes. Mistakes are natural. What you don’t need to do is make the same mistake over and over again. So assess, update, correct and move forward. And these are just two examples, but it’s the same considerations, the same implementation. This is the time of year to review what you did, whether it be the Retrospective Review, your OBAs, where in your software you’re weak. Take a few minutes figure out is it your procedures? Is it your implementation, or is it your tools? And whichever one it is, take the time to fix it.

Lisa Robinson:  Yeah, that’s really great, thank you. And again, it’s been around for many years, but still something that catches people. Bryan, did you have thoughts on that?

Bryan Jacobsen:  Yeah, I want to hit on the Retrospective Review part of it. Because I think that is key. I think we still have a tendency to view OBAs as a kind of one and done activity. You approved the activity, you got comfortable with it as a firm, and you move on. Now in today’s world, it’s obviously impossible to re-review every OBA that’s ever been approved. But at the same time, using a risk-based approach, you do know the OBAs that maybe give a firm a little bit more of a heartache, right? And those should be tracked. And periodically going back to that advisor to make sure that things are the same as what you approved. Have they changed? Has the risk appetite of the firm changed? All of that I think, is key.

I remember once early on in my career when I was just a young pup, I actually sat down at my desk first day on the job. I happened to open up the drawer unit trying to just get organized. And I kid you not, the drawer was full, from bottom to top, of unapproved OBAs. So I had the, I was not the CCO, obviously, it was young in my career, but I had the privilege of going to the CCO and <laugh> and explaining to him yeah, Houston, we might have a problem here. And I’m sure everyone can imagine that person’s reaction when we had that discussion. So definitely looking at the process, making sure it’s solid, making sure that the people are doing what you think they’re doing, and then doing the review of those high risk OBAs, I think is, is key.

Lisa Robinson:  Yeah, that’s really great. So, Bryan, while we got you here, let’s go back to a rule that again, recently became effective at the end of 2023, the Private Fund Rules. What are you hearing and seeing, and what are some of those requirements?

Bryan Jacobsen:  Yes. Private Fund Advisor Rules. So this is a rule, and really a series of rules, that is long in the making. I mean, PRI private fund advisors is over a trillion dollar industry at this point. There’s both registered and exempt from registration private funds, as we all know. So, the SEC actually amended their rules under the IA Act (Investment Advisors Act) of 1940. This was done, they published the final rules in August of 2023. And then the Federal Register was published in September of 2023. But in essence, the final publication was 185 pages. I’d like to just start off by saying there’s a lot to unpack with this rule, and there’s no way that we can get through the nuances here, but I’d like to at least touch on some of the highlights.

I think the SEC has gone a long way to try and provide transparency for the underlying clients. You know, the risk of private funds has always been the lack of clarity and transparency and some of the side deals and favoritism that might occur with private funds. So they’ve really gone a long way to really make this much more transparent with the clients. So most of the stuff that they’ve come out fits that bill. For example, they’ve created a requirement for quarterly statements, which I think, especially in the brokerage industry, we’re so used to having a quarterly statement, but there was no such requirement. But going forward private fund advisors will have to provide a quarterly statement.

The statement will include the usual things that we would expect. Things about fund performance fees, expenses, compensation, and if there’s other amounts paid to the advisor. There’s also going to be a private fund audit that’s going to be required where private fund advisors will be required to arrange for financial statement audits of the private funds. They advise the framework of that audit is going to fit very much within the custody audits that were used to under the Advisors act. The other thing I’d point out is there’s advisor led secondaries. This is where the private fund advisor is going to need to obtain a fairness opinion or valuation opinion when offering existing investors the option to sell their investors in a private fund or convert to a private fund. And then the last thing is their books and records requirement is to have detailed WSPs that describe their compliance with the policies and procedures.

I think most people listening to this call probably assume that these are all things that are already in place. But again, with the private fund advisors, definitely a huge change in the landscape. Along with that, they’re also making certain restrictions in private funds. Namely advisors will not be able to charge or allocate fees or expenses associated with investigations without providing certain disclosures and consent from the client. They will not be able to regulate or may not change regulatory or compliance fees without disclosure. And they may not reduce drawbacks by certain taxes without disclosures. And the last big one is preferential treatment. Believe it or not, this one still floors me that in previous generations this was allowed. But with the new rule, it will prohibit preferential terms regarding redemptions from the fund and preferential information about portfolio holding or exposures.

Now, it gets interesting when it comes to the compliance state because there are really three different dates that may apply to when different private fund advisors have to apply. When it comes to the audit rule and the quarterly statement rule, it’s 18 months after the publication in the Federal Register. So that would be March 14th, 2025 for advisor-led secondary and preferential treatment. And the restricted activities rules, it really depends on the assets under management. If advisors have $1.5 billion or more, then it becomes effective September 14 of 2024. And if you have less than $1.5 billion then the effective date is 18 months, or March 14th, 2025. And finally, the compliance rule where you need to have appropriate policies and procedures has already gone into effect, and that is effective November 14th, 2023. So again, a lot to unpack. If anyone has any questions, please feel free to reach out. We’d be happy to discuss this in more detail. Thanks, Lisa.

Lisa Robinson:  Great. Thanks so much, Bryan. So next we’d like to talk a little bit about a business that some would agree may not be the most well understood model, and that is direct business. So Len and Bryan, if you could just talk about that business a little, perhaps some of the challenges we’re seeing with direct business.

Len Derus:  Sure. Thank you, Lisa. I’m happy to start with this, and Bryan, obviously, I know you’re very experienced in this as well, so jump on in anytime you like. So direct business, we’ll think of this as business that is done directly with an issuer of insurance products. So variable annuities as well as direct to fund, mutual fund business. And it does create special challenges, especially in the supervisory area. Now, typically what we see with the client is the applications are filled out and the information sent to a reviewer, whether in a home office or some other supervisory office that gets reviewed there and is then sent on to the issuer, to the fund company, to the insurance company. They’ll get the information, invest the monies that were sent along with it. But the challenge comes in with, especially those firms where you also have a clearing firm with a brokerage platform where all of your older business goes through. So if you think about this, you have investments happening through different channels. You might have variable annuities going into some issuers, some mutual funds, going to some mutual fund companies directly.

But also on that front, you may have some of these transactions also going through the brokerage platform. And the challenge that we see out there is how do you pull all of this together to make sure you’re meeting all the needs you have from a regulatory perspective regarding break points or splitting of transactions, rights of reinstatement, letters of intent, and all of that. So how do you pull that information together is really the greatest challenge. And then especially in those small to mid-size firms where your supervisory and your compliance functions are maybe a little bit smaller. So, how do you pull that together? Different ways you can do it depending on the information you’re receiving back. So is a fund company giving you a blotter with all of your transactions, or do you have something like that?

Len Derus:  And then can you marry that information with your brokerage system information to then get a fulsome look at the account? So I have a customer, they do direct to fund business. I have a customer, they also transact through my brokerage platform. I want to see everything that this customer is doing in one place. Is that even possible? And that’s what people are struggling with. How do I do that? How can I best do that? How can I marry that information together? So Bryan, I don’t know if you’re seeing anything different, but the clients I have are struggling there. So, we’ve worked with them in terms of ways to work with their technology within their own company to say, hey, can you pull this together for me in one blotter? And what should be in there? Are there other supervisory procedures maybe that will help them at least remind them to look at the system when you get this application in so you can ensure that maybe they’re not over concentrated in annuities or they don’t have a large holding already in one fund company, and now where they could get a better break point.

Have you seen anything like that, Bryan or anyone else?

Bryan Jacobsen:  Yeah, great question. You know, let me first start off by saying that I think the direct business can present a huge amount of risk for a lot of firms, for all of the reasons that you mentioned Len. It just tends to be a difficult supervisory structure. One of the things that I think is important to look at is what is the direction of the regulators. We’ve all seen the recent news where they fine a firm, a large amount of money for specifically direct business supervision. And, I think it’s important to understand that when FINRA does that, what they’re really doing is sending a shot across the bow for the rest of the industry saying, look, we expect that there’s probably going to be more of this to come.

And I’d be shocked if this was not a focal point during upcoming regulatory exams. So as you get prepared for your upcoming cycle exams, definitely look at your direct business supervision. What I tend to see is that it comes down to the workflow. And, anymore, I’d say, it’s really more prevalent probably on the variable annuity and mutual fund side, but it’s really more mutual fund now because most firms require variable annuities to be pre-approved by the home office, just based on the supervision rules. But there are some exceptions obviously out there. But either way what I tend to see is firms have a process to establish an account within their books and records and it’s probably a bad term, but I’ll call it a shell account or however you want to frame it, but it’s basically a commission holding account so that they can collect that direct commission feed in, and they can pay out correctly.

Well, what happens is that because there’s no real great communication between the direct sponsors and the firm, many times those accounts stay on the books indefinitely. And firms are typically strapped for resources. So they may not be reaching out to the direct sponsors to find out which accounts were closed directly with them. So what happens is that over time, that amount just builds up and it’s almost impossible to really stay on top of it. So what you see is kind of a natural degradation on the supervision of those direct accounts just because like anything else, junk in equals junk out. So being able to control the universe to a finite and actual universe of direct business is important. But then also, firms always are going to have some type of switch or exchange form that they require, disclosing fees and, the new CDSC fees or whatever occurs with that transaction.

Bryan Jacobsen:  But in many cases that information is coming directly from the advisor completing the form. The advisor then has the client sign it, and it comes into the home office. Well, keep in mind, I mean not saying that you have to review every single form and check every single data point against prospectus, but there should be some type of process where you’re periodically spot checking that stuff to see if there’s an advisor that is either intentionally or unintentionally making mistakes on those numbers. Because, again, any failure on that is automatically an ability for the client to claim rescission and all that good stuff. So, anyway things like that I think are going to be important. And again, I would definitely recommend firms review their process because I do think that this will be a hot topic during the upcoming few years of cycle exams.

Len Derus:  Yeah. And, so Bryan, you brought up something else too, like when this information is coming in for review, you’re getting the full packet. So, and I’m going to tie back now to the Department of Labor Retrospective Review, this is one of those opportunities, I think, Brent, you were talking about, where you’ve got an application coming in, there was a recommendation made, they’re rolling over a 401k into an IRA and then putting it in some new funds. So the recommendations being made there, there’s information that needs to be collected for the DOL review as well as for suitability and Reg BI. So this is the opportunity for you to really take, put the umbrella over all of this. I’ve got a new account, I know I need these things for these different reviews. Is it all here? So make sure it’s all there upfront. So when you do get to the point where you’re doing your annual reviews, you’re doing your overall account reviews, or you’re doing your DOL retrospective, you’ve already got the information you may want to take a look at, and then you can do your testing and your other reviews as you need, because you have it, you have it upfront when was provided initially. So, Brent, anything else on that? What do you think?

Bryan Jacobsen:  No, I think you covered it really well. No nothing to add.

Brent Nicks:  Len, I think I would, right over the top of what you just said there, is bring that all the way back to a lot of times your business model, while direct business is always available, your firm’s business model should be predicated on your ability to be able to supervise it. So if your technology solutions, your interactions, if the things that you have available to you are going to create significant gaps in the maintenance of a blotter, the ability to be able to identify, in this instance, rollover instances, the firm should probably throttle how much of that activity that they’re allowing. And, particularly for those that are maybe introducing or clearing, where honestly, does the use of direct business, mutual funds make sense for a fully introducing or clearing firm that has access to all of that through their normal channels and through their normal supervisory processes. So, again, assess what you’re doing. If you have soft spots come back to them. Is there something you can shore up? If so, definitely do it. Don’t just keep going down the same path.

Lisa Robinson:  Great. Thank you. So the next thing I want to talk about are off channel communications. And once again, in 2023, we saw significant enforcement actions being taken against broker dealers and advisory firms and others relating to these off channel communications. Now, SEC record keeping rules have been around forever, but firms are really struggling to comply when relating to these non-traditional communication platforms. You know, especially since COVID and the significant increase in remote work, employees just aren’t sticking to firm email anymore, right? We’re seeing channels used that some of us, like me, have never even heard of before <laugh>. So from reading these enforcement actions, we see these off channel communications employees conducting firm business on WhatsApp, instant messaging, LinkedIn, messenger, slack, and others. And these, the issue, of course, is that these channels are not being captured, retained, or supervised by the firm.

We’ve also learned from recent enforcement actions that just prohibiting the use of unapproved communication channels just isn’t enough. Firms really need to examine internal policies, identify gaps, provide training, include attestations at the beginning of employment, and regularly thereafter. And this really is a culture at the top issue. Enforcement actions have noted that high level executives at major firms have been found to have been using off channel communications. So make sure your supervisors and senior leaders are adhering to the rules as well. A big discussion about how firms deal with employees using their personal devices for firm business and how firms have control over, and the ability to preserve business communications on these personal devices. Importantly, the SEC has encouraged firms to voluntarily disclose any such record keeping and or supervisory violations. I would think it’s always better to self-report than have the regulators find it on their own. In fact, the SEC division of Enforcement has advised the industry to self-report, cooperate, and remediate. It’s pretty powerful, right? Overall, employees should only use tools that the firm can capture, store and supervise. Obviously, this is going to remain on regulators radar for 2024 and beyond.

Len Derus:  So thanks for that, Lisa. I just want to jump in here real quick because this is actually an interesting topic, and you were talking about some of the requirements, but, and Brent, you touched on this for all the topics, and Lisa, you just touched on this again, is that understand, before you say, I’m going to allow this, how can you actually supervise it. What can you do to supervise this and understand how that might be implemented within your organization? Not someone you know, how they implement it because that may not work for you. And I have a couple of ideas around this. So first of all, if you decide you’re going to allow certain off channel communications, you’re going to allow social media, you’ve decided you’ll hire a vendor to capture the information for you, get that up and running.

The next decision you’ve decided already, I think I could supervise this. However, you want to see how that supervision works. So consider how you’re going to roll that out. Do you want to roll it out all at once? Do you want everyone to have access all at once? And you don’t know yet what the reports look like, how much information’s coming through or consider for yourself and your ability and the amount of time you have to supervise, whether or not it makes sense to do a rolling production, let’s say. So I’m going to roll it out to this group first, this group next, this group next based on what I see coming in and how I’m able to supervise this, what the reports look like. And if it’s going well early, maybe you can roll it out faster. If it looks like there’s some hiccups along the way, maybe you slow down to roll out. So keep that in mind once you decide you’re going to do this, it’s not an all or none. You don’t have to do it all at once. You can consider rolling it out to allow you to adapt to that new supervisory process that you need. Make sure you’re getting your reports and the support you need. And you have a handle on how it’s being used within the organization. So just something to consider if you do decide to allow certain aspects of communication with your customers.

Lisa Robinson:  Yeah, I think that’s really good. And also, if you do have a technology vendor, work real closely with that vendor. What keyword searches are they using? Are they identifying like or other things that could alert the supervisors that other unapproved communication channels are being used? So work with the vendor. And I wouldn’t keep it stagnant. Like any searches you have, you should be constantly going back and working with the vendor to make sure that they’re incorporating other things that are happening. I’ve heard some firms survey their reps and even survey customers to ask what type of communication channel do you prefer? And incorporate that and see how you could build that out into your supervision as well. So that’s a great point, Len.

And last, but certainly not least as a look back, but also look forward, is cybersecurity. There continues to be significant risks to firms and customers relating to cybersecurity threats. FINRA notes that cybersecurity remains one of the main operational risks facing broker dealers. And as you all know, in for the exam report that FINRA put out, they have a new financial crime section that deals with cybersecurity and other related topics. We all hear of the just incredible harm to firms, including financial losses, reputational and operational harm due to cybersecurity incidents. No firm wants to be the one in the news that was subject to a ransomware attack or intrusion, or a sensitive customer information stolen. So it’s important that compliance also be part of a firm’s cybersecurity program. It’s no longer just the IT department that has to be aware of these threats and how to handle them, but it impacts compliance and supervision as well. And Bryan, you and I were talking, it could happen to any size firm, right? It’s not just large firms or firms with platforms or websites that have to be aware of the threats and, and do risk assessments to mitigate these threats. It could happen. Yeah.

Bryan Jacobsen:  Yeah. No, that’s exactly correct. And, in a weird sense, I think FINRA tends to focus even more on the smaller firms and their tech stack and the ability to safeguard against cyber-attacks, because they know that smaller firms just naturally have less resources to devote to this. So there might be more vulnerabilities. And what Lisa said and what you said about compliance being involved, I think that’s key. I know a lot of times when I talk to a firm and I’m speaking with their compliance staff and I mention cybersecurity policies and procedures, so on and so forth, I tend to get a little bit of eyes glazed over, and the first thing that they do is reach for the number of the CTO to get that person on the phone with me.

And the thing that I think is important to understand is that in today’s day and age, obviously as a compliance professional, we do not need to understand the ins and outs of the technical capabilities of the tech stack and all that stuff. That’s beyond our scope as a compliance officer. But we have to make sure that the policies, procedures, the testing, all of that makes sense, that we as layman people can understand that. And more importantly, that we can explain that to the regulators when they come in, because more than likely they’re going to be coming in not from a technical background, but from a background similar to ours. So the ability to understand the policies around it is key. And if those policies and procedures, and I’ve seen several of them where they’re great, they’re very detailed, but they’re so technically oriented that you really do need to be right in the technology field to even have a hope to understand what they mean. If they’re that technical, then probably you need to think about a more overarching document that just kind of describes the policy in a broader sense.

Lisa Robinson:  Yeah, that’s really great advice, Bryan. Just to close the loop on this, real quick looking forward, the SEC has proposed new rules, a cybersecurity risk management rule for broker dealers, clearing agencies and other entities, which would require things such as immediate notification to the commission of the occurrence of a significant cyber incident, as well as public disclosures. So again, with all the technology and AI and all this, you just need to be aware and have the right policies, procedures, and other things in place for cybersecurity. So we covered a lot of really key hot topics for 2023. We’re just going to talk really quickly about something the SEC approved in 2023. We don’t have the effective date yet, but whenever I speak with a client, they seem to be asking about the FINRA branch inspection pilot program. So Len, if you could talk a little bit about that.

Len Derus:  Sure. Thank you, Lisa. Happy to talk about this. It’s definitely something I’ve heard a lot about too. So we do know it’s on everyone’s mind, which is good. So that does show that people are looking forward, they have the regulatory change management in mind, so going into the new year they can be ready for the new things. This pilot program, it’s called a pilot still. As we know, since the pandemic, there was approval provided to the members in the industry to conduct remote branch inspections, branch examinations that you need to conduct on a regular basis. The approval of this allows for a continuation of that process, but putting more guardrails around it. So there’s a few things you need to keep in mind here. It’s not a blanket statement saying you can now examine all of your branch offices remotely.

Instead, there’s some analysis that does need to happen. First of all, your firm, you have to look at your firm overall. Within the rule, there’s discussion around whether the firm is or is not eligible to be able to do this. And then aside from that, once you say, yeah, my firm can participate in this, I have to select branches. There’s some assistance there too within the rule, where they have many different factors to look at within the branch office: the type of business, is there any kind of history of the reps within those branches, anything like that. So there’s several questions you need to ask yourself regarding each branch office and whether or not you can conduct that one remotely. And if not, then it’s back to the onsite inspections that you used to do. Along with that assessment, you need to document your review.

So your risk assessment of each branch office needs to be documented in some way. Whether you create some tool, or you have some kind of a workflow tool or something like that that you use, you’ll need to figure out how to do that. And then there will also need to be some quarterly reporting to FINRA along with that. So aside from the general data around the numbers of remote reviews, things like that, was there anything found? And if there’s anything that’s particularly concerning, they’ll want more details around that. So you have a risk assessment process, you have a reporting process. But last but not least, let’s not forget to update your procedures to include all of these things. So you’ve already updated your procedures to conduct branch office reviews remotely. This adds a few layers of requirements on top of that.

So make sure they’re updated if you are going to participate. I’ll talk about that in a second, but also update them or make sure they’re up to date, because not every branch office will probably be remote. So you want to make sure your onsite branch office procedures are up to date and current in terms of how you’re going to examine them. And then let’s keep in mind the eligibility and whether you even choose to participate. So you can go back to, I wanted to do everything on site. I have a very small number of branches, it will just be easier. I don’t have to do the rest of this assessment. Great, you can do that. If you have more branch offices and you want to take advantage of the remote review process, you definitely will have to go through an analysis of each office, document it, and then remember you’re going to need to do some quarterly reporting back to FINRA. So add that into your process, into your expectations around how this is going to work within your firm.

Lisa Robinson:  Thank you so much. That’s all we have for today. I want to thank again my colleagues Brent, Bryan, and Len for your insight in these important areas for those listening to this podcast. If you have any questions or need any guidance or assistance in any of these areas, please feel free to reach out to Oyster. We’re more than happy to help.

Bob Mooney:  Thanks everyone for listening. If you’d like to learn more about our experts and how Oyster can help your firm, visit our website at If you like what you heard today, follow us on whatever platform you listen to and give us a review. Reviews make it easier for people to find us. Have a great day.

About The Podcast Speakers

Lisa Robinson

Lisa Robinson, former Senior Director of the FINRA Membership Application Program (MAP) group, brings to Oyster’s clients her expertise in Membership rules and processes, as well as guidance on policy-making decisions, program updates, and the impact of regulatory changes on all aspects of a broker-dealer’s operations.

Leonard Derus

Leonard Derus is a seasoned financial services professional with over 20 years of experience in Compliance and Risk Management, Control Process Development and Implementation, as well as Program Development, Management and Training.

Brent Nicks

Brent brings a wealth of experience and expertise in the Chief Compliance Officer (CCO) and Supervision roles, as well as developing sales in wealth management products.

Bryan Jacobsen

Bryan’s role as a CCO for dual registered broker-dealer / RIAs, clearing firms and crypto-based entities enables him to apply his FinTech, financial, crypto, blockchain, and regulatory knowledge when providing practical compliance solutions.