SEC Releases 2021 Examination Priorities

March 09, 2021 by Marianna Shafir Esq.


The long-awaited 2021 Examination Priorities from the Securities and Exchange Commission’s (SEC) Division of Examinations were recently released. The priorities cover several emerging issues, including climate-related risks, technology and Regulation Best Interest (Reg BI).

New SEC Priorities for 2021

Climate and ESG
The SEC will focus on environmental, social and governance (ESG) matters in light of market developments and increasing awareness in this space. The agency will look at the implications of climate change for registrants’ operations, the consistency and adequacy of climate-change and ESG disclosures, and compliance in the context of ESG-oriented investment strategies.

Global Pandemic
The Division pivoted to focus on the most pressing risks. This includes examining whether registered firms’ business continuity plans were updated, operational and effective, and addressing increased cybersecurity and supervision risks facing firms in a remote environment.

Technology
The Division will focus on the use, implementation and integration of technology by firms to facilitate compliance with regulatory requirements. The SEC has observed that alternative data, or data gleaned from non-traditional sources, is increasingly being used by firms, including private fund advisers, as part of their business and investment decision-making processes. Reviews will include examining whether firms are implementing appropriate controls and compliance around the creation, receipt and use of such information.

Information Security
The SEC will review whether firms have taken appropriate measures to:

  1. Safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access
  2. Oversee vendors and service providers
  3. Address malicious email activities, such as phishing or account intrusions
  4. Respond to incidents, including those related to ransomware attacks
  5. Manage operational risk due to dispersed employees in a work-from-home environment

The Division will also focus on controls surrounding online and mobile application access to investor account information, the controls surrounding the electronic storage of books and records and personally identifiable information maintained with third-party cloud service providers, and firms’ policies and procedures to protect investor records and information. The Division will again be reviewing registrants’ business continuity and disaster recovery plans.

Reg BI
The Division will expand the scope of examinations to focus on assessing whether broker-dealers are making recommendations they have a reasonable basis to believe are in customers’ best interests and evaluating broker-dealer processes for compliance and alterations made to product offerings. The Division will also conduct enhanced transaction testing as part of these examinations and will evaluate firm policies and procedures designed to meet additional elements of Regulation Best Interest, the recommendation of rollovers and alternatives considered, complex product recommendations, assessment of costs and reasonably available alternatives, how sales-based fees paid to broker-dealers and representatives impact recommendations, and policies and procedures regarding how broker-dealers identify and address conflicts of interest.

Compliance Programs
The Division will continue to review the compliance programs of investment advisors (including whether those programs and their policies and procedures are reasonably designed, implemented and maintained), portfolio management practices, custody and safekeeping of client assets, best execution, fees and expenses, business continuity plans, and valuation of client assets for consistency and appropriateness of methodology.

The report also mentions other areas of interest to the SEC, including compliance concerns related to retail investors (including seniors and those saving for retirement), market structure and anti-money laundering (AML).

Risk factors for investment advisers and broker-dealers

While these priorities drive many of the SEC’s examinations, the agency selects firms and the areas of focus for examination according to a risk-based analysis, which varies depending on the type of firm and its business activities. For registered investment advisers (RIAs) and broker-dealers, the Division considers dozens of risk factors, which include:

  • Products and services offered (including certain products identified as having higher risk characteristics)
  • Compensation and funding arrangements
  • Disclosures and representations made to customers
  • Prior examination observations and regulatory history
  • Whether the firm has never been examined, is newly registered, or has not been examined in many years
  • Material changes in firm leadership or other key personnel
  • Whether a firm has access to investor assets (i.e., custody)

The aforementioned characteristics and factors are not exhaustive, but they provide insight into criteria the Division considers in its risk-based analysis.

How to prepare for an SEC examination

Technology continues to be a key theme for the regulators this year. This means firms need to capture, archive, and supervise all written business communications. This includes retention of electronic communications such as email, text messages, instant messages, social media and collaboration tools. Periodically test the systems to ensure the communications are being captured for review and retention. To test whether advisors are using unapproved communication channels, I recommend setting up automated keyword searches.

The SEC's tone on noncompliance has not changed in 2021. The regulators will continue to penalize firms that fail to meet regulatory requirements, through fines and other enforcement actions. Firms should consider reviewing their controls, policies and procedures regarding the above enforcement priorities.
