Why Outsourcing Your Testing Makes Sense
By Cat Depasquale, Mark Norman and Candy Palugi
Many firms follow the best practice of using an independent firm every few years to conduct their annual testing. In this period of high compliance turnover, having an outside resource to carry some of the load and provide conflict-free validation and a fresh perspective makes sense. In today’s Oyster Stew podcast, our experts share their insights on the value of having an independent resource provide your testing.
RIA and Broker-Dealer Testing
Registered Investment Advisors (RIAs) must adhere to SEC Rule 206(4)-7. The rule requires an annual review of compliance policies and procedures. Our consultants conduct comprehensive compliance audits and risk assessments. For broker-dealers, establishing and testing controls is vital for maintaining compliance. Our team of CCOs, former regulators, and compliance experts offers independent testing services, from Supervisory, Anti-Money Laundering (AML), branch office examinations and Market Access to email retention system controls.
Several key rules govern supervisory testing and ensure adherence to standards:
- FINRA Rules 3110, 3120, and 3130: These rules mandate that firms maintain a robust system to supervise the activities of associated persons. Additionally, they require supervisory control policies and procedures (SCPs) to test and verify a firm’s supervisory procedures. Firms must also identify principal(s) to serve as a Chief Compliance Officer (CCO) to FINRA. Annually, the firm’s CEO(s) must certify that these measures are in place, designed to achieve compliance with applicable securities laws, regulations, and FINRA rules.
- FINRA Rule 3310: This rule necessitates that firms develop and implement a written Anti-Money Laundering (AML) compliance program. Key components include designating an AML Compliance Officer to FINRA, providing ongoing employee training, and conducting independent testing. Notably, there are no exemptions or exceptions to the requirement of having an AML program.
- The Bank Secrecy Act: Under this act, firms must establish a Customer Identification Program (CIP) and implement procedures for identifying and reporting suspicious activity.
- SEC Rule 206(4)-7: Registered Investment Advisors (RIAs) are subject to this rule, which mandates an annual review of compliance policies and procedures to assess their effectiveness.
Additional Resources
Critical Insights: How to Tackle 3120 Testing
8 Best Practices for Conducting Your Annual Compliance Program Review
Having an AML Program Isn’t Enough – Are Your Firm’s AML Tools and Procedures Effective?
5 Things You Should Review in Your Market Access Program
Branch Exams – Equip Your Firm For Success
Transcript
Transcript provided by TEMI
Libby Hall: Hi, and welcome to today’s Oyster Stew podcast. I’m Libby Hall, Communications Director for Oyster Consulting and with me are our experts – Candy Palugi, Cat DePasquale, Mark Norman, and Evan Rosser. People come to consulting firms in our industry for a variety of reasons. And one of them is to conduct independent testing or reviews of their compliance programs. This podcast is going to explore when it makes sense to leverage an independent resource for these types of projects. Before we get into the benefits of using a consulting firm or other independent resource, let’s talk a bit about the different ways firms can approach their compliance programming. Candy, could you start us off?
Candy Palugi: I think a lot of firms use the risk-based approach as far as doing a good review of what the business currently is. What are regulatory priorities? What are examiners focusing on, what new businesses or occurrences may have happened at the firm? And so they do a risk-based approach in that aspect where instead of maybe testing or reviewing every item that possibly happens at the firm, which takes excessive man hours that we’ve already discussed, most firms don’t have. Then they will just focus in on those higher risk items. See what the firm is doing to be compliant in those areas. How are they matching up to what regulators are seeing, what regulators are looking for that way they can provide a good response back to the management team, or the CCO can get a good feeling for where they are on the high level item.
Some firms may at times think that taking the risk’s worth it on some items; they maybe don’t want to do a full review and kind of document or put into a discoverable piece exactly what’s going wrong at the firm, or maybe they know some things that are not perfect, but you know, they choose to just wait and see. Maybe it won’t be found by examiners or won’t be highlighted in any exam, or maybe they’ll just get lucky and there won’t be an exam. However, when firms take that approach, sometimes what they end up doing is getting into an exam that they maybe didn’t expect. And then things get a lot worse than they ever expected they could. And with enforcement actions and penalties and such, sometimes those don’t turn out so well. So it’s always better for the firms to take a good risk-based approach. And either take the time, put in the resources to do the review themselves or to consult it out to a firm like us who has a lot of experience. We have a lot of people that we can rely on as a team, see what’s happening in the enforcement areas and can help them with those thorough reviews.
Cat DePasquale: I would add that we also have resources available that once these risks are identified, that we can help them to mitigate those risks. Even a risk assessment, very difficult to do a conflict free risk assessment with the people that are employed at your firm. Litigation risk is probably the most expensive when you run into a problem where you have to actually litigate, probably your supervision in some instances. And yeah, that gets very costly. A lot of firms end up settling because the costs are so high. So that should absolutely be part of that section where you need to have a discussion about litigation risk as well as regulatory risk, et cetera.
Libby Hall: Cat, some compliance officers or senior management may hesitate at the idea of paying an outside source to come in and test or do their reviews. Financially, when would it make sense for a firm to invest in testing and reviews?
Cat DePasquale: I think there isn’t a compliance department that exists that doesn’t have to justify their expenses, because they’re not a production area. And nobody has an unlimited budget. I don’t care how big they are. So you do need to do a conflicted risk approach to let the committee, whoever it is that needs to approve the expense, have an understanding of how expensive it can get if you don’t have a good compliance program and you don’t mitigate the potential risks that are out there in your business, and to look at some of the fines, post some of the fines for them, because I doubt that whoever’s approving your budget is aware of the things that have happened in the industry and how much it can cost. So that’s the way I would approach it to give some justification to the budget that’s necessary to get an independent review, to really know where you stand with no conflicts and hopefully some backup support to help you get where you need to be.
Libby Hall: Evan, can you share some examples of projects involving new or updated rules where firms have benefited from using an outside source?
Evan Rosser: Yeah, there are a lot of those right now. We have helped firms in a number of areas. For the SEC registered advisors, there are all new SEC marketing rules that are changing the rules around testimonials and performance advertising, around the use of solicitors, or promoters, as they’re now called. On the broker dealer side, you have Reg BI, which is still fairly unsettled as to what adequate Reg BI disclosures are. And then you’ve got Form CRS and you’ve got DOL rollovers that really apply to both advisors and to broker dealers. And we have been called in to help firms put those initial procedures together. It does take some time to get up to speed on those. And as we’ve all mentioned, it’s hard to do that while you’re performing day to day compliance functions. So to have someone come in and help, understand those rules and put some procedures in place is helpful for some firms but necessary for others.
Libby Hall: Let’s talk about resources. Recently there has been a lot of turnover in the compliance part of our industry. How can firms take advantage of outside resources for their compliance projects?
Evan Rosser: In several instances, we’ve been called in by a new CCO or new management who want us to take a look at the program to see where it’s reviewed. Anytime you do a review or testing of your program, it should be conflict free. Some rules require it. AML 3310, FINRA’s 3310 AML rule, requires a level of independence in that testing. People involved in the AML program can’t be involved in that. And even in some of it in the supervision rule, that testing of internal systems, branches, OSJs needs to be conflict free. And it doesn’t specify exactly what that would be, but it only makes sense that to get a good perspective, a good review of your programs, both compliance and supervisory, that that review is done by people who don’t have any conflicts in that process, and can look at it fresh. And in a number of instances, that’s what new CCOs, new CEOs are looking for when they join a firm.
Libby Hall: CCOs, especially at the smaller or mid-size firms, are often working at or over capacity. So it makes sense from a resources standpoint that smaller or mid-size firms will often outsource their testing and review projects. When does it make sense for a larger firm to use an outside resource or outside consulting firm?
Evan Rosser: Yeah, we have been called in to assist very large firms with large compliance departments. However, they simply don’t have the extra staff for a special project, such as the rules around the new DOL, the ERISA DOL rollover, or the new marketing rules. They need some assistance on special projects, a new initiative, a new regulation that they simply just can’t bring people on board to do. And we’ve done that, both bringing some specialized expertise and some independence and putting something together and helping firms put that in place. And I think what both Cat and Candy, in order to identify your risks, you really need to do an assessment of those risks. You can’t really identify what needs to be addressed until you’ve determined where your risks are. And I’ve seen a lot of 3120 reviews and a lot of 206(4)-7 reviews by advisors where they take a very safe route, and they only cover those things that they know they’ve done.
And it might look good in the file, but I don’t think it’s very meaningful for firms to only review those areas where they think they are safe. Now I understand very well that firms may not want a negative or deficiency filled review in their files for regulators. However, we can work with firms to identify those risks, help mitigate, or remediate those deficiencies in a way that does not result in a big red flag in your files. There’s a way to do that and we just make sure that before we write things up, we have a plan to fix it. We have a plan to address that deficiency. So we don’t have a report full of unaddressed problems in the file.
Mark Norman: Having been a regulator for 20 years, I totally understand what you’re saying. I can see where a firm doesn’t want to have a report that says here’s 5, 6, 7, 8 glaring problems. And then you hand that report over to FINRA. You hand that report over to the SEC. You hand that report over to your state regulator, and then they just follow suit and check the boxes and cite you for all kinds of stuff. Having worked for FINRA for almost 20 years, that’s not an approach that I ever took or that I was ever asked to take, and to get a firm’s internal reports and then just cite them for the work they’ve already done. And I don’t think that any regulator wants a firm that does a good job internally to take the firm’s own internal work and then cite them for those deficiencies that they’ve already found and are hopefully addressing and improving upon. That’s not a tack that I’ve ever seen, but I can see where a firm would be apprehensive. The only time I’ve ever seen, like for example, a 3120 report come into play would be, if FINRA came in and found something completely egregious, then as part of an enforcement action, FINRA might use the 3120 report as either mitigating circumstances or aggravating circumstances depending on what that report found.
Evan Rosser: No, and I think that’s a good point and to their credit and I can’t, <laugh> no one can guarantee this, but I do think regulators and FINRA, particularly, they do not want to use the 3120 review as a map for their exam against firms. They know that would have a chilling effect on a complete and candid review by the firm. And they want firms to do that. And as Mark said, I think the problem would arise, if they find a problem, they may go back to that 3120 and say, okay, did you identify this? And did you address it? Then if they don’t find it there, then you might have a problem. Because in addition to the problem, you’ll probably get hit with, you had an inadequate review or your 3120 was not sufficient. Your procedures around that review were insufficient in that it didn’t identify the problem. So, I would really encourage firms not to be afraid of being candid and thorough in their reviews, because it might be a problem not to be candid more than it would be if you were.
Cat DePasquale: I would equate it to AML where, you know, you get into a lot of trouble, if you ignore red flags. So you do an assessment, there’s a risk and you just totally ignore it. No, that’s not going to fly, but if you’ve looked at it, you’ve come up with a plan to mitigate or eliminate those risks, I don’t see a regulator, even if you haven’t completed your mitigation or remedy, that they would have a problem with that. As long as you’re taking steps to get there, to get it to where it needs to be.
Libby Hall: Evan, you mentioned the importance of a risk assessment. What are some other types of testing and reviews that could benefit from an independent point of view?
Evan Rosser: Well, I can address where independence is very important for a number of reasons, and that was assisting firms with the Form CRS and Reg BI. And in doing both of those documents with firms, we found conflicts, potential conflicts that the firm never recognized. Having someone independent to come in and look at revenue streams and incentives and compensation arrangements. We identified conflicts that we found were material to customers and should be in the Reg BI, should be reflected in the Form CRS, but the firm did not recognize. And we identified those for a number of firms and made sure they were included. And I know we talk a lot about regulators and, you know, making sure that we pass regulatory muster, but when it comes to Form CRS, when it comes to Reg BI, the concern comes also from your customers and your clients. Because if you have a customer complaint, if you have a client complaint, the first document they will review, the first document you will hear about from the customer or from, let’s hope not, the customer’s lawyer is your Reg BI disclosures were not complete. You didn’t disclose this particular conflict. You didn’t identify this issue in your CRS. So it’s not just the regulators who will be reviewing those forms, but it’s also your customers and clients, particularly those that may be dissatisfied or unhappy.
Candy Palugi: Another aspect of the annual reviews for both the broker dealer side and the RIA annual reviews would be considering things like working in the current year’s exam priorities from the SEC or from FINRA, make sure that you’ve reviewed those and are going through what your firm’s doing to address those. That’s somewhere where the expertise of a group of people can be very beneficial to what the firm, what we are seeing with multiple firms, with exams, with regulators. We can offer different perspectives on things that maybe the people, just the people you have in your firm may not consider. Like Evan said, considering all of the conflicts of interest. Sometimes you are so close to the arrangements and the relationships and the firm’s business that you fail to see some of these things and having someone on the outside, come in and take an independent review of that helps as well.
When it comes to branch exams, I think this is where the expertise and the independent look from an outside firm could be very useful to a broker dealer or an investment advisor. Sometimes, actually many times, inside branches when your staff is overworked and just the burdens are heavy for the things that need to be done, oftentimes I think the branch exams become a check the box kind of thing. Or even if you’re not anticipating having it as a check the box item, sometimes again, you’re so close to the business, to the people who are doing the business, that you think you understand everything that’s going on in those branches. And so often an independent look into what really is going on can highlight things that maybe your management has not considered or didn’t even realize was actually going on in the firm. Asking the right questions of the staff and everyone in the firm, observing what’s going on, can sometimes open up conversations to bring out things that maybe management wasn’t aware of, but it’s very important to be aware of. I personally think the branch exam is one of the best resources a firm has, if it’s utilized correctly to be in compliance, to know what’s going on. If you really use those branch exams to find out really what’s going on, to educate the people in your branches, I think you are in a much better position to be compliant to the regulators.
Evan Rosser: There are some reviews that become very complicated and very extensive. And one such review is the annual review required by the market access rule, SEC Rule 15c3-5, that is applicable to any broker dealer who provides direct market access to any of its customers or through its own proprietary trading. There are a lot of pieces to that rule, and it requires an annual review and an annual CEO certification that the system is working as designed and it’s complying with the provisions of the rule. It’s complicated and it involves compliance, supervision, technology, finance, onboarding, and there are pieces of that, that some firms don’t always consider. And that is a particular review that the regulators look to be a very thorough review. It is not going to be a simple review. Firms have tried that and they don’t get away with it, and the certification has to be complete.
And it must state that the system is working, that they are complying with the rule. This is not a reasonably designed standard in all respects. So it’s just one of the specialized reviews that I think firms may not always understand the value of expertise. They may not appreciate the value of independence in conducting those reviews because they are different. They are different both in scope and in thoroughness from say a 3120 review. That review is very prescribed in what needs to be done. And it is very helpful to have some outside expertise help you work through that review and make sure you’re hitting all the right areas for review and surveillance.
Libby Hall: Okay, everybody, it looks like we are starting to run out of time. So let’s do a quick round-robin on what folks should be looking for when they do decide to hire an independent firm to do their testing and reviews.
Mark Norman: I was just going to say that everybody knows that the most overworked and underappreciated people at every brokerage and IA firm is the compliance and back-office staff. They typically have 10 to 12 hours of work to do every day in an eight-hour day. And then you have all these annual projects and independent audits of various functions that the firm does that these people are expected to do on top of their regular job. So the simple fact is, it is just this number of hours in a day. And most back offices are stressed as it is with their day-to-day stuff, let alone the annual things that a compliance officer is supposed to take on. And I think that’s a role where Oyster can come in on an a la carte basis to do some of these independent audits. And so these guys can concentrate on their day to day business of processing business. Processing trades, or doing trades and making money for the firm and outsourcing some of these other compliance functions to people like us.
Candy Palugi: In my opinion, the best indicator of a strong consulting firm is a firm that ensures that the consultants that they use to provide these services are senior compliance people in the industry. They have a multitude of backgrounds to pull from within the consultants and that they’re also senior people or have been senior people in their careers. They’re licensed, they’re experienced at the high level compliance or operational areas within our industry and as a team, if not independently, but definitely as a team can provide a wealth of knowledge and experience that a singular firm may not have, may not have experienced or come across. And, so that, for me, I think in summary is having a very experienced and licensed staff of consultants is a great indicator of a strong consulting firm.
Mark Norman: Obviously experience is huge. And having been in the industry is great, but also like Evan said, I think just being curious, just asking the firm, what do they do and how do they do it? And just because the firm does something a certain way that I haven’t seen before, but if it works for them, great. If they’ve never had any problems and it complies with the rules, great. But if it doesn’t, if they’ve run into problems, if they’ve had problems with regulators saying that their processes and procedures aren’t sufficient, well, now let’s change it. Let’s adapt and let’s enhance things. And that comes from seeing their paperwork, from asking their people how they do it, from not just talking to the CCO, but all right, talk to the operations guys who are processing paperwork every day to see if there’s some sort of procedural enhancements that we can help bring to them to make their job easier, more efficient and more compliant.
Candy Palugi: To add on to what Mark was saying, I think another quality of a good consulting firm is that the consultants are looking to help your firm find the areas of weakness and to help you find a resolution. Not just to come in and point out, this is wrong, this is wrong, but to help you resolve that and find a good solution and leave you in a better place than you were at the beginning of the relationship with the consultant.
Cat DePasquale: There are a lot of companies out there that will give you WSPs and they have basically a cookie cutter format that they provide to you. If you have a written supervisory procedure that nobody does because they don’t even know how to begin to do it, it’s useless, and it can get you into more trouble than not having a procedure at all, because you have one and nobody’s doing it. So, yeah, don’t just give me a report and tell me everything that’s wrong, make yourselves available to help me to fix this and with a solution that we can live with and that we can actually do – diversification. I like that term. It’s very catchy today. But in my mind, not strictly senior people, but the more diversified that team of consultants, the better off you are. You want people who have done the grunt work, that program, all of these things come into play when you’re trying to mitigate or fix something or create more useful flags for your firm. You need all those different types of knowledge. And if I was looking for a consulting firm, I would try to find one that had the most of that to offer.
Evan Rosser: I can’t add much to what Candy and Cat have said. You just want a firm that has had experience with regulators, and also either knows your business or can learn your business. You can’t provide meaningful assistance, if you don’t understand a firm, understand its structure and are willing to learn that structure. And I think the people we have at Oyster learn that very quickly because we do have a lot of experience. And I think we have a lot of regulatory experience as well to help firms when they work on their compliance program, when they work on their supervisory program, they understand with our help, regulators’ expectations. So, I think that’s very valuable to help firms through the entire creation, review, modification and execution of all their procedures and processes.
Libby Hall: Thanks everyone for listening. If you’d like to learn more about our experts and how Oyster can help your firm, visit our website at oysterllc.com. And if you like what you heard today, follow us on whatever platform you listen to and give us a review. Reviews make it easier for people to find us. Have a great day.