For financial services compliance professionals faced with an expanding universe of responsibilities and risks to manage, constantly assessing, prioritizing, and allocating resources across a long list of concerns is a vital but inexact science.
Each January, Regulatory Intelligence highlights the top concerns for compliance officers for the year ahead. The list is based on observations and discussions with industry practitioners. It represents areas, or risks, that present significant challenges for compliance professionals, and it is aimed at helping compliance teams in their planning, prioritization, and reviews.
Topics are not ranked in any particular order, as a firm’s size, business type, and client type greatly influence the importance of the entry to an organization.
The top U.S. securities regulators, the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA), also offer excellent guidance on top concerns in their annual exam priorities letters.
Each area on the Regulatory Intelligence top concerns list will be followed closely and in more depth through 2019. Regulatory Intelligence also publishes a progress report late in the year, reviewing how the concerns unfolded.
1. Regulatory change and political uncertainty
The election of Donald Trump as U.S. president brought widespread anticipation of a regulatory rollback. Two years later, as compliance and legal departments have grasped subtle regulatory changes, the political winds have once again shifted with the Democrats taking control of the House of Representatives in last November’s mid-term elections.
This shift in power likely won’t have a major impact from a legislative and regulatory standpoint. However, the political rhetoric and voice in support of consumer and retail investor protection, and in opposition to large banks and ‘Wall Street’ in general, is sure to be louder.
Although the shift in political power could potentially stall President Trump’s deregulatory agenda, real regulatory change takes time and still rests in the hands of the agencies. Big changes at this level occur at a snail’s pace.
Investigations, talk of impeachment, and overall divisiveness in Washington are worth monitoring. International regulatory and political events should also not be ignored as, for example, the EU’s General Data Protection Regulation (GDPR), which took effect last year, has extraterritorial reach. It also serves as a model for future possible U.S. regulations in the critical area of data privacy and cyber security.
The political partisanship and balance of power may cause angst no matter which side of the aisle one sits. But the significant changes take years.
2. All things “tech,” including data protection and cyber security
In the enormous and expanding universe of technology, risks and complexities related to the compliance profession remain a persistent top challenge.
Areas such as privacy, data protection, and associated regulations such as GDPR are the tip of the iceberg. Cyber security and its associated risks, complexities, and costs also rank high among concerns in compliance departments. A result of news stories of cyberattacks and losses or misuse of personal data is a heightened public awareness and political focus on data privacy and cyber security. Look for stiffer and/or new rules and regulations.
The speed of change in technology also causes concern. In Thomson Reuters’ annual surveys on the Cost of Compliance, technology expenses and challenges associated with legacy systems rank high as a top issue. Regulators are also engaging with industry participants and continue to signal that they are not falling behind the technological curve.
Technology for many ‘non-tech’ professionals such as compliance officers remains a concern, as the importance and integration of technology into the compliance suite continue to evolve. Compliance officers may not need to become technology experts, but they do need to ensure that cyber risks are addressed within their firm’s corporate governance framework. Compliance must be aware of rules and regulations from every jurisdiction with authority over the firm’s activities.
A shift has also continued toward technology solutions in finance and compliance, dubbed “fintech” and “regtech.” The use of artificial intelligence and other new technologies in the compliance and finance sectors keeps growing. Ignoring or avoiding the subject is not an option.
3. Conflicts of interest and outside business activities
Conflicts of interest are a catch-all problem at financial services firms. The largest firms commonly prohibit virtually all outside activities, as they commonly create or raise questions of conflict of interest. At smaller to mid-size firms, the prohibitions are often less strict but are still problematic.
Within the private equity (PE) industry, conflicts and their adequate disclosure remain problematic. In recent years regulators have made examinations of PE firms and their complex structures top priorities.
In 2017 regulators warned about outside business activities by brokers and advisers, including private investments and investment opportunities. Although the number of cases has slowed, most major or well-known firms still see outside business activities as a risk.
Any conflicts of interest, the appearance of a potential conflict, or any incomplete or inaccurate disclosure must be consistently safeguarded against. Disclosure and meticulous documentation and monitoring by compliance departments are critical.
4. Retail protection, suitability, sales practices, and Reg BI
In recent years regulators, lawmakers, and the general public have pushed for investor protection, particularly when it comes to retail investors. Regulators have made protection of the retail investor a perennial top concern and priority. There have been countless cases related to mutual fund share class selection, product suitability, and commission disclosures, as well as churning and misappropriation cases. Enforcement directors at the SEC and CFTC continue to bring actions wherever investor harm is detected.
In response to the hotly debated Department of Labor “fiduciary rule,” which was struck down in court, the SEC’s Regulation Best Interest (Reg BI) and associated rules were proposed in 2018 and received more than 3,000 comments. Look for changes and finalization of Reg BI in 2019 as SEC Chair Jay Clayton has signaled their priority on the agency’s agenda.
Compliance departments must continuously review sales practices, marketing, and risk disclosures. Regulators are sure to scrutinize all supervisory systems and controls over recommendations and sales practices. At the core of this compliance task is adequate training related to sales practices and products.
5. Market risk and high-risk products
In 2018 the U.S. stock market experienced nearly a 20 percent decline, taking many by surprise and causing pain and uncertainty for many investors. Compliance departments are aware that when bull markets end, or market volatility increases, investor complaints also often increase in lockstep. Mistakes are made by financial advisors as well as customers, hard-earned savings can be lost, and in some instances, financial advisors and customers make poor decisions.
The financial crisis of 2008 and 2009 brought an abundance of cases related to suitability, churning, sales practices, and inappropriate risk-taking. Although a repeat is not likely in the cards, and the market has recovered slightly in early 2019, the outlook for 2019 remains uncertain.
Compliance departments should be mindful of overall market conditions and exercise extra caution and oversight, particularly at retail-facing firms, where mistakes become more prevalent in difficult market conditions.
Extra care should be taken with any complex or higher-risk products, including so-called “liquid alternative” funds, as well as leveraged and inverse Exchange Traded Funds (ETFs). Anything marketed or represented as a “safe alternative” should also be reviewed extra carefully.
For institutional managers, times of market stress also expose other risks, topped by liquidity risks. Liquidity also has a direct correlation to pricing, particularly in the credit markets, and in level 2 or level 3 assets. These thinly traded assets and markets have historically become so problematic during periods of market volatility that they have caused the failure or closure of a number of hedge funds, liquid alternative funds, and even mutual funds.
6. AML/KYC and ultimate beneficial ownership
Anti-money laundering (AML) and counter-terrorist financing (CTF) policies remain top concerns globally in financial services. Given the level of sophistication, complexity, and severity of the criminal activity, regulators are taking enforcement seriously. This is clearly evidenced in the ongoing 1MDB scandal.
Foreign Corrupt Practices Act (FCPA) violations continued to rake in significant fines for regulators as well.
Global sanctions risk with Iran and other countries remains a serious concern of senior managers of virtually all businesses, particularly financial institutions.
AML also is a top concern internationally. Lapses in AML, know-your-customer (KYC), beneficial ownership, and sanctions compliance have resulted in some of the largest penalties handed down by regulators.
AML/KYC and counter-terrorist financing duties are often outsourced to custodians for smaller firms. However, outsourcing does not remove the responsibility and liability. Regulators have signaled that all firms regardless of size can’t take this area lightly. Failures related to the accurate and timely filing of Suspicious Activity Reports (SARs) are of the highest importance to regulators.
7. Insider trading and market manipulation
Insider trading is always an enforcement priority. Regulators have greatly enhanced their data gathering and surveillance capabilities, thus making it quicker and easier to connect the dots of suspicious trading. Regulators are better equipped than ever to spot these violations and are not hesitating to bring cases.
The Commodity Futures Trading Commission continued its run of successful convictions or settlements related to the manipulative trading practice known as “spoofing” as well as benchmark rigging settlements in 2018.
Regulators are getting better every day at detecting all sorts of trading abuses. These successful regulatory actions increase the likelihood of more success, as the legal precedent strengthens with every case.
Compliance departments are also taking similar actions to deter and detect such activities before the regulators do. Therefore, prevention in these areas and the severity of the infractions and penalties make it a persistent top concern.
8. Importance of cooperation credit and self-reporting
In 2018, regulators emphasized the importance of self-reporting and rewarded firms with decreased fines and penalties for their cooperation efforts. The CFTC went as far as to issue a detailed “declination” letter on a decision not to penalize Deutsche Bank. The letter noted the multiple things Deutsche did right in its handling of alleged mismarking of swaps positions by a trader.
The case sent a strong message encouraging firms to come forward and self-report. Large firms that are regularly in communication with regulators and who have experience in handling exams, inspections, and enforcements likely welcome the chance at a lesser penalty.
However, smaller firms with no prior experience with exams or enforcements may be venturing into uncharted waters when considering self-reporting.
The handling and remediation of a compliance breach, its resolution, as well as documentation and prevention against future or repeat violations are critical aspects of all compliance programs. The self-reporting aspect to regulators is a relatively new development with conflicting viewpoints within the legal and compliance community. Therefore, compliance departments should be cognizant of this new development and consult counsel and weigh the risks and rewards of self-reporting and cooperation credit.
9. Conduct risk and sexual harassment
Conduct risk and the #MeToo movement captured headlines in 2018 as the spotlight on sexual harassment, sexual assault, and sexual discrimination, particularly in the workplace, remains a serious risk to executives and companies.
Although most high-profile news and cases on the subject have largely been centered in the media and entertainment industry, financial services companies, or all companies for that matter, are not immune to risks associated with sexual discrimination, assault, or harassment claims.
Global regulators continue to highlight conduct risk, personal accountability or liability and have set expectations that firms must consider how culture and conduct risk affect every aspect of their operations.
Although firms and compliance departments may consider sexual discrimination and harassment claims as a legal or human resources matter, the issues can easily become compliance issues. Supervisors or managers, along with compliance departments, must review such policies and procedures and remain vigilant to ensure that the financial services workplace is fair, honest, non-discriminatory and safe.
10. Personal liability
In recent years regulators and law enforcement have emphasized the importance of ‘naming names’ and holding individuals accountable or liable for corporate wrongdoing. Chief compliance officers (CCOs) are therefore nervous about their own well-being simply because of the positions they hold.
Despite leadership changes at the major financial regulators since the 2016 presidential election, appointees by President Donald Trump have stayed the course in continuing to emphasize the necessity of personal or individual accountability. This is evidenced in cases announced by both the SEC and CFTC throughout 2018.
SEC enforcement co-directors Steven Peikin and Stephanie Avakian addressed the importance of personal accountability in last year’s Annual Enforcement Report for Fiscal Year 2018. The agency cited individuality in a recitation of its “Core Principles,” which also included a focus on the retail investor, keeping pace with technological change, imposing remedies that most effectively further enforcement goals, and assessing the allocation of resources.
Regulators seem to be taking reasonable approaches as to when to hold individuals personally liable. However, the fear is still significant, as the ramifications of being personally named can be a career-ending event.