Speech by SEC Staff:
"Regulatory Examination Programs - Focus and Significant Findings":
Remarks at the SIA Compliance and Legal Division June Monthly Luncheon

by

Mary Ann Gadziala

Associate Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission

New York, New York
June 22, 2006

Thank you for inviting me to speak to you today about the regulatory examination program of the SEC's Office of Compliance Inspections and Examinations (OCIE). It's always a pleasure to address fellow legal and compliance colleagues.

Since our topic is "Regulatory Examination Programs - Focus and Significant Findings", I thought I would spend my time with you today discussing three key areas related to OCIE's broker-dealer examination program: first, how we perform risk assessments to focus our examination program and establish priorities; second, some of the priorities that are currently the focus of our examination program; and third, some of the challenges to creating and maintaining an effective legal and compliance program at a broker-dealer. These challenges are primarily based upon findings from OCIE's comprehensive compliance examinations conducted over the past several years.

I'll begin with our risk assessment process. This involves a wide variety of activities - some formal and more scientific and others more informal and somewhat subjective. We have implemented a process that permits all SEC examiners nationwide to identify what in their view are the most significant risks to investors, registrants, and the markets. This information is analyzed by OCIE's senior management. We use this analysis to assist in setting examination program goals and priorities - to decide if sweeps on focused areas may be appropriate; to determine where interpretations, new rules, or investor education may be recommended; and we use the information in speeches such as this to inform the industry and general public of risks and concerns we have identified. This is intended to be a proactive process - assisting in preventing violations from becoming significant or recurrent - or suggesting improved controls that may prevent some violations from occurring at all. We began this process in 2004 and conducted another in 2005.

Another process utilized in our examination program risk assessment is analyzing examinations themselves. One important element we consider is "significant findings" from our prior exams. In reviewing the significant findings from more than 750 exams we conducted over the past year, the most common involved:

• Books and Records
• Supervision
• Suitability
• Anti-money Laundering
• Net Capital
• Fraud
• Misrepresentations and Omissions
• Manipulative and Deceptive Devices; and
• Advertising and Sales Literature.

In addition to these analyses, all examination staff also monitor news, new products and activities of firms, recurrent problems, trends, academic studies, and information they just "hear on the street". This information is shared with all other examination staff through memoranda, emails, monthly conference calls, and meetings with SEC examination staff nationwide. It is used in risk assessment as we continually reassess examination priorities and the firms selected for examination.

OCIE also receives significant risk focusing information from other SEC offices, including the Divisions of Enforcement, Corporation Finance, Market Regulation, and Investment Management, and the Offices of Economic Analysis and Investor Education and Assistance (which receives and analyzes investor complaints). We also have frequent consultations with bank regulators and discuss risk-related matters with state securities and insurance regulators. And of course, we have numerous discussions with the industry and have learned a great deal from open communications on significant issues. For example, our discussions with firms on conflicts of interests provided invaluable insights on the diverse activities of large firms and the potential conflicts that may arise as they serve the various interests of many different customers.

All of this risk assessment analysis is used together with other information to assist us in developing examination priorities. Among our examination priorities are:

• Supervision, with a focus on branch offices (now numbering over 150,000 and rising); there is special focus on remote offices, such as foreign offices and independent contractors; outsourced activities as well as registered representatives with disciplinary histories are also areas of focus.
• Risk management and internal controls: here some focus areas are liquidity, concentration, conflicts of interests, business continuity plans, controls keeping pace with new products, prime brokerage, complex structured finance transactions, and legal, compliance and reputational risks.
• All aspects of anti-money laundering, recently focusing on customer identification procedures, filing of Suspicious Activity Reports, and general compliance programs.
• Sales practices and suitability: some products that may require special attention are variable annuities, penny stocks, illiquid or volatile securities, hedge funds, and separately managed accounts.
• Sales and marketing to senior citizens: Chairman Cox and the President of NASAA announced a joint SEC/state initiative involving examination, enforcement, and investor education to combat frauds that may be perpetrated on senior citizens.
• Trade reporting, best execution, fixed income mark-ups, potential misuse of customer information and potential front running.
• Books and records, including email retention.
• Information security, Rule S-P, identify theft, and general security of customer information.
• Outside business activities of registered representatives, such as mortgage brokers, or sellers of variable insurance products or hedge funds.
• Rule 202(a)(11)-1 of the Investment Advisers Act regarding when the investment advisory activities of a broker-dealer subject it to the Advisers Act.

My third and final topic, which may be of particular interest to this group, are some of the challenges that firms face in developing and maintaining effective legal and compliance programs. These were identified primarily through the results of our comprehensive compliance examinations. They fall into five general areas and I will mention some challenges under each of those areas.

1. Identification and Control of Compliance Risks

• One significant challenge is to identify all legal and regulatory requirements applicable to the firm, all relevant risks and controls, to perform a gap analysis and to determine necessary enhanced controls; this is quite an undertaking, especially for a large diversified firm.
• Another challenge is ensuring this assessment keeps pace with new regulatory, market and business developments.
• Ensuring that compliance is involved - including at early stages - with new products and other significant business decisions is also sometimes a challenge.

2. Senior Management's Role

• One challenge here is getting the appropriate information on significant legal and compliance issues to senior management on a timely basis, and having appropriate documentation and processes for reporting to senior management on these significant issues.

3. Compliance Programs

• Here, a number of challenges may arise: for example, maintaining appropriate compliance personnel independence from business profit centers, while balancing the need to thoroughly understand the business being monitored.
• Other challenges are appropriately documenting legal and compliance responsibilities and identifying personnel with the respective responsibilities; this promotes consistency, continuity and comprehensive coverage.
• It may also be a challenge to implement surveillance and monitoring processes and systems with sufficient automation and resources to maintain effective compliance oversight.

4. Business Supervisory Function

• Here firms are challenged to ensure that supervisors and written supervisory procedures cover all business activities and are kept up-to-date.
• Having adequate documentation to demonstrate effective performance of supervisory reviews, and establishing supervisory systems that consider heightened challenges - remote locations, diverse businesses, problem registered representatives, and potential conflicts - are also sometimes challenging to firms.

5. Employee Supervision

• Among challenges in this area are ensuring that employees receive appropriate training - including specialized training to the extent they sell specialized products; having appropriate systems to ensure employees are appropriately registered, take appropriate series exams, and fulfill continuing education requirements; and identifying registered representatives that should be subject to heightened supervision and implementing heightened supervision as appropriate.

In conclusion, firms, markets, products, laws, customer activity, operations and technology are all changing at a rapid pace. In addition, we are at risk for the occurrence of unpredictable events that may significantly impact a firm's risks and overall market risks. For example, the potential implications of a pandemic should be a high priority for consideration by all control areas of a firm - including legal and compliance. No one can deny that all of these pose significant regulatory challenges. Open communications, proactive risk assessment, and appropriate and timely responses by regulators and firms are critical to ensure that the integrity and stability that have been the hallmarks of U.S. markets continue for decades to come. Thank you for allowing me to share some of my thoughts on the importance of regulatory vigilance.

http://www.sec.gov/news/speech/spch062206mag.htm