Compliance Science, one of the premier code of ethics and GRC monitoring service providers in the industry, recently hosted its second annual User Conference in New York. In rooms packed with representatives from mutual funds, advisory firms, and private funds of all sizes, attendees latched on to the words of industry experts, including FrontLine Compliance president Amy Lynch and Peter Bresnan, litigation partner at Simpson Thacher & Bartlett, all to discuss recent SEC enforcement actions and how to prepare for the inevitable SEC examination.
It's clear that, regardless of size, market, or ownership structure, all the firms have similar concerns about data, security, and technology compliance.
Theodore Eichenlaub of ACA Compliance Group had one pillar of advice: Do as your peers do. There's strength in numbers, and strength in creating the expectation and in creating the standard.
From OCIE's mouth to your ears
We collect information on everyone. We analyze information on everyone. I think people assume, if they're not the 9%, the other 91% are out there doing things off the radar screen. But the SEC has gotten very proficient through hiring and staffing and resourcing of financial engineers. -- OCIE director Drew Bowden, Oct. 31, 2012
What is the SEC expecting when it comes knocking? Eichenlaub outlined some of the current areas of focus.
A culture of compliance: The SEC wants to see the firm is "strong on top" and can show evidence of "doing the right thing," including imposing penalties when violations are found.
A written compliance program: Examiners expect to find a dynamic document with regularly updated descriptions of the firm's activities and oversight procedures. They also expect an annual review of the firm's compliance program. This includes reports, memos to senior management, policy amendments, remediation plans and tracking procedures, etc.
Role of chief compliance officer: At this point, it's obvious that "dual hats are OK," Eichenlaub said, though the SEC may ask if you have enough time in the day. The CCO should be knowledgeable, of course, and should have the resources to build compliance programs and the seniority and influence to launch them throughout the organization. Furthermore, CCOs must be given a "seat at the table in decision making. This is most important. CCOs must be there when critical issues are discussed."
Use of technology: The SEC expects to find tools to conduct email and instant message review, as well as tools to enable oversight of trade execution and settlement. Examiners may ask if there is technology in place to make sure portfolio management adheres to guidelines and restrictions. "It's always best to emulate your peers. There is strength in numbers."
Oversight of third parties: Examiners want evidence of oversight of the activities of third parties, including fund administrators, proxy voting, valuation, subadvisers, and IT providers. They will also look for adherence to contractual provisions, delivery of quality service, and cost versus use of service. A once-common SEC tactic is re-emerging. "The SEC is going to be looking for these documents."
Eichenlaub offers these tips to follow if you've been selected for an examination.
Take the SEC's advice: Only about 5% of examined firms walk away without a further action letter. This may seem obvious, but if the SEC has made note of issues in a previous exam, make sure those issues have been attended to by the next exam. If you have been examined, read the letter the agency sent. You want to be on top of those issues. When the SEC sends a document request list, share those requests among functional areas (accounting, investor relations, etc.), as well as with the CTO and senior managers.
Watch the SEC: Eichenlaub suggests understanding the current focuses, trends, and scope of examinations. When the SEC gives public speeches, listen. It is often setting de facto policies.
Talk with peers: Compare your operations with your peers. "The SEC has an expectation that you should look like your peers," and firms should understand peer practice with the goal of not being an outlier.
Present: Like the Boy Scouts say, always be prepared. Be prepared to discuss your business in detail early on the first day of the exam. Have an internal control presentation. This is the one document the SEC isn't asking for, so you can format it any way you want. It can be used to present the firm in a strong light. Come to all presentations and interviews with relevant materials, such as organizational charts.
Delegate: "Designate a contact person who is responsible for getting all requested documents, arranging interviews, making copies, etc. Have all information flow through that person." That person should sit in on all interviews. Similarly, "have a contact person touch base with the examiners at least twice per day to answer questions and discuss outstanding requests."
Prepare the employees: Let every employee know about the SEC examination. Conduct mock interviews with employees in preparation for SEC interviews. This is not done enough, according to Eichenlaub.
Yes, you can do that: If you don't know the answer, do not make up an answer. You can try to negotiate down overly burdensome requests on supplementary document request lists. "Invite consultants and/or outside counsel to join interviews and be involved with the examination." And ask the SEC staff questions -- you never know what you might learn.
Good luck.

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...