What just happened?
Remarks made by OCIE Director, Peter Driscoll at the National Regulatory Services (NRS®) Spring 2019 Compliance Conference on April 29 are causing investment advisers and broker-dealers to reconsider how they determine the appropriate amount of resources to direct to compliance.
In a speech titled “How We Protect Retail Investors”[1] Mr. Driscoll said the following:
We cannot underscore enough a firm’s continued need to assess whether its compliance program has adequate resources to support its compliance function. For without adequate resources, compliance professionals are like swimmers swimming against the tide constantly working to keep up and not lose ground. We are concerned when we hear directly from industry participants and read press reports that compliance resources and budgets are being cut or are not keeping up with firms’ risk profiles.
These remarks have spurred IAs and BDs to revisit one of the fundamental compliance questions: How do I know I’m doing enough?
What does this mean?
It is clear from Mr. Driscoll’s speech that examiners will assess how firms determine what resources must be directed to compliance. A generous compliance budget is one way of demonstrating a firm’s commitment to compliance (the “tone at the top”) that the SEC looks for. However, there is no universally-accepted metric for evaluating whether a compliance program has adequate resources.
Some compliance professionals look to the percentage of the firm’s revenue allocated to compliance, with some suggesting that 5% of revenue is an appropriate target. However, a fixed percentage of revenue may not be reasonable for all firms, as different firms may have widely different needs based on their business models.
The size of the firm is also a complicating factor in trying to develop such a guideline because, for example, 5% of revenue may be too little for a small firm, while 5% of a large firm’s revenue may be more than adequate to meet their compliance needs.
While it is understandable that market participants desire that the SEC or FINRA proclaim a “rule-of-thumb” that allows them to feel confident that they’re doing enough, the reality is that it is implausible to adequately address the wide variety of businesses and constantly changing circumstances firms face in a one-size-fits-all model.
Immediately following the 2009 market crash, then-OCIE Director Lori Richards pointed out that compliance resources may need to increase even as firm revenue is decreasing:
As you know, under the Compliance Rule, compliance policies and procedures should be designed to prevent violations from occurring, to detect violations that have occurred, and to correct promptly any violations that have occurred – and they must be adequate to this task.
At the SEC, many of us have cautioned against making resource reductions to compliance programs that could undercut their effectiveness.
In conducting the annual review of the effectiveness of the implementation of the compliance policies and procedures, the CCO will want to consider whether the program has adequate resources. If a lack of resources undercuts the CCOs ability to perform an effective review, or undercuts the effectiveness of their implementation, the CCO should include this information in the CCO’s annual report or other indication of the annual review.[2]
Rather than look to a fixed percentage of revenue, other compliance professionals suggest regularly re-evaluating a firm’s risk profile and allocating resources based on the perceived risk.
The NRS Spring 2019 Compliance Conference also included a presentation titled “How Do I Know I’ve Done Enough?” by Steven Trigili, the CCO of Garden State Securities, Inc., and Rob Stirling, Executive Consultant with NRS. The presentation offered a hierarchy of reviews for identifying and addressing gaps in a compliance program:
- Review the firm’s most recent regulatory review or action
- Thoroughly update risk assessments – regularly revisit nature and scope of risks. Begin with currently mandated risk assessments in these areas:
- Compliance
- Identity theft
- Cybersecurity
- Complete and regularly revisit the annual review of policies and procedures – incorporate findings in risk assessments
- “Closing the circle” of agreements, disclosures, procedures and marketing materials to ensure they are consistent
- Verify accuracy of all disclosures, contract provisions, etc. – especially long-standing, “baked-in” statements
- Ensure that all delivery and updating requirements have been met
- Stay current on recent news, regulatory guidance, enforcement actions, etc.
What do I do next?
Be prepared to explain to an SEC examiner your process for allocating resources to compliance. If you do not have a formal process, but instead allocate resources on an ad hoc basis, consider reviewing your recent decisions and documenting the rationale behind those decisions.
There is no bad time to review the resources your compliance program needs. Use the hierarchy of reviews listed above to see if there are areas that may need immediate attention. In making your resource assessment, be sure to include time and personnel as well as monetary expenditures. If you conclude that your compliance program is under-resourced, share your findings with senior management.
How can NRS help?
NRS offers a wide variety of technological, educational and consultative services that can help firms to identify potential problems and develop practical solutions for those problems. One of our most popular offerings is the NRS Partnership Program that includes an annual review of compliance needs and results in a budgeted compliance cost for the coming year.
Please contact us and we’ll develop a package of services customized to the specific needs of your firm.
If you would like to develop a package of services customized to the specific needs of your firm, contact us today.
[1] https://www.sec.gov/news/speech/speech-driscoll-042919#_ftnref17
[2] Compliance in Today’s Environment: Step Up to the Challenge. https://www.sec.gov/news/speech/2009/spch031209lar.htm#P87_16144