By James Hamilton, J.D., LL.M.
In a letter to SEC Chairman Christopher Cox, Senator Charles Grassley asked the Commission to remedy its failure to tap investigative resources provided by the SROs by implementing a plan allowing the SEC to consider such information as part of its work to safeguard market integrity. Sen. Grassley, Ranking Member on the Finance Committee, made his appeal following the completion of a new GAO audit indicating that the securities industry reports mountains of information about suspicious transactions but SEC computer systems cannot search the data. The senator asked for an explanation of why the SEC has been so slow to act on this matter and a description of the Commission’s plans for ensuring that the SEC begins to routinely obtain and review internal SRO audits and investigations. SROs include the New York Stock Exchange and the Financial Industry Regulatory Authority.
The GAO report is the second of two reviews that Sen. Grassley requested as part of his congressional oversight work. The first report, issued in September, criticized the SEC for failing to close cases and keeping them open for years even though there was no ongoing investigation. Both requests stemmed from allegations made by a fired SEC Enforcement Division attorney and, according to the senator, in both cases the GAO findings validated those charges.
In the senator’s view, the SEC also needs to review the internal audits that the SROs put together in order to make sure they are credible and even-handed. Reliance on SROs to police their members can work effectively only if their operations are open and transparent, said the member, who was disturbed to learn that the SEC does not obtain copies of internal audits and investigations conducted by SROs.
According to the GAO, he continued, it recommended four years ago that the SEC routinely use such internal audits and investigations to plan and conduct inspections of SROs. The SEC did not implement that recommendation. Recent SEC guidance calls for SROs to merely allow on-site access to internal documents during SEC inspections. The senator emphasized that this is not an adequate substitute for actually implementing the GAO recommendation by obtaining copies and reviewing the documents to inform the planning of SRO inspections.
He urged the SEC to ensure that Commission staff obtain and review internal SRO audit reports on a routine basis. While the SEC told GAO that it intends to study and consider how reliable such reports may be, he noted, that does not go far enough toward implementing GAO's recommendation from four years ago. If the SEC had begun routinely obtaining these reports four years ago, remarked Grassley, it would already have an idea of how reliable they are. It should not take this long to do something so basic, he said. Given that the SROs are entrusted with direct regulation of the securities industry, there is no excuse for them being anything less than completely transparent to the SEC.
For its part, the GAO made three recommendations designed to strengthen the SEC’s oversight of SROs. First, the SEC chair should establish a written framework for conducting inspections of SRO enforcement programs and broaden current guidance to SRO inspection staff to have them consider to what extent they will use SRO internal audit reports when planning SRO inspections. Second, Market Regulation should make certain that SROs include in their periodic risk assessment of their IT systems a review of the security of their enforcement-related databases, and SEC staff should review the comprehensiveness of the related SRO-sponsored audits of SRO enforcement-related databases. Third, the SEC should ensure that any software developed for tracking SRO inspections includes the ability to track SRO inspection recommendations and consider IT improvements that would increase the staff’s ability to search for, monitor, and analyze information on SRO advisories and referrals
More broadly, the GAO noted that, despite the inherent conflicts of interest because of the dual role of SROs as both market operators and regulators, Congress adopted self-regulation, as opposed to direct federal regulation of the securities markets, in order to prevent excessive government involvement in market operations. But part of this arrangement is that, for industry self-regulation to function effectively, the SEC must ensure that SROs are fulfilling their regulatory responsibilities.