Compliance Tools: FINRA Risk Assessments
By Buddy Doyle, Bill Reilly and Mary Catherine Wilck-Pond
Subscribe to our original industry insightsStrategies To Get The Most Out Of Your Risk Assessments
Understanding FINRA risk assessments and producing a risk assessment tailored to the firm’s business model and business operations are key components of a broker-dealer compliance program. Each year, FINRA produces its Report on FINRA’s Examination and Risk Monitoring Programs, detailing FINRA rules and topics it will be focusing on, from anti-money laundering (AML) to market integrity. Firms should use this report as a guide for the creation or when updating their risk assessment, as well as the effective practices our experts share in this episode of the Oyster Stew Podcast. In part 2 of 2, our compliance experts continue their discussion about ways to leverage your risk assessment to strengthen your compliance program
“Risk” doesn’t have to be a four-letter word, and risk assessments are something you can’t afford to ignore or become stale.
When you use Oyster Solutions compliance management software, risk is easily managed, categorized, scored and charted. Easy-to-read dashboards give transparency and definition to your firm’s risk management strategy. Oyster Solutions software documents risk, customizes risk tolerance and scores risk based on your firm’s needs. Then you can define and measure your controls through policies, procedures and strategic testing workflows.
Transcript
Transcript provided by TEMI
Libby Hall: Welcome to the Oyster Stew Podcast. I’m Libby Hall, Director of Communications for Oyster Consulting. In our previous podcast about using risk assessments as a compliance tool, our experts shared why they use them and the benefits having a risk assessment can provide. In today’s podcast, Oyster’s experts continue their conversation, sharing best practices and ways to leverage your risk assessment to strengthen your compliance program.
Buddy Doyle: Thank you, Libby. I’m Buddy Doyle. I’m really pleased to be joined today by Bill Riley, Mary Catherine Wilck-Pond, and Mark Norman. And today we’re going to be talking about risk assessments. So while Mark talked about FINRA categories of risk, and in the software the air default risk assessments we have 13 categories. So we have an inventory of conflicts. We kind of say conflicts is a category of risk if you don’t mitigate them. And so we inventoried our conflicts and our risk assessment so we could be compliant with Reg BI and also so we could understand what those controls are around conflicts and where we have more testing, more independent reviews to do. But I do think that it’s important that you make your risk assessment line up to your business and your definitions. Definitions are very important in terms of risk, around the details of client types, as well as how you identify what is a high risk, what is a medium risk, what is a low risk? Do you put dollar thresholds on that? The more scoring you can do of those risks, the more sophisticated you can get. But I wouldn’t let perfect be the enemy of getting started either.
Bill Reilly: Yeah, Buddy. One of the things that you just mentioned about definitions and testing and so forth. There’s a couple things that when I go in to do a review of a firm, and I’m also looking to do a risk assessment is I’m looking at identification of the issue. And as Mary Catherine said when you’re talking about a client that may be overseas but there may be a US citizen that’s over there for a period of time. So I look at identification of issue and identification with clarity, is this person a domestic client, an international client, and so forth. So do you have procedures to identify it? Do you have procedures to implement?
You know, if you’ve identified it as an issue, how do you implement it? How do you monitor it? A third thing that I look at is I look at training. Are you providing training to your staff to make sure that they understand, as in Mary Catherine’s situation where the doctor goes overseas for a year, the person is overseas, but it truly is a US resident. And the last thing that we also talked about was the testing. And it’s always interesting when you come to testing because one of the things on the AML, you’re talking about getting an independent third party. That’s one of their prerequisites of doing that. The other thing when you’re talking about doing testing, a lot of times, Oyster provides the testing and it’s always nice to have an independent set of eyes taking a look at it. If you have someone internal, they may have put the procedures together and they’re testing it at the same time. There may be some potential quote conflicts there. So those are the four items that I’m looking at when I’m looking at a risk assessment or any type of examination that we’re doing of a broker dealer or an investment advisor.
Buddy Doyle: Yeah, I think it’s important to not have rose colored glasses on when you’re evaluating your own controls and to try to pull your bias out of this and really look at it in the cold light of day. And I think that as we build out in the solution software, our risks and our assessments, we try to align them to things to be fact. When we categorize a risk, is it a systematic risk? Is it a financial risk? Is it a regulatory risk? What kind of risk is it? And then what are the regulations that govern this risk? Are there particular products that we need to look at with this risk? And you’re trying to get all the angles. So if you’ve got an AML risk on a product and you’ve got a trading risk on a product, and you’ve got some suitability risk on a product, it helps you look at that product holistically.
Same thing on clients. Location is a component of risk of a client. The objectives and risk tolerance lead you down certain behaviors. Can you follow up on that to see if what’s occurring is what’s expected or not? What systems do you have? And if you look at that and you look at your controls and say, my procedures are okay, but the process really needs work. If you can get around it, it’s easy to get around, then you probably need to focus some attention on that risk to either get some tools to help you or do more time testing to mitigate that risk. Mary Catherine, you may have some thoughts on this.
Mary Catherine Wilck-Pond: Yeah, I just want to piggyback, Buddy, off of what you’re talking about with systems. And one of the things that I think is very important for you to consider is how automated are your firm’s processes? Do you have a lot of manual processes? Do you do a lot of cut and paste? Do you work off of Excel worksheets, spreadsheets? So the importance of how automated your firm is, I think, really comes into play when you are looking at your risk, because you can say, this is the high risk, I see this as high risk, I’ve got to have a control around it. But if you don’t have the systems to help you do that, you are working from a disadvantage.
Buddy Doyle: Absolutely. And I think that when you do have the systems to help you work with these types of issues, then you need to make sure you have an advantage as well. The more systematic you are and the more sophisticated your platform is, the more likelihood you have of your system creating issues for you because of either data anomalies or some code that didn’t imagine a scenario that has come up that you miss. So it really does, again, these risk assessments help you define what you do next to be successful. It may not be testing account agreements, it may be testing the algorithm in your machine learning environment. And boy, these folks that put AI systems in place, if you don’t know how to manage an AI environment, you need to understand machines are dumb until they’ve learned, and they may not know the scenario you’re looking at. So there’s a whole discipline that you just move from one action to a different action. And your risk assessment really helps inform that.
Mary Catherine Wilck-Pond: And I think another consideration, Buddy, there, is if your firm has any thought of a conversion, a system conversion, if you’re moving from one clearing platform to another clearing platform, for example, how is that going to impact this risk assessment and these controls that you have currently in place? Can you maintain that same control with a new platform, a different platform?
Buddy Doyle: A very good lead into change management and how you come back to your risk assessment. And when I think that at Oyster on our cyber security risk assessment process, we use the N framework for cybersecurity, it fits neatly with AML risk and all the other risk if you design your program. But we also assess cybersecurity risk when we put a new platform in, we create a new process, we evaluate our cybersecurity risk when we do a release of a new module in software, when we do a release of existing modules in software, has our risk changed? What’s different? Do we need to change how we’re operating? And as you mature in your risk management processes, you will get faster and faster at that to focus on the big risk sooner, to make sure that as soon as you implement something, you always do that pre-implementation testing.
But the post-implementation circle back to say, is my assessment appropriate or not appropriate? It can be really important if you’re going to get into doing business in Latin America and the bulk of your business has been in the United States. Have a good plan, make sure you get good procedures, make sure you train people well. But when are you going to come back and test? And that can be informed from your assessment. And then if you find issues and your risk assessment says you’re well controlled, you may want to challenge that assessment, and you may want to do more testing more frequently.
Mary Catherine Wilck-Pond: I wanted to jump in, go back to a comment that Mark made about ensuring that you have controls for mitigating your risk. And I want to expand on that a little bit and say that those controls have to be synced to your systems and your governing policies and procedures. Because if you put controls in place, but you don’t have your policies and procedures aligned, you don’t know that your systems have the capacity to handle that control, you are going to have a problem.
Buddy Doyle: Yeah. And I think that. Mary Catherine, having been regulated throughout your career, rather than being a regulator, it is a different point of view that you take when you’re in the firm and you’re looking at your control environment. And it goes from an assessment of where to focus on testing for an exam by a regulator to an assessment of how you’re operating as an organization. Of course it can drive your testing cycles when you look at a high-risk category and you feel like your systematic controls may not be able to mitigate all of that risk. You have residual risk left that you want to put a process around. Regulators look at enterprise risk. But Mary Catherine, I know you all the way to the customer level.
Mary Catherine Wilck-Pond: Yes. And I will use as an example, if your AML program talks about foreign customers being a high risk category of customer, it’s important that you define what you mean by foreign customer. Is that someone who is merely out of the country on a sabbatical? I was thinking about it today, reading the articles about the famine and Somalia. Do you have someone who has volunteered as a Doctors Without Borders to go to Somalia and help the people there and they’re going to be there for a year? What do your policies and procedures around foreign customers say is who is a foreign customer? If it’s someone who is going to be out of the country for six months, what do you do in a situation like a doctor in Somalia? So I think, you really need to think through when you are putting definitions around things, when you are considering customer risk, really think about your customer base. What are they doing? Where are they going to be? Why are they there? Are they a student taking a gap year and living in Germany? So I think, it’s very important to think through when you are taking risks to the customer level exactly how you are defining certain categories.
Buddy Doyle: Bill, you mentioned customer compliance. That’s an indicator that you may have a control environment issue if you start seeing a number of customer complaints on a certain product or in a certain area. I think those are all things that can inform your risk. But how do you look at how you’re controlling risk or managing through that? You all experience risk. You will assess your risk. You will say, I might get this. It’s got a high inherent risk, I got a good control around this thing. But you will experience risk. We have BCP plans for a reason, and that’s because you will experience risk if you are a successful business. And you may not need to focus on every area of, of what other firms have in their BCP. As a small firm, you may rely on your clearing firm for their back-office technology.
You may not be cutting checks to your clients. They may be cutting checks to your clients. You can look at how you’re structured and how you operate. And you don’t have to completely get rid of every single kind of risk. Bill’s in Florida – might be a hurricane in Florida. That would be a risk that is probably a lot more significant than Iowa. But Iowa has risks as well. They might have snowstorms. And of course nobody’s going to get a pandemic, but we still have to have them in our plans, or at least that’s what everybody said during the bird flu. So I think when regulators are talking about things, sometimes it feels like they’re making you do something for no reason. Sometimes you feel that way for years and years. But I do think that you’ve got to make sure that you understand you will have risks.
What do you do when those risks occur? And if there is a cyber breach, do you have a plan to respond to that? Do you know that you’re supposed to contact your primary regulator? Do you know what the reporting requirements are? Do you have a team ready to go to get those things resolved? I think those are all things that you need to work through as you’re doing your assessment. And you don’t have to get it perfect the first time. You can’t get it perfect. It is, to Mary Catherine’s point, it never ends. All right. I want to thank Mark, Mary Catherine, and Bill for sharing their experiences with us and our group here. Thank you so much. And to those of you listening, thank you for listening. If you have any questions, feel free to reach out to us. We’re always happy to chat about things that we know about. And if we don’t know about your topic, we will tell you so. But thank you so much for listening and we hope to join you again soon.
Libby Hall: Thanks everyone for listening. If you’d like to learn more about our experts, our Oyster Solutions, Governance Risk and Compliance Software, or how Oyster can help your firm, visit our website at oysterllc.com. If you like what you heard today, follow us on whatever platform you listen to and give us a review. Reviews make it easier for people to find us.