Best Practices for Modern Regulatory Exams
By Ed Wegener, Mark Norman and Brent Nicks
Subscribe to our original industry insightsIn our previous podcast Keys to Successful Regulatory Exams, our experts, some of whom who are former regulators themselves, shared how exams have evolved in recent years, and how knowing what you can expect can help you prepare and navigate through the process.
In today’s podcast, we share best practices for making the most out of your regulatory exams and what happens after the exam is over.
Transcript
Transcript provided by TEMI
Libby Hall: Hi, and welcome to the Oyster Stew podcast. I’m Libby Hall, Director of Communications for Oyster Consulting. In our previous podcast about modern regulatory exams, our experts, some of whom are former regulators themselves shared how modern regulatory exams have evolved in today’s podcast. They share best practices for making the most out of your exams. And what happens after the exam is over. Let’s continue with their discussion.
Ed Wegener: Well, thanks so much Libby and hello everyone. I’m Ed Wegner, and I am head of Governance, Risk and Compliance for Oyster Consulting. Today we’d like to talk about effective practices for dealing with regulatory exams. Over the last several years, examinations have evolved to become much more risk based and data driven. And more recently they’ve been conducted largely on a remote basis and knowing what you can expect during an examination can be helpful in preparing you for the exam and helping you navigate through that process today, we hope to discuss what drives the frequency and scope of examinations, how data and risk assessments drive or factor into those decisions. What has changed in the examination process over the years and what is not and talk about best practices that you can employ before, during, and after a regulatory exam, I’m really fortunate to have Mark Norman and Brent Nicks joining me today, both Mark and Brent are relatively new to Oyster, but both bring years of experience dealing with regulatory examinations, Mark as a former examiner and risk analyst at FINRA and Brent as a former Chief Compliance Officer. Brent from your perspective, as somebody who’s been through a number of examinations both prior to joining Oyster, as a CCO, but even as an Oyster consultant, helping out our clients through regulatory examinations. What are some of the challenges that you’ve faced and what are some of the best practices that you’ve developed?
Brent Nicks: Thanks Ed. So from a challenge standpoint for an examination period, it’s honestly getting the balance of time. And getting the stakeholders in the firm to really understand that this is not a compliance lead event. This is not a compliance exam. This is an evaluation of the risk and of the business itself. So getting the attention of the proper stakeholders, understanding the scope of the exam, and identifying the key personnel, those individuals that are likely to be interviewed, coordinating, and in trying to bring forward, and making sure that they’re prepared. But beyond that, the document production, the volume of it, Quality Controlling it, coordinating that effort to make sure that it’s getting eyes on it before it is regimented and archived and prepared and ready to go out the door. So it is getting the firm focused on addressing the exam in a timely manner and giving the staff examiners the courtesy in the time and making it part of the time during their visit and before and after, and not, we’ll say avoiding the effort, trying to hide in daily activities, but being active and making sure that the firm is presenting a good impression and seems to have a good handle on their business.
That is a massive kind of nebulous challenge, but it is getting the firm focused on responding adequately to the request. So how do you address that? Probably the one thing that you can do to address it most effectively has very little to do with the exam. And that’s being an effective proactive firm, in particularly CCO and compliance department, making sure that each year that you’re reviewing the OC hot items and looking at the regulator notices and the alerts, taking a look at that against your firm practices, self-mitigating, and self-regulating during those times. And correcting before it really is brought to attention. Reviewing your previous years, 206(4)-7 reports or your 3120 report for the BD. If you have any outstanding loops, make sure that you’re, that you’re getting those addressed in a timely manner. Don’t allow them to hang out there for too much time, check your own retail exam branch findings.
Look at the results of your own examination program and close those loops in a timely manner, and then keep a good open dialogue and communication with your contact points at your regulator’s, whether it be the regional officer, the SEC, or your coordinator with FINRA. But if you’re doing those things on the front end, by the time the exam comes around, you’re going to have a good thought on where the risk items are, what your responses will be, if and when those are questioned. But once the exam comes, what do you need to think about? Well, understanding your policies and procedures is probably first and foremost, and just knowing what your own manual says and ensuring that your dialogue with managers and stakeholders that the practices we’re employing actually match with that manual. As almost all of us know, very often, we are judged, not so much by violations of black and white against regulations, but more against what the written word is in our firm versus what we may be doing in practice.
And often it’s the manual that gets us. So know your WSPs – know what they say. If you’re informed on that document, you’re going to make a good impression. What the staff understand, who your points of contact are going to be and when the areas of focus come in, know who should be presented or identified for interviews. Make sure that we know who the stakeholders are that know the information, ask questions of the staff, and make sure that you’ve identified the right people. It may not be the department head who may have the most information to provide the right answers and detailed answers to the staff. And then prepare those individuals for an interview. Do a mock if you need to, sometime before the exam, or honestly have that as part of your ongoing compliance program to periodically prepare individuals or do internal inquiries, to get them accustomed to the kind of things that they may be pressed on later.
And one of the biggest things I’ll tell you is creating it. You’ll update it obviously as the firm amends. But having a presentation at the beginning so when that kickoff call comes, whether it be remote or zoom or conference call or otherwise, have a presentation for the staff where you go ahead and set the tone with giving them an overview of the organization. Talk about the products and services that you’re currently offering. Make sure that coincides with their expectations. Talk about your control environment and your current compliance culture. Maybe talk about some processes and workflows, if you have a particular type of business or it’s niche, and then make sure that if there’s anything that you know is going to be material, go ahead and have that ready early in the examination.
And then on the back, end of it, check everything before it goes out the door. If you see it, label your exhibits, label your data, order it in the same manner that you received the letter, make sure that you’re referencing it with folders and that that’s going to become your central archive. Because your responses and your follow ups are all going to end up in that same place. So you have a good effective bottleneck, and you know what that communication has been with staff during the entire scope of the exam. And you don’t end up stepping on your toes.
Ed Wegener: So, well, that’s a great segue into the next question. So you’re in an examination, you’ve done all that prep, got everything prepared, had that discussion with the firm, things are going well. And then there’s an issue that they found. Brent, can you talk about what are some good practices when an issue is identified by a regulator during an examination?
Brent Nicks: I think step one would be take a deep breath and let your heart rate come down. Because that’s usually the first indication of you’re like, oh man, But really it’s two words, assess and triage where you can. So did you identify it during data production? Was it brought to your attention by the staff on site or remotely or otherwise, and then kind of answering the question, is this a real regulatory concern or is this a mismatch between internal practices and your WSPs. The current bolt on to every SEC exam at the moment is the static questions that come with regulation best. If they’ve showed up, I think assessing a triage, if you’ve not properly distributed a form CRS or you don’t have appropriate BI disclosures in place. Your triage year is to begin discussion and understanding where you need to get to for the exit interview.
But if you are in a situation where you don’t have a hundred percent of your acknowledgements, that a client received your best interest disclosures, now, now you’re talking about procedural thing that you can work on internally and have a dialogue to communicate during the staff exam. Get clarity where you need it, ask questions, understand the scope of what they believe that they’re looking at or the true nature of the concern.
And you’re right, Ed. If you can address it prior to the exit, if it’s not something that they deem to be systemic, you have a really good opportunity of having that be, we’ll say a verbal on an exit phone call, a little discussion rather than – hey, when you get the letter, it’s going to say this. You have the opportunity to maybe bubble wrap that a little bit, showing some proactive approach, addressing the concern, and honestly getting a dialogue while they’re focused on your firm to maybe build it in a way that’s satisfying with them, offer them up.
This is what we’re contemplating as a solution. This is where we think we’re going. Go ahead and have that dialogue because either way, you’re going to have to address it. So might as well have it as an interactive piece rather than addressing it with or without counsel on the back end and hoping it doesn’t end up in enforcement if it’s severe enough. But I guess the last thing I would say is don’t minimize or hide an event if it’s in the data. Most likely they’re going to see it. If you found it first, and if they’ve brought it to you don’t downplay its severity. You need to match the staff’s concern with a same level of concern for the issue and get to the heart of the matter and try to get it addressed as quickly as you can.
Ed Wegener: Thanks, Brent. That’s a really good segue into the next part of our discussion, which is really – what happens next. Mark, so let’s say an examination has come to a conclusion, an exit has been issued with their findings there. The firm’s responded to those findings. Now the regulator goes back and has to determine how they’re going to dispose of the matter. Whether it’s going to be something that’ll be a cautionary item, or does it rise to a level of something that might be referred to enforcement. Can you talk a little bit, maybe from your perspective at FINRA? It might be a little bit different than what happens in other regulators. What’s that process for making those determinations?
Mark Norman: Yeah, we get done with the exam in the field and take all our findings back to the office. And from there, an exam manager would review the findings and confirm, hopefully, what we found in the field, or in some cases they would say, we don’t, you don’t have enough here yet. I mean, it looks like it’s a problem. Let’s get some more information or even potentially from there, we could have a finding where I found 10 accounts that did this, and my supervisor might say, well, okay, let’s look at the whole universe of accounts that had that same type of activity. So it could get expanded from that point, but there’s going to be a several sets of eyes that review the exam findings. It’s not when an exam report is issued.
It’s not an examiner’s opinion versus the firm’s opinion. It’s really a collaborative effort in the FINRA office to seek to reach a consensus between the exam team and management. And then if necessary, the legal team is this a finding; is this really a violation? And then of course, what does that violation amount to? And to be honest, most violations amount to, well, sometimes they amount to nothing. It was a finding on the exit report and the firm fixed it and it was let bygones be bygones. The firm took corrective action. The next step would be a cautionary action, which is when a firm gets a letter that says, we found findings A, B and C. Tell us how you’re going to fix A, B and C and it’s water under the bridge, hopefully. And, and hopefully the firm has put corrective actions in place and, and it won’t happen again.
And then obviously from there after a cautionary act, well, there is another one. A firm can be called in for a compliance conference with the staff where basically the firm’s compliance and staff would come in and talk to the FINRA staff and the FINRA management team about – Hey, this stuff is serious. We want to make sure that you understand how serious this is, because we were really close to a formal action here. So let’s make sure that the firm and FINRA are on the same page. Because if we come in again and find it again, it’s going to be a lot more serious. And then from there, it would be matters, and would result in informal action, which means FINRA attorneys and probably firm attorneys. And then you’re never running the risks of fines and suspensions and all kinds of bad things. So that’s, that’s generally how an exam wraps up.
Ed Wegener: Yes. So if a determination is made or consideration is given by the exam team in terms of making a referral to enforcement, how does that happen? What’s the communication between the exam teams and enforcement before something is an official referral.
Mark Norman: Most firms realize from the records, we’re for how serious a matter is. And you can always ask your examiner – Hey, what’s going to happen here. They might not know to be honest, but the escalation of it would be that you would start hearing from FINRA’s management. And in turn, eventually you would hear from FINRA’s enforcement department, if in fact the matter was going to be referred to enforcement. Jjust because it’s referred to enforcement again, that doesn’t mean that it’s a finding yet. It means that this matter is serious, and it has the potential for a fine or a suspension. When the attorneys get involved, that’s when you know, it’s pretty serious.
Ed Wegener: That’s an important piece of it, because I think just a couple of things there is that before the final determination that’s made, there’s a number of people that are reviewing the findings to make sure that a, there truly is a violation. So they’ll look and make sure that it meets all the elements of a particular violation and that they have the evidence to prove that. But then also assessing whether it’s something that should be an enforcement action. So looking at the aggravating factors, were there customer losses involved? What was the nature of the customer? What type of customer was it – was it an institutional customer, a retail customer, a vulnerable senior investor, those types of things, and mitigating factors – what are the mitigating factors there? And then making a determination of whether it’s something that can be proven rises to the level of an enforcement action.
But I think an important part that you had said, is that there are a lot of opportunities to make your case. That it’s not something that should be taken as a formal action, starting from the fact when the time when the examiners are in the field to responding to the exit, to responding to the examination report, if it does get referred to enforcement, responding to a Wells notice. So usually by the time something gets to the enforcement part, there’s been a lot of opportunities to make your case. And so in closing out the loop on the examination, Brent, when let’s say you have an examination, you receive a letter of caution, the exams come to a conclusion, what are some of the best practices for remediating any regulatory findings that they have?
Brent Nicks:
Sure. So I want to make a very important point. The letter that you received, the findings that you may have received from your examination, it’s very important for you to review and understand the tone of the letter. To understand the number and types of findings or potential violations that were in that letter. Because you need to make, assess the issues, and understand are these things that you are going to be able to fully address to a level to where you do get back to just a letter of caution or some verbal discussions and a little bit of a wag of the finger. Or do you feel like enforcement or referral to enforcement is a likely outcome. Because if that’s the case, the response letter that you’re drafting, the audience really isn’t the examination staff at that point, the audience is the enforcement attorneys and the enforcement staff, because what you’re trying to do is reduce the significance of some of the findings. Trying to build the procedural walls and how you have mitigated and things that you have done, or maybe reinforcing things that you felt were minimized by the staff during the exam.
And what you’re trying to do is build a strong enough case to honestly make the whole event fairly uninteresting to enforcement. You’d like to be able to stay with the examination staff and to be able to remediate in other manners. But once you’ve got down to the body of the findings themselves, deconstruct the letter, turn it into action items, make sure you keep the stakeholders that are responsible for any area involved, not only in the response back to staff, but then whatever we’ve committed to after the fact. How are we going to remediate that and set timeframes when you’re going to get it done? Because you can’t put something in print. That’s just sounds great. But six months later, and they will come and ask when that revisit occurs or they ask on the next cycle exam- Hey, how’d you address this?
And it’s still an outstanding item. There’s no amount of response language that’s going to address a fairly significant repeat finding when you told him you were going to fix it before. So you’ve got to put yourself on a timeframe. You’ve got to close your loops. Quality Control all your responses when you’re responding back to the letter and make sure in that same file that you’ve set your folders for the original document production, your responses to the supplementary inquiries, the final notices, any production to show that you’ve remediated. And your final responses all need to be archived in that same spot. So whether it’s one year, two year, three years, when you have to circle back to it, people are not struggling to locate all the aspects of the exam. If I have one real, I wouldn’t even call the best practice, you need to do. This needs to be a central file room for the final event, from original data production to the completion and remediation of it, all in one place.
So you can look at the full cycle and that that’s going to help quite a bit to make sure that nothing ends up falling through the cracks and then incorporate. And the last thing incorporate that into your 206 and your 3120 reporting. Comment on what you did, make sure you involve the results of the exam into your testing, into your comments and those reports, because those are going to be reviewed on the next cycle exam to show that you took it seriously, you’ve addressed it. You incorporated it into what you were doing, and you remediated. That’s the best way to show that you ended up remediating the soft spots.
Ed Wegener: Well, absolutely. And then that process starts all over again. You close out this exam and you prepare for the next one, whether it’s two years, three years, four years, hopefully four years down the road. And that’s when you start re-engaging with the risk analyst or your contact at the regulator and continuing to keep those relationships strong.
So this has all been terrific. Really appreciate both of your perspectives on this. I’m sure that our clients will benefit from that. And we’re always around in case you have any questions. Thanks, Mark. Thanks, Brent.
Brent Nicks: Yeah. Thanks Ed. Take care. Have a great day.
Libby Hall: Thanks everyone for listening. If you’d like to learn more about our experts and how Oyster can help your firm, visit our website@oysterllc.com. And if you like what you heard today, follow us on whatever platform you listen to and give us a review. Reviews make it easier for people to find us. Have a great day.