Regulation is Still Shifting as Fast as the Markets and Macroeconomic Forces Around Them – Stay Alert!

The US Financial Industry Regulatory Authority, like many other regulators right now, is considering a change to its rulebook to adapt to the likelihood of more telework after the pandemic. Robert Cook, FINRA’s CEO, said that this will have an impact on the way the regulator goes about its role and its supervisory oversight. FINRA is applying to the SEC to limit onsite exams to the larger BDs so that small firms with limited securities activity can be supervised digitally.

FINRA recently filed a rule proposal with the Securities and Exchange Commission to give broker-dealers until March 31, 2021, to complete their office inspections under Rule 3110. FINRA has a suspicion this extension may not be enough for many firms and is encouraging them to lobby the SEC if this is the case. The comments reflect how regulators and regulated are adapting to a sizeable shift initiated by this pandemic and underlines how important it is to be communicating proactively with the regulators now to shape these changes.

Across the pond, Nikhil Rathi will start as the new chief executive of the UK Financial Conduct Authority in October. He recently appeared before Members of Parliament on the Treasury Select Committee, and said he wants to encourage diversity in all its dimensions as a key cultural change at the regulator. He said that the Black Lives Matter movement had “touched a nerve” in organizations and was elevating the discussion of diversity among employees. He added, “There are deep issues in the financial services industry and I’m sure they are challenging the FCA as well.”

He sent a distinct message on what those regulated by the FCA can expect under his stewardship — he does not want to be feared but he has not applied for the job to be liked. He signaled the road ahead for firms under his supervision: “I would like the FCA to be defined as tough, as assertive, as thoughtful, as decisive and working with pace and agility.” 

The regulator is at a fascinating juncture in its evolution – a new CEO, the uncertainty of what Brexit means for the UK financial services community, an ongoing pandemic, and potential significant economic disruption. Good luck to Mr. Rathi and all those he regulates.

Finally to Europe where last week its highest court, the European Court of Justice, rescinded an agreement, the Privacy Shield, that allows EU companies to move data from the EU to the U.S. It was created in 2016 and the court ruled that it does not comply with European privacy rights. It was a recent victory in the ongoing battle waged by privacy activists who object to personal data being shipped to jurisdictions where data protection is not equivalent. It creates more uncertainty for the 5000+ companies that have relied on the shield. A workaround is the goal for European and U.S. authorities, and appropriate data-transfer contracts are still acceptable but the cost of compliance just went up a notch or two. This decision highlights the increasing gap between the U.S. and Europe in terms of data handling and storage. The higher regulatory standard will be felt at the grassroots level by enterprises that are less flexible in their approach to data management. This impedes their ability to properly optimize their systems by using cloud applications and SaaS — this has started to separate the U.S. from the EU in terms of performance and cost control. 

FINRA Does Everyone a Favor

FINRA has helped all those it regulates during the pandemic. It sent a regulatory notice sharing practices for transition to, and supervision of, remote work environments. This is manna from heaven for busy, stressed compliance people dealing with a number of issues of significant uncertainty. The guidance charts a course for any firm struggling with recommended practice at this tricky time. The kicker here is the risk involved with charting a different course or failing to take note and use best efforts to apply some or indeed all of the practices highlighted.

FINRA’s interactions with firms of all sizes resulted in the conclusion that those relying on web-based tools, electronic document management systems, comprehensive remote supervision capabilities, and cloud-based services faced fewer difficulties transitioning to a remote work and supervisory environment.

The advisory has some basic but perhaps easily forgotten protocols around issues like location monitoring and key contact lists for remote work. It also lays out expectations around senior management’s responsibilities and the frequency and content of their communication. It suggests the use of communication tools and enhanced monitoring to improve supervision. It concludes with commentary on email review, key word surveillance, recorded lines, and chat restrictions.

The words of advice demonstrate how proactive the regulator has been and lay down the gold standard for how regulators and regulated should interact, cooperate, and help each other in the future. The cynical might question this and call this a pipedream but it must be the ambition for the way forward. 

FMSB Algo Trading Guidance is First Step to Best Practice Standard

 

The FICC Markets Standards Board issued a statement of good practice on algorithmic trading. As algo trading becomes more prevalent, regulators are keen to lay down some guidelines and this is the aim of this progressive market trade association. It promotes governance and conduct across all FICC asset classes. The statement comprises 10 good practice statements to help govern and control conduct risk, especially in less regulated asset classes and markets. The FMSB has taken the lead in trying to define acceptable market behavior and note instances where poor conduct is evident that affects a market’s reputation.

The statements recommend a proper governance framework for algo trading that includes senior management supervision with an appropriate escalation procedure, as well as established lines of responsibility in the second and third line of defense to provide independent oversight. They call for a list and description of all algos in use such that these can be understood by management, the second line, and regulators. This is essential practice and needs to be applied across the application of AI in financial services to diminish the “black box” effect. Risk control is covered, suggesting the use of specialist second line supervisors, as well as sharing information across asset classes where a conduct breach has occurred.

Firms should map their standard risk assessment approach to their algo trading to achieve equivalence. There should be a process required for development change of each algo, including testing in an environment resembling production before the code is deployed. An audit trail for the changes should be present. The statements demand holistic oversight to identify and manage the risks in algo trading. There should be monitoring of messages between the trading entity and the trading venue to identify any market abuse.

The statements are packed with practice guidance that all operators of algorithms should adhere to as the world seeks more transparency in a field of data science that is a growing influence on everything we do. They call for significant engagement and oversight from the second line of defense which will no doubt become the expectation of supervising regulators when they come to examine a firm’s electronic and algo trading practice. It sets out a robust set of practices that would stand any organization in good stead when the regulator comes knocking.

OCIE’s Adviser Risk Alert Maps Out Future Exam Priorities


 

The SEC’s Office of Compliance Inspections and Examinations put out a seven-page risk alert recently based on observations from exams of private fund investment advisers. This encompasses private equity and hedge funds. It focuses on deficiencies and compliance issues in exams: investors paying more in fees/expenses than they should; falling victim to conflicts of interest; policy around MNPI. Most of the failures relate to inadequate disclosure of conflicts and the unequal treatment of different investors with many preferential investors getting better outcomes. In other cases, fees and expenses were allocated inconsistently with investor disclosures and agreements. Valuations were being inflated resulting in higher management fees.

The Code of Ethics rule requires written policies and procedures to prevent misuse of MNPI. Adviser employees are potentially at risk of exchanging MNPI with executives of public companies, consultants set up by expert networks, and value-added investors with “special knowledge” about investments. In addition, individuals without authorized access are sometimes able to access MNPI related to a private transaction in a public company. 

Many advisers are failing to address these risks and also to enforce policy controlling them. In addition, some are not monitoring personal trading in securities on restricted lists, and the receipt of gifts and entertainments from third parties relating to the business. In other cases, firms were failing to address those who had access to sensitive information who were then trading on that information. 

This is a clarion call to hedge and private equity funds for any impending regulatory exams and a warning to get their house in order at a time when there is a glut of MNPI. The current environment has weakened the usual protections around data access. Physical information barriers are under strain in a WFH scenario, especially when there is so much extra corporate activity on the credit side. You have been warned.

Regulatory Relief – Reading the Tea Leaves

 

At a time when compliance heads are trying to read the tea leaves and predict how regulators will treat them in the past 15 weeks, there have been two clear, noteworthy messages from senior regulators on both sides of the Atlantic.

In the United States, Raphael Bostic, the CEO and President of the Federal Reserve Bank of Atlanta, was extremely helpful to the regulated community when he told the Wall Street Journal that his agency would not penalize banks for “emergency decisions” made in response to the pandemic.

“We’ve tried to be as clear as possible that we will remember that banks have operated in an emergency situation, have made emergency decisions, and we won’t penalize them for that nine to 12 months from now when we do our regulatory reviews,” Bostic said. “I’m going to make sure we hold to that.”

His remarks were very much designed to encourage banks to do their utmost to help their customers through a very tough time.

In the United Kingdom, Chris Woolard, the interim chief executive of the Financial Conduct Authority, admitted that the new conditions were the first real test of corporate banking rules designed after the 2008 financial crisis. He added that the regulator’s ability to take action was currently “limited.”

He qualified this stark admission with a strong hint about how the regulator would instead be deploying the latest tool in its regulatory toolkit, the Senior Managers’ and Certification Regime (SMR).  The added spice is its impact on individual liability. He told the Financial Times, this time “is the first real test of SMR.” Woolard said it allows the regulator to pry into previously unseen parts of a firm’s business.

“One thing I have said, both inside and outside the FCA, is that I am utterly determined not to see the kind of misconduct we have seen in the past,” Woolard said. 

Busy compliance officers are coping remarkably well with volatile markets, a distributed team, new technology, and a front office over which they have limited physical oversight. These clear messages from regulators help compliance officers do their jobs and gain comfort at a time when there is so much uncertainty.

On July 16 (EU) and July 23 (US), we will host the next chapter of our Modern Compliance Webinar series, “Regulators — Relief, Relations, Resilience, and the Road Ahead.” The webinar will cover the extent to which firms can rely on sympathy and forgiveness from their regulators in this extraordinary time. It will also cover areas of zero tolerance where regulators will be as exacting as ever.

Our speakers will provide guidance on how best to communicate with regulators, how the environment may change in the future, and the sort of retrospective reviews all compliance people must consider to future-proof their firm. We hope you will join us.

To learn more and register, please visit:

EU Regulators – Relief, Relations, Resilience, and the Road Ahead

US Regulators – Relief, Relations, Resilience, and the Road Ahead

 

There’s gold in these words from regulators — compliance must adapt to shifting risk


 

Things are finally settling down, and everyone seems to have got into the rhythm of working from home, as well as having more visibility on what happens next as lockdowns are eased and many companies contemplate a return to the office. 

With 11 weeks of remote work under our belt, initial panic subsiding, and generally successful adaptations to a distributed life in financial markets, the first official views of what was, and is, important are emerging.

Reuters ran an interesting piece last week, that was then picked up by The New York Times, where Behavox revealed that escalations have risen by 18 percent since March across a broad range of behaviors: potentially unlawful or unauthorised disclosure, profanity, moving dialogue offline, sending materials to personal emails, and advising friends and family on financial matters. 

That percentage rise on its own is not surprising – the market conditions have been extraordinary, and the fact that the data being monitored has also increased significantly, because so much more dialogue and interaction is now online, means that there will, of course, be more hits. Of more interest is the percentage mix of new behaviors that are being identified in the data – and that is a noteworthy change.

Especially so because regulators, like the UK FCA, have been pronouncing on where firms need to be looking, which is gold dust for any compliance people worrying about how they and their firms are going to be assessed during this unusual period. Perhaps more important is how compliance folks act now that the regulatory expectation is laid out for them. FCA’s Market Watch 63, which is always a must-read for us monitoring geeks, is pretty specific.

I particularly liked this quote on MNPI: ‘In the context of the pandemic, the nature of the information that is material to a business’s prospects may have altered, and what now constitutes inside information should be carefully assessed.’ Added to the concern that we all have about the reduced control over so much sensitive information, which is usually held to some effect within the confines of an office, is the realization that the current market conditions are breeding an exponential increase in sensitive information related to issuer plans for raising capital, as well as their current performance, and even their plans for normal business resumption. The FCA circular is packed with good advice that, as always, is kind of a supervisory roadmap that firms should expect from their regulators in the next set of visits and examinations; albeit these might be remote and data-driven in many cases.

Here are the golden takeaways from FCA’s pages of wisdom: mandatory compliance leave is great compliance hygiene for front office folks (as Warren Buffett says, ‘you only find out who is swimming naked when the tide goes out’); training comes to the fore and a refresh on MNPI receipt and disclosure might be worthwhile now, as well as making your supervising regulator happy when they come to check what you did during this period; on that subject, keep watertight records of all your regulatory and governance decisions that were tailored for this tough time so they can be reviewed and explained when your friendly regulator comes knocking; enhanced monitoring to account for pockets of increased risk as well risk-based reviews are very sensible; communicate with your regulator especially if you are unsure of the right approach; make sure anything you delay doing is done eventually. 

The FCA even suggests doing a rejig of the risk assessment, but we all know that is not something that can be done overnight and is an eye-stabbing pain to do more than once a year!

To hear more on risk assessment, join us for our upcoming webinar on Risk-Based Approach for Ensuring Effective Compliance — Wherever You Are in the EU on June 11 and the US on June 18.

Stay safe and stay compliant…