Navigating Regulatory Exams: Insights from Former Regulators

By Libby Hall, Ed Wegener, Patrick M. Dennis and Bill Reilly

Ever wondered how to turn a regulatory exam into a strategic advantage? Join our discussion (Part 1 of 2) with former regulators Patrick Dennis, Evan Rosser, Ed Wegener, Jeffrey Hiller and Bill Reilly as they share their insights into what regulators consider when they come in to do exams, the art of managing document request lists, and how to enhance your firm’s credibility.

In this episode we’ll explore:

  • The shift in the role of risk analysts and how their insights are reshaping the scope and frequency of firm evaluations
  • The various types of exams, from routine to for-cause and sweep exams
  • The art of managing comprehensive request lists
  • Why having a single point of contact for regulators within your firm is important
  • How proactive communication and self-reporting enhances your firm’s credibility while fostering a collaborative relationship with regulators

Insights from Former Regulators

Ed Wegener spent over 20 years at FINRA as Senior Vice President and Regional Office Manager for FINRA’s Midwest Region. Ed led examination teams and pioneered risk-based approaches at FINRA, and now serves as a Managing Director for Oyster’s GRC practice.

Jeffrey Hiller is a former SEC Enforcement Senior Counsel and veteran compliance officer who serves as a COO and CCO of several national advisory firms, including Merrill Lynch and Morgan Stanley. Jeffrey offers unparalleled insights into federal examinations.

Evan Rosser is an experienced attorney and former FINRA examiner, specializing in regulatory risk management. Evan provides insights into compliance and risk management best practices.

Patrick Dennis is a former FINRA executive, bringing decades of expertise in regulatory frameworks and enforcement strategies.

Bill Reilly was a State of Florida regulator for over 30 years with a wealth of knowledge on multi-state regulatory oversight and enforcement. He now serves as a Director at Oyster Consulting.

Regulatory exams can feel daunting, but with the right approach, they can also be an opportunity to enhance your firm’s operations, build trust with regulators, and demonstrate your commitment to compliance. Our panel of former regulators will provide you with actionable insights and practical strategies to navigate these challenges confidently.

Additional Resources for Navigating Regulatory Exams:

Managing Regulatory Exams: 8 Steps To Minimize Risk Of An Enforcement Action

Dispute Resolution: Managing Customer Complaints and Regulatory Inquiries

How to Successfully Manage Regulatory Remediation

Proactive Regulatory Exam and Compliance Solutions

Oyster Consulting is the partner you need to help prepare you for regulatory examinations by conducting reviews to identify areas of non-compliance. We can help your firm avoid regulatory findings by identifying areas where policies, procedures and controls requirements are not being followed. Then, we will help you make the necessary changes to ensure compliance. Our regulatory compliance experts also provide guidance on remediation efforts and help firms develop strategies for addressing findings identified during examinations. When facing regulatory challenges, swift and effective remediation is crucial to safeguarding your firm’s reputation and financial well-being. Reduce the risk of enforcement actions, protect your reputation, and show regulatory agencies your dedication to compliance.

Transcript

Transcript provided by TEMI

Libby Hall: Welcome to the Oyster Stew Podcast. I’m Libby Hall, Director of Communications for Oyster Consulting. This week we present Part 1 of 2 podcasts featuring former regulators Ed Wegener, Evan Rosser, Jeffrey Hiller, Bill Reilly and Patrick Dennis.  Join us as they share their insights into what regulators consider when they come in to do exams, the art of managing request lists, and how to enhance your firm’s credibility.

Ed Wegener spent over 20 years at FINRA as Senior Vice President and Regional Office Manager for FINRA’s Midwest Region. Ed led examination teams and pioneered risk-based approaches at FINRA, and now serves as a Managing Director for Oyster’s Governance, Risk and Compliance practice. Jeffrey Hiller is a former SEC Enforcement Senior Counsel, veteran compliance officer who served as COO and CCO of several national advisory firms. Evan Rosser is an experienced attorney and former FINRA examiner, specializing in regulatory risk management.  Patrick Dennis is an attorney and former FINRA executive, bringing decades of expertise in regulatory frameworks and enforcement strategies. Bill Reilly was a State of Florida regulator for over 30 years and brings a wealth of knowledge on multi-state regulatory oversight and enforcement. He now serves as a Director at Oyster Consulting.

Let’s get started.

Patrick Dennis:  Let’s talk a little bit about what you should expect from regulators and, from our previous experience, what we think we can help people out with by what to expect. So, let’s start with Jeff Hiller, if you want to tell us your thoughts on this?

Jeffrey Hiller:  Sure. One of the things the SEC and FINRA both do is put out a list of their top 10 areas where they find most violations, and they put out a list of their priorities. And the first thing is on an ongoing basis to incorporate the items that the SEC notes, whether there’s supervision or custody, whatever it be, to include those into your compliance calendar and include them into your ongoing review so that if they came in, they would see that you have their priorities within your own set of priorities, in terms of what you want to review and make sure that the firm is compliant about.

Patrick Dennis:  Evan, do you have any thoughts on that?

Evan Rosser:  I think that one thing firms can also anticipate from regulators, be it the SEC or FINRA, they’re often looking, if there are new rules, new products, new regulations. I think the regulators are not immune from the press, and if there’s an issue in the financial world that is getting public attention, there’s a good chance the regulators will be looking at it to see how your firm’s responding to it.

Ed Wegener:  You know, in addition to these sorts of broader topics about things that are going on externally, and sort of the broad topics that the regulators are looking at, what I’ve found is that they’re also getting much better at having a better look into specific unique issues and risks at firms. I can speak to FINRA specifically over the last several years, one big driving factor of what they look at on exams is the risk assessments that are done by the risk analysts. They used to be called regulatory coordinators. These are individuals that are responsible that firms are assigned to and for the firms that they’re assigned to, the analysts are responsible for assessing the risk on an ongoing basis at those firms. They use a lot of different data to do those assessments, and those assessments are really the first step in narrowing the scope of the examinations and making them more risk based.

So, one factor that I think is a primary driver of what examiners are going to look at on an exam are those assessments that are done by the risk analysts. Another thing that’s become a significant factor in narrowing the scope of examinations is the data analytics that are done. Examiners, before they can come out and conduct an examination, are requesting electronic access to things like blotters, and then running analytics against those blotters. Where in the past they were more apt to do random samples to decide what it is they’re going to focus on, they’re now going to come out and have a better sense of where they think the problems are and ask for specific transactions where they might see risks. So, I think the things that everybody has talked about already, like priorities and new rules, sort of national scope issues, are big factors as well as those more micro areas that they’re finding doing this risk analysis and blotter analytics.

Patrick Dennis:  Bill, anything to add from the state side of things? I know that, obviously, they come in and do exams on a regular basis and for cause, et cetera. But go ahead.

Bill Reilly:  In addition to what everyone has said earlier, a couple things: the states are all members of the North American Securities Administrators Association, also known as NASAA. There is a substantial amount of coordination by the states. One of the things that we talked about are looking at products and processes. I think one of the things that you’re looking at is some of the exams you might see are exam sweeps. These are situations where it may be the topic of the day and so forth.

Patrick Dennis:  To interrupt you for a second, maybe we ought to back up and talk about our approach. This originally was with the idea of talking about routine exams. Maybe we’ve got to spend a minute or two talking a little bit about the different types of exams that I think are routine exams, “for cause” exams, and sweeps. Ed, do you want to address that?

Ed Wegener:  I think each regulator has different variations of these, but I would say that examinations really fall into three buckets. There’s the routine examination where they come out and test your controls, look at particular areas that might be priorities. At FINRA, those exams are going to take place at a minimum every four years. But the reality is that the frequency of the exams are going to be driven by those risk assessments that the analysts are doing. The analysts are the ones that, based on those risk assessments, will determine the frequency of those examinations. Then there’s cause examinations. Cause exams are really investigations into a particular activity. Then finally, there are sweep examinations, and sweep examinations are exams where a regulator or, like Bill had mentioned, the combination of regulators like the SEC or FINRA, and potentially the states, might see that there’s a potential industry-wide and decide to look at the activity across a number of different firms. One of the things that FINRA has done that’s been really helpful, along the lines of having more transparency into their programs, is when they do initiate a sweep examination, they’ll publish the document requests that they send out to those firms so that other firms that might not be part of the sweep can get an idea of the types of things that they’re looking at.

Patrick Dennis:  Evan, any thoughts?

Evan Rosser:  When I was with FINRA in the enforcement department, we made it very clear that it was not a routine exam because we wanted the firms to have that expectation that we were going to focus on a particular security, or issue, or person. I think that’s just is effective for both the firm and for the regulator so that they know, because for each one of these, the rules are slightly different. I think it’s important for a firm to determine, and the firm is entitled up to a point to know, the nature of the exam that’s being conducted there. Regulators are never going to tell you everything that they have or why, but to the point Ed made earlier, whenever a regulator comes in, they will have done their homework. They will know what the firm is up to. And you should be aware as well, that if you have a change in your business, chances are it’s going to be an item that’s going to be on the routine exam.

If you have terminated someone for cause you can expect to have an exam on that issue. If you have a series of customer complaints around a particular individual or a product you can expect a cause exam around that issue. So those exams are a little different. They come from different places and your response to them will be a little bit different. One point as well, that whenever you get an exam request, it will likely have a review period on it, and you don’t have to provide anything outside that review period. So, when you get those requests, either verbally or in writing, see what the exam review period is, because that’s the period that until FINRA comes back to you or any regulator, that’s the period in which you are working, and you don’t need to give them anything outside that period.

Patrick Dennis:  I think you can do yourself a big favor by making sure you stick to that period and that period only. In fact, there’s certainly times that I remember discussing with the regulator or negotiating time periods and things like that, on what we had, what we didn’t have, what we were going to provide. Sometimes it’s more challenging than others and occasionally regulators will work with you on time periods and things in terms of whether it seems inordinately long or short or something. But Ed, did you have anything to add?

Ed Wegener:  I think you bring up a good point there. It’s something that I think from a regulator standpoint, when we would start an examination, whether it was a routine examination or a cause exam or a sweep, we had a goal in mind. We wanted to review whatever it was that we were reviewing. We wanted to do it efficiently, but make sure that we had done it effectively. The requests that we made were usually based on the information that we had at the time and did not have a lot of information about how a firm kept those books and records. So, I would recommend that if you do receive a request, and whether it’s the review period seeming like it’s very long, or whether it’s the request for the information that’s being requested seems overly broad, is to feel free to reach out to the person making the request, discuss with them and negotiate with them the things that they’re requesting. Because I think you’ll find that they’re generally open to those types of negotiations as long as they’re able to investigate what they need to investigate and do so as efficiently as possible.

Patrick Dennis:  In this segment, we’re going to talk about exam document requests and the importance of good communications with the regulators.

Jeffrey Hiller:  I might touch base on a point that everybody’s been discussing, which is the document production. I have found that there are times when the SEC or FINRA will request something and really not understand that they’ve just requested 2 million pages of documents, or three. So, I have found that if you have a good relationship early on and ask them if that’s really what they want or how you can hone it, I’ve always had success in that area.  If I’ve explained it and you have the initial rapport, that they know you’re not trying to do anything untoward.

Patrick Dennis:  It’s certainly been my experience that the best way to do this is to assign a single point of contact or a single point person in connection with the regulators. All of the requests come to that person – all of the requests for interviews, all of the additional document requests, all the need for clarification. It’s best if you can have one person that manages the entire exam for your firm, whether that’s the CCO, or in-house legal, or however you want to do it. But that’s certainly been my experience, but would love to hear your thoughts on that, Ed.

Ed Wegener: I think you are right Patrick, having a point person is really important. The regulators generally are assigning a point person for the examination and they’ll usually announce who that is in their introductory letter. And doing that early is important too, because the document requests start now, not when they show up on site, but several weeks before they show up on site. So, what you’re going to see are requests being made electronically with the expectation that documents are provided electronically back, in advance of the examiner showing up on site so that they can do those types of analytics that we were talking about earlier. So, assigning a point person at the time the examination is announced is critical. But one nice thing about the records being produced electronically is it makes it so much easier to manage document requests. I remember when we would do exams and we would be requesting them some via paper, some via email, some in person, that it would get very difficult to keep track of all that. And then, when firms would respond, knowing what’s been responded to often was an area that we would have discussions about. Because those things are provided electronically, now you can see exactly what was requested, you can see what was responded to, when it was responded to, by whom. I think that that makes that part of the examination go much better.

Jeffrey Hiller:  My practice has always been to meet with them every day for five minutes to make sure that we’re on target, that we’re getting the documents we need. If there is something that we changed our minds about or they said, “you don’t have to produce X amount, you can produce y,” that we document that and go over it in the morning. A good point person with good communication skills is probably one of the most important things at the outset of an examination.

Patrick Dennis:  If we could talk a little bit about the data that people are asking for, how they’re doing it, how we can do that and how you can organize that kind of stuff would be helpful. Evan, thoughts?

Evan Rosser:  Going back to that point person and on the data production, you want that point person to understand what’s being produced so that what is being produced to the regulators is in fact responsive to the regulator’s request. A lot of times the regulators, and I think they should do this, they should ask you to provide an index or some other document, so they can tell what you’re producing in response to what request. So they don’t have to go through and figure out, well, is this responsive to the item A or B or C? But the other thing too, and I’ll address this from a FINRA standpoint, FINRA has very broad jurisdiction. However, its jurisdiction does have limits. They are limited to broker dealer records. However, there are a lot of documents that they feel are within their purview and are related to the broker dealer. My only point on that would be you can certainly ask why they want certain documents, what’s their basis for asking for certain documents. But I would not get into a jurisdictional debate on certain documents with any regulator without the advice of counsel.

Jeffrey Hiller:  I think that you want to review every one of these documents before you submit them to the SEC because you need to know what you’re saying, in addition to what you’re telling them. It would not be unusual for any firm in the course of producing documents to find an exception. Well, maybe they reviewed everybody, they got all 99.9% of their certifications back, but they were missing one. You’re going to find stuff like that.  Just note it, note that you found it, correct it, tell them that you corrected it. So, my experience has been really a lot of candor, and there are firms that have said, “well, we’re going to say that attorney-client privilege search to our internal audit, internal audit records or whatever.” I would be very cautious in what I would withhold and what I would give them. I would try to be as cooperative as possible, work with your counsel to favor disclosure and transparency over not, but I think you do need to talk with counsel.

Patrick Dennis:  Well, let’s talk about that a little bit in terms of, if you find a problem or if you realize as you said, you didn’t get all the certifications back that you thought you did. What’s the best approach here?

Jeffrey Hiller:  Usually, I have a spreadsheet where some columns the regulators can see and some columns the regulators cannot see. But one of the columns they see is item number 17, you requested X, then there’ll be a row that on June 20th, we agreed that we could hone the request and make it the following. And so I have a record of that. To the extent I find things before the SEC or FINRA or any regulator comes in, depending on the nature and scope, 99 times out of a hundred I would say to them during our opening meeting, during the course of producing the documents, “we found these exceptions, we’ve corrected them. If during the course of the exam you find anything and you can let us know because we know that there are human errors, we try to fix a quote quickly.” And so you can use that to your benefit. I think you gain credibility upfront if you can have that discussion.

Ed Wegener:  I think there’s a lot of debate about when and whether to let the SEC or FINRA or the states know you’ve identified a problem gathering information before they find it. And to Jeffrey’s point, I would agree. I think you get a lot of credibility when you identify them. “Hey, we noticed these issues, we wanted to let you know about it. Here’s what we’ve done to fix those issues.” I think you get a lot of credibility. So, I would recommend doing it. I think it’s important though to investigate fully when you identify those issues, identify why they happened, identify any systems that may have caused them to go unidentified until the examination started. And make sure not just fixing the issue, but fixing some of the underlying reasons for the issue would go a long way as well.

Libby Hall: Tune in and join us for Part 2 as our experts share strategies for navigating regulatory interactions and fostering a culture of compliance. If you’d like to learn more about our experts and how Oyster can help your firm, visit our website at oysterllc.com. Have a great day.

About The Podcast Speakers

Ed Wegener

Ed Wegener is an innovative compliance, risk management and supervisory controls expert with deep understanding of Federal Securities Laws and the rules of self-regulatory organizations, as well as technology optimization and risk mitigation. Prior to joining Oyster, Ed held several posts in FINRA, most recently as Senior VP and Midwest Regional Director.

Patrick M. Dennis, Esq.

Patrick M. Dennis has been involved in the securities industry for over 30 years, most recently as one of the Founding Principals of Oyster Consulting, LLC, a compliance, regulatory, operations, clearing advisory, software and technology consulting firm for broker-dealers, investment advisers, mutual funds and hedge funds.

Bill Reilly

Bill Reilly is a respected financial services professional with over 35 years of consulting and regulatory experience. Bill leverages his industry expertise and relationships with state and federal regulators and self-regulatory organizations to guide broker-dealers, investment advisers and law firms providing legal representation through both proactive and reactive regulatory processes and compliance issues.