Taking Uncertainty Out of the Equation With Automatic Compliance Testing


By Colleen Corwell


US regulators have been making big investments in Big Data to accelerate exam frequency and more aggressively combat market malfeasance.[i] For instance, the U.S. Securities and Exchange Commission’s (SEC) National Exam Analytics Tool (NEAT) enables examiners to access and systematically analyze massive amounts of trading data from firms along with market data in a fraction of the time it has taken in years past. In 2015, the SEC awarded a $90 million contract to a software company assisting its data analytics detection program.[ii]

Following regulators’ lead, a growing number of financial firms are leveraging automated data mining, analytics, and compliance testing to protect their firms and clients.

A core requirement of the SEC’s Rule 206(4)-7 of the Advisers Act (the “Compliance Rule”) is to test the adequacy and effectiveness of the compliance program on at least an annual basis. Compliance testing enables registrants to continuously monitor the efficacy of their compliance controls to mitigate the risks of everything from conflicts of interest, improper asset allocations, breaches of client investment mandates, market manipulation, and other misconduct.

Regulators allow leeway as to the methods firms employ to assess and review their compliance programs. Naturally, firms use the resources at their disposal to satisfy the testing obligation. This equates to widely varying assessment and review practices. For instance, small- to mid-sized private equity firms that are not high-volume, high-frequency transactional businesses historically have been able to effectively manage compliance testing with legacy tools and tactics, including Microsoft Excel spreadsheets.

Says BasisCode Compliance CEO Carlos Guillen, “By law, all registered firms are managing compliance testing one way or another. The differentiator is what tools they’re using to test their programs, including how information is stored and accessed.” The larger firms with more resources were among the first to migrate to automated compliance assessment and reviews, he says.

Now more mid-sized and smaller firms are taking advantage of testing technology. A firm’s size does not necessarily correlate to the number of policies and procedures under review nor the amount of risk. The pace of change in the regulatory landscape along with a firm’s growth in size or complexity has driven the need for an efficient use of technology in order for a compliance department to remain effective and relevant in the digital age.

According to Accenture’s 2017 Compliance Risk Study, risk assessment remains one of the most time-consuming compliance activities, with 46% of respondents expecting it will remain a significant capacity drain in the next three years.[iii]

“Technology-adoption inertia is the greatest risk to the compliance department’s future effectiveness as a strategic advisor and risk manager,” said Samantha Regan, a managing director in Accenture Finance and Risk, leading the company’s Regulation and Compliance practice.

Mark Opila, Chief Executive Officer of compliance software provider Patrina Corporation, agreed that technology-adoption inertia won’t make compliance issues go away.

“Doing nothing is not an option, especially when the savings realized by avoiding a single fine or disgorgement could pay for a solution that keeps a company compliant and safe from reputational risk for years.”

It typically takes time for a compliance department to adopt something new even if employees are frustrated and unhappy with the current process. For some firms, it’s simply easier to stick with the status quo than implement a new system. There can be push-back when trying to adopt new technology because it requires new skills, and there will be a learning curve along with a cost. Now, several years since testing technology has hit the market, cultural inertia has hit a flashpoint, and more firms are leaving behind the old, inferior processes in favor of cost-effective technology solutions that can be pivotal for a compliance department’s performance.

For the growing number of financial firms embracing automation, compliance testing software offers manifold benefits. The firm’s policies, testing processes, and data are all stored in a central location and are calendared in a web-based program that allows multiple users to interact. Information is easier to access and analyze than hardcopy reports and data stored in filing cabinets or disparate folders on a network. Data-rich reports can be generated on a moment’s notice when needed internally or by regulators. Assessment software can really shine by combing large volumes of data and comparing it historically or against benchmarks to detect anomalies or patterns that signal potential problems. Similar to the SEC’s NEAT system, this enables managers to identify behavioral patterns by specified individual, group of individuals or area of a firm, to triage resources where they may be best put to use, and address misconduct before it metastasizes.

Compounding the need to better manage internal compliance reviews, registrants may be examined without even knowing it. Under Dodd-Frank, the SEC was given independent authority to review custodian data. The regulator runs analyses against its vast data stores to detect issues, and registrants need not be notified that the SEC requested information from a bank or fund administrator.

Thus, it behooves registrants to do everything within their means to maintain an audit-ready posture. “What you don’t know absolutely can hurt you,” says regulatory software provider Financial Tracking principal Tony Turner. “You need to look under the bed to see if there’s a monster under there, instead of waiting for regulators to say you have good reason to lose sleep at night.”

Turner says a regulator handed one of his clients an exam letter that requested 36 “eye-popping” pages of information. Responding to that request manually would have taken weeks or months. By virtue of compliance testing and risk management software, the review took less than two days.

Traditional, manual assessment methodologies managed by the Chief ‘Excel’ Officer may remain part of some compliance programs in the near term. However, integrating automation takes testing to the next level and may soon become the standard. At some point, the consequences of not having an automated program, such as unsystematic reviews, lost productivity and greater potential for risk, may justify the shift. Automated assessment solutions enable firms to produce tangible evidence that they are tearing a page from regulators’ rulebooks to manage compliance proactively, instead of reactively.

Examiners may look favorably on firms that leverage state-of-the-art tools to mitigate risk further upstream. “This is not your grandfather’s SEC,” Turner adds. “You may be able to manage compliance with spreadsheets, but how long will it take you? If it turns into a full-time job, there’s a more thorough and less expensive way to a better result. Make sure your tools are sophisticated, like the ones regulators are using. Otherwise, you could be at a disadvantage without even knowing it.”


About the Author

Colleen Corwell is a Director at Alaric Compliance Services, www.alariccompliance.com. She can be reached at





Five Best Practices for Compliance Assessment and Reviews


  1. Define Inventory and Ranking of Compliance Risk – Take an inventory of compliance risks that include regulators’ “Critical Areas” (e.g. safeguarding client assets, trading practices, marketing, BCP, records management, disclosures, etc.). Then rank these risks (e.g., probability of occurrence, financial impact, reputational impact, etc.) and allocate compliance resources (people, tools, etc.) to the highest impact areas.
  2. Map Controls Against Identified Risks – Once compliance risks are identified, ranked, and prioritized, map controls to each risk, including procedure, frequency, and assignment of owners to each control to ensure appropriate  Software can facilitate this control mapping process and improve a firm’s Risk Assessment, Testing, Archiving, and Reporting procedures. It greatly increases efficiency, reduces impact of employee turnover, eliminates disparate data repositories, and helps firms maintain audit readiness.
  3. Define Compliance Information Flows – Once controls are mapped to ranked risks, determine who needs what compliance information when. Externally, regulators specify the information they need, while internally, information must be shared throughout your business. Defining information flows can help reverse-engineer a compliance solution that delivers the information needed internally and externally.
  4. Monitor and Archive the Execution of Reviews – This should include the controls being conducted, person(s) who executed the control/testing, procedures followed at the time of execution/testing, when it was executed, and evidence to prove completion.
  5. Test the Efficacy of Control Processes – SEC staff has emphasized that the “annual review” really should be a continuing process throughout the year. Reviewing the results of testing and overlaying to the risk assessment demonstrates to management and examiners that resources are appropriately focused, identifying evolving trouble areas, and any changes that need to be made to the compliance program.

Following these five steps, identify and rank risk, map controls, redefine information flows, document reviews, improve assessment processes and retest compliance program efficacy as an iterative process.

(SOURCE: BasisCode Compliance)

[i] http://www.sec.gov/news/speech/2014-spch012714mjw

[ii] http://www.reuters.com/article/us-usa-sec-enforcement-idUSKCN0RU2R020150930

[iii] http://www.accenture.com/us-en/insight-compliance-risk-study-2017-financial-services