How to Make the Regulatory Exam Process Work FOR you
How you manage the process of responding to a regulatory exam, whether it is routine exam, a sweep or an investigation can influence how the exam goes, and possibly the outcome of the exam as well. Will they need more information? How much should you tell the regulators? How can you make the exam process and exam management easier? If there are enforcement actions or corrective actions required, how can you use these to make your compliance program better? As part of our series on managing exams and your regulatory relationships, our experts provide best practices for compliance officers to manage the process of responding to exam requests.
When performing a regulatory exam, regulators require all kinds of documentation to demonstrate that your policies and procedures are being followed correctly. Oyster Solutions compliance management software provides the automation and documentation you need to make the exam process easier.
Transcript provided by TEMI
Libby Hall: Hi, and welcome to the Oyster Stew Podcast. I’m Libby Hall, Director of Communications for Oyster Consulting. How you manage the process of responding to a regulatory exam, whether it is a routine exam, a sweep, or an investigation, can influence how the exam goes and possibly the outcome of the exam as well. As part of our series on managing exams and your regulatory relationships, in today’s podcast, Oyster’s experts provide best practices for managing the process of responding to exam requests. Let’s get started, Ed.
Ed Wegener: Well, thanks, Libby. And hello everyone. I’m Ed Wegener, Managing Director of Governance, Risk and Compliance for Oyster. We continue to do a series of podcasts where we share best practices for managing regulatory relationships and regulatory examinations. And today we wanted to talk about how best to manage requests that you receive during an examination. And this could differ. There are different types of examinations that you might become subject to. They can range from routine examinations that you receive every few years to sweep examinations, which are part of industry-wide assessments to investigations where regulators are looking at specific activities where they believe that there might have been a violation or misconduct. So the types of requests that you get will vary depending on the type of examination that’s being conducted. And how you respond will likely vary as well. In any case, how you manage the process of responding to these regulatory requests could make a lot of difference in how the examination goes, and possibly, to the outcome of the examination.
So, to help me discuss best practices, I’m very fortunate to have Evan Rosser, Jeffrey Hiller, and Brent Nicks with me. Evan and Jeffrey worked at FINRA and the SEC respectively. And all three of you have worked in financial services and with financial services firms in compliance roles, and have been subject to many different types of examinations. So I’ll throw this out to the group and feel free to each sort of share your best practices. When you receive requests, could you share some of the best practices that you’ve employed or seen employed during your typical regular routine examination of either a broker dealer or an investment advisor?
Sure. Ed. This is Brent. I’ll take that and kind of maybe give it a fly over. The first piece of advice I would probably give anyone is just after the requisite two minutes of hair pulling, take a deep breath and then take a look at what you’ve got in front of you. A lot of that is going to be things that you’ve seen in previous routine exams. But right out of the gate, after you’ve absorbed what’s in there, take a look at what you’ve done already during the year, or in the most recent reports, internally. Take a look at your 206(4)-7 controls report, your 3120 on the BD side, if applicable, or things such as NF, a self-exam results. Make sure you understand in light of the request, where you’ve already identified potentially some soft spots or things that you have already began to remediate.
And then once you’ve got that in place, begin your control room process. And when I say a control room is a bottleneck, whether it’s the CCO or a delegate, but someone needs to manage both the intake and the exporting of information and make sure that that’s being quality controlled. If you’ve got questions on the front end, be sure you clarify it with the examiner. If you have questions about time periods for any of their request items, make sure you clarify that. And as you develop your responses, the most important thing for coming back to and answering concisely for follow-up requests would be to make sure that you’re using a standard naming convention, archiving everything in one place relevant to the exam, and try to label it as closely as you can to the inquiry numbers, question numbers or request numbers coming from the regulators, so you can easily access what you’ve already told them. And don’t step on your feet or don’t potentially give non-controlled or conflicting information down the road and, QC everything. So that would be my high level. No matter the type of exam, do those things.
Jeffrey Hiller: I would add, most people have different approaches. My approach really relies on communication with the SEC or regulator at every opportunity. What I do, and it’s not necessarily what everyone should do but, I make a spreadsheet, which has the request. It has who’s supposed to produce it, and when it’s supposed to be produced. There’s a couple other columns for comments, and then there’s a column for communication with the SEC. And as you go through your document production, you may find that one of their requests would be thousands and thousands of pages. So I would call them up, tell them exactly what, where we are with this, ask them if we can modify it, and then put it on my spreadsheet to make sure that this was communication with the SEC or the regulator. Daily, I try to manage their work daily, and it’s been successful.
I use this spreadsheet, take out all of the confidential columns, and then show them really sort of when we’re producing it and our discussions with them so that there’s no misunderstanding down the road, that we have said we’re only going to produce dates, shorter dates because of the volume of work. So that’s one of my keys is just really ongoing communication. And the other, the other two are, if during the course of your document production before the SEC gets, the SEC regulator comes in. If you find something that’s an exception, one, fix it immediately if you can. And then two, in your open meeting with the S EC, your initial meeting, tell them that you found this, that you’ve fixed it, and it’s not a big deal. You’ve engendered trust. So those are sort of my tips. Initially,
Evan Rosser: I would say before you even consider producing a document to a regulator, make sure you understand the review period. Do not provide anything outside the review period. I would also make sure, as Ed alluded to earlier, for FINRA, there are different types of examinations. They can, if the request is pursuant to FINRA Rule 82-10, you are compelled to comply. But that request must be in connection with an exam, an investigation, a complaint or proceeding. If it’s not pursuant to 82-10, then it’s not in connection with any of those. And it is most likely a voluntary request that with which you need not comply. There is a one thing that to keep in mind. First of all, if any regulator ever shows up at your unannounced at your office, call your counsel immediately.
Jeffrey Hiller: Hmm, good point.
Evan Rosser: And don’t produce any documents until you’ve spoken to your counsel. I know FINRA doesn’t always take that approach. However, I don’t think you should produce documents pursuant to an unannounced request and examination. There is also a provision, and you will look at this closely in FINRA rule 82-10 to produce documents in your possession, custody, or control. And FINRA is doing this a little more often than they used to. This provision of 82-10, in FINRA’s mind anyway, allows them to ask for perhaps tax returns, perhaps bank statements, personal bank statements, items that are not firm records, however they deem relevant that are in your possession, custody, or control. Again, if you’re being asked to produce those types of documents, I’d certainly ask why. And I’d also speak to counsel before I produce those documents.
I think a thing is that FINRA will do, which sometimes allows for some gentle pushback. If they ask you in their request to create documents, generally the scope of 82-10, they can copy and inspect your records. They should not, in my opinion, be asking you to create documents in an examination. Now, they might ask for a list of customers that bought something that you can easily pull out of an existing firm record. But if it goes beyond that I would be careful in producing documents that they’re asking you to create. They should, their request should, stick primarily to those that you are required to create and maintain.
Ed Wegener: You know, speaking about those requests, and I think you all alluded to the further conversations that you have with the regulators, once you receive the request, whether it’s for clarification or whatnot, one of the things that can happen, and I recall when I was at FINRA that we would get questioned about is the volume of the things that are being requested, and especially when the things that they’re requesting are burdensome. They might not know when they’re asking for a particular item, just how burdensome that is. But what have you done in managing the relationship with the regulators during an examination to have that discussion around requests that you might deem to be overly voluminous.
Jeffrey Hiller: My experience has been that they’re very responsive. If I call them up and say, look, I’m not sure you know what you’re asking for, but here’s what it entails. And could we sort of get a different date, timeline? And I would say nine times out of 10 or every time I’ve asked that they’ve been very reasonable about it. But that always goes back to my premise of communicate. I thought of one other thing, and that is when there’s an examination at the firm, I sent a note to all employees under the CEO’s letterhead stating that we’re having an exam. Be cooperative. Don’t talk about anything confidential in elevators or whatever. If you’re approached by the regulators, contact us immediately. And that’s just a standard letter I have that I keep in my file and I issue any time it is. So that’s just another point.
Brent Nicks: That’s a good one, Jeff. In fact, even in previous lives where the examiners during the initial conversations have been provided a contact point or a control room point, where if interviews or direct contact with subject matter experts or others are being requested, that those requests are coming through a central person to set up the time and to get that established. In understanding what the line of questioning or what they’re working to gain from that interview even, is so much as at times a chaperoning that request that’s coming from that interview. If I feel the information coming on the area isn’t all with that person, this may be a task or a function that is handled by multiple departments. And sometimes the answer received from one person may give an incomplete picture.
And by being there and hearing what was provided gives you a good opportunity to remind the examiner or the interviewer, hey, and oh, by the way, please remember, in this aspect, this department, or Hey, our options in margin area, whatever may be handling other parts of this, we can certainly get you information in that area and making sure we’re filling in those gaps. And someone doesn’t walk away with either an incomplete picture or believing they heard something that they necessarily did not. And that goes much easier during the initial request review, when you’ve identified those key personnel that very likely are going to have that contact point or going to need to be a subject matter expert at some point during that exam and talking to them prior to even past communicating via letter. I don’t like the idea of a mock exam, but just sitting and talking with them and saying, Hey, here’s the kind of information they’re going to be asking for. Let’s make sure that we give full and complete answers. Or, hey, let’s make sure we touch on this point. It’s important. And making sure that the request coming from those interviews is full and complete, and the examiner’s getting everything they want out of them.
Evan Rosser: You know, Ed, I’ve found that if a production is going to be larger, voluminous it’s the staff, the regulatory staff is usually much more agreeable during a routine exam than during a cause exam. That’s why it’s important for you to know what kind of exam you are iin what kind, why are they asking for these documents? Because what, what FINRA recalls, non-routine exams they call cause exams, meaning that they have a cause to go into your firm. They already have some indication there might be a problem. That’s why it’s called a cause exam. Routine exams, on the other hand, are done routinely and they’re done on a cycle. So, I find it a little easier to push back on requests, particularly large or luminous requests in a routine exam. Mm-Hmm. It’s harder in a cause exam because they already know, or they already suspect or have some indication that there’s a problem that they need to investigate. It is a difference. And in both instances, particularly during a cause examination, it’s important to know what you’re producing, get an idea, especially if these are, well, actually it’s true of any document, even the most mundane blotters and records. Know what you’re giving them and explain when it comes into particular files, personnel files, correspondence, make sure you know what is in there so you can be prepared for any follow up questions that come.
That’s a really good point. And I think when you started talking about cause exams, I think it’s super important to understand your audience in a cause exam or an investigation, which very often you may need to be thinking about. These requests are being made potentially on behalf of enforcement in your responses. Cause if these are known issues, it’s an investigation, there’s a good chance you already knew where these soft spots were to make sure that when you’re providing your document requests, that you’re already building in and talking about things that the firm has already identified or discussed, any remediations that are already in place, that can complement the request. And honestly try to go ahead and start taking some of the sharp edges off of anything that you feel the request as being reviewed potentially by an enforcement attorney or other person to go ahead and start, the mitigation process as much as you can even during those initial phases.
Ed Wegener: Oh, those are terrific pieces of advice. And I think one of the things, that in some cases makes it easier, in some cases complicates it, is the nature of the exams really starting during and post the pandemic, being much more apt to be done on a remote basis. So that requires a lot of coordination in terms of responses from people who might not be on site with you as well as, to your point earlier, Brent, those interviews. And those interviews are going to be done probably by video. And I think your point about requesting someone from compliance to be there just to make sure, first of all, that you’re hearing the answers and understanding what types of things they’re asking for so that you can be responsive. But also, I think to make sure that you’re clarifying any questions.
So if a regulator asks a question of an individual that may not be involved or have knowledge of a particular area, you don’t want them speculating about how it’s done and, you want to make sure that, you can clarify anything that they might say that might be outside their area of expertise. And, I wonder if you guys having been through examinations recently that have been done remotely, are there any complications, challenges or best practices that you’ve seen that have been specific based on how the examinations are now being done remotely?
Brent Nicks: Yep. Ed, absolutely. One of a real recent example had almost to do with the communication style that is coming through now on the remote basis with some of the examiners. Particularly those that only wish to communicate via secure electronic methods. Say for example, the SEC secure mail system don’t make themselves available for phone contact on our, or at varying levels of responsiveness makes it, or at least in my eyes, is making it harder to have those negotiation discussions that we talked about previously where before you may be able to just walk into the conference room, show them what 30 days of the output would’ve been. Hey, this is what it’s going to look like for the remainder of the year. Do you want to start with this?
Take a look, make sure you have any other questions, and be able to in a five- or 10-minute conversation, be able to come to some agreement on a document production that may be less than what you were doing. And now, even if you eventually come to it in some respects, sometimes it takes days and really slows down the document production process. And, I find the whole process in general is taking a longer period of time overall simply because you’re producing it remotely. It seems to be less drive for them to review and get it turned around if they were on site. And sometimes it seems like things go into a black box for days. And I think it’s causing exam cycles, particularly in this request and review period to take longer in this remote phase than it was before. Which obviously is a drain on resources from both the firm and the regulator standpoint.
Ed Wegener: Well, that’s something that I’ve experienced personally in helping clients manage the exam process in this current environment. And also that we’ve heard from other clients, just in terms of some of the challenges that you used to not have when people were onsite. Because when the examiners would come onsite, let’s say they scheduled a week or two weeks, they had that definite time period that they knew that they needed to get most of their work done, that they had the most access to you. So there was some urgency in terms of getting things done within that time period. And I think now with the remote exams, that urgency isn’t there because there isn’t an onsite start and stop time. So these things can drag on. But I think one of the biggest challenges for compliance professionals during a remote exam is the not knowing what the next steps are.
You provide documentation and you don’t have somebody that you can touch base with periodically and just drop in and say, how are things going? Can I help you? And so you might have these long periods of time where you’re not getting a follow-up request or any response and just not knowing what’s the status? Are things going well? Are they finding things, are there things that I should be doing? And I think that adds some concern and anxiety on the part of compliance people. And what my initial reaction is, is reach out to the examiner, check, and see what the status is. Like you would do if they were in your office. You have their email, or you have their phone, reach out to them. I know there’s a reluctance sometimes because what you don’t want to poke the bear and so I understand that. But that can be a little bit of a challenge I’ve seen and, and it does definitely seem like the duration of the exams in the remote environment in terms of when they stop and when you get that final closeout letter has definitely expanded. I don’t know, Jeffrey and Evan, if you’ve seen the same thing or have experienced some of the challenges in dealing with remote exams.
Evan Rosser: I much prefer the remote exams. It makes it much more controllable when you have examiners in your office. It is so easy for them to ask for follow-up documents to bump into people in the office and chat with them and find out, ask them questions, kind of, off the record to say, well, what’s in these file cabinets over here? Or what do you, how do you use this tool over here? It’s so much easier and controllable to get their very specific requests and give them specific responses in some instances that that can take a little longer. But honestly, the duration of an exam is all not because of the document production, it’s because the staff doesn’t let me. The length of the investigation is, I think, the responsibility of the staff. And to tell you the truth, whether they’re onsite or not, offsite, I’ve never found the staff to be particularly forthcoming about what they’re finding anyway. You kind of have to read between the lines and the questions they ask and the documents they request. So I’ve never found them particularly forthcoming by being in the office. You know, maybe to some extent that might be the case but a lot of them aren’t going to really tell you a whole lot until they’ve had a chance to look at what you’ve produced to them.
Ed Wegener: Jeffrey, have you noticed any changes or issues as it relates to remote exams?
Jeffrey Hiller: I really haven’t managed a remote exam. I guess I’ve had a lot of questions during the course of the pandemic, but I haven’t sort of full-blown managed an exam during that period. If I was to do that, I would follow Evan’s recommendations. He’s dead on.
Ed Wegener: You know, one of the things that I think that is a good practice during any examination is to have that initial meeting with the examiners where you sort of jointly talk about the ground rules, so you understand what their process is. And you can also at least make some recommendations in terms of the ground rules, in terms of what I would recommend is that have all of the requests go through a central point. I think one of you had made that comment before, one of the challenges with the remote exams, unlike in-person exam. With the in-person exam, you can kind of keep an eye on the requests that they’re making, who they’re asking of. But with the remote exams, most requests are done either through their electronic file sharing tools or by email.
And I’ve had situations where, during an examination one of my colleagues, the client came to me and said, I got this request from the examiners and I wasn’t aware that the request had been made. It had been made quite a while ago. I had no idea that they were looking for things that I could have gotten pretty quickly, but also wanting to stay in the loop as the compliance officer. So I think it’s just important to make sure that you set those ground rules with the examiners, if you want to have requests go through a single point of contact make sure that they understand that and they’re doing it or at a minimum be copied on any requests that go to other individuals just so that you’re in the know about any requests that are being made.
And to your earlier points is you want to have an opportunity to review any of the responses before they’re given to the examiner. So you want to make sure that process is happening. Let’s shift and talk about the types of things that the regulators have been asking for recently. As I mentioned early on, we’re in this period where we’re waiting to get the regulators’ priorities and their list of common exam findings. So I think we’ll know much more once they issue those things, the beginning of next year. But I wonder if you can talk about, on the exams that you’ve been part of recently, are there common things that you’re seeing that they’re asking for or common areas that they’re focusing on?
Brent Nicks: Sure, Ed. A couple things that I’ve had the opportunity in my short time here with Oyster to have already assisted or directed a few examinations, most particularly with the SEC. So I’ll focus a little bit on that. But requests and inquiries on aspects of Reg BI are starting to find their way in there in regards to not only the policies and procedures, but some of the disclosures and implementation. So those are becoming, we’ll say, part of the standard request deck that’s coming. So a piece of excellent advice would be, recently we’ve spent a lot of time reaching out to clients talking about the retrospective reviews, to go back soup to nuts and make sure that you’ve got all of the pieces and parts in for Reg BI because it’s now becoming an active part of a lot of the requests.
Two other common areas that were in each of the exams that I’ve looked at so far in 2022 was a much deeper dive in regards to mutual fund share class. Really diving into the firm’s policies and procedures and processes for determinations, not only on the retail side, but for certain firms, on the side of share class determinations for ERISA plans. So that has been a repeating event and then kind of a niche one, but it’s been in each one. So I know it’s in their scope because, I think it was early in 2022, the commission had put out some guidance and language regarding arbitration clauses and the uses of use of hedge clauses and investment management agreements to try to limit fiduciary responsibility or skirt certain responsibilities, requests and comments on those types of language related to kind of draconian adherence to arbitration, potentially downplaying the fact that the clients should have access to other remediation opportunities towards them and up to and including litigation for potentially certain activities – antitrust, fraud those types of things.
The use of hedge clauses in those contracts. And then standard death and disability clauses in those contracts that may fly in the face of certain state rules under their uniform codes. So again, that was something that showed up in all of the examinations that I looked at this year, specifically looking for key language in those investment management agreements.
Ed Wegener: Jeffrey and Evan, what about you? Have you seen anything in particular that they’ve been focusing on during examinations recently?
Evan Rosser: You know, I don’t think I have. FINRA will know a lot about the firm before they ever send you the document request. So they’ve been through your 4530 customer complaint findings. You know, they’ve been through your focus reports, they know where you make your money, they know what kind of business you’re in, they know your sales staff to some extent. So I have found that the first request in a routine examination, I haven’t seen a lot of similarity in those requests. Now, having said that, I think in that first round, and probably in the second round of requests, follow up requests, they’re always focused to some extent on outside business activities of the registered people. They focus certainly on cybersecurity selection. They will be looking at, I have had some requests on Reg BI in a recent exam, but CRS, they looked at the disclosures there in connection with the information that they’ve seen in the firm’s documents. But I do think that OBA cybersecurity, reg BI and CRS going forward are going to be brought up at some point in every examination.
Jeffrey Hiller: I would say it’s the same thing for an SEC exam. What they’ll do is look at your ADV, then come in and see if your policies and procedures and practices are consistent with the ADV. So I have always suggested to firms that’s something you should look at on an ongoing basis, and as your policies change, you reflect it there. But otherwise I would say if you put the FINRA top 10 exam priorities alongside the SEC’s exam priorities, I think they’d be pretty close in many cases, whether it’s cybersecurity, the new advertising role, I think they’re pretty consistent in what they’re asking for. Even though some things may be unique to a broker dealer some things may be unique to an investment advisor, but otherwise I would concur with my colleagues.
Ed Wegener: Yeah. You know, one of the things and just to echo what you’ve all said, and particularly, Evan’s point in terms of them knowing your firm before they come in, I think it’s what you’re finding is that as the exams have become more risk based, they’ve also become more tailored based on that risk. So what they’re going to be looking at is going to be specific. So what I’ve seen on examinations over the last several years as this has evolved is that initial request that you used to get, which would say back before remote exams and before things were more data driven, is they would ask for a bunch of boxes of things, and they would go through and sample in those boxes. But now that things are more electronic, they’re requesting things like blotters and things that they’ll do data analytics against.
And so when they make that initial substantive request, it’s usually very tailored, which is good because they’re not doing a fishing expedition as much as they used to, and it’s much more narrow and hopefully less time consuming. But they’re very narrowly focused on areas where they think that there might be problems. And I think that makes them more effective in terms of identifying where the problems may be as part of exams. And as a result of that, each exam’s going to be slightly different depending on how those risks manifest through those data reviews. So that’s just something to be aware of, is every exam’s going to stand on its own and be somewhat unique. You know, just to follow up on the Reg BI items, one of the things that both FINRA and the SEC had said going into this year, is that they were pivoting from these good faith effort type reviews and looking at things such as the procedures and the disclosures that are really starting to look more at the substantive areas around the care obligation.
And making sure that the recommendations are in client’s best interests, making sure that the reasonably available alternatives are assessed those types of things. So it’ll be interesting to see when we get their examination reports at the beginning of next year to see what types of things they’ve been finding as part of those reviews. And just another area that clearly is an area of focus for at least the SEC, but I would presume FINRA too, is electronic communications. But they started with some of the largest firms, and you’ve seen in the big fines that have come out through those sweep exams. But we’ve been hearing from other firms, smaller firms that they’re starting to get those types of requests as well. So electronic communications is clearly an area that they’ve identified concerns and will be taking a look at as well.
So, I really appreciate you guys sharing your thoughts, recommendations, and experiences on these exams. Managing examination requests isn’t easy. It’s very challenging, but it’s also very important that it’s done well and, these types of best practices are extremely helpful. So, really appreciate you sharing them. Look forward to talking next year as the regulators issue their best PR or their priorities and common exam findings, and we can talk about what they’ve been saying throughout 2022. So appreciate it. Take care, and Happy Holidays everyone.
Libby Hall: Thanks everyone for listening. If you’d like to learn more about our experts and how Oyster can help your firm, visit our website at oysterllc.com. And if you like what you heard today, follow us on whatever platform you listen to and give us a review. Reviews make it easier for people to find us. Have a great day.