3 Factors Changing The Scope Of Capital Markets Compliance by firm58
As technology sparks more complexity and versatility in the capital markets, new avenues for unethical and illegal trading practices continue to emerge, while political pressure on Wall Street increases in the wake of the 2008 crisis. Broker dealers’ Chief Compliance Officers (CCOs) are coming under increased scrutiny, and for the first time new regulatory proposals threaten to hold them personally accountable for illegal trading activity at their firms.
Over the last two decades, capital markets compliance has evolved from reacting to simple discrete events in a floor-centric world, to addressing intricate, multi-asset, multi-event scenarios in an electronic, high-speed, high-frequency trading environment. This new paradigm introduces challenges (and opportunities) around big data—and the pressure to search for patterns in a constantly shifting landscape—as well as firms’ overall cultural values.
Compliance teams no longer enjoy the benefit of a small pool of compliance concerns, and must simultaneously juggle a variety of competing issues, including:
Securing digital platforms is a recurring problem, and one that will only become more critical as virtually all business processes are or will soon be digitized.
Firms don’t always collect the right data, and even when they do, broker dealers need to aggregate the data in specific ways in order to be able to parse that information to derive meaning. Mid-market broker dealers generally can’t recruit dedicated teams of analysts, but strategic software investments can make the difference between simply retaining and acting on order/execution data.
Institutional culture is a major theme influencing the SEC and FINRA’s recent exam priorities; broker dealers must structure incentives and penalties to encourage responsible trading activity. This doesn’t necessarily mean trying to keep up with the largest market players in terms of technology, but firms do need to work within their capabilities. Compliance blunders are often costly, and preventative investments easily outweigh punitive fees. In fact, FINRA estimates that since 2010 broker dealers have sunk $300 billion into compliance costs as a result of “cultural failures”.
Broker dealers’ reputation and success will hinge on their ability to adjust to new industry regulations–through both simple changes and more comprehensive reforms–in the coming months and years. The largest firms with resources to address these issues will have an easier path; however, small and mid-sized (SMB) broker-dealers must employ a patchwork of internal resources and external vendors to protect against these growing threats and answer the demands of regulators.
Regulatory Compliance – Adapting To An Environment In Flux
Regulatory compliance is less a matter of educating broker dealers on new or complex rules and processes; most firms already understand what they need to do, or what they cannot do, but struggle to balance effective execution and oversight against budgetary concerns and business conditions. Broker dealers must review their IT security efforts, data management methods and regulatory exam focus, ensuring that compliance is a business priority.
On the surface, broker dealers appear well protected against cybersecurity threats, but frequent attacks paint a different story. Analysis from the Office of Compliance Inspections and Examinations found that even though 93 percent of broker dealers conduct internal cyber risk assessments (and 84 percent review their vendors’ security), 88 percent have suffered cyberattacks.[3] Broker dealers are clearly taking steps to address cybersecurity, but too often those measures are incomplete or ineffective. Firms’ awareness of cybersecurity risks can only go so far: they have to take meaningful action to address their vulnerabilities and keep up with growing threats. Brian Vazzana, Director of Information Systems & Assurance Services at BDO, sees cybersecurity becoming more crucial: “Cybersecurity has been a hot topic over the past few years and isn’t necessarily showing signs of waning among various industries. It’s extending beyond simple questions of, ‘do you have a firewall,’ and ‘are you conducting penetration testing?’
“Several widely accepted cybersecurity frameworks are available to companies, including the National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure as well as International Organization for Standardization (ISO), Information Security Management—ISO/IEC 27001. The AICPA’s Assurance Services Executive Committee and Audit Standards Board are also currently working on cybersecurity criteria as well as examination engagement guidance in compliance with current attestation standards, which should support various frameworks,” Vazzana explained.
Lacking internal expertise, many broker dealers conduct cybersecurity reviews without a solid grasp on the security concepts they investigate. As a result, it’s common for firms (large and small) to collect information on features that are irrelevant to a vendor’s product while ignoring (whether intentionally or not) crucial security considerations. When organizations find defects in their own systems or a partner’s defenses, there’s often no follow-up to see if those issues were ever addressed. To avoid reducing the process to a formality (not to mention a waste of time and resources), broker dealers must ‘reboot’ their cybersecurity review practices.
While the largest broker dealers have the resources to address this issue, middle-market broker dealers simply lack resources to address the concerns—they need a smarter, cost-effective solution. A slim majority (58%) of firms have invested in cybersecurity insurance, but this is just a bandage, not a long-term solution.[4] It’s important for firms to invest in relationships with IT consulting organizations familiar with the industry. All of the national and regional accounting firms have cybersecurity practices. Firms like BDO are aggressively marketing their services to the industry and have a wide range of solutions for firms regardless of size.[5] Competent security consultants can be the difference between threat recognition and proactive measures that protect your firm, and your clients, from much greater risk.
In recent months, the SEC and FINRA have voiced concern that broker dealers’ surveillance and compliance systems aren’t collecting the information organizations need to detect illegal activity.[6] Particularly with regard to anti-money laundering efforts, red flags around wire transfers, name and address changes and more are often lost in the shuffle. This, paired with the industry-wide push toward a consolidated audit trail, has forced broker dealers to re-examine their data management practices. Case in point: FINRA recently fined a broker dealer $2.6 million for failing to retain critical records in an immutable format.
Comprehensive data transparency tools, complete with cross-system pattern analysis and automated reporting, are still new and available at a price point feasible for only the largest firms. The largest, full-service vendors in this category include NASDAQSmarts, Nice-Actimize and Sungard-Protegent. These vendors target and are best suited for the largest institutions. SMB broker dealers should continue to pursue conventional, targeted compliance solutions rather than holding out for a silver bullet. Firms specializing in trade surveillance and compliance (such as Firm58), personal trading surveillance, affirmations and certifications, gift tracking, case management (such as Schwab Compliance Technologies), or anti-money laundering (such as Lexis-Nexis), are well suited for the SMB broker-dealer market.
Simply hoarding an unorganized data dump might allow for wrongdoing to be discovered via spreadsheets or verified long after the fact, but offers no preventative, or T+1 power. Nor does it address changing industry guidelines or best practices that the vendors mentioned above will provide. Conversely, sparsely collecting data allows for more intensive analysis, but may leave critical records behind. No recordkeeping system will be perfect, but it’s important to extract value from what information your organization already collects. Where possible, firms should