As the 10-year anniversary of the U.S. financial crisis looms, the industry is still trying to regain investor confidence by showing that it takes compliance rules seriously and punishes those who don't. To this end, finance industry regulators have set their sights on corporate culture and its relationship to compliance practices. In other words, rather than asking to see compliance to-do lists checked off, regulators are seeking broader demonstrations of compliance culture in areas such as internal controls and risk management.
The Financial Industry Regulatory Authority (FINRA) has made it a priority to examine how well firms value internal controls and whether supervisors model the company's stated compliance culture. In upcoming FINRA examinations, examiners will pay close attention to the behaviors that are expected at a firm, the behaviors that are actually performed, and whether policy breaches are tolerated.
This FAQ is part of SearchCompliance's IT Compliance FAQ series.
What can financial firms expect from the industry's self-regulatory body -- the Financial Industry Regulatory Authority -- in 2016?
In 2016, the Financial Industry Regulatory Authority (FINRA) is paying special attention to compliance culture and how it plays out in a firm's internal controls, supervision and risk management. The group is particularly interested in assessing how these functions affect cybersecurity, technology management, conflict-of-interest management, anti-money laundering, outsourcing practices, and data quality.
FINRA is currently formalizing how it assesses compliance culture. In FINRA examinations this year, the group will focus on five indicators:
- Does the firm value control functions?
- Does it tolerate control breaches?
- Do managers effectively model the stated culture?
- Is the firm proactive in identifying risk and compliance problems?
- Are non-conforming subcultures held accountable?
Financial firms should take steps to make sure efforts to reduce conflicts of interest are visible, and be prepared to show that their compliance initiatives have necessary resources. The company should also demonstrate that breaches of policy are not tolerated and violators are punished accordingly.
How will FINRA determine whether a firm is adequately implementing its stated compliance culture?
To determine whether a firm's cultural values actually guide business dealings, FINRA will meet with executives and personnel from financial firms' compliance, legal and risk management departments. Firms can expect a discussion about how they communicate and reinforce their values, as well as how they monitor the ways in which these values are demonstrated during business dealings. FINRA is also seeking metrics to demonstrate companies' compliance with these values.
There are several common questions that are likely to arise, including:
- How are cultural values established, and who establishes them?
- Is the board involved with establishing cultural values, and how do executives promote these company values?
- How does the company ensure that middle management applies these values?
- What processes are used to discover breaches of policy, and how are such breaches addressed?
- Are there policies or processes for discovering and dealing with subcultures that might compromise company values?
- How does the compensation structure reinforce values?
How will FINRA evaluate a firm's supervisory, risk management and internal controls functions?
Supervision, internal controls and risk management are integral to a firm's compliance culture, and will be in the spotlight during FINRA's 2016 examinations. Under the industry's own rules, firms are required to maintain supervisory systems for compliance matters, but FINRA has seen repeated problems with supervision in the areas of conflict-of-interest management, technology, outsourcing and anti-money laundering.
FINRA will examine how a firm manages conflicts of interest that can arise in various contexts, including incentives in the retail brokerage side of the business, research analysis vis-a-vis the investment banking side of the business, and controls implemented to minimize information leaks.
How a firm manages its hardware, software and information technology personnel will also be closely examined by FINRA in 2016. The group has cautioned that some firms still have not deployed adequate cyber defenses, and persistent threats create particular risks in the areas of customer accounts, asset transfer systems, online trading systems and vendor management systems. FINRA will look closely at how a firm implements IT management, including data governance, employee training, technical controls, risk assessments, data loss prevention, incident response and vendor management.
Information technology change management is of special concern to FINRA. The group has warned that it has seen too many errors in how changes are made to IT systems and applications, and it will look closely at how firms supervise changes to back office systems and vendor systems.
FINRA has also warned that it will be taking a careful look at how firms monitor and prevent suspicious trading activity. Surveillance systems should be tested and the accuracy of data sources should be verified to ensure that suspicious activity can be detected and reported. If certain transactions are excluded from anti-money laundering surveillance functions, the reason for this exclusion must be documented.
What can firms do to prepare for FINRA examinations of information technology systems?
Firms facing a FINRA examination should make sure that they have written procedures guiding change management of IT systems. Adequate segregation of duties for employees who deploy technology changes should be visible, as should the testing of user acceptance. Technology governance should include sufficient testing of algorithms as well.
Compliance systems must be shown to operate effectively, and firms must be able to demonstrate that no major breakdowns occurred in the transition from legacy systems to new systems. Firms should be sure that no coding defects are evident in production systems, and that email and other electronic communications are properly supervised and retained.
FINRA is expected to look closely at data quality and governance in its examinations this year. Data reporting practices and quality controls must ensure that the information channeled to supervisors and surveillance systems is accurate, complete, consistent and timely. In particular, FINRA wants to see that automated anti-money laundering surveillance systems are picking up accurate and thorough data.
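The two points above, that surveillance exclusions must be documented and that the feed into surveillance must be accurate, complete, consistent and timely, can be enforced by a validation gate in front of the surveillance system. The following is an added example written for this FAQ; it is not FINRA's guidance or any firm's code. The field names, the list of known currencies, the 24-hour staleness threshold and the sample batch are assumptions chosen for illustration.

```python
"""Data-quality gate for a transaction feed into an AML surveillance system.

Added example (not FINRA's or any firm's code). Each record is checked for the
four properties the FAQ lists (accurate, complete, consistent, timely), and any
record flagged as excluded from surveillance must carry a documented reason.
Field names, thresholds and the sample batch are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone
from decimal import Decimal, InvalidOperation

REQUIRED_FIELDS = ("txn_id", "account", "amount", "currency", "booked_at")
KNOWN_CURRENCIES = {"USD", "EUR", "GBP"}  # assumed: currencies the surveillance rules cover


def check_record(rec, now, max_age):
    """Return data-quality findings for one record; an empty list means it is clean."""
    findings = []
    # Completeness: every required field present and non-empty.
    for field in REQUIRED_FIELDS:
        if rec.get(field) in (None, ""):
            findings.append(f"missing:{field}")
    # Accuracy: amount must be a positive number the rules engine can act on.
    try:
        if Decimal(str(rec.get("amount", ""))) <= 0:
            findings.append("invalid:amount_not_positive")
    except InvalidOperation:
        findings.append("invalid:amount_not_numeric")
    # Consistency: currency must be one the surveillance thresholds are defined for.
    currency = rec.get("currency")
    if currency and currency not in KNOWN_CURRENCIES:
        findings.append("inconsistent:unknown_currency")
    # Timeliness: timestamp must parse, carry a timezone, not be in the future, not be stale.
    stamp = rec.get("booked_at")
    if stamp:
        try:
            booked = datetime.fromisoformat(stamp)
            if booked.tzinfo is None:
                findings.append("invalid:timestamp_no_timezone")
            elif booked > now:
                findings.append("invalid:future_timestamp")
            elif now - booked > max_age:
                findings.append("stale:booked_at")
        except ValueError:
            findings.append("invalid:timestamp_format")
    # Exclusions: a record kept out of surveillance must say why it was excluded.
    if rec.get("excluded") and not rec.get("exclusion_reason"):
        findings.append("exclusion:undocumented")
    return findings


def triage(records, now, max_age):
    """Split a batch into records to surveil, documented exclusions, and rejects."""
    report = {"surveil": [], "excluded": [], "rejected": []}
    for rec in records:
        findings = check_record(rec, now, max_age)
        if findings:
            report["rejected"].append((rec.get("txn_id"), findings))
        elif rec.get("excluded"):
            report["excluded"].append((rec["txn_id"], rec["exclusion_reason"]))
        else:
            report["surveil"].append(rec["txn_id"])
    return report


NOW = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(hours=24)

# Constructed sample batch (not real data): one clean record and five defects.
SAMPLE_RECORDS = [
    {"txn_id": "T1", "account": "A100", "amount": "2500.00", "currency": "USD",
     "booked_at": "2016-03-01T09:30:00+00:00"},
    {"txn_id": "T2", "account": "", "amount": "900.00", "currency": "USD",
     "booked_at": "2016-03-01T10:00:00+00:00"},                      # incomplete
    {"txn_id": "T3", "account": "A300", "amount": "10.00", "currency": "EUR",
     "booked_at": "2016-03-01T11:00:00+00:00", "excluded": True,
     "exclusion_reason": "internal sweep between firm omnibus accounts; approved by compliance"},
    {"txn_id": "T4", "account": "A400", "amount": "50.00", "currency": "GBP",
     "booked_at": "2016-03-01T11:30:00+00:00", "excluded": True},    # undocumented exclusion
    {"txn_id": "T5", "account": "A500", "amount": "75.00", "currency": "USD",
     "booked_at": "2016-02-26T08:00:00+00:00"},                      # stale feed
    {"txn_id": "T6", "account": "A600", "amount": "abc", "currency": "USD",
     "booked_at": "2016-03-01T11:45:00+00:00"},                      # not numeric
]


def run_sample():
    """Run the gate over the constructed batch and return the triage report."""
    return triage(SAMPLE_RECORDS, NOW, MAX_AGE)


if __name__ == "__main__":
    for bucket, items in run_sample().items():
        print(bucket, items)
```

Rejected records are not silently dropped: they stay in the report with the reason, so the rejection rate itself becomes a metric an examiner can ask for, and the list of documented exclusions is the evidence that excluded transactions were excluded deliberately rather than lost.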
How do FINRA's 2016 priorities compare to those of the U.S. Securities & Exchange Commission?
Like FINRA, federal regulators will be taking a closer look at the financial industry's internal controls in 2016. The Office of Compliance Inspections and Examinations at the U.S. Securities and Exchange Commission has made cybersecurity and Systems Compliance and Integrity (SCI) two of its top priorities. The regulators will assess, among other things, how well firms have implemented cybersecurity procedures and controls and whether data centers, infrastructure components and security operations are up to the task.
Learn more about new finance industry mandates, including how Regulation SCI broadens the scope of IT systems compliance and why the rule represents a new level of enforcement for federal regulators.