SEC Announces 2015 Examination Priorities

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations has released its examination priorities for 2015, describing a planned focus on assessing market-wide risks, protecting retail investors, and using data analytics to identify signs of potential illegal activity.

The 2015 examination priorities address issues across a variety of financial institutions, including national securities exchanges, investment advisers and companies, broker-dealers, transfer agents, and clearing agencies. In terms of market-wide risks, OCIE will examine for structural risks and trends that involve multiple firms or entire industries, including annual examinations of clearing agencies as required by the Dodd-Frank Act and assessing cyber-security controls. The agency will also examine proxy advisory service firms, assessing how they make recommendations on proxy voting and how they disclose and mitigate potential conflicts of interest.

A letter this week to national exchanges elaborated on OCIE’s approach this year, describing the following priorities:

Examining exchanges' internal controls for regulatory responsibilities and decisions. Potential examinations in this area may include reviews of a national securities exchange's outsourcing of regulatory functions, the funding of regulatory functions, and the governance and oversight of regulatory functions.

An examination of options exchanges' listing programs, including assessing compliance with listing requirements and evaluating the policies and procedures regarding listing programs.

An examination of exchanges' controls related to the management of information technology, such as written supervisory policies and procedures; information security and incident response, business continuity planning and pandemic preparedness, software development and testing, outsourcing and vendor management, and enterprise risk management.

Other areas of focus include: cyber-security compliance and controls; and assessing anti-money laundering controls, with a focus on firms that have not filed suspicious activity reports or have incomplete or late filings.

The 2015 examination priorities were developed in consultation with the five commissioners, senior staff from eleven regional offices, the policy-making and enforcement divisions, the SEC’s Investor Advocate, and other regulators.

The SEC’s list of examination priorities follows similar guidance released last week by the Financial Industry Regulatory Authority. Its approach will focus on broker-dealer activity, flagging such issues as alignment of firms' interests with those of their customers; standards of ethical behavior; development of strong supervisory and risk management systems; and management of conflicts of interest.

In terms of AML controls, FINRA will focus on certain types of accounts, including cash management accounts. CMAs are brokerage accounts used for activity typically associated with bank accounts. FINRA will review the adequacy of firm surveillance systems and processes to identify potentially suspicious transfers to and from CMA accounts, and to verify the business purpose of activity conducted through these accounts.

FINRA examiners will also focus on the adequacy of firms’ surveillance of customer trading. Firms are advised to tailor customer trading surveillance around the AML risks inherent in their business lines, products and customer bases and examiners will evaluate whether firms have systems to monitor for red flags indicative of suspicious customer trading activity.

FINRA will also review firms’ approaches to cyber-security risk management, including their governance structures and processes for conducting risk assessments and addressing the output of those assessments.

In January 2014, FINRA initiated a sweep to better understand the threats to which member firms are subject, as well as their responses to those threats. It expects to publish the results of that sweep in early 2015. That report will include best practices firms should consider in developing and implementing their cyber-security programs, for example, the use of frameworks and standards, the role of risk assessments, the identification of critical assets, and the implementation of controls to protect assets.