Peter Driscoll: The risk detective

OCIE, under his guidance, uses a risk-based approach to examinations to fulfill its mission to promote compliance with U.S. securities laws, prevent fraud, monitor risk, and inform SEC policy.

The Investment Adviser/Investment Company examination program is responsible for the examination of over 10,000 investment advisers with more than $48 trillion of assets under management and more than 800 registered investment company complexes to determine their compliance with the federal securities laws, particularly the Investment Advisers Act and the Investment Company Act.

The Broker-Dealer Examinations program is responsible for examining the approximately 4,500 broker-dealers in the U.S. The program also coordinates with the New York Stock Exchange, NASD, and other SROs on regulatory issues.

The Clearance and Settlement examination program is responsible for examining clearing agencies and coordinating with the eleven regional offices the examination program for approximately 450 transfer agents.

Driscoll stepped into the new role after serving as OCIE’s first chief risk and strategy officer, beginning in March 2016. The office was created to consolidate and streamline OCIE’s risk assessment, market surveillance, and quantitative analysis teams. It provides operational risk management and organizational strategy for OCIE.

Driscoll was previously OCIE’s managing executive from 2013 through February 2016. He joined the Commission in 2001 as a staff attorney in the Division of Enforcement in the Chicago Regional Office and was later a branch chief and assistant regional director in OCIE’s investment adviser and investment company examination program.

Prior to the SEC, Driscoll began his career with Ernst & Young and held several accounting positions in private industry. He holds a B.S. in accounting and a law degree from St. Louis University. He is licensed as a certified public accountant.

Can you tell us a little bit about your career and past experience? What path brought you to the SEC?

As an undergrad I studied accounting and moved on to Ernst & Young. That was my first job as an auditor. I was there for about three years and then went to work as a controller for a client.

Later, I had a friendly interaction with an assistant U.S. attorney who was an alumnus of my high school. He was telling me about his job and I saw him as someone who was really making a difference. I hung up the phone and decided to go to law school that same day. It was something I had been thinking about for a while, but what he was doing as a federal prosecutor struck me in terms of making the most of your career while helping society.

I stayed in the accounting field for four more years, while going to law school at night. Then, when I was getting close to finishing my last year, I ended up doing an internship at the SEC’s Chicago Enforcement Division.

The reason I selected the SEC was that I was a financial reporting accountant, as opposed to a tax accountant. The SEC, to me, was the pinnacle of financial reporting for all of the publicly reporting companies. I thought it would be a very interesting job if I could get it.

Fortunately, I ended up getting the internship and joined the following year as a staff attorney in enforcement. I had looked at the Division of Corporation Finance, but the Enforcement Division was more appealing because I had a desire to litigate.

The Office of Risk and Strategy, OCIE, and SEC in general have focused on data-driven approaches. How does this fit with very notable investments in technology and data analysis undertaken by the Commission in recent years?

One of the big challenges we have is being resource-constrained. We are tasked with examining an ever-growing population of registrants and have roughly 1,000 folks in OCIE to cover more than 12,000 investment advisers, 11,000 mutual funds and ETFs, 4,000 broker dealers, and 600 municipal advisers that are newly registered with us. We continue to take on more and more responsibilities with clearing firms, FINRA, and exchanges. We can’t do it all on a regular basis.

We moved to a risk-based approach several years ago, particularly as the investment adviser space had grown so much.

Last year, we were around 11 percent coverage with IAs, in terms of what we did with exams. With that backdrop, we have had to be much more careful about how we use our resources, and that drives the risk-based approach. We are not only looking at risk in terms of who we do exams of; we are also taking a risk-based approach to, when we execute an exam, the areas are we going to focus on.

When I joined the program in 2004, we would do almost full-scope exams. At the time, there were some significant new rules, including the compliance rule and a code of ethics rule. There was a lot to look at.

When I think back to my public accounting days, from an audit perspective you are doing full-scope audits. You may have multiple visits in a year where you do a week of planning and inventory observation at year’s end, then you execute out on an audit after the year has ended. You may also have the same staff year after year. We don’t have that luxury. We have 600 or so IA staff covering 12,000 IAs and 11K mutual funds. We need to do limited scope and a risk-based approach in terms of where we spend our resources. That is something that has really driven our approach here within OCIE.

One of the things we have been very fortunate about is that our future is going to be driven by technology, as opposed to hiring more and more staff. We obviously need more staff; there is no question about that. Our assumption, however, is that while we will hopefully get some growth, we need to use the tools we have in place and develop technology to look at not only one firm at a time, but 300 firms at a time.

What are your views on evolving technology and risks, such as cyber-security, blockchain, Bitcoin, robo-advisers, and FinTech? How can a regulator best straddle the fine line between maintaining safe and fair markets without stifling innovation?

Electronic advice is a big area for us and a priority. We publish our priorities every year. We talked this year about one of our initiatives being electronic investment advice, the robo-adviser world. What we are seeing is that it started with technology companies that weren’t registered entities before and did not have a history of regulatory compliance. Now that industry is shifting to large firms who have a history with the SEC, developing a compliance program, and knowing the regulatory regime. They are branching out into having some electronic advice. It is certainly a challenge in trying to ensure that the firms are satisfying the requirements of the laws while adapting to technology.

We certainly don’t want to stand in the way of technology development. A lot of these technologies could help save fees, and that’s a good thing for investors. We are making sure that firms address some of the risks of disclosures, client testing, stress testing, customer data protection, and record keeping.

Frankly, we have to adjust along with the industry and learn about these new programs. Most of our examiners are not technologists, so we have to continue to educate our own teams on where the market is going.

If you look at what we did in cyber-security, it’s a different approach to what we have historically taken. We knew it was a high-risk area for all of our firms.

For our first initiative, we put out a risk alert and said we were going to examine around 100 firms. We published our request list, which we thought was an effective way to get out to all 12,000 investment advisers and 4,000 broker-dealers the types of information we were looking for. It is also a great way for a CCO who is on the other side of one of those risk alerts to ask, “OK, do I have this information? Is my IT department looking at this information?”

We went about our exams and published what we found. It wasn’t meant to be a “gotcha,” it was meant to educate the industry. Internally, we were able to see trends, what best practices were, and push all that out so the industry could see what we found on our exams. We thought that was an excellent way to move the needle in terms of putting cyber-risk as a top priority.

We ended up following through with a deeper dive into a number of areas in our second cyber-security initiative. They include governance and risk assessment, access rights and controls, vendor management training, data loss and prevention, and incident response.

Cyber is a tough issue for firms. In many cases they are victims, but they also they need to adhere to certain requirements to make sure they are protecting their investors and client information.

What is your guiding philosophy and approach to your role at the SEC?

Personally, I want to have a lasting impact with what I do. Professionally, I want to move the needle on compliance. There is a lot we can do from a collective action standpoint to really help the industry move the needle on protecting investors. I firmly believe in our mission and it is a joy to come to work every day and do the work we do.