By Ed Wegener, Mark Norman and Brent Nicks
Keys to Successful Regulatory Exams
Compliance professionals often dread regulatory exams, but there are effective ways to handle them.
In today’s Oyster Stew podcast, hear from Oyster’s experts and former regulators how regulatory exams have become risk-based and data-driven, what is driving exam frequency and what the regulators are looking for.
Transcript provided by TEMI
Libby Hall: Hi, and welcome to the Oyster Stew podcast. I’m Libby Hall, Director of Communications for Oyster Consulting. Compliance professionals pretty universally dread regulatory exams, but there are effective ways to handle them. In today’s podcast, hear from Oyster’s experts and former regulators how regulatory exams have become risk-based and data-driven, what is driving exam frequency and what the regulators are looking for. Don’t miss our next podcast, providing best practices for making the most out of your regulatory exams and what happens after the exam is over. Let’s get started, Ed.
Ed Wegener: Well, thanks so much Libby and hello everyone. I’m Ed Wegener, and I am head of Governance, Risk and Compliance for Oyster Consulting. Today, we’d like to talk about effective practices for dealing with regulatory exams. Over the last several years, examinations have evolved to become much more risk based and data driven. And more recently they’ve been conducted largely on a remote basis and knowing what you can expect during an examination can be helpful in preparing you for the exam and helping you navigate through that process. Today, we hope to discuss what drives the frequency and scope of examinations, how data and risk assessments drive or factor into those decisions. What has changed in the examination process over the years and what is not and talk about best practices that you can employ before, during, and after a regulatory exam. I’m really fortunate to have Mark Norman and Brent Nicks joining me today. Both Mark and Brent are relatively new to Oyster, but both bring years of experience dealing with regulatory examinations, Mark as a former examiner and risk analyst at FINRA and Brent as a former chief compliance officer. So why don’t we start and maybe Mark, it’s best to start with you. From your perspective as a former FINRA examiner and risk analyst, I’m sure you have a good idea of how regulators are assessing risk and how they use that to identify the frequency of the scope of examinations. Can you talk about the types of things that regulators look for, including what might cause the frequency of an exam to increase or for them to focus on particular areas of review?
Mark Norman: Sure. Thanks, Ed. FINRA has identified nine areas of risk that are basically the drivers of their examination program, and the risks fall generally into two categories and that’s financial and operational risks, and sales practice and business conduct risks. The fin op risks are credit, market risk, net capital, segregation of customer assets, liquidity, and operational risks. And then the sales practice and business conduct risks are fraud and deception, money laundering, and sales practice risks. And basically what the risk monitoring analyst is doing is constantly looking at how much exposure you have to each of these risks. What controls your firm has in place to monitor and mitigate those risks and then finally, how well the rubber meets the road? How well do you actually control the risks that your firm faces?
Ed Wegener: So Mark, the regulators are looking at these risks and assessing things. Looking at things like FOCUS filings, complaint filings, those types of things, and really using that information and data to help them make those decisions as part of the risk assessments. How does that translate into an exam, and the scope of exam? In other words, how does the risk analyst work with the examination teams, in terms of, helping scope out an exam and determine what to look at?
Mark Norman: For all those nine risk areas, FINRA takes each of those nine risks and says, is it well controlled? Is it moderately controlled, or is it not well controlled? And so for every well controlled risk that you have, that’s a green light, it’s a green flag. It’s a good job, not a risk. Most moderately controlled, it’s middle of the road. And then obviously a poorly controlled risk is a red flag. And the more red flags you have in the nine categories, the faster FINRA is going to come and see you. And then when they do come and see you, it’s those red flag areas that they’re going to focus on first, because they’ve looked at the past exams. They’ve seen your FOCUS filings. They’ve seen your 4530 filings. All the data that they’re getting constantly is sifted through for them to determine how much risk you face. How do you handle that risk?
And then when we get there, here’s exactly what we’re going to look at. And to be quite honest, when we would go to a firm and we would look at things, the categories of things we looked at, most firms weren’t surprised because they had issues with those areas in the past. So, even when they come into your office to talk to you about an exam and you don’t understand what they’re looking at, ask them, they’ll tell you. Usually it’s not a secret as to what FINRA’s looking at and why they’re looking at it.
Ed Wegener: Yeah. I think that’s a great point because, you mentioned one of the factors that helps inform that. You have a lot of complaints in a particular area, or you might be engaged in an area that otherwise would be considered risky. But if you demonstrate that you’ve had strong controls in the area, that will lessen the amount of residual risk and therefore it might not be something that they look at. So it would be really important for firms as they’re building relationships and working with their risk monitoring analysts, to let them know about the controls that you have in place and try to demonstrate to them how strong those controls are. Because if you can demonstrate that the areas that they might otherwise look at are well controlled, they might have a comfort level not to look at that area or if they’re determined in the frequency to maybe not come out as frequently. So educating them on the controls that you have in place would be a really good practice. One of the things that I think firms have experienced over the last several years is prior to an exam, the regulators have been requesting much more data before they come out. Can you talk a little bit about the data that they use, how they use that data and how that really drives what they review?
Mark Norman: Yeah. What you’re talking about is what we used to refer to as broad analytics, and as every firm knows, when they get that request from FINRA, it requests a huge spreadsheet with multiple – 20, 25 – columns of data. And usually that data is just downloaded directly from the clearing firm. And it’s going to be all your trading data, all the products you’ve sold over a given time period. The risk monitoring analysts will put that into their spreadsheet and then crunch the numbers and see what the firm is selling and what kind of products are you selling. And it looks for risky products. It looks for the majority of the products you’re selling, but it also looks for outliers too. For example, if you’ve got a branch somewhere that’s the only branch you have, that’s selling REITs or UITs and nobody else in the whole firm does that, well, that might raise a red flag to the risk monitoring analyst. They’ll wonder, hey, how come these guys in this branch are the only ones doing this line of business? Is that something we should focus on? But the blotter analytics tool is really a powerful tool for the pre-exam work for the exam team. Because it really lets them know where the firm is making their money. What’s their bread and butter? And then also, what risks does the firm face by selling those types of products?
Ed Wegener: It seems like doing that kind of blotter analytics helps them identify where the needles are more likely to be in the haystack. So where I think, in the old days doing examinations, one of the challenges that you’d have is that it was kind of a fishing expedition in that examiners would come in and they’d want to make these huge random samples to try to identify where there might be issues. Nowadays, they come in with very targeted samples, but those samples are based on some risk factor that’s identified. This is what they want to look at. So based on these kind of analytics, and I would assume that over time, the analytics get better and better, that they’re getting better and better and honing in where there might potentially be problems.
Mark Norman: Yeah, definitely. And I think for the most part, firms appreciate a well targeted exam. Even if it is looking at the riskier aspects of their business, they appreciate that it’s not a fishing expedition. That you come in here, you’re looking at very specific things. You’re requesting very specific documents. And hopefully that turns into an exam where the exam team is in and out of your hair as quick as possible.
Ed Wegener: Well, because they’re doing that data analytics, they might look at certain areas that they decide not to look at because they didn’t identify any potential red flags by doing the data analytics. So it can really kind of help them, hopefully, be more efficient in terms of how they do the examinations. And I said, hopefully.
One of the things I wanted to follow up on, because I think it dovetails really nicely with the discussion Mark had about the risk assessments, is that initial discussion. When you said that you have a presentation at the beginning of the exam to take control of the discussion and own the discussion, because that’s really an opportunity. You had mentioned that you can talk about your control environment and Mark, to your point earlier, which is when the regulators are making decisions about, how frequently, and they’re going to come out and review and what they’re going to review, they want to know what that control environment is. Because if you can demonstrate that you have a strong control environment, that’s going to impact those decisions. And one way to really impact that is to have those discussions and to be proactive about the discussions around your control environment, especially around things that the regulators have identified as regulatory priorities through OCS letters and the new priorities and the notices and things that you had mentioned.
So having that discussion is really important. And another thing that you mentioned kind of goes along the lines of a lot of this really happens before the exam ever happens. Because once the exam happens and starts, you’re pretty much at the mercy of what you have in place at the time. And so a lot of the preparation, a lot of the effectiveness of an exam really happens with what you do before the exam ever happens. And part of that is building the relationship with the risk analyst so that they really have a good understanding of the firm, understanding of the risks and business activities of the firm, but then also the controls that you have in place. And Mark, just maybe a question for you in terms of somebody who’s been the risk analyst, have you seen firms that have done that management of the relationship really well, where you feel like you’ve built a relationship, so you can maybe give them a little bit of the benefit of the doubt when issues come up and you’re doing those risk assessments.
Mark Norman: You know, past history is not indicative of future results. <Laugh> No, definitely. It definitely helps when you have a good relationship with your risk monitoring analysts when they know that they can trust what you’re telling them that when you say you’re going to get them documents in a certain amount of time, you get them the documents in that amount of time. And they’re what they ask for. They contain the information they want. It definitely helps. You can call your risk monitoring analysts at the same time. They’re actually there as a resource for you, too. As a firm to bounce ideas off of, to talk to them about potential lines of business you may want to engage in, in the future. They’re always there to listen and to talk to you about that. And hopefully during that conversation, you will talk about the risks that this new line of business will have for your firm. Having controls in place when a new rule comes out, it always pays to be proactive rather than reactive.
And by reactive, I mean FINRA, or the SEC comes into your office, and they point out the deficiencies. And now you as a firm have to react and make rules and change the way you’re doing things because they found problems.
Ed Wegener: This has all been terrific. Really appreciate your perspectives on this. I’m sure that our clients will benefit from that. And we’re always around in case you have any questions. Thanks, Mark.
Mark Norman: Yep. Thanks Ed. Take care.
Libby Hall: Thanks everyone for listening. If you’d like to learn more about our experts and how Oyster can help your firm, visit our firstname.lastname@example.org. And if you like what you heard today, follow us on whatever platform you listen to and give us a review. Reviews make it easier for people to find us. Have a great day.