Friday, May 17, 2019

OCIE head highlights key compliance considerations, potential internal controls enhancements

By Amy Leisinger, J.D.

In recent remarks, the SEC’s Office of Compliance Inspections and Examinations Director Peter Driscoll urged chief compliance officers and firms as a whole to remain vigilant in their efforts to protect investors. According to the director, to effectively protect retail investors, these individuals and entities should consider the effectiveness of their anti-money laundering programs and efforts to keep pace with technological changes and attendant cybersecurity concerns. He also identified issues surrounding microcap securities and safeguarding of client assets as potential compliance concerns that could directly affect investors.

AML. Certain financial institutions are required to maintain AML programs and report suspicious activity to the Financial Crimes Enforcement Network, which helps authorities to pursue misconduct that could threaten investors and market integrity, Driscoll noted. Broker-dealers and mutual funds should take care to ensure that their programs are tailored to address the risks specifically associated with their respective businesses and consider their size and activities and the types of transactions in which their customers engage when determining whether their programs are reasonably designed to mitigate risks, according to the director. Firms also need to take reasonable steps to address red flags identified through AML monitoring and should periodically reassess their AML programs to address emerging risks and evolving business practices, he said.

“Unfortunately, OCIE examiners continue to identify firms that are not conducting independent tests, are not conducting tests on a timely basis, or conduct ineffective tests that cannot identify failures in the firm’s AML program,” Driscoll noted.

Cybersecurity. Ensuring that firms have effective cybersecurity and technology controls has been and remains an OCIE priority, according to Driscoll. OCIE has recently identified risks associated with storage of customer information in connection with certain network solutions, including those using cloud technologies, he explained. Driscoll also stated that examination teams have observed that some firms’ policies and procedures did not cover standard security features such as encryption and password protection. In addition, the director noted, some firms’ policies and procedures did not sufficiently address requirements for implementing secure configurations and/or engage in comprehensive vendor management.

“Strong and effective cybersecurity is critical to protecting clients’ and consumers’ privacy,” he stressed.

Microcap securities. OCIE continues to prioritize elimination of microcap fraud and remains vigilant in monitoring for manipulative market schemes that threaten to harm investors, Driscoll stated. OCIE plans to examine the role of transfer agents in the issuance of microcap securities and the removal of restricted-stock legends and will also examine firms’ adherence to quotation requirements under the SEC’s rules, he noted. The director urged firms to scrutinize red flags of fraud and manipulation when publishing quotations of over-the-counter securities.

Safeguarding assets. “Safeguarding of client funds is at the bedrock of investor protection,” Driscoll explained, and firms should never become complacent in efforts to ensure that safeguarding frameworks are effective. OCIE examines broker-dealers for compliance with customer protection rules, but technological developments have changed the landscape since rules were first adopted and firms must adapt, he noted. As such, the director encouraged firms to consider new and emerging risks when evaluating processes for safeguarding customer funds in their possession.

“Strong safeguards protect investors, firms and the marketplace—and are in everyone’s interest,” Driscoll concluded.