Whitepaper

2019 CCO Playbook

Jul 19, 2019

ComplySci’s CCO Playbook empowers Chief Compliance Officers and other compliance leaders to stay ahead of regulatory changes and a constantly shifting market landscape. In this must-read guide, we explore the impact that recent changes have had on the current regulatory environment as well as look ahead to the coming year and what the future will hold for regulated firms.

EXECUTIVE SUMMARY

To be effective in their roles, compliance officers in financial services firms must keep a watchful eye on the future while understanding how past events and pending regulation may shape that future. 

As the types of risks CCOs face continue to evolve rapidly, taking a proactive approach to firm compliance is more critical than ever. 

This 2019 edition of ComplySci’s CCO Playbook is intended to help CCOs and other compliance leaders better understand the current regulatory environment. We’ll review the events and changes that shaped and impacted the industry over the past year. This understanding can, in turn, help identify potential strategies and solutions designed to protect you, your firm, your personnel, and your clients. 

As in years past, this playbook also looks at some of the top challenges CCOs face today and explores strategies for addressing those challenges. Rapid changes in technology are continuing to drive regulatory changes, and regulators increasingly rely on technology to help them spot issues.

Because of this, RegTech plays an even greater role in the industry, helping firms avoid costly and potentially brand-damaging compliance violations. This playbook explores why and how technology solutions are a critical component of any firm’s compliance program. 

Finally, we’ll look to the year ahead, sharing some predictions about what the future may hold for regulated firms, based on our review and analysis of regulators’ stated priorities. 

At ComplySci, we are proud to work closely with thousands of organizations both in North America and Europe. We are committed to providing solutions designed to make CCOs’ jobs more manageable, and to help firms get – and remain – in compliance with an often complex web of rules. 

Thanks for downloading the 2019 CCO Playbook. We hope the information it contains is useful for your firm.

REGULATORY ACTIVITY IN 2018—A LOOK BACK

A critical aspect of inspecting a compliance program is to look back at significant developments in regulatory compliance over the past year, as such events often impact the regulatory landscape for years to come.

SEC examination and enforcement activity increased in the past year, with Chairman Jay Clayton committed to “deter bad conduct and remedy harms to investors” through the agency’s Office of Compliance Investigations and Enforcement (OCIE). 

It is notable that this increase in enforcement activity occurred while the SEC is still under an agency-wide hiring freeze. In fact, staffing levels in the Division of Enforcement have fallen approximately ten percent since FY 2016. 

The SEC’s four-year strategic plan, released in Fall 2018, documents the agency’s intention to improve collaboration between departments, leverage and increase the use of technology, and focus on enhancing the agency’s workforce to accomplish the following three overarching goals: 

  1. Understanding investors’ long-term interests.
  2. Embracing innovation to effectively allocate agency resources.
  3. Improving agency performance through continued investments in data and technology.

ENFORCEMENT ACTIVITY 

The SEC’s annual press release provided an overview of OCIE’s enforcement activities for the agency’s FY 2018. FINRA also released a 2018 report highlighting examination findings. 

SEC ACCOMPLISHMENTS: A LOOK AT THE NUMBERS 

The SEC brought a total of 821 enforcement actions in FY 2018, an increase of nearly 9 percent over the FY 2017 total (754). That number included 490 standalone cases, compared to 446 standalone cases in FY 2017.

Penalties imposed on firms and registered persons totaled $1.439 billion in FY 2018, a significant increase over the $832 million in penalties assessed in FY 2017. However, disgorgement numbers for FY 2018 decreased slightly to $2.506 billion compared to $2.957 billion in FY 2017. Nearly 550 individuals and firms were barred or suspended from the industry as a result of enforcement actions in FY 2018.

NOTABLE ENFORCEMENT ACTIONS FOR FISCAL YEAR 2018 

SEC 

The top five percent of OCIE’s enforcement actions in FY 2018 accounted for 77 percent of the total monetary relief ordered. Actions taken included cases involving:

  • Ponzi schemes or ponzi-like schemes
  • Offering fraud
  • Failing to safeguard investor assets
  • Failures in cybersecurity policies and procedures
  • 56 individuals charged with insider trading violations

For a deeper look at specific SEC enforcement actions in FY 2018, view the complete report.

FINRA 

FINRA’s exam findings report identified issues related to:

  • suitability for retail customers
  • fixed income mark-up disclosure
  • reasonable diligence for private placements
  • abuse of authority
  • AML issues
  • best execution violations

FINRA-member firms are encouraged to review the complete report.

GDPR 

Firms operating in the EU or firms located elsewhere that handle data from EU citizens or residents saw the implementation of the General Data Protection Regulation in May 2018. Firms subject to the new regulatory framework should understand its obligations and best practices. This blog post provides a concise overview of the regulation and recommended steps for covered firms.

CCOs TODAY FACE CHALLENGES, BOTH FAMILIAR AND NEW

In our work with CCOs and their teams over the years, we have learned that no two firms’ compliance departments or programs are identical. 

Although the overarching framework of rules is essentially the same across firms, the risks they face can – and do – differ based on firm size, the types of products and services offered, firm culture and more.

KPMG’S TOP TEN REGULATORY CHALLENGES FOR 2019

As in years past, audit, tax and advisory services provider KPMG has compiled a list of what it considers the top ten regulatory issues for compliance professionals. 

In this CCO Playbook, we are providing an overview of the Ten Key Regulatory Challenges of 2019, but encourage CCOs to review KPMG’s full analysis too.

  1. DIVERGENT REGULATION. With divergence in global regulations, a shift in focus on recalibrating federal regulations, actions by individual states’ legislatures and attorneys general, and a growing awareness of reputational and strategic risk, CCOs must develop and manage compliance programs that can adequately address a fragmented regulatory framework.
  2. RISK GOVERNANCE AND CONTROLS. Firms must strengthen their risk management practices, address third-party risk management, and control for greater risks related to information technology and data governance. Key actions may include engaging stakeholders and building change management steps into project plans.
  3. DATA PRIVACY. Continued high-profile data breaches have put a spotlight on firms’ protection of sensitive client and firm information. State laws are being enacted and federal legislation is being explored. In addition, the GDPR’s framework applies to firms around the world if those firms also handle EU residents’ personal information. Firms must develop, implement, and maintain strong policies and controls for data privacy.
  4. COMPLIANCE PROCESSES. CCOs should evaluate how advances in automation and RegTech could help them meet changing compliance priorities, mandates, and expectations. Key actions include refining compliance metrics and data analytics, identifying opportunities to streamline compliance, and developing ways to achieve better “real-time” compliance.
  5. CREDIT MANAGEMENT. There is speculation that the financial services industry could experience an increase in credit-related risk in 2019. Firms are encouraged to ensure their credit strategy aligns with their appetite for credit risk, and to perform gap assessments to ensure the adequacy of credit management processes.
  6. CYBERSECURITY. The regulators continue to identify cybersecurity as an area of concern and focus, and attacks themselves are becoming more sophisticated. However, there is not a unified standard method for identifying or addressing potential cybersecurity risks. CCOs are encouraged to conduct threat simulations to test their firms’ readiness, and to develop and implement comprehensive strategies designed to protect the firm, its stakeholders, clients, and employees.
  7. ETHICS AND CONDUCT. As in years past, ethics and conduct are once again on KPMG’s top ten list. Challenges to managing this risk include overly broad definitions, evolving frameworks, and governance expectations. Firms should revisit policies and procedures, and invest in RegTech tools that will aid with supervision and reporting.
  8. CONSUMER PROTECTIONS. The regulators have indicated that investor protection is of paramount importance. However, regulators’ expectations for consumer protection may not align with consumers’ own expectations, or with firms’ capabilities. CCOs should evaluate and strengthen their consumer protection programs and invest in tools that help them identify trends while improving surveillance, monitoring and testing.
  9. FINANCIAL CRIMES. As digital transformation continues, regulators increasingly expect firms to be able to aggregate data across the organization and standardize and integrate efforts to prevent, detect, and correct financial crimes including AML, anti-bribery and corruption. Automating and integrating processes can help lower firms’ risks of being victims of financial crimes.
  10. CAPITAL AND LIQUIDITY. Finally, banking institutions will face changes in 2019 related to regulatory requirements for capital and liquidity. Compliance officers in affected organizations are encouraged to ensure stress testing processes are sufficient, strengthen internal governance for capital models, and enhance data management efforts.

STRATEGIES TO HELP YOU ADDRESS CHALLENGES—HEAD-ON

You face challenges in your job every day. While risks like insider trading and conflicts of interest are nothing new, changing technologies mean you need to be vigilant and adapt your policies and procedures to prevent, detect and correct both new problems and familiar risks coming from unexpected sources. 

Compounding those challenges is the fact that you face uncertainty from every direction. Knowing what the regulators expect from you and your firm isn’t always easy to discern, and those expectations can change over time. You are also faced with internal uncertainties related to budgets and staffing.

Updating your own skill set by enhancing your problem-solving methods, critical-thinking skills and ability to collaborate with your organization’s leaders can arm you with the tools you need to face these challenges and emerge stronger.

ENHANCING YOUR ABILITY TO ADDRESS AND RESOLVE PROBLEMS

Before you can solve a problem, you need to be able to identify and define it, clearly and accurately documenting its scope.

Effective problem solvers do more than simply apply a pre-determined patch. Of course, every problem is different, so there is no single “best” way to go about resolving problems. Skilled problem solvers seek to identify various solutions based on the underlying facts, exploring the potential advantages and disadvantages of various approaches. 

Choosing the easiest, fastest or seemingly most-obvious solution to a problem could inadvertently backfire. Review potential solutions with a critical eye, considering whether a given solution could, itself, create other issues or problems that would require additional resolution and greater resources.

BECOMING A CRITICAL THINKER 

Thinking critically means actively and intentionally cultivating excellence in thought. According to the Foundation for Critical Thinking, critical thinking means finding ways to deliberately think more strategically while being mindful of our native egocentrism and socio-centrism. Skilled critical thinkers raise questions, defining them precisely, gather and interpret information, and form conclusions and solutions based on that information. When you improve your ability to think critically, you’re also intentionally taking an open-minded approach and striving to communicate effectively with others.

As a CCO, thinking linearly about problems can lead to issue-blindness, where by taking a narrow approach to potential issues or violations, you fail to see larger or related issues. Deliberately trying to improve your ability to move beyond a knee-jerk response can help make you a more effective leader.

IMPROVING YOUR ABILITY TO COLLABORATE WITH OTHER LEADERS 

Improving collaboration can be helpful for people in almost any role within a financial services firm, but perhaps for no role more so than the CCO.

According to an Entrepreneur article, collaboration is most successful when it includes:

  1. A COLLECTIVE VISION FOR COLLABORATION. In compliance-speak, this is the “tone-from-the-top” goal most firms strive for.
  2. TRANSPARENCY. You will likely be more successful as a CCO if you are able to demonstrate transparency as to the work your team is doing to keep the organization in compliance – and off the regulators’ radar screens.
  3. ACCOUNTABILITY. Hold your team accountable, and hold other executives accountable. Similarly, you need to ensure you have clearly defined your objectives for the compliance department and can demonstrate what you’re doing to achieve those targets.
  4. A PROCESS FOR OVERCOMING ROADBLOCKS. Don’t look at roadblocks as the end of the world; actively look for and implement strategies to overcome objections and strive toward your goals. Good collaboration means identifying and helping others see long-term advantages that may not be immediately apparent.
  5. FEEDBACK. Collaboration is a give-and-take process. Actively give – and seek out – feedback about the process. Then, implement what you’ve learned to improve and enhance your working relationships with operations, sales, finance and other key divisional leaders in your organization.

CCOs who get “buy-in” and adoption from department heads and the firm’s senior leadership are likely to see better results getting approval for staffing, technology and other resource expenditures. However, successful collaboration involves more than simply communicating effectively.

FINDING WAYS TO MINIMIZE RISK 

The specific risks your firm faces may be similar to the risks your competitors face, but they’re likely not identical. Depending on the size of your firm, the products and services you offer, how your distribution and operations functions are designed, and the nature and extent of your compliance and risk mitigation efforts, your firm’s specific risks can vary – sometimes drastically – from other financial services firms.

Effectively analyzing your firm’s risks involves taking a close look at each and every part of your policies, procedures and processes. Then, rank those risks “high”, “medium” or “low.” 

One of the most effective ways of mitigating potential risks is by implementing compliance automation and technology solutions, discussed more fully in the next section.

WHERE COMPLIANCE AND TECHNOLOGY MEET

One of the biggest challenges CCOs and other compliance professionals tell us they face is being able to identify, implement and leverage the right tools to help mitigate risks and increase the compliance department’s effectiveness. However, there is little debate that firms need compliance technology solutions. 

The SEC, FINRA and other regulators have embraced the use of technology to help them mine vast amounts of data to spot patterns and issues. Under increasing budget pressure themselves, turning to technology has enabled these agencies to do more with less.

By dedicating resources to improving technological efficiency, regulators have made it clear they are committed to enhancing surveillance and oversight. 

In our white paper, Catching up to the Regulators, we describe the tools and resources the regulators are employing and discuss why firms need to implement their own compliance technology systems and tools to keep pace. 

Some of the ways regulators are leveraging technology include the following:

SEC

  • Office of Compliance Inspections and Examinations (OCIE): Uses technology to parse and analyze data to identify firms for examination.
  • Technology Controls Program (TCP): Ensures clearing agencies and securities exchanges have measures in place to ensure ongoing systems functionality.
  • Market Abuse Unit: Uses artificial intelligence (AI) and machine learning to detect insider trading and other potentially problematic activity.
  • Consolidated Audit Trail: This tool will require broker-dealers to report certain information about each trade to a central repository, giving the SEC and SROs the ability to query and extract data.
  • FINHUB: Released in October 2018, FINHUB is intended to help facilitate the SEC’s involvement with technology entrepreneurs, innovators, and developers. It serves as a one-stop resource for information and connecting with the SEC about artificial intelligence, machine learning, automated investment advice, blockchain/distributed ledger, and digital marketplace financing.
  • Cryptocurrency: In 2018, the SEC expanded its enforcement over cryptocurrency, investigating advisors to evaluate how firms are holding cryptocurrency assets and whether price manipulation is a concern.
  • Regulation Crowdfunding: The SEC now permits issuers to facilitate securities offerings using crowdfunding technologies. As a relatively new way to raise capital, the SEC’s rules are designed to protect investors and issuers alike by setting investment limits and creating a regulatory framework.

FINRA 

In addition to the mainstays that firms have known for years, like the Central Registration Depository (CRD), the Investment Adviser Registration Depository (IARD), Investment Adviser Public Disclosure (IAPD) and BrokerCheck tools, FINRA has also implemented cloud computing and other tools that allow it to oversee up to 75 billion transactions in securities markets every day. 

In 2018, FINRA notably announced its intention to overhaul CRD and other systems, implementing a new WebCRD interface on June 30, 2018. The systems overhaul is expected to be completed in 2021, ultimately making the system easier for firms, investors, and regulators to use. By leveraging information from other FINRA systems, the revised CRD tool is expected to help firms enhance compliance while lowering the cost of compliance. 

In addition, one of FINRA’s stated examination priorities for 2019 is RegTech. Not only is FINRA interested in the regulatory technology member firms use and how technology strengthens firms’ compliance programs, the regulator also stated its intention to enhance its own use of RegTech, stating:

CFTC 

The CFTC has also demonstrated its commitment to technology by implementing FinTech designed to give it oversight of automated trading and to be more responsive to emerging technology innovators.

BENEFITS OF IMPLEMENTING COMPLIANCE TECHNOLOGY 

Regardless of what the regulators are doing, there are many compelling reasons for financial services firms to implement and adopt compliance automation and other technologies. 

GET—AND STAY—IN COMPLIANCE 

First, doing so creates process and resource efficiencies that simply make it easier to remain in compliance with whatever rules your firm must operate within. 

MINIMIZE YOUR RISK 

When you automate processes, you help eliminate the “human” risk factor that can, by itself, create extra risk within your organization. Automation can be used to identify and manage potential issues with code of ethics certifications, manage the preclearance and employee trading process, manage gifts and gratuities programs and much more, without requiring someone to manually advance the process forward and introduce possibilities of human error with each step.

COST-EFFECTIVE SOLUTION 

Just as the regulators are using compliance technology to do more with less, automating aspects of your firm’s compliance program can also help you maintain the oversight you need with a leaner budget. 

STAY IN FAVOR WITH THE REGULATORS 

Having compliance technology and automation tools at your fingertips makes it much easier to respond promptly to regulatory inquiries and requests, which can be viewed favorably by regulators. Being able to produce reports and other information when needed can help demonstrate that you have an effective culture of compliance at your organization. 

ATTRACT CLIENTS AND EMPLOYEES 

Knowing that your firm has a strong compliance program, backed by state-of-the-art tools and resources, can be an attractive selling point both for prospective clients and skilled compliance professionals alike.

When it comes to choosing a technology platform and compliance systems provider, be sure to evaluate the following:

  1. Does the vendor have experience working with similarly-sized firms? What about with other companies offering the type of products and services you provide? There are many technology vendors holding themselves out as able to meet the needs of financial services firms. However, when you investigate more closely, you may find the vendor doesn’t specialize in any particular industry. In other words, they may offer financial services compliance technology, automation tools for school districts and government offices, health care organization compliance, etc. Because of the complexities and nuances involved in financial services regulatory compliance, working with a provider who truly specializes in helping broker-dealers, investment advisory firms, clearing firms, investment companies and other financial services entities may better meet your needs.
  2. What types of solutions does the vendor make available? Do they have products or components designed to do what you are looking for? How will the system help you carry out your compliance responsibilities for the firm?
  3. What security measures and protections does the system and vendor have in place to address increasing cybersecurity concerns? 
  4. How intuitive is the system? Look for a platform that is user-friendly and leads users through the process naturally. If a compliance technology tool isn’t straightforward, users can easily become frustrated. This can lead to a decrease in adoption and usage.
  5. Is the solution architected for your compliance needs both today and the changing dynamics of tomorrow? Is the platform mobile-friendly, allowing for full range of function for employees and supervisors who are on-the-go?
  6. Is the data reliable when regulators come knocking for evidence of supervision and records? Will the system allow you to easily generate reports if your firm is audited by a regulator?
  7. Does the vendor provide customer support when you need it? Does the vendor make it easy to help firms implement and set up the solution tailored to your firm’s needs?

2019 REGULATORY PREDICTIONS

The SEC’s and FINRA’s stated examination priorities for 2019 provide helpful insight into those areas the regulators deem most important this year. 

SEC EXAMINATION PRIORITIES 

SEC-regulated firms should review the agency’s stated 2019 Examination Priorities in full. Those priorities are broken into six main areas:

  1. Retail Investors, Including Seniors and Those Saving for Retirement: OCIE’s efforts will continue to assess things like how fees are calculated and assessed, conflicts of interest, portfolio management and trading, the adequacy of disclosures to investors, the execution of orders, supervision of registered persons and other areas related to the “Main Street investor.”
  2. Compliance and Risk in Registrants Responsible for Critical Market Infrastructure: The proper functioning of capital markets continues to be a priority, so OCIE intends to continue examining clearing firms, entities subject to regulation systems compliance and integrity, transfer agents and national securities exchanges.
  3. Focus on FINRA and MSRB: OCIE intends to oversee FINRA’s examination program, as well as its operations and regulatory programs.
  4. Digital Assets: New to the list of priorities for 2019, OCIE recognizes the unique risks the growth in the digital assets market poses to investors. OCIE will examine firms engaged in the digital assets market to evaluate the adequacy of processes for portfolio management, trading, safety, pricing, compliance, and internal controls.
  5. Cybersecurity: Firms inspected by OCIE in 2019 should also expect to document and demonstrate their cybersecurity initiatives, including governance and risk assessment, access provisioning, incident response and more. Of course, CCOs don’t need to be experts in all things technology, but they do need to ensure their firms have the right people and systems in place to stave off would-be attackers.
  6. Anti-Money Laundering Program: Finally, firms must be prepared to demonstrate their compliance with all applicable AML program requirements. Specific focal areas in 2019 include SAR filing obligations, how well firms are implementing all aspects of their AML programs, and whether firms are conducting independent testing for AML.

Of course, the list of stated exam priorities is just that; a list of priorities. It is not meant to be taken as an exhaustive list of all areas OCIE intends to cover during examinations. CCOs must ensure all aspects of their compliance programs are designed to prevent, detect and correct violations. Still, the examination priorities can be helpful as you evaluate and rank your firm’s potential risks and controls.

FINRA EXAMINATION PRIORITIES 

FINRA also publishes its own examination priorities each year. FINRA member firms should read the full text of the SRO’s stated 2019 examination priorities. At a high level, those priorities include the following:

  1. Online distribution platforms.
  2. Firms’ compliance with their mark-up or mark-down disclosure obligations on fixed income transactions with customers.
  3. Regulatory technology.
  4. Sales practice risks, including suitability, senior investors, outside business activities, and private securities transactions.
  5. Operational risks, including supervision of digital assets and firms’ compliance with FinCEN’s Customer Due Diligence (CDD) rule.
  6. Market risks, including best execution, market manipulation, market access, short sales, and short tenders. 
  7. Financial risks, including credit risk, and funding and liquidity.

ENHANCED CONSUMER PRIVACY REGULATIONS 

In addition to familiar Federal privacy legislation including Gramm-Leach-Bliley and Reg S-P, FINRA’s customer information protection rule, and GDPR for firms working with EU residents’ information, financial services firms must also be cognizant of state-specific rules.

In 2018, California passed the California Consumer Privacy Act to protect the state’s residents. Among other requirements, covered firms working with CA residents must let clients know what information they are collecting, whether that information is sold or disclosed to others, and allow Californians to access their own information and prohibit the sale of their personal information. 

Financial services firms should survey approved and pending legislation in the states where clients live and ensure firm policies and procedures are designed to comply with all applicable legislation.

CONCLUSIONS

As technology changes and shapes the way financial services firms interact with their customers and employees, CCOs must continually adapt their methodologies, policies, procedures and controls. There is no room for complacency when it comes to meeting regulatory requirements. 

While regulations continue to change, CCOs can take heart knowing that regulators’ ultimate goal remains unchanged: protecting investors from harm. 

With uncertainty from both inside and outside of the firm, staying on top of your compliance requirements in 2019 will undoubtedly be challenging. However, by working on improving your problem-solving, critical thinking and collaboration skills, and by leveraging the power of compliance technology, you can be better prepared to handle whatever challenges come your way. 

Use this CCO Playbook as a resource throughout the year, helping keep key links and recommendations close at hand. Doing so should help you focus your efforts and resources to maximize the effectiveness of your firm’s compliance efforts.