The introduction of RegEd's Pre-audit Questionnaire (PAQ)
functionality for Audit Management has enabled compliance and audit
professionals to ensure that all pertinent data collected via questionnaires is
automatically populated, reducing the need for manual transfer,
significantly improving audit cycle time and reducing the risk of input error.
With PAQs, auditors and audit schedulers can complete their
audit cycle workflows from within a unified tool: for example, they can schedule
audits, designate auditees, assign pre-audit questionnaires, or change
distribution recipients from within the solution.
With pre-audit questionnaires, compliance programs are able
to benefit from:
Reduced travel requirements
Reduced amount of time required onsite (program-wide and per audit)
Improved satisfaction (reduced disruption and less time required outside of core activities)
Reduced risk of erroneous or
Increased time spent on core functions outside of audits
Three examples of how clients are using PAQ functionality to
enhance their audit processes:
A firm uses PAQs
to deliver iterative sections of an audit module to the intended recipients ahead
of an audit. The firm saves time by allowing auditors to capture data
without scheduling meeting time with those representatives who
respond prior to the day of the audit. Additionally, any representatives who
have scheduled unavailability (out of office, travel plans, etc.) or are
otherwise remote have an extended window of time to provide the responses
necessary to complete the audit.
Another firm utilizes PAQs to conduct its branch inspections. By using PAQs in
combination with the Audit Management solution, the firm is able to collect,
analyze and report on all of the necessary elements of the branch inspection
module. This significantly reduces the amount of time required on-site per
branch inspection, while allowing branch examiners the flexibility to
prioritize onsite visits based on the results of the pre-audit
questionnaire(s), the associated risk of exposure, and any resulting
heightened supervision status.
Other clients benefit from delivering a pre-defined number of pre-audit
questionnaires across multiple audit modules ahead of the onsite audit to capture
information that is not time sensitive. This gives firms the
capability of collecting vital information ahead of the audit cycle while
ensuring that unannounced audits can still be performed as often as required to maintain
compliance with evolving regulations.
One of the findings in FINRA's 2019 report pertains to failure to
effectively monitor for and react to regulatory changes. Firms are required to review regulatory
changes against their supervisory systems, including their written supervisory
procedures (WSPs) and training programs. FINRA
found that some firms did not adequately respond to recent regulatory changes
such as FinCEN's new Customer Due Diligence (CDD) obligations and the requirements
around Financial Exploitation of Specified Adults, among other recently adopted
or amended rules.
In addition, branch supervision and inspection programs were found to be inadequate at some firms. The following areas were specifically cited as supervisory and risk management gaps:
Failure to fully understand the activities that are taking place at branch offices, including the unique products and services offered at each branch location;
Failure to conduct periodic inspections of non-branch locations;
Failure to determine relevant areas of review, taking into consideration the nature and complexities of product and service offerings or indicators of irregularities or misconduct;
Failure to reduce the inspections and reviews to a written report;
Failure to follow through with necessary corrective action.
Suitability once again made the Sales Practice and Supervision hit list. Specific findings included:
Inadequate supervision of product exchanges;
Failure to identify and respond to red flags;
Inadequate oversight around customer account information changes;
Failure to recognize unsuitable transaction patterns;
Inadequate supervision of trading activities (excessive trading or churning);
Inadequate training of supervisors;
Recommending unsuitable options strategies to unsophisticated customers.
Digital communications made it into this year's report. FINRA specifically noted that some firms that prohibit the use of text messaging, social media and collaboration applications (such as Facebook) for business-related communications did not maintain a process to identify and respond to red flags around the use of those prohibited digital channels. Such red flags could have been detected through adequate customer complaint management, email monitoring, outside business activity (OBA) reviews and advertising reviews. Some effective practices for managing digital communications were flagged, including:
Establishing comprehensive governance structures by leveraging marketing, compliance and technology departments as well as third-party vendors;
Defining and controlling permissible digital channels through supervision; records retention; policies and procedures; blocking prohibited channels; restricting use of messaging and collaboration applications that limit the firm's ability to retain records;
Written supervisory procedures (WSPs) to manage the lifecycle of video content, which includes live-streamed public appearances, scripted commercials and video blogs;
Training prior to providing registered representatives (RRs) access to firm-approved digital channels;
Disciplining misuse of digital communications such as temporarily suspending or blocking channels and requiring additional training.
FINRA also shares a number of cybersecurity-related observations and best practices in its 2019 report, in the hope of assisting firms with strengthening their cybersecurity programs. The report reminds firms to evaluate each of the best practices and controls it describes. Highlighted best practices include:
Maintaining branch-level written cybersecurity policies to protect confidential data;
Implementing procedures to verify that branch office controls were implemented and are functioning adequately;
Documenting formal policies and procedures on vendor and third-party management that include onboarding, ongoing monitoring, off-boarding and disposal of sensitive client information;
Establishing and regularly testing written formal incident response plans that outline procedures to follow when responding to cybersecurity and information security incidents;
Establishing data protection controls such as encryption of confidential data (customer and firm information) whether it is stored internally or at vendor locations;
Ensuring system patches are applied in a timely manner;
Applying a 'Policy of Least Privilege' to access controls: granting access to systems and data only when required, and removing those access rights when they are no longer needed;
Implementing multi-factor or two-factor authentication controls for RRs, employees, vendors and contractors accessing firm systems and data from outside the organization;
Maintaining an inventory of critical information technology assets (hardware, software and data in home and branch offices, including legacy assets that vendors no longer support) together with the corresponding cybersecurity controls that protect those assets;
Implementing data loss prevention (DLP) controls to protect sensitive customer information such as SSNs, dates of birth, bank information and driver's license numbers;
Training for RRs, personnel, third-party providers and consultants;
Implementing change management procedures to document, review, prioritize, test, approve and manage hardware and software changes.
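The data loss prevention item above is the one control in this list that comes down to detection logic rather than policy, and a naive implementation (flag every 9-digit string or every date) produces so many false positives that branch staff learn to ignore it. The following is an added example written for this page; it is not RegEd's or FINRA's code and the page describes no particular product. It scans constructed outbound-message text for the data types the report names (SSNs, dates of birth, bank routing numbers) and validates each hit before reporting it: SSN allocation rules from the SSA, the ABA routing-number check digit, and a date-of-birth match that requires a nearby keyword and a plausible age. Driver's license numbers are deliberately left out because their format is state-specific. The sample messages, message IDs and the fixed reference date used for the age check are assumptions made for the example.

```python
"""Toy DLP content scanner for outbound messages (added example, not RegEd's code)."""
import re
from dataclasses import dataclass
from datetime import date

# Hyphenated SSN form only; bare 9-digit runs collide with ticket/account numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# A bare date is not a DOB; require a keyword within a few characters before it.
DOB_RE = re.compile(r"(?i)\b(?:dob|date of birth|born)\b\W{0,10}(\d{1,2})/(\d{1,2})/(\d{4})\b")
ROUTING_RE = re.compile(r"\b(\d{9})\b")

# Assumption: fixed reference date so the age check is deterministic for the example.
REFERENCE_DATE = date(2019, 12, 31)


@dataclass(frozen=True)
class Finding:
    kind: str
    redacted: str  # the raw value is never stored or logged
    offset: int


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA allocation rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def aba_checksum_ok(routing: str) -> bool:
    """ABA routing transit number check digit: weights 3,7,1 repeated, sum mod 10 == 0."""
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(w * int(d) for w, d in zip(weights, routing)) % 10 == 0


def dob_plausible(month: str, day: str, year: str) -> bool:
    """Reject impossible dates, future dates and ages over 120."""
    try:
        born = date(int(year), int(month), int(day))
    except ValueError:
        return False
    ref = REFERENCE_DATE
    age = ref.year - born.year - ((ref.month, ref.day) < (born.month, born.day))
    return 0 <= age <= 120


def scan(text: str) -> list[Finding]:
    """Return validated findings in order of appearance, with values redacted."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3), m.start()))
    for m in DOB_RE.finditer(text):
        if dob_plausible(*m.groups()):
            findings.append(Finding("dob", "**/**/" + m.group(3), m.start()))
    for m in ROUTING_RE.finditer(text):
        if aba_checksum_ok(m.group(1)):
            findings.append(Finding("routing", "*****" + m.group(1)[-4:], m.start()))
    return sorted(findings, key=lambda f: f.offset)


def block_outbound(text: str) -> bool:
    """Policy decision: any validated finding blocks the message (quarantine for review)."""
    return bool(scan(text))


# Constructed sample messages (assumption; not real customer data).
SAMPLE_MESSAGES = {
    # Business date and a ticket number that happens to be 9 digits: must not fire.
    "ok-1": "Branch 14 Q3 inspection scheduled for 10/02/2019, ticket 987654321.",
    # Genuine leak: valid SSN, keyword-qualified DOB, checksum-valid routing number.
    "leak-1": "Client J. Doe, SSN 123-45-6789, DOB 04/17/1962, routing 021000021, acct ending 4471.",
    # SSN-shaped strings with invalid areas and an impossible date: must not fire.
    "fp-1": "Policy form 000-12-3456 rev 987-65-4321, born 13/40/2019.",
}


def scan_messages(messages: dict[str, str]) -> dict[str, list[Finding]]:
    return {msg_id: scan(body) for msg_id, body in messages.items()}


if __name__ == "__main__":
    for msg_id, found in scan_messages(SAMPLE_MESSAGES).items():
        verdict = "BLOCK" if found else "allow"
        print(f"{msg_id}: {verdict} {[(f.kind, f.redacted) for f in found]}")
```

The validation steps are what keep the control usable: a 9-digit ticket number and an ordinary meeting date pass through, while the same scanner blocks the message that actually carries a customer's SSN, date of birth and routing number. Findings carry only redacted values, so the DLP log itself does not become a second copy of the sensitive data.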
Training staff on how to implement firm business continuity plans (BCPs) was cited as a BCP best practice, in addition to annual testing of the BCP. Note: FINRA is currently conducting a retrospective review of FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information). See FINRA Regulatory Notice 19-06.
Note: RegEd is not engaged in rendering legal, accounting or other professional services. If legal or other professional advice is warranted, the services of an appropriate professional should be sought.
About the Author
Margie Webber is the Director, Regulatory Compliance BD/IA at RegEd, Inc.