SEC national exam priorities: outlook 2018

Tom Angell of WithumSmith+Brown says there are four new areas of emphasis for the regulator’s rulemaking and enforcement strategy as it picks up momentum.

In early February, the private equity industry finally gained some insight into the current administration’s priorities with the release of the Securities and Exchange Commission’s national exam priorities for 2018. Pause. Wasn’t President Trump in office in 2017? Yes, but the 2017 priorities were a pre-Trump rollover. The good news: despite the new administration and the appointment of SEC chairman Jay Clayton, the newest priorities remain consistent with last year. The bad news: the SEC’s rulemaking and enforcement strategy is picking up momentum.

In the aftermath of over 2,870 examinations in 2017 – an 18 percent increase over 2016 – and release of the 2018 SEC Office of Compliance Inspections and Examinations examination priorities, one thing is certain: The SEC is not backing off its examination process any time soon. As a matter of fact, the latest 16-page document not only renews its zeal for risk-based examinations, technology, big data and transparency, it also introduces four new areas of emphasis. As a result, the introduction of these compliance programs is garnering the attention of private equity firms, broker-dealers and hedge fund managers. Specifically, these include:

  • Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board
  • Cybersecurity
  • Anti-money-laundering programs
  • Cryptocurrency

FINRA and MSRB

In an effort to shore up investor protections and market integrity through regulation of broker-dealers, FINRA exams are zeroing in on operations and regulatory programs. As its website states, this is in “order to advance its mission to deter misconduct, impose disciplinary action and detect and prevent wrongdoing in the US markets.” In short, the authority will continue its oversight of 3,700 broker-dealers and 630,000 brokers by executing compliance exams that foster market transparency.

In a similar vein, MSRB examinations will concentrate on broker-dealer activities that involve the effectiveness of select operational internal policies, procedures and controls. Both FINRA and MSRB will assess whether broker-dealers have implemented best execution policies and procedures that are consistent with regulatory requirements, as they pertain to municipal and corporate bond transactions.

Cybersecurity

It should come as no surprise this is an area of tremendous unease – and potential damage – to all industries. Therefore, it also should be no shock to PE that cybersecurity was assigned a greater priority by the OCIE in its 2018 standards. The greatest indicator that the SEC was beginning to clamp down on cyber-risk was the creation of the cyber unit within its division of enforcement late last year. This new unit was born out of major cyber-breaches with far-reaching consequences at home and abroad.

Ongoing concerns fed by these well-publicized cyber-breaches were the catalyst for pushing cyber-risk to the forefront of the OCIE’s exams. Among the key areas under the microscope: access rights and controls, data loss prevention, vendor management, training and incident response. By targeting cyber-related misconduct, the SEC is heightening its monitoring of incidents as well as of cyber-threats to critical market infrastructure.

This move demonstrates the SEC’s mounting apprehensions regarding:

  • Hackers accessing material and non-public information
  • Account intrusions to conduct manipulative trading
  • Dissemination of false information to manipulate stock prices

According to WithumSmith+Brown’s cyber security services group, cyberattacks in the US have grown by 144 percent in the past four years. While the scope and severity of cyber-threat risks continue to rise, the SEC is clearly taking a more proactive role in reducing the impact of cyberattacks.

The SEC’s objective to squash the damage of these types of attacks extends well beyond the compromised firm to market participants as well as investors. Of course, the SEC is not limiting its new role to just identifying and managing cybersecurity risks. It is encouraging and mandating private equity funds and market participants to effectively and proactively engage in this effort by shoring up assets and information.

Security is just one piece of the cyber secure ecosystem puzzle. Other critical components and steps involve:

Identification: Know what your most appealing information is for hackers

Protection: Measure your level of preparedness and make sure you have adequate safeguards in place to protect assets and investors

Detection: What measures do you have in place to even know if you were attacked?

Response: Have a clearly defined plan in place to contain a cyberattack’s impact

Recovery: Implement a plan to restore your capabilities as well as your reputation

Anti-money-laundering programs

This new area of concentration is – by design – geared toward broker-dealers and investment companies. Be mindful that advisors are not required to adopt AML programs. For broker-dealers and investment companies, the SEC’s ultimate objective is to ascertain whether firms are taking reasonable steps to not only understand the nature of customer relationships, but to sufficiently address risks. Under the 2018 mandates, OCIE also will verify that firms are filing timely, complete and accurate Suspicious Activity Reports with the Financial Crimes Enforcement Network. It is paramount to file these reports wherever and whenever suspicious activity is detected. 

In short, AML program rules require institutions to establish written programs to identify their customers, perform customer due diligence and monitor accounts for suspicious activity. SEC reviews will most certainly encompass the customer due diligence requirement and determine whether these entities are taking reasonable steps to understand the nature and purpose of customer relationships. Not only that, they also will consider whether these entities are properly addressing any and all risks. Specifically, the SEC will evaluate timely filing of complete and accurate SARs as well as whether these entities are conducting robust and timely independent tests of their AML programs.

This new area of emphasis reinforces that OCIE is not backing off AML programs or its renewed scrutiny to ensure firms are conducting sufficient – the key word here – independent reviews. The SEC’s end game is to determine whether regulated entities are appropriately adapting AML programs to address their obligations.

Cryptocurrency, initial coin offerings, secondary market trading, and blockchain

Another area identified by the SEC that is undergoing rapid growth and presenting a number of risks is cryptocurrency and the ICO markets. As a result, the number of broker-dealers and investment advisors in this space continues to grow exponentially. Not only is the SEC monitoring the sale of these products; where the products are securities, it is also examining for regulatory compliance. Once again, the commission’s focus is whether financial professionals are maintaining adequate controls and safeguards to protect these assets from theft or misappropriation.

Another important question: Are financial professionals providing investors with disclosure about the risks associated with these investments, including the risk of investment losses, liquidity risks, price volatility and potential fraud? This is the first time the OCIE has addressed cryptocurrencies, which are the direct outgrowth of FINRA.

In addition to monitoring the sale of products in the cryptocurrency and initial coin offering markets, the OCIE also is examining for regulatory compliance where products are securities. Their goal is to review whether sufficient safeguards are maintained to protect these assets and whether financial professionals are adequately disclosing all of the potential risks associated with these products.

What’s old is new

Now that the OCIE has established what is new, industry professionals may find themselves asking: what is being carried over? Rest assured, the commission is continuing to concentrate on several recent initiatives that have gained traction over the course of the past several years. These include:

• Risk-based examinations

The OCIE is continuing to take aim at higher-risk firms with more frequent and more intensive examinations. Although the OCIE has not disclosed details regarding how they will make their risk-exam selections, rest assured they are forthcoming. Former SEC chairwoman Mary Jo White shifted OCIE resources from broker-dealer to advisor examinations, with the expectation that FINRA would fill the gap created between these two groups. In contrast, the 2018 priorities report is devoid of any reference to continuing this same practice. However, SEC chairman Clayton has identified this as a priority and the industry can expect the percentage of investment adviser exams to rise in 2018.

• Big data

The SEC’s emphasis on employing technology and data analytics – initiated by White and carried forward by Clayton – remains unwavering. In the past, the SEC has pledged to aggressively pursue the mining and analysis of data that is already in the commission’s possession to flag possible violations and misconduct. The SEC firmly subscribes to the philosophy that utilizing and refining data-analytic tools more often will enhance the detection of violations to improve the efficiency of – and ability to conduct even more – examinations.

• Greater transparency

Transparency is defined as the timely, meaningful and reliable disclosures about a fund’s financial performance in order to allow investors to make informed investment decisions. This basic characterization will most certainly be expanded in this new OCIE era following five Risk Alert Report publications in 2017. Expect the continued roll-out of even more compliance recommendations rooted in OCIE exam findings in the months ahead.

A little more than a year ago, the PE industry was experiencing a great deal of uncertainty and unpredictability regarding where it was headed. Less or more scrutiny? That was the question. It seems we now have an answer, to some degree, with the release of the SEC national exam priorities for 2018.

While the mandates are by no means exhaustive, they can be amended at any time as deemed necessary by the commission leadership. One thing is clear: the SEC is continuing its march toward a more entrenched presence in the private equity arena. Past regulations the commission has worked so hard to impose since 2010 have officially been extended to new areas and/or a wider net has been cast. As a result, PE will have no choice but to adhere to industry practices and enforcement trends to minimize potential inquiries and disciplinary action, which promises to be on the rise. The best advice going forward: Comply. Comply. Comply. PE’s future course has been charted, at least for the next two-and-a-half years.