By Ed WegenerSubscribe to our original industry insights
Understanding Risk-Based Regulatory Exams
For registered financial services firms, regulatory exams in the past have instilled the gamut of emotions from annoyance to anxiety, to outright fear. Fortunately, much of this could be mitigated with a better understanding of the exam process, the necessity for robust risk assessments, and by nurturing the firm’s relationship with it’s regulatory contact. This week’s Oyster Stew podcast features Oyster Managing Director Ed Wegener, formerly a SVP and Midwest Regional Director of FINRA, discussing risk assessments and how FINRA is using those assessments to help determine the scope, depth, breadth and frequency of their examinations of broker-dealers.
Transcript provided by Temi transcript services
Oyster: Welcome to this week’s serving of Oyster Stew, a mix of financial services, commentary and insights. Each week, we’ll discuss what is happening in the industry based on what we see as we work with regulators and clients. We hope you come away with the knowledge and tools to help you make the best decisions for your firm’s future.
Buddy Doyle: Hi, everybody. This is Buddy Doyle. I’m the Chief Executive Officer of Oyster Consulting. I also have the pleasure of running the firm’s Governance, Risk and Compliance team. We’re joined today by Ed Wegener, Managing Director of Oyster Consulting. Ed is also a former SVP and Midwest Regional Director from FINRA, which was Ed’s last job before joining us. So welcome, Ed.
Ed Wegener: Thanks Buddy. I’m really happy to be here and excited to be joining Oyster.
Buddy Doyle: Ed, maybe you could start off by sharing a little bit about your background so that folks can understand the perspective you bring to topics for broker-dealer compliance and risk.
Ed Wegener: Sure. So I’ve been with FINRA for just about 22 years. I started in 1998. I started as an examiner as which at that point was an ASD in their Chicago District Office.
Since then I’ve had a number of leadership positions within the Chicago District Office, ultimately becoming, as you had mentioned, the Regional Director of the Midwest. In that role I was responsible for leading the Midwest Risk Assessment Examination and Investigation Programs for the region. But I also had the opportunity to work on several national initiatives, including the development of FINRA’s risk-based examination program and the development of FINRA’s cybersecurity exam program. And I also, most recently, was involved in the development and the leadership of FINRA’s digital asset program. So I really enjoyed my time there. It really provided me an opportunity to get exposure to a large variety of types of firms, different types of business, and a number of different issues that firms face on a day-to-day basis with respect to their compliance programs.
Buddy Doyle: Well, I’m excited about having your background and experience coming into the firm and your ability to help our clients go through all these hot topics. And boy, there’s probably a series of podcasts we can do out of that list of things that you’re responsible for, or were, at FINRA. Maybe you could talk a little bit about the risk assessment process. We often talk to our clients, some are large, some are small, and they all are like, well, I think risk assessment, that sounds like big-firm to me, but maybe you could tell us a little bit about how FINRA’s approached risk assessment and their decision-making process. That’ll help our listeners understand things they ought to think about.
Ed Wegener: Sure. It’s definitely been a very interesting evolution as the exam program has continued to adapt. When I first started with FINRA, I remember that when we used to think about things such as how often we should conduct an exam and what we should review when we do conduct an exam, it was a very simple process in terms of frequency. It was really dependent on what the firm’s net capital category was, which really didn’t have a lot of applicability to the firm’s risk. And when it came to the things that we would scope on an exam and the types of things that we review, it was pretty static. We would look at the same things pretty much on every examination, regardless of the type of firm, the types of customers they service and the products that they sold. Over time that has become much more sophisticated and much more effective.
Ed Wegener: The exam program has evolved to become much more risk-based. And as a result of that FINRA, like most regulators, have developed fairly sophisticated risk assessment and scoring to help in their decision-making about things like which firms to review, how frequently to conduct examinations, what to focus on during those examinations, and, importantly, what branch offices to focus on, what products they’ll look at and what representatives to review. So the risk assessment process has become much more involved, much more sophisticated, but I do think there’s a lot of opportunities for firms to have influence over how the regulators perceived risk at their firms. A couple of things that come to mind are really taking the time to understand the particular risk that the regulators are concerned about. For FINRA, in their risk assessment process, they’ve identified nine high-level risks that they focus and score. Knowing what those nine risks are, I think is really important to having a good understanding and being able to influence the regulators’ perception of risk, especially at FINRA. Making sure that the firm has strong controls over those areas that have been identified, and then, importantly, and this is where I think I’ve seen some firms do a really good job with this and other firms that haven’t, is educating the regulator about the controls that the firm has in place and how those controls mitigate the risk.
I think that if the regulator believes that a firm has strong controls over the risks that they’re concerned about, that that goes a long way in terms of helping them feel more comfortable that they could do exams maybe less frequently, that they can more narrowly scope and focus their examination. So I do think that there are a lot of opportunities for firms to influence that. At FINRA, the risk assessments are done by individuals that, you may recall, were being known as “regulatory coordinators.” These were the point of contacts that each firm had at FINRA.
They’re now called “risk analysts,” which is much more fitting to the role. These analysts are responsible for formally assessing and scoring the risks at firms. I think it’s really important for firms to take the time, to build strong relationships with their assigned analysts, and to actively engage in a dialogue about the controls that firms have in place. I see firms set up periodic meetings with the risk analyst just to go over what’s new with the firm, talk about controls, and to also really get a sense from the regulators and from the analysts, what are the concerns that at FINRA or, in the case of the SEC, what the SEC is concerned about, and using that to help develop and continue to refine the controls that firms have.
Buddy Doyle: Great. When I think about risk, and how we built Oyster Solutions in particular, we took a classic approach to risk where we look at the inherent risk of a particular issue, whether that’s a product risk geographic risk of our clients, dealing with ages of clients, different types of clients, and get a hard look at where you believe the actual risk is just by doing what you do or being in the business that you’re in. And then we take a look at policies and procedures and the outcome of the testing that we’re doing and try to get a sort of mitigating controls score to go along with that inherent risk. And where there’s risk that is uncontrolled, that residual risk is where we spend a lot of time. How different is that from, from what FINRA is doing?
Ed Wegener: It’s almost exactly how the analysts go about assessing the risk at firms. So what they’ll do is they’ll use the information that they have about the different products a firm sells and the riskiness of those products, the different customer types that the firm has, whether the firm focuses on institutional clients (which might be less risky) or senior customers, which are more vulnerable and pose greater risk. Looking at things like the backup of the registered reps at a firm and their backgrounds, and the overall culture of the firm to get a sense of the inherent risk at the firm. But as I mentioned before, and as you mentioned, an important part of that is how do the firms mitigate those risks? What controls do they have in place to address those? And then really using that to determine, well, what’s the risk after you take those controls into account? And then really focusing the risk scoring on that residual risk, which is important because if you think there may be firms out there that are involved in some fairly risky activities or risky areas, but they have very strong controls over those areas.
Therefore the residual risk might not be as high as it otherwise would be; whereas you might have a firm that’s engaged in some less risky activity, but their controls are awful, and their residual risk might be higher than the first firm’s. So that’s important for FINRA to consider when they do this risk assessment and determining how they’re going to approach each of these firms. The approach that you said that firms should be using in terms of assessing their own risks, I think is exactly the way they should be doing it – to align with how the regulators are perceiving risk, but then also making sure that the firms are taking a look and understanding what are the areas that the regulators are concerned with. FINRA has been very transparent about that process.
I know that they did a discussion, which is on their website, with two of their Executive Vice Presidents from the exam program, Mike Raffino and Bill Wallman, where they went down the risks in the hierarchy and talked about the different ways that they view risk, and how the analysts assess those risks. So, knowing what the risks are, understanding how the regulators are approaching those risks, are important, and then using that to kick off how you’re going to control and mitigate those risks through your controls.
Buddy Doyle: And Ed, could you maybe reel off the top of your head the nine risks that FINRA is looking at?
Ed Wegener: Sure, sure. Again, these are high-level risks, and within each of these risks there are a number of different factors under them, but the scoring really happens at the higher level. The risks that they’re focusing on are really broken up into business conduct and financial and operational risks. From a high level under business conduct, there are areas of just sales risk, fraud risk, anti-money laundering risks, operational risks, which kind of straddles between business conduct and financial; and in the financial space, there’s a liquidity risk market, risk capital risks, the typical net capital risk credit risk, as well as a customer protection risk or the reserve computation that firms do. So those are the nine risks that they look at from a high level.
Buddy Doyle: All right. So those of you listening, that’s the nine risks they’re looking at from a very high level.
Obviously, the devil’s in the details and how you get to your own version of liquidity risk or market risk or fraud risk. And that really comes down to the tools that you have at your disposal and how you deploy them, as well as the kind of business that you’re doing. If you’re an introducing firm it’s obviously much different from customer protection rule, then if you’re an investment bank that never touches money, then if you’re self-clearing. And so, all those things will go into consideration. When they take those nine levels of risks or nine categories of risk and bring them in, I’m sure they apply their own judgment, but the outcome you mentioned, they look at what they’re going to look at in exams and the frequency of exams. Can you talk a little bit about how that influences the examination process?
Ed Wegener: Yeah, I mean, it really, from the examination perspective, in addition to identifying how frequently they’re going to conduct the examinations (and typically they won’t go beyond four years for the lowest risk) there’s been talk about potentially looking at alternatives, but importantly, it really helps shape the scope of the examination. So that’s where the examination planning starts. The examiners are provided the risk assessment, so they know exactly what the analysts have been reviewing. They know exactly how the analysts have assessed the risk at a particular firm, to the extent that the analysts know about the controls that the firm has in place. That’s other information that they provide to the examiners, and it really starts the process of scoping the examinations out. One of the big changes that FINRA has made over time to its examination program, and I think technology has really been a great driver for this, is that they spend a lot more time before they come on site in doing analytics and assessment to really narrow the scope of the examinations.
So the process has changed such that they’ll announce an exam, and they’ve probably already started doing a lot of background work and a lot of analytics, but they’ll start asking for information and having you send things like electronic blotters and ledgers and things like that, so that they can conduct analytics against that, so that they can really focus their efforts on trying to pinpoint where they think the specific risk is that they need to examine. So they’re starting from the risk assessment, doing all this analytical work before they come out and really letting that set the scope. The good thing about that is they should be spending a lot less time onsite at your firm because of all of this work that they’re doing. But they’re also going to have a much better sense of where they think the issues might be. So when they come out to the firm they’re going to be much more targeted and focused in areas that are going to be asking specific transactions about specific reps, to the extent that there’s a complaint that they’re concerned about – really focused on those things. I think it’s a much more efficient way to conduct an examination, but also a lot more effective.
One of the things that they have been very focused on in the past, and I think continue to be, is on the assessment of branch office locations. Firms with large branch office networks have probably seen on examinations recently that the examiners will conduct onsite examinations, and they’re moving to doing some more offsite examinations of branch offices but doing more assessments of the locations where the activity is actually taking place. And that’s another place where the analytics and the assessments come into play. They do a lot of analytics to determine what are the branch offices that they think that pose the greatest risk, and what is it about those branch offices that creates that risk? So then when they go on to conduct the branch offices, they’re very much more focused. So the exams continue to evolve.
Ed Wegener: There’s a lot of new leadership at FINRA. They’re taking a look at the exam program and looking to see where they can evolve the programs to make them more effective. I would anticipate that you’re probably going to see some additional changes, but it’s all sort of in this evolution to make the programs more risk-based and targeted.
Buddy Doyle: All right. Well, thank you for sharing that with us. I do think those nine risk categories are a place where our clients could spend a little bit more time. Generally speaking, on the risk assessment side, I mentioned at the beginning that some of our small to midsize clients are like, “Hey – risk assessments, those are things that big banks do and wire houses, and we’re just here with our 400 reps trying to help people meet their goals. Is there a line that FINRA looks at to say where you should really have a formal risk assessment process? They talked a lot about that a few years ago, risk assessments and enterprise risk assessments. Is there a too small an enterprise to have something like that?
Ed Wegener: I think even at the smallest firms, that approach of understanding the risks that are present and having controls in place to mitigate those risks, that should be something that every firm does regardless of the size of the firm. The sophistication of those types of reviews and the formality of those types of reviews is clearly going to be greater, depending on the nature of the risk and the size of the firm. I would expect that even at the firms, they should be thinking in terms of risks and, importantly, how the regulators perceive the risks at their firms because they’re conducting those risk assessments of all the firms that are members of FINRA. I think it’s in a firm’s best interest to go through that process on a periodic basis. And then, for the larger firms, clearly to have a much more robust program.
Buddy Doyle: I used to try to predict where FINRA was going to go back when I was regulated, and I was licensed and worked at a reasonably large firm with, with a lot of branches and I always went to the colorful CRDs, right? So where are the employees with colorful CRDs? And I would go to recent customer complaints and kind of our perspective on those complaints, whether they were a hot topic or an anomaly in the firm. Or, sometimes one complaint would lead to a few, and we’ve all seen lawyers advertising on TV. So your broker and things like that, some of them are pretty effective. And then I looked for anomalies and the types of products or business that might be happening in a particular branch where if you’re a retail oriented firm that does a lot of financial planning and kind of getting into the RIA space a little bit, and then you have one branch that’s sort of an institutional middle office or running stock plans for firms and things like that, that’s a different thing with a different profile. Is that pretty close to how FINRA looks at risk?
Ed Wegener: Yeah. You know, especially around sales risk and operational risk, those are the types of things. It’s not changing the drivers that they use to assess risks. They’re always going to be focused on things like understanding the products, taking a look at complaints and seeing where there might be issues, looking at the background. So for the reps, I think the sophistication is really developing around the tools that they have in order to conduct those assessments, any of the types of data that they get in order to do that. I think that those are definitely still areas to focus on. Another thing that’s been a really great development with both FINRA and the SEC is their transparency around what they’re looking at. And so they regularly will publish examination priorities. They’ll regularly publish things like common examination findings, and they publish disciplinary actions.
So those are areas that I think are really good sources of information to look to and say, “what are the types of things that FINRA is looking at, or that the SEC is looking at, and are those areas that I’m involved in? And if so, how are my controls in those areas?” Because there’s a fairly good chance, if it’s a priority in a given year, that the regulators are going to come out and look at it, if you have an exam scheduled for that year. Another thing – I would recommend is engaging in a dialogue with your contacts at the regulators, the risk analyst at FINRA, and talk to them. Ask them, “what are the things that you particularly care about for firms that are like me?” And one of the things that FINRA has done in its recent examination restructuring is to reassign contacts, especially around the risk analysts, based on the type of business that the firm is engaged in.
So an individual who’s responsible for doing risk assessments for an independent contractor retail firm would be different from somebody who’s doing the risk assessments for a firm that’s engaged in mergers and acquisitions and capital markets. And the reason that they’ve done that is to develop a greater understanding by the risk analysts of those different industries. One of the nice things about that is that those analysts can look across the firms that they’re responsible for, which should look like your firm, and have a good sense of what they’re seeing at those different firms, both in terms of the risks and the controls that they have in place. I think they would be a great source of information and intelligence about what it is that you should be looking at and what are some best practices that they’re seeing in terms of controls.
Buddy Doyle: Yeah. I always found the coordinators, back when they were called coordinators, to be very good to talk to about things and have a conversation. They were never in “gotcha mode” with me. And I know there’s always that fear of talking to a regulator because if you’re in the industry, your perspective is they’re the people that would come in and you get in trouble, whereas they’re very good at helping to guide you.
Ed Wegener: I think importantly, in that role, the separation between that role and the examination program, I think it’s important for just that reason. It does provide them an opportunity to do an independent assessment of the risk, but it also allows them to build a strong working relationship with the firms, and hopefully firms, after they built those relationships, have a greater comfort level about engaging with the risk analyst. I think that it would benefit both the regulator from the perspective of having a better sense of what the firm does, but also the firms in order to influence the regulators in terms of educating them on the controls that they have in place. One thing though: with the reassignments, who an analyst is for a particular firm may have changed recently. So I think one of the things that firms really need to focus on is, if they have had that change, is to rebuild that relationship with their analysts because it might be somebody new. So they might want to meet with them, talk about the background of the firm, educate them on the controls, and really build relationships between the key people at the firm and the analyst.
Buddy Doyle: So thank you again for your time and thank you to our listeners for coming back.
Ed Wegener: Thank you, Buddy.
Oyster: Thanks again for listening to the Oyster Stew podcast. Don’t forget to subscribe so we can continue to bring you resources to help you make the best decisions for your firm. If you’re struggling with a topic and you’d like us to do a podcast on it, or you’d like a free consultation, feel free to reach out to us at (804) 965-5400 or by visiting our website at www.oysterllc.com.
Subscribe to our original industry insights
"*" indicates required fields