In a year that has been nothing close to normal, at least one thing hasn’t changed: The best compliance programs are supported by senior management and have adequate staffing, technology, and training.
That was the message from Peter Driscoll, director of the Office of Compliance Inspections and Examinations (OCIE), at the Securities and Exchange Commission’s annual compliance outreach conference, held virtually on Thursday.
Despite the unprecedented disruption caused by the coronavirus pandemic, which has forced OCIE’s workforce to work remotely since March, the division examined 2,950 firms in fiscal year 2020. That figure represents approximately 15 percent of the investment advisers and broker-dealers registered with the SEC.
Examining roughly 15 percent of registrants is typical in a normal year, so hitting the same figure in 2020 was remarkable, Driscoll said.
In his remarks, Driscoll laid out items OCIE investigators notice when evaluating a compliance program during an examination. He said investigators know when firms do not give chief compliance officers sufficient authority; when the compliance program is not supported by top management; or if the CCO position has become a revolving door.
“We notice when a firm positions CCOs too low in an organization,” Driscoll said. “We notice when CCOs are not given the resources necessary to implement the policies and procedures that ensure compliance” with SEC regulations. In this case, resources translate to adequate training, automated systems, and sufficient staffing.
Driscoll said the OCIE notices when CCOs are fired after reporting suspicious behavior or raising red flags about issues of noncompliance, or when they are fired as scapegoats for poor compliance performance that leads to fines and other penalties.
“They should not be made to feel they are one ‘no’ away from termination,” he said.
In the eyes of the OCIE, the most important thing a firm can do to strengthen its compliance program, Driscoll said, is to make sure it has the full-throated support of the firm’s management.
Firms often ask the OCIE to whom the CCO of a registered investment adviser or broker-dealer should report. Driscoll said the answer varies from firm to firm, depending on the firm’s size, the experience of the CCO, and its risk appetite, among other factors.
“I do believe the CCO should have a direct line of reporting to senior management or be senior management,” he said.
This idea of elevating compliance within an organization for strategic reasons was also the focus of a recent study commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which concluded that a more thoughtful consideration and examination of compliance risks provides a firm with strategic benefits.
The OCIE also issued a risk alert Thursday identifying “notable compliance issues” related to the “Compliance Rule” under the Investment Advisers Act of 1940. The Compliance Rule requires firms to adopt written policies and procedures reasonably designed to prevent violations of the Act and the SEC’s rules; to review those policies and procedures at least annually; and to designate a CCO who is responsible for administering them and who has the authority to “compel others to adhere to the compliance policies and procedures.”
The risk alert touched on many of the points highlighted by Driscoll in his remarks, including inadequate compliance resources, particularly in firms that had grown in size or complexity but did not support their compliance division.
Other firms fell short because their CCOs did not have adequate authority, were restricted from accessing key data, or had limited interaction with senior management.
Some firms did not perform adequate annual reviews of their compliance programs; could not or would not implement actions required by their policies and procedures; did not maintain adequate and updated information on their policies and procedures; and did not maintain or establish “reasonably designed” policies and procedures.
Mind your data—the SEC is watching
Thursday’s conference provided yet another example of the SEC using firms’ own data to pursue enforcement actions.
Marc Berger, deputy director of the SEC’s Division of Enforcement, pointed to $3 million in fines the SEC levied against five firms on Nov. 13 as an example. The SEC concluded the firms improperly recommended complex, high-risk investments that were unsuitable for the investors who purchased them. The products were meant to be bought and sold in a day, but the SEC found investors were advised to hold onto them for months, and in some cases, years.
“We were able to analyze a huge amount of data, representing an entire sector of the market, to pinpoint the unsuitable investments,” Berger said.
Another recent example of regulators’ data analytics capabilities in enforcement actions is the $920 million penalty levied earlier this year by the Commodity Futures Trading Commission, the SEC, and the Department of Justice against JPMorgan Chase for the illegal manipulation of the precious metals markets by several of its traders. The criminal activity stretched back to 2008, but in 2013 the investigation was closed because regulators lacked the data analytics needed to prove their case, according to the Wall Street Journal. The case was later reopened, and indictments were handed down against four traders in 2019.
Further, the SEC’s Earnings Per Share Initiative “utilizes risk-based data analytics to uncover potential accounting and disclosure violations caused by, among other things, earnings management practices,” the agency said in September, when it announced two landmark data analytic enforcement actions.