SEC/FINRA Guidance Signals that Broker-Dealers Must Strengthen Branch Exam Processes
December 19, 2011
On November 30, 2011, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE), in coordination with the Financial Industry Regulatory Authority (FINRA), issued a joint Risk Alert and a Regulatory Notice (Risk Alert) regarding broker-dealer branch office inspections. The Risk Alert offers suggestions to help firms better perform their supervisory obligations. However, it also makes clear that OCIE and FINRA will expand their use of branch office inspections in their broker-dealer examination process. Therefore, firms should anticipate that both OCIE and FINRA will assess whether a firm has implemented these compliance suggestions in its branch office inspection procedures.
We have summarized key points of the Risk Alert and Regulatory Notice below. The full text of the SEC's "National Examination Risk Alert: Broker-Dealer Branch Inspections" is available here.1
The Importance of Branch Office Inspection
Both the SEC and FINRA have pronounced the importance of the branch office inspection process. In discussing the importance of the process, OCIE Director Carlo di Florio stated, "A robust process for self-inspection of branch offices is a critical element of a firm's compliance and supervisory process, and a vital part of a comprehensive risk management program." Stephen Luparello, vice chairman of FINRA, mirrored this sentiment, stating, "An effective risk-based branch office inspection program is an important component of a broker-dealer's supervisory system and, when constructed and implemented reasonably, it can better protect investors and the firm's own interests." Because of the importance of this process, both OCIE and FINRA are urging broker-dealers to carefully consider enhancements to their own inspection processes.
Branch Office Inspections Generally
Under FINRA rules, broker-dealers are required to conduct on-site inspections of each office location. Specifically, every office that has supervisory jurisdiction, or any branch office without supervisory jurisdiction that supervises one or more non-branch locations, must conduct annual inspections to detect and prevent violations of the securities laws. For non-supervisory branch offices, inspections are required every three years. The inspection must review the activities of each office, including a periodic examination of customer accounts, in order to detect and prevent irregularities or abuses. A written record of the inspection must be kept by the firm, and this report must include, among other things, the testing and verification of the firm's policies and procedures, including supervisory policies and procedures in various specified areas.
To satisfy supervisory obligations under FINRA rules, these supervisory procedures must take into consideration:
- firm size
- organizational structure
- scope of business activities
- number and location of offices
- nature and complexity of products and services offered
- volume of business done
- number of associated persons assigned to a location
- whether a principal is on-site
- whether the office is a non-branch location
- disciplinary history of registered representatives or associated persons
Thus, under existing regulations, branch office inspections impose significant obligations on broker-dealer firms.
"Recommended" Enhancements to Sharpen Risk Assessments In Order to Avoid SEC Violations
The Risk Alert provides broker-dealer firms with additional information on policies and procedures for developing effective branch office inspections, outlining many specific recommendations. A primary suggestion is the implementation of an ongoing "risk-based" analysis and monitoring that considers changes to the business, its personnel and its products for each office. The Risk Alert recommends that this analysis should drive the frequency, intensity and focus of branch office inspections and should also factor into the consideration of whether to conduct an announced or unannounced examination. It is clear that OCIE and FINRA expect this ongoing risk-based analysis to result in more frequent examinations of offices posing higher levels of risk (as discussed below).
The Risk Alert specifically highlights the following effective practices:
Increased Frequency of Inspections
The Risk Alert indicates that firms should establish a more aggressive schedule for conducting branch office examinations. The Risk Alert encourages "[u]sing risk analysis to identify whether individual non-supervising branches should be inspected more frequently than the FINRA-required minimum three-year cycle." Branches that meet certain risk criteria based on risk ratings should have more frequent exams. The Risk Alert specifically provides that effective audits elevate the frequency and/or scope of branch inspections where registered personnel are allowed to conduct business activities other than as associated persons of a broker-dealer. In addition, it elaborates that firms that have effective branch audit protocols conduct "re-audits" more frequently than required when routine inspections reveal a higher than normal number of deficiencies, repeat deficiencies or serious deficiencies.
The Risk Alert recommends that unannounced examinations should be conducted more frequently than in the past. Unannounced examinations of broker-dealer offices, especially remote offices, were originally recommended in the SEC Division of Market Regulation's Staff Legal Bulletin No. 17 (March 19, 2004). Such unannounced inspections have repeatedly been held by the Commission as constituting a necessary part of an effective branch office inspection program.2 Similarly, the Risk Alert states that OCIE and FINRA believe that a well-constructed branch office inspection program should include unannounced inspections, based on a combination of random selection, risk-based selection and for-cause exams. The Risk Alert also states that increased frequency of unannounced examinations is a critical element of a well-designed branch office inspection program.
The Risk Alert found that firms with significant deficiencies in the integrity of their overall branch inspection process typically utilize generic examination procedures for all branch offices, regardless of business mix and underlying risk; perform inspections in a "check the box" fashion without critically questioning the integrity of underlying control environments and their effect on risk exposure; and/or devote minimal time to each exam and little, if any, resources to reviewing the effectiveness of the branch office exam program. The Risk Alert recommends the use of surveillance and technology to create custom-tailored inspection programs. Therefore, firms must now develop a customized approach for their compliance programs that considers the type of business conducted at each branch.
Involving Personnel with 'Gravitas' and Without Conflicts of Interest
The Risk Alert recommends using examiners with enough experience and depth to understand the business of a location and to be able to challenge assumptions when necessary. It also mandates the involvement of qualified senior personnel in several branch office examinations per year. Moreover, exams must be designed to avoid examiner conflicts of interest, particularly where an examiner holds an economic, commercial or financial interest in the associated person or branch being inspected.
Increasing Supervision of Certain Offices
The Risk Alert recommends that offices posing higher levels of risk should undergo more frequent exams. Examples of potentially high risk areas include structured and complex product sales, including variable annuities; private or otherwise unregistered offerings; or offices employing individuals with a history of disciplinary issues or who previously worked at a firm with disciplinary issues.
Requiring Corrective Action
The Risk Alert also recommends including any noted deficiencies and areas of improvement in the written report of each branch inspection, as well as outlining agreed-upon actions to correct the identified deficiencies, including timelines. It identified a number of components OCIE and FINRA observed in firms that execute the branch inspection process well, including employing comprehensive checklists that incorporate previous inspection findings and trends from internal reports such as audit reports; providing branch office managers with the firm's internal inspection findings and requiring them to take and document corrective action; and then tracking corrective action taken by each branch office manager in response to branch audit findings.
After providing these and other effective practices, the Risk Alert concluded that while the noted compliance methods are not meant to be exhaustive or exclusive, and do not constitute a "safe harbor," they should assist firms in crafting more effective policies and procedures for branch office inspections to prevent and detect misconduct. OCIE and FINRA have used this Risk Alert to provide specific suggestions and encourage firms to make sure their policies are compliant. Importantly, OCIE and FINRA "urge firms to review their policies and procedures in this regard to determine if they are reasonably designed to prevent and detect violations of applicable law and rules." Given this guidance, broker-dealers should immediately review and assess their branch examination process and procedures to ensure they conform to the Risk Alert's recommended practices.
If you have questions about how this guidance could potentially affect your company, or any other securities-related issues, please contact any of the following Baker Donelson attorneys:
1. FINRA’s parallel release, Regulatory Notice 11-54, Branch Office Inspections (November 2011) is available here. Issued in conjunction with the Risk Alert, SEC Release No. 2011-250 is available here; and FINRA Regulatory Notice 11-54 is available here.
2. See, e.g., Consolidated Investment Services, Inc., Rel. No. 34-36687 (Jan. 5, 1996) (where the Commission notes that, "We also agree with the law judge that surprise inspections of [the branch office] would have been a prudent course of action"); and Quest Capital Strategies, Rel. No. 34-44935 (Oct. 15, 2001) (where the Commission stated that, "A surprise inspection is a compliance tool that is necessarily available to every securities firm in carrying out its supervisory responsibilities.").