The step-by-step of what to expect in an external exam and how best to prepareLast week in this space, we looked at what an enterprise financial firm might expect to experience in the run-up to an external audit, or, as they're commonly referred to by industry insiders, external exams. We explored what triggers them, what regulators are looking for, and regulatory remits. Today we'll explore process: the step-by-step of what happens in an external exam and how best to prepare.
FOREWARNED IS FOREARMED
"The more organized you are before the SEC ever notifies you, the better." So says Niel Armstrong, CEO and founder of Gordian Compliance Solutions, a boutique consulting firm specializing in regulatory compliance services for financial firms. "You want to have really solid policies and procedures and code of ethics, and a good methodology for maintaining all your books and records in an electronic format. It makes life so much easier." The notification of an exam comes in the form of a document request letter, a request for information that comes to the CCO in the mail, typically asking for about 20 pages of data.
But not all document request letters are created equal. Each one is tailored specifically to the targeted firm, depending on what the regulator sees as that firm's particular risk areas. But the unique nature of these information requests can be used to the targeted firms' advantage. "The document request letter gives insight into what kind of exam it's going to be," says Patrick Dominguez, Director Of Investment Adviser Services for Gordian Compliance Solutions.
The SEC is typically looking at several risk factors, including investment strategy, newly submitted data by the registrant, and consistency of performance. Any of these items may raise a red flag. Again, Dominguez: "Right now, there's a focus on retail investors and cybersecurity. So if any of the request items seem to lean in one direction or the other, you can sometimes discern whether its a routine examination, or whether they're looking at practices they consider to be high risk."
GETTING TO KNOW YOU
Once examiners arrive onsite, the first thing they do is conduct interviews with key personnel, in an attempt to get a handle on who's responsible for what and how business is conducted. These interviews can last anywhere from two to four hours per person. Based on what was sent back to the SEC in the document request letter, examiners may use these conversations to delve deeper into areas of specific interest.
The SEC has, however, been known to not come onsite at all. "Sometimes they stay for two or three days," says Armstrong, "and other times they defer completely. Sometimes they'll send the document request, and tell you right away they're not going to be onsite. It really varies." But even if a regulator does entirely eschew face-to-face interaction, expect that at the very least there will be a phone interview.
Once the interviews are over the CCO will be the primary point of contact with the SEC, as the exam continues and additional documentation or data is requested. That's for investment advisors, though. On the broker-dealer side, the CFO might be involved more. And once examiners start to drill down into specifics, they may want to speak to the traders, to get a better understanding of how they made decisions to trade particular securities.
FINRA can be an entirely different regulatory animal than the SEC. The longest the SEC will be physically present is about a week. FINRA can be onsite for several weeks. Consider setting aside a conference room for them.
THE LONG AND THE SHORT OF IT
Like with any exam, you'll no doubt be anxious to get your results, but don't expect to hear anything anytime soon. "Wait times vary quite a bit," says Armstrong. "Sometimes you hear something back in two months, sometime six. I've seen it go as long as a year." The reasons for delay are mixed. At the SEC, examiners tend to stay for a long time. FINRA has more turnover. As a result, the SEC tends to be more organized in their processes and procedures overall.
There's also been a delay in regulators getting up to speed with all the digital and data-driven change that's come to finance. Part of that delay involves simply not having enough examiners on staff with the necessary technical backgrounds, though the SEC is coming around. "The SEC has started hiring more technical staff," says Dominguez, "people who can audit things like quant strategies and algorithms, and who can look through the more intensive financial data." State regulators, in general lacking the resources of the SEC or FINRA, may offer the longest waits of all.
The good news is, once exam results do finally come in, in the vast majority of cases nothing is found. Sometimes, what the regulators refer to as deficiencies are uncovered, where they suggest ways to do things better. Very rarely, if examiners find something they think is a violation of the law, cases will go to enforcement. What then? "There is an appeals process," says Armstrong. "If the SEC's enforcement division rules against you, you can schedule a hearing and argue against it."
Regulators prize a culture of compliance. Make sure everyone knows what their roles are. Document activity exactly as the manual says you should. Ensure your staff has adequate compliance training. Ensure your firm's stated policies and procedures will catch the conflicts of interest, market abuse, or equivalent risk to the business or marketplace they're designed to catch, and then adhere to them. Finally, conduct an annual review of all your policies and procedures and update them as appropriate.
"One of the most common findings to come out of SEC exams," says Dominguez, "is that an investment advisor hasn't conducted an annual review of its compliance program: an honest look at the policies and procedures as written versus the firm's actual advisory business practices. It's basics like this that will position you for a successful external exam, before it ever begins."