By Ed WegenerShare Article
Preparing for Modern Regulatory Exams
The pandemic has changed how firms operate as offices close and staff work from home. Regulators have also had to change their examination practices to accommodate these changes. In this episode, Oyster Managing Director Ed Wegener, a former SVP and Midwest Regional Director of FINRA, shares his insider views on:
- the changes in the regulator’s examination program
- the kind of the people that are doing examinations
- what firms should expect when an examiner walks in now.
Transcript provided by Temi transcript services
Oyster Consulting: Welcome to this week’s serving of Oyster Stew, a mix of financial services, commentary and insights. Each week we’ll discuss what is happening in the industry based on what we see as we work with regulators and clients. We hope you come away with the knowledge and tools to help you make the best decisions for your firm’s future.
Buddy Doyle: Hi everybody. I’m Buddy Doyle, Chief Executive Officer of Oyster Consulting, and we’re continuing our conversation with Oyster Managing Director Ed Wegener. Thank you for joining us again today. So in our last time together, we talked about risk assessments and how FINRA is using risk assessments to help them determine the scope and depth and breadth of their examinations of broker dealers and the frequency. I thought that was a really good podcast. If you haven’t listened to it, you might want to go back and take a look at that. You can still hear this one today and go back and get some information from that old one. So you don’t need to cut away. Ed, maybe you could share with us a little bit about some of the changes in the examination program and the kind of the people that are doing examinations, and what firms should expect when an examiner walks in now?
Ed Wegener: Sure. Well, I think one of the things we mentioned on the last podcast is, a big change to the examination program after the last several years is to first, not expect that the examiners are going to walk in shortly after announcing the examination. They are doing a lot more pre-examination work that starts with the review of the risk assessments that are done by the risk analysts at FINRA. They use that as a jumping off point to really start honing in on where they think the risk is. As part of that process, one of the first things that they’re going to do is make a records request from the firm. But, instead of saying, “Have these things available to us when we show up onsite,” they’re going to say, “Upload this into our system.”
And so they’ve developed a terrific system for requesting information and getting information electronically, which is helpful, both because it does allow this pre-examination type work to happen. But it’s also a great way to track requests and make sure that everybody’s on the same page about what was requested and what was provided. I know that when I would conduct an exam there would be a lot of things that we would be requesting, and it was difficult to keep track. And there were times where we would get into a discussion with the firms about, well, “Did you provide that or not?” And they would say, “I provided it,” and then we’d have to go and look for it. And there was a lot of back and forth with respect to that. Now the system will automatically track that and you can see what was requested and you can see what was provided.
So it eliminates that, but it does allow the FINRA examiners to do a lot more pre-examination work, do analytics, against things like electronic blotters, to really help focus in on what areas they’re going to be reviewing, but also the specific samples that they’re going to be requesting. So, for example, if you send in your blotter and one of the areas they want to focus in on is 529 share classes, they’ll run analytics against your blotter, and they’ll take a look and say, “These are the particular transactions that look like we might have to ask some questions.” It’s good from the perspective of they’re less likely to come and do a fishing expedition and ask for a bunch of things and do really large samples. The samples really should be much more targeted based on what they see in the blotter.
The challenge for firms is that they are going to be much more informed about where the needles might be in your haystack. So that’s something to keep in mind in terms of the pre-examination work. When they do come out, a nice thing is they’re going to be spending less time, presumably in the firms that go to this work that they’re doing prior to coming out, and that time should be really targeted doing the things that they need to be on site in order to do. So expect shorter times. They are going to know what they want to see when they come out and they’re really going to focus in on those areas that the risk assessments and the pre-examination work pointed them to. One thing that I would always focus on in a particular year, if you get a call, is to take a look at that year’s examination priorities, because those are always one of the starting points that they have. If you’re engaged in an area that has been identified as a priority, it’s a high likelihood that they’re going to spend at least some time looking at those areas.
Buddy Doyle: I think that one of the things that we’ve struggled with in the past when I was in the industry, and I’ve seen clients go through this, is you get an examination request, and there’s a particular document that they ask for. And then there’s no specific fields on a blotter that they want to see, and maybe you have 27 or the 28 fields that FINRA wants. How should firms handle something like that, where they’ve got records, they’re in the ballpark, but they don’t have a bunch of programmers to write custom programs for an exam? Is there a conversation that generally takes place there?
Ed Wegener: I think that absolutely has to happen. And I think there’s a reluctance on the part of some firms to engage in those discussions, and they try to get the documents exactly the way the regulators have asked for them. But one of the things you have to understand is when those initial requests go out, they only know so much about the firm. And so the requests tend to be somewhat generic. They don’t know how you keep your records. So they might ask for something in a particular way that might be really difficult, but they don’t know that that’s difficult for you to produce. What they really want to do is do an effective exam and try to be as efficient as they can in conducting the exam. So I absolutely encourage firms to reach out when they get that initial request and just say, Hey, let’s go through the request and see if I have any questions.
I always encourage examiners to reach out right after a request went out and say, “Hey, do you have any questions? Are there things that we should talk through?” And don’t hesitate if something’s going to be a challenge to provide, to raise it up to them. One of the challenges that they have is doing the data analytics. There are certain fields and things that are very helpful in doing those analytics, so they’re going to want to try to get as much of that information as they can, but they’re also open to discussing what information you can provide them. They don’t want you spending weeks trying to get something because it’s just going to slow down the examination.
Buddy Doyle: So we do a lot of testing of broker-dealer compliance programs – 3120s, AML testing, maybe even targeted product reviews where a firm just wants to feel confident about how they’re doing things. And one of the things that I’ve always tried to do, and I think FINRA is sort of moving in that direction, is to have an expert in the particular product area or the particular process to come in and take a look at things. So when Oyster goes into a firm to do a trade desk review, we often have regulatory professionals and former traders as part of the team to get that conversation going and to really understand how things work. I’ve noticed that FINRA has kind of come out with a reorganization and said, “Hey, we’re kind of aligning the examinations less regionally and more to the type of business that’s being done.” Can you talk a little bit about that evolution and the thought that went into that?
Ed Wegener: Sure. You know, it’s interesting because I think one of the things that the regulators have always understood are the challenges between having generalists and specialists. If you’re going to run an examination program, you only have so many examiners. They have to, to some extent ,be generalists, but the industry is so complex. The products are so complex that you can only be so effective with generalists. So what FINRA is, and I know a number of the other regulators have done as well, is to look to see, especially in those areas that are extremely complex, to try to bring in people who have that expertise both to conduct examinations in those areas, but also to provide support to the generalist examiners who are doing area exams in those areas. Some examples include Cybersecurity. I know FINRA has hired a number of individuals who come from a background that involves Cybersecurity, which is very different than the compliance program.
That has to happen, because if you’re really going to understand things like Cybersecurity, you really have to understand the technology behind it and the controls in place, something that your typical examiner might not be able to do. Another area is variable annuities. That’s a product that continues to get more and more complex. So they brought in people that understand very little of these really well. Because of the success of doing that, one of the thoughts was to assign both the risk analysts, but also the examiners, to focus in on particular business areas. So instead of managing the program geographically and having every firm, no matter what type of firm it is, funnel into a particular geography, what they’ve done is to align the firms into different business models. The people responsible for doing the risk assessments and the people responsible for conducting the examinations have much more experience in that particular business line. I think what the idea behind that is to make sure that they have a better understanding of the firm’s business when they come in. That’s been a very common complaint that the regulator has received, that all regulators receive, is that “you don’t understand my business.” This was an opportunity to address that by making sure that the examiners have a much better understanding of a particular business line.
Buddy Doyle: I think our clients are going to appreciate that. I think that there is an educational process that happens at the beginning of exams, that firms should explain to the regulators who they are, how they operate, what their philosophies are even to help get an understanding of that. And to have somebody on the other end of that conversation that really understands the difference between the hedge fund marketer and a trading firm, I think is really important.
Ed Wegener: And you can’t just flip a switch and say, just because we’ve assigned these examiners here they automatically have that knowledge. It’s going to develop over time. So I think there’s going to have to be a little bit of patience as they develop that understanding. But one of the things firms can do is exactly what you said: when an examiner comes in, spend some time educating them on the business and, also importantly, on the controls that you have in place. We talked about that earlier on in this podcast and in the other podcast, but having the examiners having a good understanding of controls is critical. The program has changed such that where examiners used to come out and just have a sample and they would test that sample, and however many things they found in the sample that were problematic, that’s what they cared about.
It’s changed now to the first thing they want to understand is, okay, here’s a particular area that you’re focused on. How well is that controlled? Because when they leave, it doesn’t matter what happened in that sample. What they want to know is, when I leave the firm, how comfortable am I that that firm’s got controls in place that are going to mitigate the risk and protect investors. So the more you can educate the examiners on your business, the risks that are associated with your business type, and then the controls you have in place, the much better they’re going to be at doing the exam, the much more relevant your exams going to be, and it’s going to over time, develop more expert examiners. So when they come in the next time, they should have a much better understanding of your firm and how it operates in its industry.
Buddy Doyle: That should make for a more fluid exam process for our clients. But one of the things that I’ve noticed is when FINRA is coming in, they’re kind of allocating their time differently. And it seems to me like there’s a difference in how they’re approaching the home office and going into branches and looking at the actual point of sale, if you will, process. So can you tell me a little bit about the way FINRA is approaching that? And am I really seeing that, or does it just feel like that?
Ed Wegener: I think it really goes back to the risk assessments that are being done on an ongoing basis, so that the analysts on a regular basis, they’re getting information about the firm, getting information about its activities, complaints, new people coming aboard. They can look at that from the perspective of the firm overall, but also parse that down into the branch offices. They’re doing risk analysis, both at the firm and on the branch offices, as well as the individual representatives at the firm. That’s done on a regular basis, but then when they start requesting information, one of the things they’re going to want are not just the blotters as they pertain to the whole firm, but information about where that activity is taking place so that when they do analytics, they’ll say, “Okay, we’re thinking about branch offices. We’ve identified this one that we’re considering conducting an exam at. I’m starting to parse the blotter and do analytics based on the activity that’s happening at that branch office.”
So that could lead them to a branch office that they’re particularly concerned about. It used to be the branches that had the greatest revenue or the branches that had the highest number of complaints or the branches that were involved in a particular area, that’s the priority. Those were really the three drivers of where they decided to go. Some people thought it was always like, what was the warmest place in the winter time, or the branch office in Las Vegas. Those aren’t part of the analytics that they do, but they’re really doing a much better job of assessing where they should be focusing their time and really understanding what’s happening at the point of sale. They want to see where you’re meeting with customers. They want to see how the branch offices are conducting their operations and keeping their books and records. And importantly, from a Cybersecurity standpoint, that’s one of the big focuses is how the branch office is implementing the Cybersecurity program, because you can have a great Cybersecurity program, but if it’s fallen apart at the branch office, then there’s going to be a problem.
Buddy Doyle: That’s very good information, Ed. Thank you for that. I think one of the things that’s been on our clients’ minds, there’s been a lot of conversation about this and FINRA has been good about talking about it, but on June 30th we had the new Reg BI implementation date. It went off on time, so I lost the pool over that one. I thought there would be an extension in the pandemic, and there was not, so congratulations to folks who won that pool from me. But I think now firms have had some expectations put on them. Can you tell us a little bit about how FINRA was approaching Reg BI in 2020 exams?
Well, it’s not unlike how FINRA typically will review a significant new rule. They can’t expect firms are going to hit it out of the park when the rule first goes into place. They’re going to take a look at it and look to see whether the firms made a good faith attempt to comply, to the extent that they identify gaps or findings that don’t indicate that the firm really messed up. They’re going to treat those as informal items, really with an eye towards telling the firm that these gaps exist and asking the firms to address those. Importantly, the SEC is taking that same approach. One of the things that the SEC announced during the period that Reg BI hit, and the analysis before it became effective, is that the SEC is going to work very closely with FINRA and make sure that they’re taking a coordinated approach to how they’re conducting those examinations.
Ed Wegener: So one of the things hopefully you’ll see is that you’re not going to have wildly different expectations between when the SEC comes out and when FINRA comes out. That’s huge. I know that’s a concern that firms have had, but they’re going to identify those gaps to the extent that there’s gaps. I would encourage firms to try to fix those as quickly as possible to the extent that you can start fixing those while they’re still onsite. That always goes a long way, but the honeymoon period is going to come to an end at a certain point. There’s going to come a point where they say we’ve done a number of these exams and we’ve been out there long enough, and they’re going to start expecting full compliance with the rule. So those firms who’ve had exams, and have had opportunities to address any gaps that they say, I think they’re going to be in a good position for those firms that haven’t had examinations.
I would work with your consultants who may have worked with firms that know the types of things that the regulators are focusing on and understanding what gaps there might be. Talk to other firms in the industry. See what has FINRA been focusing on. What has the SEC been focusing on? Are there findings that we should be looking at? Then look at your procedures and see if there are things that you need to update. I would also encourage you to attend conferences, see what the regulators are talking about. Like we mentioned earlier, they do tend to issue things like commonly found exam findings. Keep an eye out for those things, and where you see those, take a look back at your procedures and see if there are things that you need to change. O.
Buddy Doyle: Well Ed, thank you for walking us through some of the expectations of an exam. Any final thoughts for the audience?
Ed Wegener: I’m really getting a great perspective of the challenges that compliance people have in doing their dayto-day work and making sure that they’re addressing issues. I think it’s important though, that one way to really mitigate those risks and to help you sleep better at night is to develop strong relationships with the people at your regulators, and people that can do the risk assessments. Understand what other things that they’re concerned about, and really take the time to demonstrate to them how you have those areas under control. I think it just goes a long way. And you know, one of the things that I think is important is working together with consultants who can be there to help you out in those efforts.
Buddy Doyle: All right. Well, thank you so much for sharing your wisdom with our listeners today. If there is anything else, you’d like to hear from Ed about, you’re always welcome to reach out to Oyster consulting. We can be found on the web at www.Oysterllc.com. Or, you can just pick up the phone and call (804) 965-5400, and we’ll be able to connect you with Ed. So thank you again for your time and thank you to our listeners for coming back.