Commentary – RegEd.com

Regulatory Insights Regarding Compliance Assessments of Regulation Best Interest and Form CRS

These are certainly interesting days. So much is taking the attention of compliance professionals. By now everyone has implemented their business continuity plans (BCP) and likely made modifications to them here and there as the true test of these plans has been realized. BCP has now become yet another compliance ball to juggle for the foreseeable future. BCP recordkeeping will be important so be sure to track as you go. Regulators are certain to ask about this in upcoming exams.

Now that everyone is settled into their temporary work environments and any BCP gaps have been shored up, the looming June 30, 2020 compliance date for Regulation Best Interest (Reg BI) and Form CRS (client/customer relationship summary) is once again the primary focus for most broker-dealers (BDs) and investment advisers (IAs). SEC Chairman Jay Clayton has recently signaled there will be no regulatory relief around the June 30^th compliance date.

On April 7^th, the Office of Compliance Inspections & Examinations (OCIE) released two Risk Alerts providing BDs and IAs with insight around initial regulatory examinations to assess implementation of Reg BI and Form CRS. OCIE’s implementation assessment exams will likely occur within one-year of the June 30^th compliance date. FINRA also released a statement that they will take the same approach as OCIE on their initial examinations of firms’ compliance with Reg BI and Form CRS.

OCIE Risk Alert: Examinations that Focus on Compliance with Regulation Best Interest

OCIE (and FINRA) will assess whether firms made good faith efforts to implement policies and procedures that are reasonably designed to achieve compliance with the general obligation of Reg BI to make recommendations that are in the best interest of the retail investor before or at the time the recommendation is made. You demonstrate compliance with the general Reg BI obligation by complying we each of the four (4) component obligations of Reg BI. The Disclosure Obligation, the Care Obligation, the Conflict of Interest Obligation and the Compliance Obligation.

The Disclosure Obligation requires BDs, prior to or at the time of a recommendation to a retail customer, to provide written, full and fair disclosure of all material facts relating to the scope and terms of the relationship with the retail customer; and all material facts relating to conflicts of interest that are associated with the recommendation being made to the retail customer. BDs can expect regulators to review the content of their disclosures as well as ‘other firm records’ to make a compliance assessment.

Do your disclosures define the capacity in which the recommendation is being made?
Do your disclosures provide applicable material fees and costs?
Are any material limitations on the securities or investment strategies involving securities that may be recommended to the retail customer included in your disclosures?
Are you making your disclosures ‘timely’ (prior to or at the time of recommendation)?

The Care Obligation requires BDs to exercise reasonable diligence, care, and skill when making a recommendation to a retail customer.

Does the BD understand potential risks, rewards, and costs associated with the recommendation?
Were these factors considered in light of the retail customer’s investment profile?
Was the recommendation made in the retail customer’s best interest?

BDs can expect regulators to review the information collected from retail customers to develop their investment profiles (i.e. new account forms, correspondence, agreements between customer and BD). Regulators will want to understand:

The process taken by the BD to determine a reasonable basis exists to believe that the recommendations are in the best interest of the retail customer.
Factors considered by the BD to assess potential risks, rewards, and costs of the recommendations in light of the retail customer’s investment profile.
BD’s process for having a reasonable basis to believe that it does not place its financial or other interests ahead of the interest of its retail customers.
How the BD makes recommendations related to significant investment decisions, such as rollovers and account recommendations, and how the BD has a reasonable basis to believe that such investment strategies are in a retail customer’s best interest.
How the BD makes recommendations related to more complex, risky or expensive products and how the BD has a reasonable basis to believe that such investments are in a retail customer’s best interest.

The Conflict of Interest Obligation requires BDs to establish, maintain, and enforce written policies and procedures reasonably designed to address conflicts of interest associated with its recommendations to retail customers. Of course regulators will review the BD’s policies and procedures to determine compliance.

Do your policies and procedures address conflicts that create an incentive for an associated person to place its interest or the interest of the BD ahead of the interest of the retail customer?
Do they include material limitations such as only limited product menu, only offering proprietary products, or products with third-party arrangements?
Has the BD eliminated sales contests/quotas/bonuses/non-cash compensation based on the sale of specific securities or specific types of securities within a limited period of time?
Do the policies and procedures establish a structure for identifying the conflicts that the BD or its associated person may face?
Do they provide for disclosing, mitigating or eliminating conflicts?

The Compliance Obligation requires BDs to establish, maintain, and enforce written policies and procedures reasonably designed to achieve compliance with Reg BI as a whole. Regulators will assess compliance with this obligation by reviewing policies and procedures and evaluating controls, remediation for noncompliance, training, and periodic review and testing of the BD’s policies and procedures.

Included in this Risk Alert is an Appendix that should be reviewed as it provides a sample list of information the regulators may request in order to determine compliance with Reg BI.

OCIE Risk Alert: Examinations that Focus on Compliance with Form CRS

Unlike with Reg BI, the Form CRS obligation applies to IAs as well as BDs. BDs and IAs are required to deliver to retail investors a brief relationship summary (Form CRS) providing information about the firm. By June 30, 2020, the Form CRS must be filed with the SEC through Web CRD for BDs, or IARD for IAs (both Web CRD & IARD for dual registrants using one Form CRS for both brokerage and advisory services). In addition, if the firm has a public website, the Form CRS must be posted there. After the June 30^th compliance date, regulators will assess for a good faith effort to comply with the Form CRS obligation.

Has the firm filed its Form CRS including any amendments?
Does the firm have a public website and if so, has the Form CRS been posted there?
What is the process for delivering Form CRS to existing and new retail investors?
Does the firm’s policies and procedures address the delivery process and dates?
Does the Form CRS include all required information; does it contain true and accurate information; does it omit material facts?
How does the firm describe the relationship and services it offers, including statements regarding account monitoring and investment authority?
How does the firm describe fees and costs?
How does the firm describe its conflicts of interest, including incentives related to proprietary products, third-party payments, revenue sharing, and principal trading?
Does the firm accurately disclose if the firm or its financial professionals have legal or disciplinary history?
Is the Form CRS formatted in accordance with Form CRS instructions?
Do policies and procedures provide for Form CRS updating?
Has the firm retained applicable records related to its delivery of the Form CRS?

Firms should expect regulators to review records of the dates that each relationship summary was provided to retail investors to validate whether the firm has complied with the delivery obligations.

For existing retail investors, firms must deliver the summary by July 30, 2020 and before or at the time of:
- Opening a new account that is different from existing accounts held by the retail investor;
- Recommending a rollover of assets from retirement accounts into a new or existing accounts; or
- Recommending a new brokerage or investment advisory service or investment that does not necessarily involve the opening of a new account and would not be held in an existing account.
For new retail investors, Form CRS must be delivered before or at the earliest of:
- Entering into an investment advisory contract with the retail investor;
- Recommending to a retail investor an account type, a securities transaction, or an investment strategy involving securities;
- Placing an order for the retail investor; or
- Opening a brokerage account for the retail investor.

A thorough review of these two (2) risk alerts should enable firms to be ready for the initial compliance assessments expected by OCIE and FINRA within one year of the June 30, 2020 compliance date.

Note: RegEd is not engaged in rendering legal, accounting or other professional services. If legal or other professional advice is warranted, the services of an appropriate professional should be sought.

About the Author

Margie Webber is the Director, Regulatory Compliance BD/IA at RegEd, Inc.

Market Conduct Exams: Best Practices to Ensure a Smooth Process and Stay Under the Radar for Future Examinations

By Merlinda Johnson FLMI, ACS and Rebecca Vasquez, Esq.

For an insurance company, the key objective of a market conduct examination (MCE) is to avoid it. As regulators pay more attention to problem areas, behaving well in the marketplace in the first place mitigates the chances of being examined. The No. 1 defense against an unscheduled market conduct examination is a documented and well managed compliance program, and companies that follow a few best practices find they can stay under the regulatory radar, and when they are selected for examination, they can be fully prepared to make it go smoothly.

1. Know the handbook.

The NAIC’s Market Regulation Handbook Examination Standards Summary (available free of charge as a downloadable PDF) is a high-level compilation of the market conduct standards found in the more complete Market Regulation Handbook, available from the NAIC, details each function within an organization that a market conduct examiner would review during the exam process.

Make sure your policies and procedures align with each standard in the summary. If they do, you probably have a robust compliance framework already, and you’d be prepared for a regulatory examination.
Monitor and measure these standards. For example, one standard is complaint handling. During an MCE, an examiner will review a company’s complaint records to ensure it follows these standards. This includes complaints being recorded properly and the company taking adequate steps to resolve them appropriately.

2. Understand common exam triggers.

Regulators pay close attention to these areas. Manage them successfully to lessen the frequency of being examined.

Complaints: The most frequent trigger for a market conduct exam.
Claim denials and slow payments
Policy cancellations and non-renewals
Drastic changes in premiums
Regulatory action or activity in other states: State departments of insurance (DOI) compile data in their jurisdictions and share it with other DOIs. A red flag in one state can trigger investigations in others.
Market Conduct Annual Statement (MCAS) outliers: MCAS results can be a strong indicator of a possible market conduct examination. Regulators look for outliers in the results, like the number of complaints, claim denials, and other metrics.
New laws and regulations: New laws and regulations are being adopted around evolving functions, such as cybersecurity and health care, and regulators focus on how insurers keep on top of the changes.
Market share and premium growth: Larger organizations may tend to be examined more often than smaller market participants.

3. When it comes time for an exam, be prepared and establish a defined process.

If you are chosen for an exam, show that you have your house in order and conduct yourself positively for the best possible result.

Appoint an exam coordinator who has thorough knowledge of the company, its organization, and its processes. A well-appointed coordinator can expedite the process and encourage a positive result.
Prepare for the examiner’s arrival in advance, having read the coordinator handbook, if relevant. Provide a comfortable, welcoming workplace and fully functioning technology to avoid unnecessary delays. Being friendly, accommodating, respectful, and collaborative can only help—especially when negotiating points in the final report.
Respond to exam criticisms quickly. Acknowledge any deficiencies, own them, and work with the examiner to develop a remediation plan in a timely manner to keep the project on track.
Build a process to manage workflow and data. Ideally, an organization would use technology to facilitate the exchange of information between examiners and different parts of the company.

4. Utilize technology that is designed for the job.

Many organizations still use ’90s-vintage technology—email, spreadsheets or a secure file share—for market conduct exams, making the process ad hoc, reactive, cumbersome, and unreliable. A system that orchestrates all the moving parts can ensure a vastly better outcome.

A purpose-built solution that manages tagged and searchable market conduct content specifically, rather than fishing for information in email and shared files manually. This allows for more timely and accurate responses to examiners’ criticisms during the market conduct exam process.
Created by people experienced in the market conduct exam process and uses structured project templates to replace manual task tracking.
Accommodation of staff involved by identifying and notifying each one in advance, allowing for preparation of any obligations and tasks well ahead of deadlines, and enabling collaboration among them during the process.

5. More Best Practices

Create, test, and verify the implementation of policies and procedures for each exam-triggering area. For example, analyze complaint data to identify trends and implement appropriate corrective action. Implement a solid complaint tracking system that allows for effective management of complaints, and any uptick in complaints should be investigated immediately.
Go to the regulators before they go after you by self-reporting compliance issues before they rise to a regulator’s attention. Most DOIs look favorably on companies that do this.
Review recent examination results of other companies, which are published on some state department of insurance websites. These can provide insight into different states’ market conduct priorities. For example, one state may be more focused on privacy issues while another looks closely at property & casualty claims.

RegEd is ready to assist insurance companies manage the process of a market conduct exam, including task management, document management, communication with the examiners, documentation, audit trails, reporting, and more, supported by efficient and enabling technology and people with deep experience in the process.

Learn more about our Market Conduct Exam Management solution.

About the Authors

Merlinda Johnson

Merlinda Johnson is the Director of Insurance Regulatory Compliance at RegEd, Inc.

Rebecca Vasquez

Rebecca Vasquez is a Senior Regulatory Analyst/Publisher at RegEd, Inc.

Key Takeaways: FINRA’s 2019 Report on Examination Findings and Observations

On October 16, 2019, FINRA published its 2019 Report on FINRA Examination Findings and Observations. This report is a useful resource for firms to leverage to improve their compliance and risk management programs.

One of the findings in the report pertains to failure to effectively monitor for and react to regulatory changes. Firms are required to review regulatory changes against their supervisory systems, including their written supervisory procedures and training programs. FINRA found that some firms did not adequately respond to recent regulatory changes such as FinCen’s new Customer Due Diligence (CDD) obligations and requirements around Financial Exploitation of Specified Adults among other recently adopted or amended rules.

In addition, branch supervision and inspection programs were found to be inadequate at some firms. The following areas were specifically cited as supervisory and risk management gaps:

Failure to fully understand the activities that are taking place at branch offices, including the unique products and services offered at each branch location;
Failure to conduct periodic inspections of non-branch locations;
Failure to determine relevant areas of review, taking into consideration the nature and complexities of product and service offerings or indicators of irregularities or misconduct;
Failure to reduce the inspections and reviews to a written report;
Failure to follow through with necessary corrective action.

Suitability once again made the Sales Practice and Supervision hit list. Specific findings included:

Inadequate supervision of product exchanges;
Failure to identify and respond to red flags;
Inadequate oversight around customer account information changes;
Failure to recognize unsuitable transaction patterns;
Inadequate supervision of trading activities (excessive trading or churning);
Inadequate training of supervisors;
Unsuitable options strategies to unsophisticated customers.

Digital communications made it into this year’s report. FINRA specifically noted some firms that prohibit for business-related communications the use of text messaging, social media and collaboration applications such as Facebook, did not maintain a process to identify and respond to red flags around the use of the prohibited digital channel communications. Red flags could have been detected through adequate customer complaint management, email monitoring, outside business activity (OBA) reviews as well as advertising reviews. Some effective practices to manage digital communication were flagged, including:

Establishing comprehensive governance structures by leveraging marketing, compliance and technology departments as well as third-party vendors;
Defining and controlling permissible digital channels though supervision; records retention; policies and procedures; blocking prohibited channels; restricting use of messaging and collaboration applications that limit the firm’s ability to retain records;
WSPs to manage the lifecycle of video content which includes live-streamed public appearances, scripted commercials or video blogs;
Training prior to providing RRs access to firm-approved digital channels;
Disciplining misuse of digital communications such as temporarily suspending or blocking channels and requiring additional training.

FINRA also shares a number of cybersecurity-related observations and best practices in their 2019 report in hopes of assisting firms with strengthening their cybersecurity programs. The report reminds firms to evaluate each of the best practices and controls described in the report. Highlighted best practices include:

Maintaining branch-level written cybersecurity policies to protect confidential data;
Implementing procedures to verify that branch office controls were implemented and are functioning adequately;
Documenting formal policies and procedures on vendor and third-party management that include onboarding, ongoing monitoring, off-boarding and disposal of sensitive client information;
Establishing and regularly testing written formal incident response plans that outline procedures to follow when responding to cybersecurity and information security incidents;
Establishing data protection controls such as encryption of confidential data (customer and firm information) whether it is stored internally or at vendor locations;
Ensuring system patching is timely applied;
Applying a ‘Policy of Least Privilege’ around access controls, by only granting access to systems and data when required and removing such access rights when no longer needed;
Implementing multi-factor or two-factor authentication controls for RRs, employees, vendors and contractors accessing firm systems and data from outside the organization;
Maintaining an inventory of critical information technology assets, including hardware, software, data in home and branch offices; legacy assets that vendors no longer support as well as corresponding cybersecurity controls to protect these assets;
Implementation of data loss prevention controls to protect sensitive customer information such as SSN, dates of birth, bank information, driver’s license numbers;
Training for RRs, personnel, third-party providers and consultants;
Implementation of change management procedures to document, review, prioritize, test, approve, manage hardware and software changes.

Training staff on how to implement firm business continuity plans (BCPs) was cited as a BCP best practice in addition to engaging in annual testing of the BCP. Note: FINRA is currently conducting a retrospective review of FINRA Rule 3270 ~ Business Continuity Plans and Emergency Contact Information. See FINRA Regulatory Notice 19-06.

These are just some of the numerous highlights from the 2019 Report on FINRA Examination Findings and Observations to take into consideration when assessing the adequacy and effectiveness of your firm’s supervisory and risk management operations.