For chief compliance officers at financial firms, following the five Ps (prioritize, plan, protect, preserve, and paper) with the help of IT managers will become critical to ensuring that employees working remotely meet corporate and regulatory requirements.
“Even the best designed business continuity plans likely didn’t take a global pandemic into account,” says Kristin Koloniaris, managing director of Adherence LLC, an outsourced remote work-based regulatory compliance and operations consultancy. “They were meant to address a power outage, epidemic or other natural disaster affecting a particular city, country or region on a temporary basis.” Nonetheless, CCOs can’t be remiss. The Securities and Exchange Commission, broker-dealer watchdog Financial Industry Regulatory Authority and other regulators will count on them to still do their jobs regardless of the dire circumstances.
Based on talks with compliance consultants, CCOs and published regulatory guidance, FinOps Report explains how the five Ps can be applied as best practice. (When in doubt, consulting with legal counsel and compliance consultants is advisable).
Prioritize: Fulfilling regulatory requirements is paramount, but keeping abreast of deadlines can be challenging considering there are so many. Regulators are either constantly changing the timetables to provide some badly needed relief, or keeping them despite industry pleas to the contrary. As is the case with any regulatory requirement, data collection, mathematical calculations and data reformatting must be completed on time, so designating dedicated point people such as business line managers to fulfill specific regulations is a good idea.
The SEC says it will temporarily delay enforcement action for fund managers filing their upcoming Forms ADV and PF, highlighting their financial soundness, if they can explain why they need a postponement. However, broker-dealers must still meet the requirements of the SEC’s Regulation Best Interest and produce the customer relationship summary form by June 30. The pan-European securities watchdog, European Securities and Markets Association, has urged national regulators to delay taking enforcement action for firms reporting securities finance transactions under the Securities Financing Transactions Regulation (SFTR). As FinOps Report went to press, the Basel Committee on Banking Supervision and International Organization of Securities Commissions had agreed to delay by one year the September 2020 and September 2021 timetables for meeting initial margin requirements for uncleared swap trades under phases five and six of their rules.
While juggling regulatory deadlines, CCOs also need to think about exams. “The SEC and other agencies are maintaining business continuity and conducting exams remotely,” says Luis Bruno, who heads up the global compliance and regulatory solutions group of global consultancy EisnerAmper in New York. When an examiner asks for information in advance of an exam it’s a good idea to have it handy rather than use the coronavirus pandemic as an excuse for delay. Being responsive could mitigate any suspicions that the firm’s disaster recovery plans are disastrous and prevent the Pandora’s box of further scrutiny from opening.
Plan: Business continuity plans do address who is responsible for fulfilling which business functions when a disaster strikes. Those plans outline who can take over specific roles when the primary employee is either unavailable or cannot access his or her systems. “What is also paramount is a solid game plan for how to escalate any concerns about particular compliance issues in the event of someone’s absence,” says Jane Shahmanesh, managing partner of Adherence LLC.
Now is the time to construct an organizational phone tree with all the relevant contact individuals, their replacements and phone numbers, FINRA advises in recent guidance to broker-dealers. The regulatory agency also recommends that front, middle, and back-office communication channels be established to effectively escalate communications to the compliance team and ultimately the CCO.
Given that CCOs could end up being inundated with emails and calls from employees escalating concerns about whether they applied a regulation or company rule correctly, CCOs must also prioritize which crisis they tackle first. “Dealing with regulatory requirements should take precedence,” recommends Leonard Amoruso, a managing partner with the law firm of Murphy & McGonigle in New York. The nature of the regulatory requirement they address depends on the type of business involved. “For larger brokers and banks with principal trading desks, dealing with net capital requirements might be more critical, while for agency brokers it could be executing customer orders and fulfilling best execution requirements,” says Amoruso.
Yet another potential crisis that CCOs must quickly face is emergency office relocations. FINRA says that if a broker-dealer relocates personnel to temporary locations that are not registered as branch offices, it should provide the regulator with written notice as soon as possible and include the names of registered persons at the location, telephone numbers and the expected duration of the new location. When sharing office space with other companies, the firm should describe the other company’s business. FINRA’s final piece of advice: firms should keep in mind the business risks associated with shared office space involving confidentiality of customer information and recordkeeping responsibilities.
Protect: Critical customer, trading and financial data need to be safeguarded against external cybercriminals and disgruntled internal employees who might want to download confidential files onto their personal computers to steal intellectual property or want to introduce malware into a platform. “Hackers are malicious, smart, and opportunistic in preying on cybersecurity gaps resulting from more remote workers, more mobile devices, workstations that are not company-provided and remote management tools,” says Tony Pietrocola, president of Agile1, a Cleveland-headquartered firm offering a security operations center (SOC) as-a-service.
Since the coronavirus quarantine began about three weeks ago, there has been a spike in phishing emails and in software breaches involving remote monitoring tools. “One of the most important tasks for CCOs, in conjunction with other C-level executives, will be to properly map security controls based on their companies’ risk tolerances,” says Pietrocola. “CIOs are often given this assignment, but this is the job of every C-level executive, including the CCO.”
Remote working creates extra cybersecurity risks which CCOs will need to address with their chief technology and cybersecurity experts. Among the critical questions that must be asked: if the firm relies on a virtual private network (VPN), as many do, how can home computers and mobile devices connect without introducing any threats? Yet another question: can the firm track who accesses what files and when? In its recent communiqué with broker-dealers reminding them of their responsibilities during the coronavirus pandemic, FINRA recommends that VPNs and other remote access systems be properly patched with available security updates; that system entitlements be kept up-to-date; and that multifactor authentication be used.
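One way a compliance and IT team can turn the FINRA points above (current entitlements, multifactor authentication, and knowing who accessed what and when) into a repeatable review is shown below. This is an added example, not code from FinOps Report, FINRA, or any firm’s systems; it assumes a hypothetical VPN account export with the fields shown, and the roster, account list and access log lines are all constructed for illustration.

```python
"""Entitlement and remote-access review over constructed sample data.

Added example (hypothetical data formats). It reconciles a VPN account
export against an HR roster, flags accounts without MFA or long unused,
and reads a file-access log to show who touched what and when.
"""
from datetime import date, datetime

# Constructed HR roster: who is currently employed and who has left.
ROSTER = {
    "alice": {"status": "active", "department": "trading"},
    "bob": {"status": "active", "department": "operations"},
    "carol": {"status": "terminated", "department": "trading"},
}

# Constructed VPN / remote-access account export (hypothetical field names).
VPN_ACCOUNTS = [
    {"user": "alice", "mfa_enrolled": True, "last_login": "2020-04-06"},
    {"user": "bob", "mfa_enrolled": False, "last_login": "2020-04-05"},
    {"user": "carol", "mfa_enrolled": True, "last_login": "2020-02-10"},
    {"user": "dave", "mfa_enrolled": False, "last_login": "2019-11-02"},
]

# Constructed file-server access log (hypothetical format: timestamp user action path).
ACCESS_LOG = """\
2020-04-06T09:01:12Z alice READ /shared/trading/positions.xlsx
2020-04-06T09:05:40Z bob READ /shared/ops/settlements.csv
2020-04-06T21:47:03Z carol READ /shared/trading/client_list.xlsx
2020-04-06T21:48:10Z carol DOWNLOAD /shared/trading/client_list.xlsx
"""

REVIEW_DATE = date(2020, 4, 7)  # constructed "today" for the review
MAX_IDLE_DAYS = 30              # assumed policy threshold for unused accounts


def review_entitlements(accounts, roster, today=REVIEW_DATE, max_idle_days=MAX_IDLE_DAYS):
    """Return findings keyed by issue type.

    orphaned: account with no active roster entry (left the firm or never on it)
    no_mfa:   account that can reach the VPN with a password alone
    stale:    account unused for longer than max_idle_days
    """
    findings = {"orphaned": [], "no_mfa": [], "stale": []}
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None or person["status"] != "active":
            findings["orphaned"].append(user)
        if not acct["mfa_enrolled"]:
            findings["no_mfa"].append(user)
        last_login = date.fromisoformat(acct["last_login"])
        if (today - last_login).days > max_idle_days:
            findings["stale"].append(user)
    return findings


def parse_access_log(text):
    """Parse the constructed log format into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append({"ts": when, "user": user, "action": action, "path": path})
    return events


def access_by_non_active_users(events, roster):
    """Who accessed what, and when, while not an active employee on the roster."""
    return [
        (e["user"], e["action"], e["path"], e["ts"].isoformat())
        for e in events
        if roster.get(e["user"], {}).get("status") != "active"
    ]


if __name__ == "__main__":
    for issue, users in review_entitlements(VPN_ACCOUNTS, ROSTER).items():
        print(f"{issue}: {', '.join(users) or 'none'}")
    for row in access_by_non_active_users(parse_access_log(ACCESS_LOG), ROSTER):
        print("review:", *row)
```

In practice the roster and account export would come from the firm’s HR system and VPN appliance; the review is most useful when run on a fixed schedule and its output filed, since the findings themselves become part of the documentation a regulator may ask for.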
Any data stored in the cloud needs extra attention, as employees working remotely may be using more cloud-based applications such as SaaS applications, shared workspaces or virtual desktop arrangements, says Pietrocola. Although the cloud-based service providers are responsible for preventing hardware and network breaches, clients are ultimately responsible for mitigating data and application breaches. Pietrocola urges CCOs to work with their CTOs and other technology experts to get a deeper understanding of where the data is located, how well it is protected, and how the firm’s cloud security stacks up against industry standards or regulatory requirements.
Data privacy laws still apply in a remote-work environment, so access to data should be limited to only necessary parties and irrelevant data deleted as quickly as legally possible. Gregory Ewing, a data privacy and cybersecurity attorney with Potomac Law Group in Washington, D.C., also recommends that financial firms immediately review the data privacy policies of third-party vendors to ensure they comply with regulatory requirements. Relying on some free services could carry legal risk, he warns, citing the use of Zoom’s free version as just one example of potentially violating some privacy laws. “Zoom does have paid versions of its software that are designed to be privacy law-compliant, but many firms have not considered the distinction to the free version as they quickly addressed the immediate need for employees to work remotely,” says Ewing.
The term protect applies not only to data, but also to reputation. CCOs should anticipate that some employees working remotely might be tempted to slack off or, even worse, bypass company policy and regulations. “It isn’t the time for CCOs to bend the rules,” says Shahmanesh. Prohibitions or limits on personal trading, rules involving gift-giving, and policies on preventing conflicts of interest must be rigorously enforced for all employees.
One of the best ways CCOs can protect their firms from bad internal actors is the old-fashioned way. “The CCO can send out continual reminders about the need to follow regulatory and company rules and the consequences for violating them,” says EisnerAmper’s Bruno. “Those reminders should include what to say and not say to customers, why not to use private devices for business purposes, and how to apply regulatory guidelines.”
Although CCOs do not monitor every single employee 24 hours a day, they do rely on their supervisors and supervisory controls and procedures to monitor employee activities. Working with their firm’s supervisors and management teams, CCOs can recommend appropriate disciplinary action when the firm’s regulatory obligations or compliance procedures are violated, says Murphy & McGonigle’s Amoruso.
Preserve: Using collaboration platforms, such as Zoom and Cisco Webex, will be necessary to connect with employees that might otherwise require in-person communications or e-mails. However, those platforms, which allow for interactive video teleconferencing and live chats, must still meet recordkeeping requirements, such as the SEC’s Rule 17a-4, according to the SEC. FINRA has warned that collaboration platforms are subject to the same capture, retention and supervision requirements as other communication channels, such as e-mail and social media. Therefore, CCOs must work with IT departments to ensure that whichever collaboration platform is used can capture and store information electronically to fulfill regulatory requirements.
What should the CCO do if the firm’s archiving system doesn’t work? That is the situation an undisclosed number of firms now face with the Portland-headquartered Smarsh, which recently announced it could no longer capture and archive Twitter communications. (At press time, Smarsh was still working to resolve the problem and would not answer further questions.) “Telling employees using Smarsh to take a screen shot of their Twitter correspondence might seem practical, but it isn’t a sound regulatory compliance solution,” says Bill Singer, a New York attorney specializing in broker-dealer compliance. The reason: CCOs can’t know for certain whether their employees are providing screenshots of all their Twitter communications. The better alternative: notify employees not to use Twitter, or find another third-party service provider quickly.
Paper: CCOs are likely scrambling to ensure all of their employees are set up to work remotely. “They probably haven’t focused yet on documenting their decisions around how they are operating in this changed environment, but they should,” says Koloniaris. The reason: CCOs have to prove they acted reasonably during the crisis, because they will be judged accordingly by regulators and investors.
When in doubt about what to do, the motto “the road to hell is paved with good intentions” should apply. “CCOs will likely find themselves between a moral rock and a regulatory hard place when it comes to responding to many emergencies created by the coronavirus crisis,” says Singer. He offers the following example: a registered representative has an “understanding” with a long-time customer concerning a particularly large position. The representative knows the customer would want him or her to sell the position once it breached a certain value and could further depreciate. Now comes the rub: the customer never granted the registered representative written authority to use his or her discretion for the account, and the customer can’t be reached by telephone or e-mail during the coronavirus pandemic. The registered representative can’t exercise time and price discretion, because there is no authorization from the customer.
What if the representative then begs the CCO for permission to sell the customer’s position in order to mitigate further losses, using the argument that it is in the customer’s best interest? The CCO is faced with a damned-if-you-do and damned-if-you-don’t scenario. “If the CCO says no, that could result in mounting losses in the customer’s account and an angry customer,” explains Singer. “If the CCO says yes, he or she exposes the firm to liability, if the position rebounds, because the sale was not authorized under FINRA’s rules.”
What should the CCO do? Avoid the regulatory headache. “If a broker-dealer doesn’t have prior written discretionary authorization from the customer and the rules of time and price discretion don’t apply, FINRA will likely advise the firm’s CCO not to sanction the use of unauthorized discretion,” explains Singer. “If hit with a potential investor lawsuit, a CCO can cite the firm’s compliance with the rules on discretion and produce documentation that efforts were undertaken to contact the customer.”
Yet another sticky point for CCOs: ensuring the correct valuations for hard-to-price assets. Getting valuations right is critical to computing net capital correctly or determining the fair market value upon which to mark up or mark down an asset. With so many traders working from home, there is increased pressure on the reliability of quoted markets. “For some thinly-traded stocks and bonds it may prove next to impossible to call around and get meaningful, reliable quotes,” cautions Singer. Then what? “In these times, it becomes extremely critical for traders to maintain meticulous records for their basis for quoting a given price to a customer; how the fair-market value was determined and the dates, times and names of all parties who quoted bids and asks for the trade at issue,” he says.
CCOs need to make sure their traders not only document their decisions, but also turn over their documentation to their firms’ valuation committees so they can archive the paperwork and do their jobs right. Their responsibilities include thoroughly discussing the methodologies and data inputs used to apply a particular price to a particular asset and making any tweaks when necessary. The valuation committee, which also consists of the CCO, the firm’s president, heads of various desks and the chief operating officer, can decide how to incorporate the trader’s findings into its recommendations for pricing during the new period of extreme market volatility, based on the firm’s policies and procedures. The better the firm’s documentation on valuation decisions, the better the firm can demonstrate that it acted in good faith or fulfilled its fiduciary role if the transaction becomes the focus of a customer lawsuit or regulatory investigation, according to Singer.
For CCOs, the benefit of following the five Ps could end up being more than just keeping their firms safe. They may even be able to keep their own jobs safe by proving they were indispensable during the crisis. Compliance departments are major cost centers, not revenue generators, and should layoffs ever become necessary, CCOs will be judged on how much they pitched in. “It’s time to go the extra mile and help out where needed,” advises Adherence LLC’s Shahmanesh.