SEC’s Marc Wyatt: Where adviser inspections and exams are headed

SEC's chief examiner discusses how the agency is meeting the challenges of an industry that has grown exponentially in the past 21 years.

This is an edited version of a speech given Oct. 17 by Marc Wyatt, director of the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations, at the National Society of Compliance Professionals 2016 national conference in Washington.

I think of [the Office of Compliance Inspections and Examinations] as the eyes and ears of the commission. We support the SEC’s mission by improving compliance, preventing fraud, monitoring risk and informing policy. I call these our “four pillars.” We do not make policy, and we are not enforcement. That said, we view the SEC’s policy and enforcement divisions, along with the chair, the commissioners and other SEC divisions and offices as customers of our examinations. As chief compliance officers and compliance personnel, you are also OCIE stakeholders. OCIE and CCOs share a mutual interest in promoting compliance, which in turn protects investors. As such, you are the first line of defense against compliance violations materializing into harm to investors, and OCIE views you as a key partner that we aim to inform and support.
2016 represents a milestone for OCIE as the national exam program turns 21 years old. Since OCIE was founded in 1995, our “portfolio” has expanded as our population of regulated entities has grown in type, number, size and complexity. In OCIE’s inaugural year, investment advisers managed approximately $10 trillion in assets, and the mutual fund industry had $2.7 trillion in assets under management. That year, OCIE conducted 1,075 adviser exams, and those firms managed $876 billion. In contrast, today, OCIE might cover over $3 trillion in AUM in one exam of a single investment adviser. In 1995, the largest IPO was Netscape and it was also the largest internet company with a market capitalization of $4.5 billion. Today we have several internet companies with market capitalization in excess of $500 billion and we have several pre-IPO companies with valuations of $30 billion or more. One last 1995 factoid: of the top 10 IPO underwriters in 1995 only three exist today. The capital markets are increasingly complex and the technological innovations are changing the competitive landscape on a daily basis. As one of my favorite poets wrote “changes aren’t permanent. But change is.”

Not only has the registrant base evolved dramatically in the last 21 years, but OCIE’s designated responsibilities have also significantly expanded. Today, OCIE has examination responsibility for over 28,000 registrants, including
• more than 12,000 investment advisers
• approximately 11,000 mutual funds and exchange-traded funds
• over 4,000 broker-dealers
• over 650 municipal advisers
• more than 400 transfer agents
• 18 national securities exchanges
• the Financial Industry Regulatory Authority
• the Municipal Securities Rulemaking Board
• the Securities Investor Protection Corporation,
• the Public Company Accounting Oversight Board
• eight active clearing agencies
In addition, recent legislative changes enacted in the Dodd-Frank Act and the JOBS Act have further expanded our responsibilities to include examinations of, among others, major security-based swap participants, securities-based swap execution facilities and crowdfunding portals.

OCIE is responsible for examining this complex, growing and evolving registrant base with our team of approximately 1,000 staff in the home office and 11 regional offices. To put this in context, some financial services firms have compliance staffs that are multiples of this size, not including consultants. Granted, many of these firms are overseen by a myriad of regulatory bodies, but the comparison in resources is dramatic. To meet our responsibilities and fulfill our mission, OCIE has to effectively allocate our resources. We also need to provide our talented examiners with tools that optimize their skills.
20%Portion by which the agency has increased staffing in the investment adviser/
investment company examination program over the past year.
My experience as a portfolio manager has taught me to view the world through a capital-allocation and risk-based framework. At the end of the day, we are all asset allocators. That asset could be money, time or worry (mindshare). Through this lens, my primary task is organizing and mobilizing OCIE in a way that puts us in the best position to address the greatest risks among our registrant populations. Over the past year in particular, I believe we have evolved as an office to more optimally allocate our valuable resources. These changes became effective the first day of this Fiscal Year 2017.

First, we bolstered staffing in the investment adviser/investment company examination program by roughly 20%. The SEC is the sole regulator for the vast majority of SEC-registered investment advisers, which constitute one of our fastest-growing groups of registrants. Over the past two years, over 2,000 new advisers registered with the SEC, joining OCIE’s examination pool. Unlike our broker-dealer registrant population, there is no self-regulatory organization over investment advisers. We want to make sure OCIE is doing our utmost to expand our reach into this key population, and I believe our recent redeployment of staff puts us in in the best position to do that.

ENHANCED FOCUS ON FINRA

Of course, there is no free lunch. As OCIE devotes more resources to one program area, those resources are reallocated from another part of the [national exam program]. Specifically, a significant number of these new [investment adviser/investment company] examiners transitioned from our broker-dealer examination program. We are not forgetting about the registered broker-dealer population. However, we are optimizing our oversight of these important registrants. First, OCIE will maintain a significant presence overseeing registered broker-dealers nationwide, including in market centers such as New York and Chicago. We want to ensure we have the capabilities to mobilize to address key risks in this population across the country, including those brought to our attention through tips, complaints and referrals.

Finra and the SEC together have historically examined approximately 50% of broker-dealers each year, and this broad presence has served to identify risks and protect investors. As a result of OCIE’s resource allocation, OCIE is working to enhance our oversight of Finra because we will be somewhat more dependent on them for broker-dealer exams in the first instance. We are doing this by establishing a dedicated Finra inspection team focused on assessing Finra’s operations in terms of its core mission of regulating its member broker-dealers, including with respect to its regional examinations of broker-dealers. And, as always, we will continue to coordinate with them on examination initiatives in order to minimize duplicative efforts as well as leverage their regulatory reach into the broker-dealer industry.

INVESTING IN TECHNOLOGY AND DATA ANALYTICS

As the financial industry has continued to grow in its use of “big data” and cutting-edge technology, so too has OCIE. [SEC chairwoman Mary Jo White] said it best when she described how the SEC will protect the investing public: “Hard work and hard data.” We have developed an impressive arsenal of data within the SEC, and various groups within OCIE have been continually building the technological capabilities to utilize that data for both industry surveillance and examination work. This year, we consolidated these offices within our newly created Office of Risk and Strategy.
My time as an examiner showed me that exam experience is critical in developing tools to leverage data in ways that drive OCIE’s four-pillar mission. Any new analytical tool designed to enhance productivity must justify its utility to the examiner during an exam. Pete Driscoll, a seasoned member of OCIE’s senior staff, was chosen to lead the [Office of Risk and Strategy] based on his leadership abilities and his experience in the [investment adviser/investment company] exam program. Under this new office, we are integrating the work of our quants with our staff that has direct exam experience to develop tools to identify risks among our registrant populations, both with respect to registrants and the products and services they provide to investors. Pete and his team are meeting with risk teams from industry and other regulators to understand how others are monitoring and mitigating emerging risks in the marketplace.
As the number and complexity of our registrants grows, our ability to conduct industry surveillance is increasingly important. Although every firm is not examined every year, the total population of registered entities and their activities provide input to the development of our risk-based strategy. OCIE’s critics have cited OCIE’s 10% coverage rate in the investment adviser industry and wrongly assume the other 90% of the firms are not reviewed at all. I can assure you that is not the case. If a fund holds the stocks of 100 companies, would you assume that the portfolio manager conducted due diligence on only those 100 companies? No. Most people would rightly think that the portfolio manager and their teams refined the investable universe by applying various screening methodologies based on their investment criteria. The team then, presumably, would conduct further analysis and due diligence on hundreds or perhaps thousands of companies to arrive at a portfolio which best reflects their investment thesis. The same is true for OCIE’s examination program. We analyze data from our entire registrant population, apply various screening methodologies and arrive at the list of firms we believe expose investors to the most significant risks. It is imperative that OCIE continually try to improve our ability to identify risks and to incorporate new information and technology into this process, and that we assimilate new insights and learn from the exams we perform.

SPECIALIZED EXPERTISE

A key component of our risk-based strategy is having staff with specialized expertise. A common myth I heard before I joined the commission was that examiners were not knowledgeable and did not understand the businesses they examined. When I first arrived in OCIE, I found this was not the case. I was awed by the knowledge of the OCIE staff. Many of my new colleagues had an encyclopedic knowledge of the federal securities laws, which they gained from working many years at the commission and/or in the private sector. We are complementing this experience and knowledge by bringing in industry and technical experts to advise us on the most current market developments in the industries we oversee and help us develop exam modules to more efficiently identify risks.
The SEC has recruited specialized staff in derivatives, valuation, options, prime brokerage, trading and quantitative analytics, to name just a few areas. For example, in 2015 OCIE hired a fixed-income trader with over 20 years of experience trading a multitude of fixed-income products at one of the largest mutual fund complexes. We hired a professional geoscientist with a background in geophysics, geochemistry and reservoir evaluation who has assisted in examinations involving the energy sector. By leveraging these experts’ knowledge in particular exams, larger examination initiatives and program-wide training, OCIE stays current on industry trends and practices and improves its capabilities and examination efficiency. We organize these experts into working groups focused on key areas of the market such as fixed income and municipals, microcap fraud and new and structured products.

Another area where we have supplemented our expertise is the technology controls program. The program focuses primarily on examining entities covered by Regulation SCI, such as clearing agencies and the national securities exchanges. Since November 2015, Reg SCI has required these registrants to have comprehensive policies and procedures for their technological systems, including business continuity plans, to review annually their automated systems, and to take appropriate corrective action when system issues occur. These entities must also file notifications and reports with the commission about system disturbances, known as “SCI events” under the regulation, which include systems disruptions, compliance issues and security intrusions. Examining for compliance with Reg SCI, as well as monitoring and responding to registrants’ reports, requires a unique skill set and extensive training. The team is comprised of technologists, cybersecurity experts and information technology consultants. In addition to their Reg SCI mandate, this team also serves as a resource for adviser and broker-dealer examination teams when they confront issues involving technology at the firms they examine.

BEHIND-THE-SCENES OF AN EXAM

I’d be remiss in describing OCIE’s risk-based strategy without stating that OCIE is not only judicious in deciding who we examine, but also what we examine once an exam candidate has been chosen. One of my early observations upon joining OCIE was the amount of work that takes place prior to an exam. Once a registrant is identified as an exam candidate, the team will typically pore over filings and other data to determine the appropriate scope for that exam based on the risks inherent in the business model. The team may reach out to one of our industry experts who I mentioned earlier. Once the scope is determined, the team will work to divvy up responsibilities for risk areas and will customize exam toolkits and modules for the scope areas. All this takes place prior to our making any contact with the registrant and sending our document request list. Once on site, the staff may request the key principal provide an overview of the firm. Some registrants mistakenly assume this introduction is the first time the staff is learning about the firm. I can assure you, that is not the case. These risk¬-based exams and pre-exam work allow our staff to draw on their vast pattern recognition to focus their time on the areas which represent the biggest risks to investors.

MAKING AN IMPACT

Now that I’ve described critical components of OCIE’s strategy to execute on our mission, a key question is: How does one measure the impact or success of OCIE?
2,400Number of exams OCIE completed in fiscal year 2016 across all its program areas.
OCIE’s success is most often judged by the number of exams we do in a year. While I’m proud of our accomplishments, I think it’s important to convey what this single metric reflects and why I do not see exam numbers, in and of themselves, as the sole or best measure of OCIE’s impact. In fiscal year 2016, we completed over 2,400 examinations across all our program areas. This is a more than a 20% increase over 2015, which was itself a six-year high. We will continue to optimize our resources and investment in technology in order to keep pace with the growth, complexity and innovation of the capital markets and our registrant base.

(Related read: What advisers can expect from an SEC exam)

To fully appreciate the exam number metric, it is important to keep in mind that all exams are not created equal, and that there is a significant amount of work done before an exam team ever shows up at a registrant. Holistically OCIE strives to strike an optimal balance among a variety of key variables, including the number, type, scope and depth of exams. The number of exams conducted in any given period reflects the diverse types of registrants we examined, risks inherent in the current market environment and the various initiatives we have undertaken. As our registrants vary in size and complexity — from a small adviser operating out of a house to a huge global firm — so do our exams vary in scope and length, depending on the risk being targeted. Exams also vary in purpose, as we use exams to fulfill each part of our four-pillar mission. Thus, a single exam included in this total number could reflect a highly targeted review for compliance with a single focus area at a small newly registered firm conducted by a small exam team, or it could reflect a complex analysis that took months to complete at a large, global entity, by a large exam team, with input from highly specialized experts across our program. In either example, the goal of the exam is to deliver on our four pillars.

MEASURING THE IMPACT AND SUCCESS OF THE NATIONAL EXAM PROGRAM

To more fully evaluate the success of the national exam program, one needs to define a successful exam. Some of you may define a successful exam as any exam that does not include your firm — fair enough, from your perspective, but that benchmark doesn’t work for OCIE. What does OCIE view as an effective exam? Is an effective exam only one that results in an enforcement referral or in a registrant voluntarily remediating deficiencies that our examiners identify? Is effectiveness measured by the number of deficiencies an exam team finds? Is an examination effective if no deficiencies are found? What if that exam was used to inform the commission or its policy-making divisions about an emerging risk or new industry practice? In my view, the outcome of an exam does not determine its success. While an exam that results in a deficiency being identified or an enforcement referral is more directly successful to some, an exam that identifies areas needing policy guidance or updated rulemakings is, in my opinion, equally successful. So, while an exam may not identify any compliance deficiencies — and, yes, there are such things as “no comment” letters from OCIE — the information our examiners collect in the course of the exam is invaluable as it may empower compliance staff at a registrant; it may identify a new risk or it may assist our efforts to inform policy.
Simply put, I measure the impact and success of an examination, and OCIE’s influence and impact as a whole, using the four pillars of OCIE’s mission: improve compliance, prevent fraud, monitor risk and inform policy. And, we must strike the right balance among these metrics. As I mentioned earlier, you as CCOs have a stake in this, and in each of these areas OCIE is aiming to engage with you and leverage your influence.

IMPROVING COMPLIANCE

The first pillar is “improving compliance.” While I believe all of OCIE’s four pillars are important — and like my four children, I do not have a favorite — “improving compliance” has an impact on each of the other pillars, and as such, may get the bigger bowl of ice cream for dessert.
Clearly, improving compliance in today’s capital markets is not easy to measure quantitatively or qualitatively. There is no traded index measuring compliance — and if there was, I’d hope your codes of ethics would prevent compliance officers from trading it. In addition to the very tangible but bespoke benefits to a registrant subject to an examination, I believe OCIE can help improve compliance by providing registrants — and you, as their compliance officers — with information so they can assess their own compliance programs, based on their unique business model, and undertake steps to develop solutions which address any potential gaps. For example, for the past four years, OCIE has published an annual public statement of examination priorities to inform investors and registrants about areas that the staff believes present heightened risk. We hope that you will use this information to evaluate your own firm’s practices in these risk areas and make any needed improvements.
OCIE also publishes risk alerts with descriptions of some of our larger upcoming initiatives such as the supervision initiative and exams focusing on cybersecurity. These sometimes even include specific risk areas and sample document request lists that firms can use as tools in their own compliance programs. After conducting examinations, OCIE often shares descriptions of areas where examiners have identified potential compliance issues across firms so that you can assess whether your firms may be facing similar challenges. CCOs can use the information to promote compliance by reinforcing the need for additional compliance resources if needed, or by highlighting emerging business practices in need of review.
In addition to publications, OCIE regularly hosts outreach events, and OCIE staff speak at numerous industry-focused events such as this. For example, in 2016, OCIE conducted over 150 outreach conferences with the industry and securities regulators, both regionally and nationally, and OCIE staff appeared at roughly 150 events in order to promote transparent communications and coordination among industry participants and regulators. In this way, we aim to improve compliance by sharing with you what we are seeing, including potential areas of improvement.
“If an adverse compliance event were to materialize … I believe the loss of trust that would naturally follow could devalue a business far beyond anyone’s predictions.”
While you, as compliance officers, are OCIE’s main audience, our speeches, priorities, risk alerts and outreach should be consumed by more than just CCOs. The principals at your firms should understand that they have a vested economic interest in improving compliance. The financial services industry is founded on trust — investors need to trust the people who are handling their money. Compliance with the federal securities laws is a huge part of building and preserving that trust. Some stakeholders may view compliance solely as a cost center for their firms; some may even calculate how little they can get away with investing in compliance based on a perceived low probability that their firms might get singled out by the SEC and have to pay a fine. From my perspective, these people are severely underestimating the potential loss that would likely follow from a compliance failure. It’s much more than just legal fees and a fine. If an adverse compliance event were to materialize, in the form of an SEC action or monetary loss to investors, I believe the loss of trust that would naturally follow could devalue a business far beyond anyone’s predictions.

OTHER PILLARS

The second pillar of our mission is to “prevent fraud.” There are some quantitative measures for this objective, but like the monolithic number of exams we perform each year, the statistics do not tell the entire story. One metric is the number of examinations we refer to our enforcement division. This number has typically hovered around 10%. This year, our examinations have resulted in several notable enforcement actions.
For example, OCIE had a big impact with respect to wrap fee accounts, or those accounts where a single fee typically covers all of the management, brokerage and administrative expenses for the account. The commission settled three cases, which were referred from OCIE, involving transaction costs paid by wrap fee account advisory clients. Specifically, these cases related to the practice of trading away, or using a broker other than the sponsoring broker to execute trades in which a commission is charged, in addition to the wrap fee, to the client.
“Monitoring risk” is the third pillar of our mission. I devote a lot of time to this part of our program. Given our role as the eyes and ears of the commission, I want to ensure we optimally employ the intelligence and data which we gather in the course of our exams to inventory emerging risk in the industry. Every exam gives the [national exam program] an opportunity to gain unique insight into the markets.
OCIE’s final pillar is to “inform policy.” OCIE strives to use our perspective to provide support to the rule-making process and inform other guidance issued by the SEC. We aim to share our observations in a neutral way. Based on our exams, we provide our rule-writing colleagues information about the evolution of market practices and the most common exam observations. In certain circumstances, staff from the policy divisions will accompany OCIE staff on site to supplement their industry insight on current market practices.
OCIE is an active participant in commission-wide working groups, where we provide substantial input into the rule-making process. OCIE brings its real world perspective to the table to provide feedback on the impact of rules and suggestions to enhance policy development. In the past year alone, OCIE interfaced with the policy divisions on over 20 rule-making initiatives, including proposing rules relating to the use of derivatives by registered investment companies and the advance notice of proposed rulemaking, concept release and request for comment relating to transfer agent regulations.