Under Chair Gary Gensler, the Securities and Exchange Commission has become a much more outspoken regulatory body.
Whether it's new rules about marketing, oversight for outsourced services, or increased scrutiny of digital assets and cybersecurity, there’s plenty of activity – and that means more requirements for firms to meet. For chief compliance officers, there are a number of steps to take to keep up with the SEC, says Beth Haddock, chief compliance strategist at AdvisorEngine. As a veteran investment industry legal expert, Haddock offers suggestions on where fellow compliance officers can focus efforts this year.
Haddock: 2022 was one of the busiest regulatory years that we've seen in enforcement and in new rule pronouncements. We saw lots of new rules with short, 30-day comment periods, and increased enforcement cases, up almost nine percent from 2021. I recommend you follow the SEC’s public relations releases and the social presence of SEC chair Gensler. His commentaries about the news releases that come out are good fodder for your compliance training and a shortcut to keep you updated on what the SEC is focusing on.
Back to basics
Haddock: Basics are still super important. Get an independent review because if you haven't had someone take a look at your basics lately, that's a really important gap to fill. Make sure you refresh and you don't keep doing what you were doing without a critical analysis of your controls.
A best practice
Haddock: A core roadmap for your compliance program is the regulator's roadmap. So rather than being too insular and focused on the day-to-day, pause and say, ‘I'm going to summarize my annual testing into a Chief Compliance Officer report.’ There are some proposals about making it a requirement. Those haven't passed, but it is certainly a best practice to do so, and arguably an expectation. If you haven't been audited by the SEC or a state regulator in some time, I would expect they would look for some sort of annual report.
What goes in
Haddock: Document your annual review from your advisor’s perspective. Tell your story as a narrative on your control environment and culture. Start with an executive summary that says upfront if you have an adequate program or not. (Obviously, if you have concerns about your program not being adequate, get help and get the program in line.) I'm going to assume you have an executive summary and it tells good news. Itemize some gaps, but note they are on the lower end of priority or risks, or that they are gaps that were discovered and remediated. You'll also want to cover in your executive summary what laws apply to you and what is not applicable and highlight any changes to the compliance program. You should always have changes – you never want to have an annual report that says there are no changes to the compliance program because that in and of itself could be a red flag as regulatory expectations are always evolving.
Next, you want to give an overview of your compliance controls. You're going to cover your risk assessments. If you don't, you want to make sure you get outside help to complete a risk assessment. You're also going to give an overview of your independent testing, what you found, and what are the improvements. And give a brief overview of what you anticipate or predict in the coming year. Even if your forecast isn't 100% accurate, you can show that you did some strategic work. You had a good faith effort to make sure you are resourced correctly. Finally, use lots of exhibits. If you have an exam two years from now, you don’t want to have to look for all of the different bits and pieces that were referenced. This process is going to set the stage for great results for your next exam.
What should be in your roadmap
Haddock: There are several priorities:
- If you're engaged in digital assets in any way, make sure you've got internal controls that describe how you're managing risks with digital assets.
- The same with environmental, social and governance (ESG) offerings.
- Operational resiliency should be included on your roadmap too. Think of any kind of information security work that you do through your CISO or any kind of oversight that you do for your vendors. You want to make sure resiliency and identity theft are covered.
- There are also off-channel communications that may violate SEC requirements for review and archiving. Separate personal from business communications, because arguably the business is going to have better cyber controls. So no texting, no emailing, no communicating on any kind of apps that are on personal devices. That might mean including in your roadmap an inventory of devices, maybe even budgeting for additional devices if you don't already have them. Offer training and even more surveillance to everyone who's involved in the firm.
- Don’t forget the basics too – such as insider trading, which is commonly part of a compliance program and training. Make sure that you're covering risks tailored to your business. If your firm recommends individual securities where you have access to material nonpublic information, you're really just going to focus on access to MNPI in personal networking.
- The last thing on the list is commingled products. Regulators have really focused on mutual funds and private funds. You need to understand what the cost structure is and when you're talking about a track record for performance, be careful that you do so in the right way.
New marketing rule
Haddock: Some advice for compliance officers: Be skeptical about any performance hypotheticals and projections. Keep resources and any kind of backup for a projection. It'll be very difficult to build that down the line during a routine exam or during a for-cause exam. If you don't understand how the calculations are made, you probably do need to go one level deeper to make sure that the disclosures are accurate. You don't need to be doing others’ work, but you certainly need to enhance due diligence under this new marketing rule. The marketing rule is really about making sure that firms under an audit or an independent review can show that they were trying to be fair and balanced, which on the other hand makes it easy for regulators to see if there's a material omission.
Haddock: You should already have a due diligence questionnaire and conduct initial and annual reviews. Part of the due diligence should be a vendor risk assessment: risk-rank your vendors; some might be less risky and support a three-year review instead of an annual review. The risk scale can be based on your firm’s preference; for example, what information they have access to and what type of systems vulnerabilities exist. Regulators also want an independent review of your record keepers, which is new and should be included in this process.
Haddock: Even if you aren't a broker-dealer, when you think about your obligations, number one, you want to make sure that you're documenting evidence not just to support the product and the actual investment, but any recommendations too. You need to have a reasonable basis for recommendations. If there is a release of new products at a firm level, you want to categorize the higher-risk products centrally – don't leave it to the incentive-based reps to decide whether a product is high-risk. Risk tolerance isn't just for an account at the client level; it needs to be at the specific recommendation level. Also, I'd recommend that you have a new product committee and annual training that covers product features so you help ensure recommendations are grounded in an accurate understanding of the products. If your workload is such that you don't have enough time to pause and tackle all this work, get outside help.
Create a business case
Haddock: To compliance officers: Assume your annual report is primarily for your management and regulator (SEC) to review. For management – show why you've done a great job, why you're a great business leader, and how you're helping the firm. A slide deck is recommended to help tell that story. The deck can show what the program is, and how you have managed it strategically and tactically for the year. This is another chance to manage your performance review. Tell your story as the head of the compliance program, and use it not just to show how the SEC is focused on enforcement, but use it to demonstrate the ROI for the compliance program. Keep it simple. Also give a regular update, whether it's an all-hands or a staff meeting. You can give a five-minute overview, then either have your own office hours or recommend people see you with different questions. Adopt SEC Chair Gensler’s stance – use the annual report as a little bit of your own PR to show what a great job you did and how challenging your job is.
This blog is sponsored by AdvisorEngine Inc.