By Joe Sisti and Evan Rosser
The Market Access Rule: Digging Deeper
Oyster Consulting often works with clients after they’ve been examined by the regulators, and the Market Access Rule (Rule 15c3-5) is no different. It’s in your firm’s best interest to take a proactive look at your Market Access program and get it in good order, before the regulators do. In this second of 2 podcasts covering the Market Access Rule, Oyster Consultants Joe Sisti and Evan Rosser discuss some of the finer points of a solid Market Access program, including post-trade surveillance, annual certifications and periodic testing.
Transcript provided by Temi transcript services
Joe Sisti: Welcome to Oyster Stew, a mix of financial services, commentary, and insights. Today is Monday the 12th of October. I’m Joseph Sisti and joining me again is Evan Rosser. Last week we shared a conversation about the market access rule, FINRA’s exam priority letter, and our recommendations for you to consider proactive review and assessment of your firm’s 15c3-5 program. This week we’d like to share the second half of that conversation, which takes a deeper dive into some aspects of your market access program that are more detailed and nuanced. Among the topics we cover are post-trade surveillance, periodic testing, and the need for a strong annual certification process.
Evan Rosser: You had mentioned post-trade surveillance, and that is a very important area. And because that goes beyond simply the aspects of the rule involving risk management, that really moves into a potentially manipulative activity. When customers are entering trades, and there are high frequency traders, a review of their activity, their order activity, and their trade execution activity, is really important because you will see numerous cases of FINRA and the SEC bringing enforcement actions around spoofing and layering and other manipulative practices. So you can expect that regulators are going to look very closely at your post-trade surveillance, how it’s done, how frequently it’s done, and what are the parameters that you use to identify potentially suspicious activity, and do you review those parameters periodically to make sure they’re still effective? Who reviews them? Do those people who review them have the appropriate training to spot suspicious activity, and when instances of activity require additional investigation, how would they escalate it? Who conducts those reviews? How would those reviews be disposed of?
Joe Sisti: This is really all about the effectiveness of controls, right Evan? So nothing really more cites the effectiveness of controls from a firm perspective than their annual certification. They’re stating that they have controls in place, that they’ve documented them according to the rule. And then when you talk about post-trade reports and testing methodology, in essence, we’re talking about how effective are those controls? So you want to jump a little bit into annual certification and how that plays in here?
Evan Rosser: There are a whole host of controls required by the rules. We talked about them here: setting up capital limits, credit limits for customers, how do controls around monitoring those limits and making sure those limits are not exceeded. Do you have limits around erroneous trade entry (fat finger trades)? How do you block them? You need controls around that. You need controls around restricted activity. If you have a watch list, do you have controls around trade securities that can’t be traded, all of these, and then you have the post-trade surveillance and the controls and processes around that. Because there are so many different facets here, there’s a requirement in the rule for an annual certification, which pulls all of this together, that looks at all aspects of the rule. It looks at all those controls and how they work. And is your program working?
What that certification does is look at all of the different facets of the rule, of your controls, of the risks posed by your firm’s business, and the CEO needs to certify that yes, our program does that. Regulators will look very hard at the documentation behind that certification. What kind of testing was done? What kind of reviews were done? What kind of exceptions were noted during the year and how were they addressed? You will find that there are enforcement actions alleging that firms do not have that documentation around their certification, that the certification was, in fact, not supported by documentation. And we have found, and certainly for the larger and more complex programs, that you really need a series of sub-certifications. You need to go out to the onboarding team. You need to go out to Trading. You need to go to IT. You need to go to Compliance and have them certify that each component that is assigned to them under your program is in fact performed and tested. Unless you have that documentation, unless you have that support underlying the certification, regulators may not accept that certification as being compliant with the rule.
Joe Sisti: So Evan, we alluded a little bit earlier to the breadth of clients that we’ve had. Can you go into a little bit about our typical client, who they are, what roles they typically play at the company and how clients come to Oyster for help?
Evan Rosser: As we’ve noted, we’ve done a number of these, and we have done some very large, extensive reviews as an independent consultant required by either an SEC or FINRA enforcement action. I’ve also done very small reviews. In one instance, helping a firm just draft a response to FINRA regarding deficiencies they found in their market access program. We’ve done a lot of things in between, just reviewing the program. We’ve spoken to CEOs who’ve expressed, “How do I have confidence in the certification? How do I know that all the right areas have been covered? That I have the proper documentation to certify?” They want to know, to understand the program so they can make an informed certification, and we can help with that. But we’ve also spoken to CCOs who want us to look at the program and, “Is the program sufficient?” We spoke to a client, a firm, who FINRA at the very outset of their examination, said that they noted that their 15c3-5 Market Access procedures were fewer than five pages.
I can assure you that four or five pages of procedures for a rule of this complexity, a rule that covers so many areas, is never going to be sufficient. We also have spoken to IT people who want to make sure they’re testing the right things, that they’re testing things with the right frequency that relate to the rule. We’ve had another firm contact us because they did not have procedures around credit limits, establishing credit limits for customers, and refreshing those limits on a regular basis. We had one firm who FINRA told they were lacking a specific control and they needed help with one specific control. So we’ve done quite a bit. I will say this: I think what is the most effective, and I think what we’re pitching today, is that ounce of prevention.
Joe Sisti: Evan, you mentioned IT testing. Can we talk about that in a bit more detail? What exactly are we focused on when we look at a firm’s periodic testing of their Market Access controls? Neither you nor I are IT professionals, so how would we determine if testing that a firm has in place is reasonable?
Evan Rosser: Well you’re right, Joe, we are not IT professionals, and we don’t write the test scripts, and we’re not going to interpret those test results. However, compliance and the business side personnel have a large role in what controls are tested and how frequently they’re tested. Business and compliance must identify those controls that present the greatest risk, the controls that protect the firm from the greatest risks must be tested more frequently. Controls that have shown problems from previous tests should be tested more frequently, and importantly, the firm must test and review its process and procedures for rolling out new software. That must be tested to make sure that new software is rolled out and is functioning as planned.
So while compliance and staff may not do the actual technical testing, compliance and business personnel must receive assurances and documentation that the controls have been tested and are working as designed. We don’t expect compliance and the business side to actually do the testing. Compliance and business have to decide what poses the risks, and that needs to be tested more frequently. And you need to get assurances from IT and documentation that they are tested, that what you’ve designed, what you are testing, all those controls are working as designed.
Joe Sisti: Thank you, Evan. And thank you everyone for listening. If you’d like to speak with us about your firm’s market access program, or any other aspect of your firm’s business, please reach out to us by calling (804) 965-5400 or connect with us via the web at www.oysterllc.com. And, of course, don’t forget to subscribe to our Oyster Stew podcasts, where our team of industry practitioners will continue to try to provide you with content that will help you run, protect, and grow your business. Until next time.