SEC Risk-Based Exam Navigation

Utilize FINRA’s RCA Survey for SEC Examination Prep

Many Investment Advisers pay little attention to the Financial Industry Regulatory Authority’s guidance and news items.  This is a mistake, not only because FINRA has been out in front on issues such as Business Continuity, Identity Theft, AML, and Cybersecurity, but it appears more likely than ever that we are looking at a unified compliance approach, if not the potential for outright FINRA management of RIAs in the future. Yes, “FINRA as the SRO,” is a concept which many investment advisers do not like but should acknowledge as possible.  From a practical standpoint, FINRA is providing actionable guidance for subjects like Cybersecurity, which can be of assistance to Investment Advisers…

 

   

Exam Priorities

FINRA has taken the lead on cybersecurity issues.  The first mention of “cyber attacks” under the subject of “Protection of Customer Information” occurred in the March 24, 2008 Annual Regulatory and Examination Priority Letter.  The concept of cybersecurity was first discussed in March 1, 2010 Exam Priority letter in which FINRA stated:

The financial services industry, like other industries, faces increased information technology (IT) and cyber-security risks. Firms, employees, vendors and customers increasingly rely on technology to support various functions and capabilities. While technology can create efficiencies, it also exposes potential risks, such as individual client account intrusions, system intrusions, hacking, cyber attacks and espionage, data loss, privacy issues, insider threats, corruption of critical supply chain software, and risks involving third-party service providers and industry utilities. Appropriately monitoring and supervising technology-related areas within the firm and vendors helps mitigate this risk.

Notice that FINRA was well ahead of the curve on notions like internal employee and vendor-related risks which are emphasized in current guidance.  FINRA also mentioned, in the same 2010 letter, the “cyber event” as a form of disruption to be considered within your Business Continuity Plan.  The language has not changed much, but broker-dealers were put on notice more than 5 years ago about the potential for cybersecurity issues as part of the examination process.  Investment advisers should review FINRA’s Exam Priority Letters or, at the very least, the current FINRA Letter along with the SEC’s current Exam Priority Letter, both of which, naturally reference cybersecurity.

The Risk Control Assessment (RCA) as a Guide to Future SEC Exams

The RCA, which has been around since 2012, is described by FINRA as:  “an important part of FINRA’s risk-based examination program because it allows examiners to streamline their examinations and focus on areas that may pose a real risk to investors.”  The RCA is still a voluntary process, but FINRA encourages its use in order to create efficiencies in the exam process.  Most broker-dealers interpret this as a not-so-subtle way of stating that, if you do not execute on the RCA, examiners may need to take more time at your firm to make risk-based determinations.  While Investment Advisers must provide their own specific and descriptive disclosures within Form ADV, parts 1A and 2A, FINRA’s RCA is both an important information gathering tool and a means of understanding what is critical to the regulator.

A quick read of the RCA survey begins with the section entitled “Risk Governance.”  The assessment immediately dives into issues of Enterprise Risk Management and Governance which we have emphasized as important in past posts and bulletins (see Innes Weir’s post “3 Principles of Governance”):

  • Does your firm have a formal process in place to periodically assess and prioritize the risks it faces?
  • Who is ultimately accountable to the CEO and Board of Directors for managing risks in your firm?
  • Does your CEO, Executive team, and Board of Directors receive a report listing the firm’s main risk exposures, and with what frequency?

 

The SEC has emphasized Enterprise Risk Management in past years, and this goes hand-in-hand with the concept of the risk-based examination approach.  These RCA questions are very similar to the SEC’s examination agenda and could be what you hear from the SEC at the outset of an exam.  In fact, these are good notions to rehearse as there is a well-understood expectation that RIA’s will have risk management mechanisms in place.

IT Security and Cybersecurity have also been identified by federal, state, and agency initiatives as best served by a risk-based approach.  This fits well with the notions of the Enterprise Risk Management expectations of the SEC and the NIST CSF tenet that cybersecurity risk be considered within your firm’s risk process.  The second and extensive section of the FINRA RCA is “Cybersecurity” in which the following questions are posited (to name just a few):

  • Does your firm manage or store any customer personally identifiable information (PII) i.e. any information about an individual maintained by a firm, including any information that can be used to distinguish or trace an individual’s identity such as name, social security number, birth date and place?

This critical question underscores business and regulatory risk and also goes to the heart of the major concern of State law regarding breach notification with respect to PII.

  • How frequently does your firm report to executive management on the implementation and effectiveness of the firm’s cybersecurity program?

  • Has your firm performed a cybersecurity risk assessment in the past year to identify key cybersecurity risks (this can include a risk assessment performed at the enterprise level that includes the Broker Dealer)?
  • Does your firm plan to perform a cybersecurity risk assessment within the next twelve months?

 

Conclusion

The Risk Control Assessment proceeds to ask specific questions regarding breach. RIAs can benefit from understanding this risk-based survey for both compliance and IT security issues.  Investment advisers have already put to use FINRA’s templates for Business Continuity, Red Flags (Identity Theft), and Anti-Money Laundering, which have served as standards.  For example, we have seen SEC deficiencies written to RIAs who were missing one or more of the 10 Critical Elements defined in FINRA’s BCP template under Rule 4370.  In this case, FINRA is serving the purpose of defining regulatory expectations which may be lacking in SEC guidance and also assisting regulators in determining baselines.

In addition, the rumblings are back concerning a pending SEC Rule which requires AML policies and procedures for investment advisers.  Once again, this is an area in which FINRA has provided a light.  The Risk Control Assessment, which stresses ERM and Cybersecurity, could be a precursor to the SEC data gathering process of the future.

Finally, we have mentioned in several other posts that FINRA’s February “Report on Cybersecurity Practices” is comprehensive and offers detailed guidance in key areas which can be of assistance to investment advisers.

FINRA’s Exam Priority Letters
https://www.finra.org/industry/annual-regulatory-and-examination-priorities-letters

SEC’s 2015 Exam Priority Letter
https://www.sec.gov/news/pressrelease/2015-3.html

FINRA’s Risk Control Assessment
https://www.finra.org/industry/risk-control-assessment-rca-survey

FINRA’s Report on Cybersecurity Practices
https://www.finra.org/file/report-cybersecurity-practices

 

FINRA Resources which can, and in many cases, are used by advisers:

FINRA’s BCP Template
https://www.finra.org/industry/small-firm-business-continuity-plan-template

FINRA’s Red Flags Template
https://www.finra.org/industry/sec-identity-theft-red-flags-rule

FINRA’s AML Template
https://www.finra.org/industry/anti-money-laundering-template-small-firms