Regulatory exams and sweeps are enough to keep any CCO up at night. In today’s podcast, Ed Wegener, head of Oyster Consulting’s Governance, Risk and Compliance team, is joined by Oyster consultant Len Derus. Prior to joining Oyster, Len was a FINRA regulator who also ran the Special Initiatives or Sweeps program.
Join us as Ed and Len walk through what helps inform regulator decisions about what to look for in an exam, how regulators identify areas for a sweep, and how you can use sweep letters to your advantage.
Oyster experts stay current with regulatory and compliance issues and are ready to help you navigate the challenges that your firm faces. Our consultants have regulatory and compliance experience to effectively conduct 3120 Reviews, Branch Exams, AML Testing, as well as help with creating or testing succession plans.
Transcript provided by TEMI
Bob Mooney: Welcome to the Oyster Stew Podcast. I’m Bob Mooney, General Counsel for Oyster Consulting. Regulatory exams and sweeps are enough to keep any CCO up at night. In today’s podcast, Ed Wegener, head of Oyster Consulting’s Governance Risk and Compliance team is joined by Oyster Consultant, Len Derus. Prior to joining Oyster, Len was a FINRA regulator who also ran the Special Initiatives or “sweeps” program. Join us as Ed and Len walk through what helps inform regulator decisions about what to look for in an exam, how regulators identify areas for a sweep, and how you can use sweep letters to your advantage. Let’s get started, Ed.
Ed Wegener: Well, thank you, Bob, and hello everyone. I’m Ed Wegener and I am the head of the Governance, Risk and Compliance practice for Oyster Consulting. I am really happy to introduce you to Len Derus. Len is one of our newest consultants, and I’ve had the pleasure of working with Len from way back when we were both in the Chicago office of what was NASD at the time, then became FINRA, and then also when Len was in FINRA’s national office in DC working on the National Examination Program. We’re really excited to have Len join our team. He’s very familiar with regulatory requirements and the examination program of regulators, including both FINRA and the SEC, and it can really help our clients navigate the tricky regulatory and compliance issues that they face. So, welcome Len.
Len Derus: Alright, thanks Ed. Thank you for that introduction.
Ed Wegener: Well, if you could talk a little bit about your career up until now. I know it’s a really interesting one and you’ve got a great background.
Len Derus: Sure. So, I started my regulatory career back in 1998, quite some time ago. As an examiner in the Chicago District Office of NASD, I was able to learn many aspects of the examination program there, everything from mutual funds, variable annuities, all the way to the equity trading reviews that we used to do, municipal securities and, of course, overall supervision. So very well spread out in terms of the knowledge that I gained as an examiner. I also worked for the Cincinnati Stock Exchange as their Director of Examinations. I ran their examination program. They later became The National Stock Exchange. So there, my primary role was building out their examination program to be inclusive of their full rule book and not just cover the trading aspects of their examinations, but also looking at the business conduct of the firms that were trading through them, as well as the ECNs that were trading through them.
I came back to NASD at the time in 2005, to run the sweeps and special initiatives program for Member Supervision. And along the way with that, I became the Chairman of the Risk Assessment Committee for Member Supervision. That was a rotating position. So, I was doing that for about three years. I also was involved in the National CAUSE program. I helped build out the regulatory service agreement program from scratch when FINRA began outsourcing their services. And then most recently, I’ve been involved in maintaining and helping build the tools necessary for their risk analysts as well as their examination teams, making sure everything’s up to date and current.
Ed Wegener: So that’s terrific. And you’ve seen the examination program both from the ground level doing examinations as an examiner and then also at the national level planning the exam program, planning what exactly the examiners look at, the Sweep Exam program and everything. And, I think that provides just a terrific vantage point in terms of helping our clients navigate the regulatory challenges that they face. When you think about FINRA’s examination program from when you started back in 1998 to when you recently left there, managing the National Examination Program, can you talk about how the exam program has evolved during your time there?
Len Derus: Sure. I’m going to talk about examinations generally and how they’re structured. I think that’s the best way to illustrate this. And I think firms have seen this over the years as they’ve been having examinations of various types. So, when I began my career in 1998 with NASD, the examinations were really structured to review compliance with rules and regulations very generally. The examinations that I conducted in the first few years of my career, we added many topics to the initial focus, and then our initial requests would go out to the firm, and we would request many documents to be available once we arrived on site. So that’s really where the exam started for us, other than some prep work that we had. We’d get on site and sometimes we’d have boxes of information to go through based on our request. And it’s at that point that we would start narrowing down what we wanted to look at. So, we’d take a look at what do we want to sample for customer accounts for trading activity and things like that, and that was already into the exam.
If you contrast that to now where FINRA is moving to a more risk-based approach to examinations, and again, you’ve probably seen this, but FINRA staff is requesting more information upfront so they can take a look at the information, review it prior to the initiation of the exam. And then likewise, with the advent of risk monitoring analysts being assigned to each firm, they’re in regular touch with the firms, they’re regularly reviewing information about the firms and all their information about the industry. And they may reach out on occasion to the firms where they have questions and they’re using all of that information we’re gathering to streamline the focus of the examination to those areas where they perceive the most risk.
So when I started, it was like, let’s look at compliance at the firm overall. And now it’s like, how can we best tailor the examination to the firms based on what we know about them, about the products they sell and about the risks that those represent. That’s not to say FINRA’s going to look at a lot of different topics at a firm, but depending on your business model, you’re definitely going to try to tailor it to what your firm does, so they can be more efficient and then that works out better for them. And it probably takes up less time for our firm’s clients as well.
Ed Wegener: You know, it’s interesting. And just as a follow up question, with respect to how FINRA determines what it is they’re going to look at, can you talk a little bit about the types of risks that FINRA’s assessing, when they’re doing that assessment? You said you’ve worked with the risk monitoring program, what are the types of things that they’re looking at that help inform the decisions about what they’re going to look at on an exam?
Len Derus: Sure. So, they have a number of risks that they’ve outlined. It’s available on their site. There’s nine primary risks. I think there may be a 10th, actually, that they’re adding, anything related to business conduct. There’s sales practice, there’s net capital risk. There’s operational risks that are broken out into many different categories and the like. And then within each of those risks, they have certain areas that were built out where they’ll take a look at if we want to look at the sales of this firm, what products are they selling, what do we know about their controls, what do we know about their history, history of complaints, history of previous exams? And they could pull that together to determine where do we think we may have the greatest risk at a firm. So, if there’s a new line of business being added to a firm, that might be interesting to them in terms of a new risk at the firm. If there is an increase in complaints or they’re adding a new branch office that they recently purchased from another company, that’s going to be something interesting that might, you know, change the risk profile of the firm.
Essentially they break down each of the risks into many subcategories, and then they try to determine what do we know about how the firm’s operating there? What do we know about their controls? Are they very good? Do they need some work? What do we think about that? And then, they’ll assess that and compile an overall view of the firm.
Ed Wegener: You mentioned something that I think is really important and, something that’s been more and more a focus of FINRA and other regulators as they become more risk based. And that’s a focus on what controls you have in place. And that’s one of the things that when you’re thinking about the risk analysts that’s doing these assessments, the more they know about the effectiveness of your controls, the better they’re able to take that into consideration when assessing what areas should be reviewed. So, my assumption is that they don’t know anything about your controls, or if they think that your controls are weak, the more likely they’re going to focus in on that area. But if they feel you have strong controls in a particular area that otherwise might be considered pretty risky, there’s a chance that they might not review that area just because they have a comfort level with the controls that you have in place.
Len Derus: Sure. And some of that will relate to how recently they looked at your activity as well. So if they think an activity, particular product, sales process that you have, might be deemed a little bit riskier, they might want to look at that every time they examine you. But they might say, we looked at that last time, it was in really good shape. We saw their controls are very good. We’re going to look at all the areas of the firm at this point. The other thing to think about though, Ed, they may not know what your controls are, right? While they want to assess those controls, they may not know what they are. They may say, well, we’re unsure. So that might be a focus of the examination because they haven’t looked at it before. So while it may not be that risky on its face, if they haven’t looked at it, that might cause them to say, you know what, let’s take a look there. We know this other aspect of the business is in good shape. Now let’s take a look at this one. We haven’t assessed it yet.
Ed Wegener: You know what, and that’s a great point about not knowing what controls you have in place. And when I was in the Midwest, there were some firms that were really proactive about educating the risk analyst on the controls that they had in place. And they would proactively reach out and say, let me talk to you about some controls, just so that wasn’t an unknown. It was something that the analysts could factor into those decisions. And something that, firms might want to think about, in terms of managing their regulatory relationship with that risk analyst, is make sure that you’re keeping them up to speed. If you’ve got good controls in place, it’s important to let them know that so that they can’t consider that. Or when examiners come in to do an exam and they’re going to review a particular area, take time to educate them on the controls that you have in place. Because I think that’ll really help put that all into context. But one thing I wanted to follow up with you on, when I left FINRA, it was right around the time that we’re making the change to a more business model centric framework for assessing firms. And you know, as you talk about how the risk analyst is assessing the firms, have you seen a change in terms of how they do that now, that the risk analysts are really focusing on particular business models?
Len Derus: So that change that you’re talking about is really the development of specialization within FINRA. So, they’re building on this in a couple of different ways, and I’m sure you’ve seen the conferences where they talk about this. But they’re developing specialties within, let’s say product types. So they have expertise in certain product types, but also in business types, like you were talking about. Now, the assessment doesn’t necessarily change based on that, but it allows the risk monitoring analyst that’s doing those assessments to be very familiar with certain types of firms and have a better understanding in terms of what should be in place for a small firm versus a large firm versus a medium firm versus a firm that has many business lines or a firm that has one business line. And that’s the important aspect there, is they can take a look at a firm, they understand it because they’re working within that group. They know what they should have, what they shouldn’t have. And that’s the purpose behind some of that specialization.
Ed Wegener: You know, I do recall firms complaining about, for example, a capital markets firm complaining that they’re being treated like a retail firm. And you always treat us like retail firms. And, hopefully with this new restructuring, they’ll have that sensitivity. And, understanding that capital markets doesn’t necessarily mean you’re less risky, but you’re not a retail firm and you need to look at it through the capital markets lens as opposed to the retail lens. But one of the other things that you had mentioned that you had done as part of your responsibilities at FINRA, was to run the sweep program and that special initiatives program, which included sweep type examinations. And I know that’s something that’s always been of interest to broker dealers, just the sweep process. Can you talk a little bit about how regulators might identify areas for a sweep?
Len Derus: Yeah. The ideas or the topics for a sweep can come up in many different ways. I managed a sweep program for, at the time, the member supervision department. And there could be any number of departments that were involved in a sweep. But one of the things we did, is we had a committee that would meet regularly to make sure we’re not doing the same type of work that someone else is doing. We’re not overlapping on firms too much. Things like that. So the sweep assessment committee that I was involved in also helped manage the process overall for FINRA. And that included topics because there was often interest across departments and topics. Then it was, let’s assess who is best placed to be able to examine for that, investigate for that. And then the topics would come up in many ways. So it could have been data analysis, it could be results of examinations and analysis of complaints, looking at newer or novel issues, new product types, new activities or resurfacing activities. And we felt like at the time, we wanted to get our arms around what was happening in the industry in terms of the sales, the supervision, and the like.
Ed Wegener: Thinking about this from the perspective of a firm that’s involved in a sweep examination, they get that sweep exam letter. Are there best practices that you’ve identified working with these firms in terms of how to best address the issues identified in the sweep exams or get questions answered if they have questions?
Len Derus: Best practices, I think, are very similar to the practices that go along with any examination. I’ll explain that in a second. So, sweep examination or special initiatives review is laser focused. It’s usually a single topic looking at many firms doing the same activity. So, the review is very detailed. Oftentimes the requests that are sent out are going to be very detailed as well, because they’re going to be looking across the board: how did this get introduced to your firm, to how do you supervise it, and everything in between. The best practices aspect is, in my mind, look at that exam as if you were having any other kind of exam. The process is going to be the same. You’re going to get a request, you’re going to provide documents, there’s going to be interviews, you’re going to get questions about supervision, right? Understand that because it’s a sweep or it looks to be a very targeted exam, it doesn’t mean that examination is different.
It just means that it’s very focused on a single issue. Think of it that way. You’ve been through many exams, you can get through this exam, there’s just going to be more details. The one thing I will point out, sometimes when we had sent out these request letters, we’re sending them out to many firms, we might use some generic terminology. So if something doesn’t really match up to how you understand it in terms of a document name or the type of information you’re looking for, pick up the phone, talk to the person who sent you that information, and they can walk you through and make sure you’re providing the right information upfront. That way you’ll save some of the back and forth in terms of additional requests or asking you, “Hey, can you also provide X, Y, Z” as that exam progresses?
Ed Wegener: You know, one of the things that I thought was a really good development in the sweep program is the transparency that FINRA had moved to by posting the sweep letters so that other firms could take advantage of them. Hey, talk about how firms that might not be in the sweep might be able to take advantage of some of that information and leverage for assessing their program as though they were in the sweep.
Len Derus: Sure. And there’s a couple of ways to look at this. So if you see a sweep letter that’s been published, and that’s part of your business type, you can look at that letter, what’s being requested, and you can really get a pretty good idea about what the regulators are interested in. If you’re not in the sweep or you don’t do that business, something to think about is understanding the end results of the sweep. So the end result of a sweep can vary. There could be regulatory action, whether it’s formal or informal, but also FINRA will determine, do I need to communicate anything out to the membership? So a notice to members or regulatory alerts, something like that. Best practices documents often come out of sweeps. So you can use that information to educate yourself if you have that business within your broker dealer, or if you’re considering that business. You take a look at that information, what am I going to need to do or be aware of to best execute this business model, if we decide to take that on.
Ed Wegener: Excellent. You know, we talked about FINRA’s exam program and how it’s evolved, and I was just curious. Are there some things that would be good for firms to understand about the examination program? Or are there particular areas that FINRA is focusing on during their examinations?
Len Derus: Sure. Well, there’s several ways to get a view into what FINRA is interested in as well as any other regulators. So you can even think about this from the SEC perspective or even some of the states that put out information. But first of all, FINRA provides a roadmap every year about what they’re interested in, what’s going to be a main focus of their examinations, and then why they’re interested in it. So that annual letter, it’s changed formats over the years, but it really provides that first glimpse into what you can expect in the upcoming year. If you don’t have an examination or you don’t think you’re on schedule for examination, that’s okay. That’s good information for you to know where FINRA’s interested in because they may come and want to talk to you about that. They may want to examine your firm about that activity because it is a priority of theirs.
Also, as we mentioned a little bit earlier, FINRA’s working to understand the risk at each of the individual firms and how they perceive that risk and where is it greatest within the firm. So one of the things you can do is to take a step outside of your everyday hat and try to think about your firm as a regulator might think about it. And by that I mean trying to look at the firm as an outsider, what would look risky to you if you were an outsider? And some of the things I had mentioned before is a new business line, some rapid expansion, a lot of new hires. There’s any number of things that might raise a risk profile of your firm that would interest a regulator. So every once in a while it’s good to take that hat off of the manager of the business and say, hey, as an outsider looking in, how do I view this?
And is there anything else that we need to be interested in? The other thing to think about here is – what are your other interactions with NER or with the SEC or with the states? Has there been a survey that’s been sent out? If they send you a survey, they’re interested if your risk monitoring analyst is calling you about a particular topic they’re interested in. So take these cues from the regulators, whether it’s a letter that’s sent out or it’s the publication of the enforcement actions they have, or it’s an outreach process through a survey or phone call, understand what they’re looking at and then reflect internally, is there anything I need to think about in terms of my program and how I supervise it at this time?
Ed Wegener: Yeah, as we mentioned throughout, FINRA is becoming much more risk-based and data-driven, and firms are now required to provide a lot of information and data to the regulators. And to your point, think about what story that data is telling. So things like complaints and complaint trends and trade reporting, looking at your report cards and saying, how do I match up to my peers in terms of the report card information? Am I an outlier? That kind of information. It’s all, that’s what those risk analysts are assessing and making those decisions based on. And so it’s good to your point is, put yourself in a regulator’s shoes and, what do you think that they would focus on? That’s terrific advice. So based on your perspective as someone who has recently been a regulator, how can firms or how should firms be assessing their compliance and supervisory programs in general? And along with that, what are some best practices in terms of engaging with the regulators?
Len Derus: Aside from the annual testing? So let’s talk about that. We know every year there’s gonna be testing of the programs. How’s our supervision? How’s our controls? We’re going to test that everything is working and/or we’ve made corrections where we need to, I really look at the assessment of a compliance and supervisory program as an ongoing process. So anytime there’s a regulatory change out there, so there’s a new rule filing, there’s a recently approved rule, there’s a rule being implemented next month, anytime you learn that information, that’s a good time to take a look at your business, understand what that change is, and then understand how that may affect how you operate or what you may need to do to supervise the activity. So it’s really a proactive approach, keeping up with change to understand what do I need to do in the future?
We all know though, that a new rule proposal might not be effective for six months, a year, two years, some of these rules take a long time, if at all. But every time you take a look at your program, when you hear something, it gives you a little bit of insight. Hey, what are the regulators interested in? Like we were talking about before, and do I think I might need to do something? If it’s in a proposal phase, great. I know I have time, but you know, something’s coming up. You can build that into your process for updating your procedures, your policies for the next year or in six months, whenever you need to do that, you can plan for it as opposed to being reactive. So that proactive approach is really helpful in terms of trying to understand what they may need to do in the future for their programs.
And then, you were talking also about engaging with regulators. So there’s different ways that regulators engage with firms. So you have the examination process. I talked about this before, but through the examination process, when you get a formal request, be sure you really understand what’s in that request and send them what they’re asking for. You don’t need to over respond or send them too much. That leads to more back and forth. So send them what they’re asking for, help streamline the process for you, help streamline it for the regulator, but also participate in the committee meetings, in the conferences, the various seminars that FINRA might have or the SEC might have, but participate in those. Get your voice out there, ask your questions, have some open communication that way when your risk monitoring analyst gives you a call asking about something, have an open conversation with them, ask them questions as well. So seek their input. And again, they’re not going to be your compliance department, but they’ll provide resources for you if you have a question about something where you can go to get information.
Ed Wegener: Right. I think it’s in the regulator’s best interest to have firms that are actively working to have good, strong compliance programs. I know that this might sound at odds with people’s experience, but they really are hoping that firms have good compliance programs in place and they’re really there to help firms succeed if you reach out and ask them. And that participation on committees and conferences and those types of things really goes a long way to building that relationship because when you have a professional relationship with the regulators as well as a little bit of a personal relationship, I think that goes a long way in terms of them understanding that you’re doing your best to put in place a strong compliance program.
Len Derus: Absolutely. Just want to touch on one thing. You mentioned findings on an exam. So, what is a successful exam? So variations of that, a successful exam at a regulator doesn’t necessarily mean there is some kind of case brought that doesn’t mean it’s successful. What I always felt was successful within my teams when I was managing them is we go into a firm, everything looks good. We did a really nice analysis, everything looks good there, we’re being successful, we were being successful as a regulator, giving them information. If there’s findings, maybe we need to either communicate better or maybe the firm just needs to do a little better job. And that’s what gets assessed within the regulator.
Ed Wegener: Yeah. On that point though, Len, I think that one of the things I hear often from firms is they’re very concerned about any findings on examinations. And one of the things that has always been my experience is that 90-some percent of the findings end up in some sort of informal action. And it’s really there to identify to the firm that there’s an issue that you need to address. And so I think while it never feels good to have a finding, you don’t panic about those findings because the chances are that they are really just looking for you to fix the issue and not have that issue going forward.
Len Derus: I’ll reiterate that. I think correcting issues before they become a bigger issue, right? Oftentimes we’ll see something in a procedure, but there’s no underlying issues within the business activity. Great. Let’s fix the procedure so they match what you’re doing. And then, you know, that takes care of the issue from a regulatory perspective, and allows the firm to continue on its way as it has been without them having to do any kind of revamping of their supervision or processes that they’ve put in place operationally.
Ed Wegener: Well, look, this has been just a lot of terrific information. Really appreciate you spending time with us today, and also very excited about having you on board. So thanks for joining us today, Len. And thanks for joining Oyster.
Len Derus: Okay. Glad to be here, I really like the team and look forward to working with our clients.
Bob Mooney: Thanks everyone for listening. If you’d like to learn more about our experts and how Oyster can help your firm, visit our email@example.com. If you like what you heard today, follow us on whatever platform you listen to and give us a review. Reviews make it easier for people to find us. Have a great day.