SEC Office of Compliance Inspections and Examinations Issues 2020 Examination Priorities
January 13, 2020
On January 7, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued its annual examination priorities for the coming year (2020 Priorities) (available here). The 2020 Priorities are important for regulated entities, including registered investment advisers (RIAs) and broker-dealers, not only because they outline OCIE’s areas of focus for 2020, but also because OCIE routinely collaborates with the SEC’s Division of Enforcement by referring its examination findings to Enforcement and by supporting the investigations and litigations that result from those referrals. The 2020 Priorities are longer than last year’s version, providing somewhat more detail about OCIE’s target areas this year.1
As in 2019, OCIE is prioritizing the interests of retail or “Main Street” investors, and has RIAs that serve retail investors closely in its sights – including managers of private funds – with a strong emphasis on fees and expenses as well as disclosure of conflicts. Also consistent with last year, the 2020 Priorities highlight cybersecurity and digital assets, AML programs, and issues specific to broker-dealers and municipal securities advisers. In addition, the new Priorities add a section prominently highlighting the importance of compliance programs, make clear that sophisticated investors, complex financial products and managers of private funds fall within the scope of OCIE’s retail investor focus, and address concerns arising from the development of financial technology (fintech).
The Numbers: SEC Aiming to Continue Ramping Up Exams and Referrals to Enforcement
The 2020 Priorities indicate that OCIE will continue its efforts from prior years to increase the number of regulated entities – especially RIAs – that it examines each fiscal year, subject to resource constraints that may impede this goal. In fiscal 2019, OCIE completed 3,089 examinations.2 Though this figure was down 2.7 percent from fiscal 2018, the decrease is not surprising given the federal government shutdown in December 2018 and January 2019 that brought the SEC to a virtual standstill for 35 days. Of the total number of registrants examined, 2,180 were RIAs, 150 were investment companies, 350 were broker-dealers, 110 were national securities exchanges, and 90 were municipal advisers or transfer agents. In terms of industry coverage, OCIE examined roughly 15 percent of RIAs, down slightly from the 17 percent examined in fiscal 2018,3 but still a significant increase from the 10 percent coverage rate it reported for fiscal 2014.4 OCIE will continue to target RIAs that have never been examined, as well as those that have not been examined for several years, in order to evaluate “whether the RIAs compliance programs have been appropriately adapted in light of any substantial growth or change in their business models.”5
The 2020 Priorities also highlight the close cooperation between OCIE and Enforcement, noting that OCIE has so far made over 150 referrals of its exam findings in fiscal 2019 to Enforcement, and “anticipate[s] more to come.” OCIE referrals are a significant source of Enforcement investigations and filed actions, including, to date, numerous settled actions involving RIAs’ selection of higher cost mutual fund shares with 12b-1 marketing and distribution fees when cheaper shares with no such fees were available (the subject of Enforcement’s Share Class Disclosure Initiative in 2018 and 2019) as well as settled actions against advisers to private funds.6 OCIE can be expected to maintain this frequency of collaboration with Enforcement for at least the foreseeable future.
Despite these figures, OCIE cautions that it “does not have sufficient resources to adequately cover the RIA space,” and reports a “significant risk” that resource constraints will limit its ability to maintain its coverage rate given the growth and increasing complexity of the asset management industry.7 The statistics cited in the 2020 Priorities indicate the magnitude of this challenge: in the last five years, the number of RIAs it oversees increased from approximately 11,500 to 13,475; and assets under management of RIAs increased from approximately $62 trillion to $84 trillion.8
Quality of Compliance Programs Front and Center
The 2020 Priorities at the outset stress the critical importance, from OCIE’s perspective, of compliance programs, chief compliance officers (CCOs), firm culture and “tone at the top.” These are not new themes for OCIE, but the 2020 Priorities give them greater prominence, emphasizing this point at the very beginning of the document. Moreover, OCIE’s criteria for evaluating compliance are more precise than in the 2019 version, specifically: (1) whether compliance is “actively engaged” in most aspects of a firm’s operations and is involved at an early stage in business developments such as product innovation or new services; (2) whether the CCO is knowledgeable and empowered with “full responsibility, authority, and resources” to develop and enforce policies and procedures; and (3) “perhaps most importantly,” a commitment from top executives to compliance to set a “tone at the top that compliance is integral to the organization’s success” and that there is “tangible support for compliance at all levels of the organization.”9
Moreover, OCIE is particularly focused on the compliance programs of RIAs, specifically: (1) where the RIA is dually-registered as a broker-dealer, is affiliated with a broker-dealer, or has supervised persons who are associated with unaffiliated broker-dealers, the effectiveness of compliance in addressing risks relating to best execution, prohibited transactions, fiduciary advice and disclosure of conflicts; (2) where the RIA uses third-party asset managers to advise on clients’ investments, the RIA’s due diligence practices and policies and procedures; and (3) the accuracy of disclosures concerning new types of investment strategies, such as environmental, social and governance (ESG) investing.10
Retail Investor Focus Extends to Private Offerings, Complex Products
As in prior years, OCIE is prioritizing examinations of RIAs, broker-dealers and dually-registered firms focused on investments typically aimed at retail investors, including mutual funds, ETFs, municipal securities and other fixed-income securities, and microcap securities, with a particular focus on fees and expenses as well as conflicts of interest. Specific forms of fee and compensation-based conflicts that OCIE is concerned about include, among others: revenue-sharing arrangements between a registered firm and issuers, service providers or others; direct or indirect compensation to advisory personnel executing trades for clients; and failure to aggregate accounts for purposes of calculating fee discounts consistent with the firm’s disclosures.11 In addition to these areas, Enforcement Co-Director Stephanie Avakian in a November 2019 speech pointed to cash sweep arrangements of dually-registered investment advisers and broker-dealers and fee structures of unit investment trusts as priority areas for the SEC.12 We therefore anticipate that OCIE’s exam activity in 2020 will be focused on these issues as well.
In a notable addition, the 2020 Priorities make explicit that OCIE is also targeting firms with respect to more sophisticated investors and financial products. OCIE intends to focus on higher-risk products, including private placements and securities in newer risk areas, including (1) assets that are complex or “non-transparent,” (2) assets involving high fees and expenses, and (3) where the issuer is affiliated with the firm making the recommendation.13 The inclusion of accredited investors and more arcane financial instruments in OCIE’s crosshairs illustrates the breadth and adaptability of the SEC’s “retail investor” theme.
Private Fund Managers Also Targeted
While giving prominence to RIAs serving “Main Street” investors, the 2020 Priorities also make clear that certain RIAs to private funds fall within this category – specifically, those that impact retail investors, including firms that advise separately managed accounts side-by-side with private funds.14 Private fund managers should take note, as the SEC in recent years has been particularly concerned with the management of, and disclosure of conflicts surrounding, co-investing arrangements of RIAs to private funds.15 OCIE also makes clear that it will focus on compliance risks at RIAs to private funds, including undisclosed or inadequately disclosed fees and expenses as well as the use of affiliates to provide services to client funds.
As in 2019, cybersecurity remains an OCIE priority, but the 2020 Priorities provide additional detail about the particular risks that OCIE is focused on, including:
- Proper configuration of network storage devices, information security governance, and security of retail trading information;
- The protection of clients’ personal financial information, including evaluation of: (1) governance and risk management; (2) access controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response and resiliency;
- As to third-party and vendor risk management, oversight of service providers and network solutions, including the use of cloud-based storage;
- Compliance with Regulation S-P (the “Safeguards Rule”)16 and Regulation S-ID (the “Identity Theft Red Flags Rule”);17
- Controls surrounding online access and mobile application access to customer brokerage account information; and
- Safeguards around the disposal of retired hardware that may contain client information or potential network information that could create a risk of intrusion.
Fintech Under Scrutiny
The 2020 Priorities also provide greater insight into OCIE’s interest in financial technology and innovation (fintech), including digital assets and electronic investment advice. OCIE is concerned about the rapid growth of the digital assets market and the risks for retail investors, who “may not adequately understand the differences between these assets and more traditional products.”18 Accordingly, examinations will scrutinize: (1) the suitability of recommendations to invest in digital assets; (2) portfolio management and trading practices; (3) safety of client funds and assets; (4) pricing and valuation; (5) effectiveness of compliance programs and controls; and (6) supervision of employees’ outside business activities.
As to electronic investment advice, OCIE will continue to focus on RIAs that use “robo-advisers,” including their eligibility for SEC registration, cybersecurity policies and procedures, marketing practices, adequacy of disclosures and effectiveness of compliance programs.19
Among the issues OCIE has prioritized with respect to broker-dealers are (1) safety of customer cash and securities and (2) trading and risk management practices. With respect to the former, OCIE will focus on compliance with the Customer Protection Rule20 and Net Capital Rule.21 As to trading and risk management, OCIE intends to focus on trading in “odd lots” (orders under 100 shares), the use of automated trading algorithms, and policies and procedures governing trading risk.22
OCIE also plans to make a point in 2020 of reviewing the compliance of broker-dealers and investment companies with their obligations under the Bank Secrecy Act to maintain anti-money laundering (AML) programs.23 In particular, OCIE will continue to prioritize examining those entities with a focus on: (1) verification of customer and beneficial owner identity; (2) compliance with their obligation to file suspicious activity reports with the Financial Crimes Enforcement Network; (3) conducting customer due diligence as required by the Customer Due Diligence Rule;24 and (4) conducting “robust and timely” independent tests of their AML programs.25
The 2020 Priorities are largely consistent with themes OCIE has stressed in prior years, particularly with respect to the interests of retail investors, heavy emphasis on RIAs’ practices concerning fees and expenses and disclosure of conflicts, and cybersecurity. This year’s list, however, also expands upon and provides more clarity regarding OCIE’s concerns – in particular, its strong emphasis on the role of compliance programs, its inclusion of sophisticated investors and complex products within the bounds of retail investor concerns, and its explicit targeting of private fund managers. Given this updated articulation of OCIE’s top agenda items, RIAs and registered broker-dealers should review and adjust their policies and procedures as needed to ensure that they address specifically and effectively each of the above issues that apply to them. Moreover, RIAs that have yet to undergo an SEC exam, or have not done so in recent years, should be prepared to hear from OCIE and for its staff to take a hard look at these issues in the coming year.
3. 2019 Priorities, supra note 1, at 1.
4. 2020 Priorities, supra note 2, at 4.
5. Id. at 15.
6. Id. at 3.
7. Id. at 4.
8. Id. at 3. OCIE also emphasizes the “complexity, interconnectivity, and dependency” of RIAs on various market participants: over 3,700 RIAs manage over $1 billion in assets; roughly 36 percent manage a private fund; more than 55 percent have custody of client assets; more than 60 percent are affiliated with other financial firms; and approximately 12 percent advise a mutual fund, exchange-traded fund (ETF), or other registered investment company. Id.
9. Id. at 1.
10. Id. at 15.
13. 2020 Priorities, supra note 2, at 9-10. With respect to mutual funds and ETFs, OCIE specifies that it will continue to prioritize exams of financial incentives that may influence the selection of particular mutual fund share classes and probe mutual fund fee discounts that investors should receive pursuant to policies or breakpoints, e.g., discounts based on acquiring managed assets of a certain size. Id. at 11.
14. Id. at 16.
15. The SEC brought an action during fiscal 2019 against a private equity fund adviser for failing to allocate expenses to employee funds and other co-investors that invested alongside the flagship funds managed by the adviser. Matter of Lightyear Capital LLC, File No. 3-18958, IAA Rel. No. 5096 (Dec. 26, 2018), available here.
16. 7 CFR § 248.30(a). Among other things, Regulation S-P requires registered broker-dealers, investment companies and RIAs to adopt written policies and procedures designed to protect customer records and information.
17. 17 CFR § 248.201. Regulation S-ID, inter alia, requires regulated entities to adopt written policies and procedures to identify, detect and respond to identity theft.
18. 2020 Priorities, supra note 2, at 14.
20. 17 CFR § 240.15c3-3.
21. Id. § 240.15c3-1.
22. 2020 Priorities, supra note 2, at 16-17.
23. 1 U.S.C. § 5311 et seq.
24. 31 CFR § 1010.230.
25. 2020 Priorities, supra note 2, at 17-18.