Now that you’ve seen what ACA Insight has to offer, don’t be without it. Subscribe now!

The weekly news source for investment management legal and compliance professionals

Current subscribers - please log in to the website in the upper right-hand corner

News February 14, 2011 Issue

di Florio Describes OCIE Overhaul

Last week, OCIE director Carlo di Florio spoke to broker-dealer CCOs at the SECís CCOutreach National Seminar. In his remarks, he outlined changes that OCIE is implementing in its examination program that will affect all registrants, advisers and broker-dealers alike.

Changes coming for OCIEís national exam program.

OCIE put itself through a rigorous self-assessment last year, examining its strategy, structure, people, processes, and technology, said di Florio. As a result, OCIE is making changes to its National Exam Program in a "structured and phased manner." Some of the changes address "the demands of Dodd-Frank and the resource limitations that we currently face under a flat budget," he said. He also discussed some of the focus OCIE is placing on governance and enterprise risk management, and some specific current priorities.

OCIE is building an integrated national program to ensure consistency, effectiveness and efficiency, he said. As part of that plan, OCIE will "leverage limited resources" by implementing an enhanced risk-focused exam strategy.

di Florio said the staff has identified four key objectives for the exam program:

  • Improve industry compliance through exams, industry dialogues, and outreach programs;
  • Identify and prevent fraud through risk-targeted exams and better coordination with the Division of Enforcement in the identification, investigation and enforcement of fraud actions;
  • Monitor new and emerging risks through joint initiatives with the Division of Risk, Strategy and Financial Innovation, including the development of new risk assessment and surveillance models and risk analytics.
  • Inform SEC policy as the "eyes and ears" of the agency in the field, through participation in the rule-making process, and by creating dedicated policy support teams on key regulatory reform rules, studies and initiatives.

OCIE will monitor its progress through "Key Performance Indicators" that will help measure its performance and the impact of the national exam program in meeting the identified objectives.

di Florio offered several examples of structural enhancements to the exam program:

  • A new national governance model that involves regional leadership in key strategic planning, policy setting and performance management initiatives;
  • A new Risk Analysis and Surveillance Unit to help identify the highest risk firms for examination and the highest risk issues to focus on when examining those firms;
  • New Specialization Working Groups that will help identify, understand and proactively examine new and complex industry developments. They are already informing risk assessments, exam modules, training programs and inspections, said di Florio. The initial specialized groups focus on new and structured products, valuation, equity market structure and trading practices, fixed income and municipal securities, microcap fraud, and marketing and sales practices; and
  • Exam staffing to break down internal silos and ensure inclusion of staff with expertise appropriate to the specific risks presented in an exam profile, including "deploying joint IA/BD teams to address issues such as some of the lessons learned from the Madoff fraud, or issues regarding dual broker-dealer and investment adviser registrants."

The OCIE/Enforcement partnership will be strengthened as well, he said, to speed alerts, information hand offs, and transitions from OCIE exam staff to the Enforcement Division.

Staffing initiatives.

OCIE itself will be on the receiving end of some of the overhaul initiatives. OCIE is actively recruiting staff with "skill sets that are critical to supervising our modern capital markets," said di Florio. To build a culture of "high-performance, teamwork and accountability," OCIE is implementing a Certified Examiner Training program, improving internal management through a Successful Leaders training program, and introducing mentoring.

Process initiatives.

OCIE has re-engineered the exam process to focus on those activities that add the most value, said di Florio. As a result, the exam process incorporates a more risk-focused approach, enhanced pre-exam preparation, improved multidisciplinary staffing, increased field supervision and more flexible and effective resource allocation.

In addition, said di Florio, OCIE has introduced a number of new mechanisms to "drive standardization, consistency and accountability" across the exam program. OCIE is now developing:

  • An updated, central National Exam Operations Manual; 
  • Its first automated National Exam Workbook;
  • Its own Chief Compliance Officer, "to enhance and monitor compliance with our own policies and procedures, like we expect of our registrants;"
  • Increased presence of supervisors in the field and involvement senior staff on exams;
  • Use of targeted scope correspondence exams to touch a greater percent of the registrant population and to risk-assess registrants with better speed and focus.

Technology developments.

Technology improvements include introducing automation throughout the exam process. Areas such as risk assessment and surveillance, exam preparation, trade analysis, work paper management, data analytics and reporting will all benefit from technology initiatives such as:

  • OCIEís first Technology Committee to oversee technology resources and strategy; 
  • A dedicated Senior Technology Officer who will develop a comprehensive technology strategy, technology architecture and implementation plan;
  • New risk assessment and surveillance technologies;
  • Automated tools to enhance trade analysis; and
  • Management information systems that support key performance indicator monitoring and reporting.

Governance, enterprise risk management, and internal controls.

"We are also focusing our exams on risk management as it pertains to corporate governance, enterprise risk management (ERM) and registrantsí internal controls," said di Florio. In doing so, OCIE will be coordinating closely with its regulatory partners, other federal financial regulators, FINRA and the states.

"As we increase our focus in these areas," said di Florio, "we will generally want to understand how risk management is embedded in key business processes and decision-making at five levels:

  1. How do the business units of an entity ensure they are taking and managing risk effectively at the product and asset class level in accordance with the risk appetite and tolerances set by the board and senior management of the whole organization?
  2. How are key risk management, control and compliance functions structured and resourced to ensure they are effectively embedded in the business process, while having the necessary independence, standing and authority to be effective in helping the organization identify, manage and mitigate risk?
  3. How is senior management ensuring effective oversight of enterprise risk management and embedding risk management in key business processes, including strategic planning, capital allocation, performance management and compensation incentives?
  4. How does the internal audit process independently verify and provide the board and senior management with assurance regarding the operating effectiveness of risk management, compliance and control functions?
  5. How is the board of directors (if one exists in the organization) staffed and structured to ensure it can effectively set risk parameters, foster an effective risk management culture, oversee risk-based compensation systems and effectively oversee the risk profile of the firm?"

In addition to looking at key risk management issues, such as executive compensation incentives, new product review, and model validation, di Florio said OCIE examiners will also seek to understand how effectively the firm is managing key risk and control processes. These include:

  • Setting of risk tolerances to manage and monitor the risk profile of the firm;
  • Risk-based strategic planning and capital allocation;
  • Oversight of risk management policies and processes;
  • Training and communication that support an effective risk management culture and tone at the top;
  • Surveillance systems that effectively flag exceptions to risk management policies;
  • Monitoring and reporting systems that track key risk indicators for decision-making;
  • Issues management processes to ensure timely escalation and remediation of risk and control concerns;
  • Change management controls to effectively implement new changes in the risk management framework and address new products, services, businesses, processes, etc.

"We will incorporate a strategic dialogue of the enterprise risk management framework into our exams so we can effectively distinguish the forest from the trees and then dive into targeted exams in focused risk areas (e.g., products, asset classes, business units) to test effectiveness," he said.

di Florio closed his remarks by outlining key risk focus areas for OCIE in the broker-dealer and dual registrant exam program.

Financial and Operational Risks. Liquidity, valuation, concentration and funding are critical issues, he said, as well as complex structured products, variable annuities, leveraged ETFs, and fixed income securities, including municipal securities.

Trading Practices. Best execution, short sales, algorithmic trading, high frequency trading, sponsored access and key risk controls around these processes are areas of heightened focus, "as technology drives so much of the speed and risk around the trading environment."

Sales Practices. Efforts here are particularly focused on fraud or abusive sales practices in the retail distribution channel, especially where independent or remote branches are present and more so if representatives with disciplinary histories are resident there. "We want to understand what registrants are doing to identify, mitigate and manage the risks in this area and ensure effective compliance supervision."

Protection of Customer Assets and Information. Independent third-party asset verification will continue to be a significant part of exams. The program is implementing streamlined versions of OCIEís methodology for asset verification to produce a targeted review of different types of accounts and custody locations.

Pre-retirement Issues. These inquiries will focus on seniors and good practices, with a view to risks and concerns such as fees, supervision, and conflicts of interest.