EXECUTIVE SUMMARY
It is vital that CCOs and compliance teams are aware of what may be coming down the road. Your firm’s success depends on how quickly you’re able to spot risk and handle uncertainty. Compliance leaders must keep an eye on emerging regulations and pay close attention to how the compliance landscape is changing.
In a time of increased uncertainty, it is more important than ever for CCOs to be proactive and innovative with their compliance strategies.
This 2021 edition of ComplySci’s CCO Playbook is intended to help CCOs and other compliance leaders better understand the current regulatory environment. In this year’s report, we review the events and changes that shaped and impacted the industry over the past year, one of the most complex in recent memory.
This playbook looks at the regulatory activity that took place in 2020, as well as the most pressing challenges of 2021, and the strategies you can use to overcome them. Technology continues to be a driving force in the world of compliance, and we cover how technological solutions are being used by compliance professionals to simplify and improve day-to-day procedures.
At ComplySci, we are proud to work closely with thousands of organizations across the globe. We are committed to providing solutions designed to make CCOs’ jobs more manageable, and to help firms get – and remain – in compliance with a complex web of rules.
Thanks for downloading the 2021 CCO Playbook. We hope the insights and information it contains are useful for your firm.
REGULATORY ACTIVITY IN 2020
Stephanie Avakian, Director for the Division of Enforcement for the SEC, stated in their 2020 Annual Report that “the real story of 2020 was COVID-19.” As you will see, almost every aspect of compliance in the financial services sector was in some way impacted by the pandemic.
In 2020, the SEC dedicated substantial resources to address the emerging threats presented by COVID-19 and the ensuing dynamic market conditions. From mid-March through the end of the fiscal year, the Division’s Office of Market Intelligence triaged approximately 16,000 tips, complaints, and referrals (a roughly 71% increase over the same time period in 2019), and the Division opened more than 150 COVID-related inquiries and investigations and recommended several COVID-related fraud actions to the Commission.
At the same time, across the enforcement division, there was focus on highlighting and learning about issues of diversity, equity, and inclusion. Together, with their partners in the Office of Minority and Women Inclusion and the Office of the Chairman, the SEC facilitated many large and small group discussions across the country in an effort to educate and communicate openly around these issues.
Despite the challenges of COVID-19, the SEC still brought more than 700 enforcement cases during FY 2020. While the number of cases the Commission filed was fewer than in 2019, the financial remedies ordered set a new high. Additionally, the number and amount of whistleblower awards exceeded prior years. Awards issued in 2020 accounted for roughly 37% of the total number of individuals awarded over the entire life of the whistleblower program.
ENFORCEMENT ACTIVITY
The SEC’s annual press release provides an overview of OCIE’s enforcement activities in FY 2020. FINRA also released a 2020 report highlighting examination findings.
SEC ACCOMPLISHMENTS: A LOOK AT THE NUMBERS
The SEC brought 715 enforcement actions in FY 2020, 405 of which were standalone actions. Seventy-two percent of those standalone cases included charges against one or more individuals.
In FY 2020, the Commission obtained judgments and orders totaling approximately $4.68 billion in disgorgement and penalties – the highest amount on record.
As a result of its efforts, the SEC barred or suspended 477 wrongdoers and suspended trading in securities of 196 issuers. Additionally, the Division triaged approximately 23,650 tips, complaints, and referrals and opened 1,200 new inquiries and investigations.
The Commission also distributed more than $600 million to harmed investors.
NOTABLE ENFORCEMENT ACTIONS FOR FISCAL YEAR 2020 – SEC
There were a number of noteworthy enforcement actions taken by the SEC in FY 2020.
Actions taken include cases involving:
• Financial institutions providing misleading information to clients and repeatedly failing to recognize red flags and file suspicious activity reports
• Issuer reporting and disclosures
• Public finance abuse
• Individual accountability
• COVID-19 fraud
• Insider trading
• Foreign Corrupt Practices Act
• Criminal coordination
For a more in-depth look at specific SEC enforcement actions in FY 2020, view the complete report.
NOTABLE ENFORCEMENT ACTIONS FOR FISCAL YEAR 2020 – FINRA
FINRA’s exam findings report identified issues relating to:
• AML
• Cybersecurity
• Books and records
• Regulatory events reporting
• Communications with the public
• Private placements
FINRA-member firms are encouraged to review the complete report.
CCOS CONTINUE TO FACE NEW CHALLENGES AS ROLE RESPONSIBILITIES EXPAND
What kind of challenges await CCOs and their teams in 2021? Whatever your priorities or the size of your compliance department, you are bound to experience disruption.
In our work with CCOs and their teams, we have found that they’re able to show resilience and adaptability when they know the kind of regulatory challenges they will be facing.
KPMG’S TOP TEN REGULATORY CHALLENGES FOR 2021
As in years past, audit, tax, and advisory services provider KPMG has created a list of what it considers the top ten regulatory issues for compliance professionals.
In this CCO Playbook, we provide an overview of the Ten Key Regulatory Challenges of 2021, but we encourage CCOs to delve into KPMG’s full analysis.
CHANGE MANAGEMENT
Volatility experienced throughout 2020 is likely to continue well into 2021, forcing financial services companies to demonstrate agility in their change management processes. Changes in response to COVID-19 will be short-lived, but financial services companies will need to show steps towards effectively identifying and mitigating risks associated with transitions brought about by the pandemic.
CREDIT RISK AND LIBOR CHANGE
The pandemic has continued to be a major topic in credit risk discussions. The consequent uncertainty will keep a sharp focus on credit risk management processes throughout 2021. And with the expected phased discontinuation of LIBOR between the end of 2021 and mid-June 2023, focus will also be on institutions with significant LIBOR exposure or less-developed processes.
CLIMATE AND ESG
Regulators are in the early stages of understanding, monitoring, and measuring ESG risks, but the momentum to account for ESG issues is significant. For 2021, regulatory focus is centered on climate change. Individual companies have begun to publicly announce their commitment to ESG policies across their investment strategies, due diligence, and risk processes, while actively encouraging others to follow suit.
CORE RISK MANAGEMENT
The role of core risk management continues to evolve and is coming under increasing regulatory focus. Common challenges include moving to data-driven assessments. In 2021, there should also be a move to establish risk frameworks that are resilient, adaptable, and address areas of emerging regulatory focus.
OPERATIONAL RESILIENCY AND CYBERSECURITY
As in years past, operational resiliency is once again on KPMG’s top ten list. Last year demonstrated the need to understand and plan for the possibility of multiple converging events and their potential impacts on operational resiliency.
In the current environment, there will be challenges around establishing accountability for resilience, increased regulatory interest, and the return to work. Further hurdles to overcome include the calibration of impact tolerances, service management and execution, and tooling and data requirements.
COMPLIANCE RISK
The disruptions from 2020 resulted in an almost untenable pace of change to operations and risk within compliance departments, which will continue well into 2021.
So far, the most significant challenges include redeployment of resources, reprioritization of compliance activities, rapid roll-out of complex government stimulus programs, and providing new or additional communications and training. There will also be an emphasis on monitoring/data analysis sufficient to maintain compliance amid new expectations.
FRAUD AND FINANCIAL CRIMES
Financial institutions face challenges to enhance financial crimes prevention and detection capabilities while meeting their obligations to provide information to regulators. Among others, there will be regulatory pressures around exposure to COVID-19 related frauds, adapting to Cryptoassets, and the deployment of advanced technology.
CONSUMER/INVESTOR PROTECTIONS
Similar to the immediate aftermath of the 2008 financial crisis, firms should expect intense scrutiny from regulators regarding their treatment of customers throughout 2020 and 2021. Regulatory pressures will create challenges in areas of investor protections, anti-bias and fairness, and data privacy.
PAYMENTS
Financial institutions face challenges in the payments industry because of increasing competition and shifting partnerships with FinTechs, non-banks, and some of the country’s largest retailers. Regulatory pressures in 2021 will focus on inclusion and access, resilience during COVID-19, and speed of compliance.
EXPANDED REGULATORY AUTHORITY
In 2021, financial services companies may face increased challenges as a result of federal and state regulatory divergence. Firms will also have to adapt to the expansion of regulatory authority to new areas such as artificial intelligence and ESG issues.
INDUSTRY LEADERS SHARE STRATEGIES TO HELP YOU ADDRESS CHALLENGES HEAD-ON
Compliance leaders face challenges every day. While risks like insider trading and conflicts of interest are nothing new, changing technologies mean you need to be vigilant and adapt your policies and procedures to prevent, detect, and correct both new problems and familiar risks coming from unexpected sources.
Compounding those challenges is the fact that you face uncertainty from every direction. Knowing what the regulators expect from you and your firm isn’t always easy to discern, and those expectations can change over time. You are also faced with internal uncertainties related to budgets and staffing.
We spoke to a number of compliance leaders about their take on the state of the industry, and what best practices you should follow to ensure you address today’s challenges head-on.
KELLY PETTIT, CHIEF COMPLIANCE OFFICER, GENERAL ATLANTIC ON SOCIAL MEDIA MONITORING
Over the past few months, the media has been fascinated with GameStop’s miraculous rise driven by r/WallStreetBets, and the story has raised questions around regulatory, compliance, and ethical issues related to employee outside activities.
One of the most prominent voices in the Reddit Rally, Keith Gill, aka Roaring Kitty, was a licensed securities broker registered with FINRA. Mr. Gill’s former employer, MassMutual, has told securities regulators in Massachusetts that it was unaware that Mr. Gill had spent more than a year posting about GameStop on YouTube, Reddit, and other online forums.
As a Compliance Officer, how do you balance your firm’s regulatory obligations with employee personal privacy boundaries? How do you manage the constantly evolving landscape of social media and communication platforms?
This is a question that keeps Pettit up at night. She acknowledges that the line between personal and business is blurred, and while “business is done through apps that are technically impossible or difficult to monitor,” Pettit still recommends creating an acceptable-use policy. “We have to continuously train, monitor, test, remind and train. We are not blind to the fact that it might happen, but we try to minimize business usage and ensure we still retain the records that we are required to retain,” Pettit says.
DAVID BECKER, CHIEF TECHNOLOGY OFFICER, CFI PARTNERS ON AUTOMATION
Building a compliance program has never been a simple task. However, there is now an unprecedented opportunity to leverage technology to succeed.
Becker believes that RegTech solutions can help leverage a team’s resources, especially those with compliance leaders managing multiple responsibilities. To put it plainly, if you’re not taking advantage of RegTech, you’re not setting your compliance program up for success.
Becker explains, “Implementing tech has made our process more efficient. Rather than spend a ton of time on the necessary administrative tasks we need to show regulators we’re completing, I can build workflows within ComplySci to automate many tasks and instead focus on other initiatives to help our small firm grow.”
However, a big mistake compliance officers often make is implementing tech once and forgetting about it. Becker stresses that success is contingent upon compliance teams continually adopting tech and taking advantage of product updates, enhancements, and new features from vendors to ensure processes don’t become stale or outdated.
“If you want to grow and scale up your business, there’s no question: You have to use technology,” Becker says.
DAVID COWLAND, FORMER HEAD OF COMPLIANCE OPERATIONS, FIDELITY INTERNATIONAL ON CHANGE LEADERSHIP
Today’s compliance teams are experiencing rapid change. Not only are we living in a time of fast-moving technological innovation and evolving legislation, but the global COVID-19 pandemic has resulted in a dramatic shift in daily life for many professionals. We have all been pushed outside of our comfort zones. Now more than ever, financial firms need to adjust their compliance risk management practices to adequately respond to changes that include a more competitive and expanding marketplace, added regulatory requirements, and an increasingly remote workforce.
Cowland suggests reframing the role of compliance. He explains, “Compliance needs to be multi-disciplinary. Teams must be more well-rounded with individuals that have specific operational, technological, and analytical skills and an experienced CCO on top, overseeing the team and building insight based on the data collected.”
Cowland acknowledges the cultural norms in place that make change difficult. For many firms, the hardest part about change is the human aspect. “Onboarding new technology is not that complicated, but the biggest challenge is shifting the cultural mindset of an organization. Every company needs change leaders to pave the way.”
Whether changes are temporary or permanent, Cowland believes that compliance officers will succeed when they embed change within the workplace culture from the inside out.
MURRAY MARKOWITZ, CHIEF COMPLIANCE OFFICER, KROLL BOND RATING AGENCY ON DATA MANAGEMENT
Technological advances have meant that organizations find themselves able to gather more data about their operations than ever before. In turn, regulators are acknowledging the integral role of accurate and meaningful data in operating an adequate compliance program.
As firms improve their use of data analysis to monitor the adequacy of compliance risk management programs, regulators all over the world are trying to keep pace by updating guidance and supervisory strategies.
Markowitz states, “Firms need to make sure not only that the information they get is complete, but that it is used in a meaningful way. In other words, brute force data analysis on its own is not enough; good compliance risk management requires subject matter expertise coupled with good judgment to distinguish the signal from the noise in all those data.”
Some suggestions, according to Markowitz, are ensuring that compliance has access to all information relevant to effectively managing compliance risk, providing compliance with relevant information technology/data analytics skills, utilizing data analytics in monitoring/auditing, creating automated dashboards/reports for monitoring compliance, leveraging technology to provide for the delivery of effective compliance and ethics training, and utilizing technology to facilitate the risk assessment process.
Today’s CCOs need to understand data, or at the very least, hire people with data management skills. “Comprehensive recordkeeping of compliance monitoring and verification procedures are essential to provide regulators and investigators a clear indication that a strong culture of compliance has been established within the organization,” Markowitz says.
NICK TASSELL, HEAD OF COMPLIANCE, MONTAGU PRIVATE EQUITY ON TAKING CONTROL OF CONFLICTS
Managing the flow of sensitive information is a crucial step in preventing potential instances of market abuse, insider trading, and other conflicts of interest. To do this, however, requires the analysis of an ever-growing amount of data, which can be challenging without the right tools, processes, and procedures in place.
Tassell, Head of Compliance at Montagu Private Equity, explains that firms of all sizes should implement conflict management procedures to proactively identify risks and ensure compliance. “While the largest banks may have separate dedicated teams called Control Room, whose main role is to focus on information barriers, conflict management, and market abuse,” he says, “many of these same considerations are going to be relevant to firms of all types and sizes.”
A Control Room function empowers associates within a firm to participate in building a culture of compliance by proactively informing compliance teams of potential conflicts. By streamlining this process with automated workflows, more people at the firm are likely to come on board, knowing that the process is both efficient and secure.
THE RELATIONSHIP BETWEEN REGULATORS AND TECHNOLOGY
One of the biggest challenges CCOs and other compliance professionals face is being able to identify, implement, and leverage the right tools to mitigate risk. However, nearly every firm agrees that compliance software solutions are no longer a nice-to-have, but a necessary requirement.
The SEC, FINRA, and other regulators have embraced the use of technology to help them mine vast amounts of data to spot patterns and issues. Under increasing budget pressure themselves, turning to technology has enabled these agencies to do more with less.
By dedicating resources to improving technological efficiency, regulators have made it clear they are committed to enhancing surveillance and oversight.
SEC
• Office of Compliance Inspections and Examinations (OCIE)
Uses technology to parse and analyze data to identify firms for examination.
• Technology Controls Program (TCP)
Ensures clearing agencies and securities exchanges have measures in place to maintain ongoing system functionality.
• Market Abuse Unit
Uses artificial intelligence (AI) and machine learning to detect insider trading and other potentially problematic activity.
• Consolidated Audit Trail
This tool will require broker dealers to report certain information about each trade to a central repository, giving the SEC and SROs the ability to query and extract data.
• FINHUB
Released in October 2018, FINHUB is intended to help facilitate the SEC’s involvement with technology entrepreneurs, innovators, and developers. It serves as a one-stop resource for information and connecting with the SEC about artificial intelligence/machine learning, automated investment advice, blockchain/distributed ledger, and digital marketplace financing.
In December 2020, the SEC announced that the SEC’s Strategic Hub for Innovation and Financial Technology, commonly referred to as FinHub, will become a stand-alone office, strengthening the SEC’s ability to continue fostering innovation in emerging technologies in markets consistent with investor protection.
• Cryptocurrency
In 2019, the SEC expanded its enforcement over cryptocurrency, investigating advisors to evaluate how firms are holding cryptocurrency assets and whether price manipulation is a concern.
• Regulation Crowdfunding
The SEC permits issuers to facilitate securities offerings using crowdfunding technologies. As a relatively new way to raise capital, the SEC’s rules are designed to protect investors and issuers alike by setting investment limits and creating a regulatory framework.
FINRA
In addition to the mainstays that firms have known for years, like the Central Registration Depository (CRD), the Investment Adviser Registration Depository (IARD), Investment Adviser Public Disclosure (IAPD), and BrokerCheck tools, FINRA has recently implemented cloud computing and other tools that allow it to oversee up to 75 billion transactions in securities markets every day.
In 2018, FINRA notably announced its intention to overhaul CRD and other systems, implementing a new WebCRD interface on June 30, 2018. The systems overhaul is expected to be completed this year, ultimately making the system easier for firms, investors, and regulators to use. By leveraging information from other FINRA systems, the revised CRD tool is expected to help firms enhance compliance while lowering the cost of compliance.
In November 2020, FINRA hosted a virtual AI Conference to bring together regulators and leaders across the financial services industry to discuss the use of artificial intelligence and related opportunities and challenges. You can listen to or read a full transcript of the podcast of one of their first conference sessions here: “Industry Views on the Current and Future State of Artificial Intelligence.”
2021 REGULATORY PREDICTIONS
FINRA and the SEC’s stated examination priorities for 2021 provide a useful look at the areas that regulators will be focusing on this year.
SEC EXAMINATION PRIORITIES
SEC regulated firms should review the agency’s stated 2021 Examination Priorities in full. These priorities can be broken into seven main areas:
- Retail Investors
There will continue to be an emphasis on the protection of retail investors, particularly seniors and individuals saving for retirement. Examiners will focus on investments and services marketed to retail investors including mutual funds and exchange-traded products. They will also continue to prioritize examinations of RIAs, dually-registered or affiliated firms, and broker-dealers.
- Information Security and Operational Resiliency
The increase in remote operations as a result of COVID-19 has elevated concerns about information security and operational resiliency. Therefore, the SEC will pay particularly close attention to whether firms have taken appropriate measures to safeguard accounts, oversee vendors, address malicious email activities, and manage operational risks associated with the dispersal of employees in work-from-home environments. RIAs should anticipate increased examiner interest in all of these areas.
- FinTech
Rapid technological advancement has changed the way firms comply with regulatory requirements and transformed interactions with clients and customers. Examinations will focus on the use of RegTech in firms’ compliance programs and evaluate whether firms are operating consistently with their representations to customers. There will also continue to be an assessment of market participants engaged with digital assets.
- Anti-Money Laundering
SEC examiners will continue to prioritize assessments of broker-dealers and registered investment companies for compliance with their AML obligations. Among other areas, they want to see that firms have established proper customer identification programs, are satisfying their SAR filing obligations, and are conducting due diligence on customers.
- LIBOR Transition
Examinations will assess firms’ understanding of any exposure to LIBOR, their preparation for the expected discontinuation of LIBOR, and the transition to an alternative reference rate.
- Market Infrastructure
SEC examiners will continue their focus on a variety of compliance measures used by Transfer Agents, Clearing Agencies, SCI entities, and national securities exchanges.
- FINRA and MSRB
OCIE continues to conduct various oversight examinations and inspections of FINRA and will make detailed recommendations to improve FINRA’s programs, future examinations, and risk assessment processes. Similarly, OCIE will oversee, examine, and evaluate the effectiveness of MSRB’s policies, procedures, and controls.
This list provides an indication of the areas OCIE might cover during examinations. The examination priorities can help compliance leaders and teams plan strategies and evaluate potential risks and controls. However, it is not an exhaustive list and CCOs should ensure that all aspects of their compliance programs are designed to prevent, detect, and correct violations.
FINRA EXAMINATION PRIORITIES
FINRA publishes its own examination priorities each year. FINRA member firms should read the full text of the SRO’s stated 2021 examination priorities.
Some key areas of interest that will impact compliance programs across a large population of member firms include:
1. Reg BI (Best Interest) and Form CRS (Client Relationship Summary)
2. Consolidated Audit Trail (CAT)
3. Cybersecurity
4. Communications with the Public
5. Best Execution
6. Variable Annuities
CONCLUSIONS
Across all industries, 2020 was a disruptive year. Firms have had to adapt in creative ways, and regulators, too, have had to think of new ways to operate and new areas to investigate.
In the future, CCOs must ensure that they are paying attention to every significant change. By staying informed, you can revise your methodologies, policies, procedures, and controls at short notice, based on the needs of the moment.
With the increased uncertainty, it is vital that you get the fundamentals right. By leveraging the power of compliance technology, you can turn challenges into moments of growth and enable your compliance team to progress successfully into the future.
Use this CCO Playbook as a guide. It will keep you informed and give you access to key resources.
As a result, you should be able to simplify the complex movements within the industry and direct your maximum focus on improving your firm’s compliance efforts.