The chief compliance officer (CCO) has a lot on their plate. Policies, procedures, ethics policies, cybersecurity, team training…the list goes on and on. With everything you do, your team may assume that everyone is in full compliance — but reality often paints a different picture.
Just because a policy is written doesn’t necessarily mean it’s being followed. Policies become outdated (or forgotten), especially as the SEC continuously adopts new rulings to their regulatory requirements.
When compliance policies fall by the wayside, your firm is at risk of violating compliance regulations and facing disciplinary action or hefty fines. How can you identify potential compliance weak points?
A regulatory compliance gap analysis is one strategy you can use to measure the effectiveness of your firm’s compliance program and identify areas where it may be falling short. Here’s a look at how to conduct a gap analysis of your own.
Identify the scope of your regulatory compliance gap analysis
Compliance is a far-reaching concept, and you can’t expect your team to keep every rule in mind at all times. But there may be certain aspects your financial advisory firm can (and should) review more frequently. In developing your own gap analysis, think about what areas of your organization should be included. If you’re not sure where to start, think about your processes, systems and people.
Processes: What current processes are in place to help your team stay compliant? Where do you need new ones? Are there old ones that you can drop?
Systems: Does your tech stack maintain compliance at every level? Are there new pieces of tech that need to be evaluated for compliance purposes and/or integrated with your compliance software?
People: Are all team members operating in accordance with your compliance procedures, or is anyone falling through the cracks?
Your gap analysis should focus on major areas of potential risk. Some suggested areas to focus on include:
- Personal trading
- Cryptocurrency
- Private investment
- Gifts and entertainment
- Conflicts of interest
- Cybersecurity
- Outside business affiliation
- Managing material non-public information (MNPI)
- Marketing material
- Insider trading
- Political contributions
Using compliance monitoring software can help you monitor firm-wide compliance efforts and proactively identify potential conflicts in those areas listed above before they become violations.
Identify regulatory compliance requirements
Next, you’ll need to create a list of requirements that your advisory firm must meet in order to achieve compliance. What you choose to include on your list of requirements will vary based on your specific industry, which regulatory authorities you’re subject to and your company’s internal needs.
For those registered with the SEC, you’ll want to look at Rule 206(4)-7, also known as the Compliance Rule. Financial professionals subject to the Compliance Rule cannot provide investment advice unless they have created and implemented compliance policies and procedures in accordance with the Advisers Act.
Other common rulings to consider when establishing your list of requirements are the SEC’s New Marketing Rule and Fiduciary Rule.
Compare existing controls with regulatory compliance requirements
Comb through your existing compliance-related collateral and document all existing controls within your organization. Identify where your checks and balances are within your policies, procedures and even in your tech stack.
Using the previously identified requirements, consider which are currently covered and what still needs to be addressed. It’s possible there are gaps or deficits within your existing controls, especially if you have not yet evolved your compliance policies to reflect recent rulings (such as the Marketing Rule).
As you compare, consider what could be missing. If your team members have started using social media, for example, are there proper record-keeping procedures in place? Even if you have incorporated comprehensive and up-to-date policies, are all team members following them correctly? Compliance is complex, and it’s possible your team members may misunderstand policies or incorrectly adopt certain procedures.
There are certainly even “gray areas” when interpreting the SEC’s rulings as well. Use this gap analysis as an opportunity to identify them and consider how you can clear them up and better educate team members on how to move forward in a more compliant manner.
Make a plan for fixing the compliance gaps
Once you’ve compared your current operations to your compliance requirements, the next logical move is to start addressing the gaps. Try to prioritize your plan of action based on the potential impact of leaving the identified gap unaddressed.
While you’ll eventually (and promptly) want to fix everything on your list, focus first on the items that are leaving your firm the most vulnerable to violations.
Track the progress of your compliance program
It’s not enough to identify gaps in your compliance program, you need to follow through with addressing them across the organization. Go in order of priority and track your progress over time until all areas have been adequately addressed. Schedule check-ins with the necessary team members to ensure progress is being made. Once you’ve addressed an area of concern, help team members remain accountable by incorporating it into your ongoing trainings and reminders.
A gap analysis is something you can do on a regular basis to help identify potential cracks in the foundation of your compliance program before they grow too big. As the regulatory environment continues evolving, it’s more important than ever to help your firm keep pace with compliance.
Book a demo to learn how ComplySci’s compliance management software helps firms mitigate risk and stay on top of the latest changes.