The Regulatory Examination Process has clearly evolved in positive directions over the past several years. Thanks in part to these prior process improvements, the SEC, CFTC/NFA and FINRA are able to conduct regulatory exams virtually in response to the COVID-19 pandemic, and member firms are generally able to respond to regulatory requests in kind. Examination staff prepare requests remotely and serve them digitally upon member firms. Member firm response teams can typically access firm documents remotely and coordinate timely production of responsive information without needing to be present in the office.  The growth, development and increased use of data analytics in risk-focused exams has effectively demonstrated both regulators’ capabilities to conduct, control and apply automated surveillance to the examination process and the industry’s ability to meet their obligations.  

The OCIE has published its 2020 exam priorities, and key examination themes include (i) conflicts of interest, (ii) cybersecurity and cyber risk assessment, and (iii) chasing Alpha through alternative investment or alternate data providers, which in turn leads to concerns about sourcing, data protection, controls and governance.[1] This Client Alert presents observations about the impact of COVID-19 on the exam process, focusing on technical developments in the exam process, and considers whether current methodologies are in fact a blueprint for the future. 

Regulatory Key Inquiry Areas

1. SEC Investment Adviser “full scope” exams have narrowed to focus on responses to a smaller set of preliminary firm requests. The smaller set of initial requests reflects the SEC’s increasing use of a risk-based approach that relies on the agency’s data extraction, aggregation and analysis capabilities. In other words, regulators are now using a well-developed understanding of firms’ enterprise risks to reduce the responsiveness burden on member firms and to focus on key areas of inquiry.
2. SEC’s National Exam Analytics Tool (“NEAT”) data requests now are based on a deep qualitative analysis of trading performed in advance of the request process that is designed to generate inquiries into: affiliated transactions, Board oversight of risks, third party advisers and portfolio managers, CCO communications with Board Committees, valuations, Administrator relationships and firm performance.
3. OCIE and Enforcement utilize their text recognition tool to review member firm filings. Consultants’ reports can be analyzed as ‘road maps’ for the examination probes if made available and not protected by a privileged engagement.
4. The regulators continue to analyze internal controls, firm risk assessments, cybersecurity issues (see Department of Homeland Security Releases) and whether firms’ due diligence processes are adequately reconciled to the firm’s books and records and to current regulatory requirements. Firms should expect that regulators will ask, for example, whether the firm’s escalation and reporting policies and procedures are current; whether the firm is doing its basic blocking and tackling (e.g., whether a firm’s WSPs have been updated and are being followed); and whether ‘lessons learned’ about specific events were appropriately documented and the documentation distributed to key personnel.
5. Performance-related exam requests are increasingly prominent. The GIPS 2017 Risk Alert highlighted ten deficiency areas that constitute key areas of current inquiry: misleading or confusing presentation of performance results; false claims; use of hypothetical performance examples; and adequacy of backtesting are all currently focal points of regulatory interest.
6. Firms should also consider the possibility that regulators increasing technological sophistication may prompt them to lead a focus on ‘never examined before’ funds.

Conclusions

The trends of regulators’ use of increasing technological sophistication in examinations and member firms’ increasing reliance on remote technologies to respond to both routine and ‘cause’ requests have reached a point of intersection during this period of social distancing measures designed to combat the COVID-19 pandemic. We anticipate that, in addition to the enterprise-level risks that regulators’ technologies are designed to isolate, regulators will also focus on risks created by member firm workforces that are operating remotely and, perhaps, in reduced numbers. As a result, firms should be especially vigilant in understanding regulators specific exam requests and documenting their responses to these specialized requests.  It is clear that regulators continue to increase the number of completed exams annually and utilize innovative technologies with a more highly trained staff to meet their priorities.

If you have questions, please contact us

If you have any questions or if you would like to discuss the matter further,
please contact Paul Lieberman or the Scarinci Hollenbeck attorney with whom you work, at (201) 896-4100.

[1] For OCIE’s discussion of its 2020 exam priorities, see, e.g., OCIE 2020 Exam Initiatives Release.  https://www.sec.gov/news/press-release/2020-4