Biden SEC Doubles Down on Operational Resiliency amid Catastrophes
The Securities and Exchange Commission on Wednesday said it will add brokerage firms’ ability to operate and protect investor accounts as climate-change risk grows to its list of priorities in 2021 compliance examinations.
“Our priorities reflect the complicated, diverse, and evolving nature of the risks to investors and the markets, including climate and E[nvironmental] S[ocial] G[overnance],” Pete Driscoll, director of the SEC’s division of examinations, said in a prepared statement.
The 25-year-old exam unit, formerly known as the Office of Compliance Inspections and Examinations (OCIE), will refocus its examination of disaster recovery and business continuity plans to emphasize growing climate risks, especially for large firms judged “systemically important” by government regulators.
“As climate-related events become more frequent and more intense, the division will review whether firms are considering effective practices to help improve responses to large-scale events,” the SEC said in a summary of the exam priority document.
It also touched on operational and information security vulnerabilities that arose over the past year because of the increase in remote operations in response to the pandemic, putting pressure on firms to ensure that brokers and advisors communicate responsibly with customers and prospects and that they document their activities.
“The Division will review whether firms have taken appropriate measures to: (1) safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access; (2) oversee vendors and service providers; (3) address malicious email activities, such as phishing or account intrusions; (4) respond to incidents, including those related to ransomware attacks; and (5) manage operational risk as a result of dispersed employees in a work-from-home environment,” the document said. “In particular, exams will also focus on controls surrounding online and mobile application access to investor account information, the controls surrounding the electronic storage of books and records and personally identifiable information maintained with third-party cloud service providers, and firms’ policies and procedures to protect investor records and information.”
The SEC overall applauded the securities industry’s response to the pandemic. “Generally, we observed that the financial markets’ operations and systems continued to work as designed,” the report said. “While there certainly were challenges, and we observed adjustments to many processes, particularly those that involved manual processing or were not automated, overall, the delivery of financial services continued in the pandemic environment as it should have and as investors and other market participants have come to rely and depend upon.”
With respect to retail investors, exam priorities will continue to focus on high-use products—including mutual funds, ETFs, municipal securities, variable annuities, private placements and microcap securities—that have high-risk characteristics and on sales to seniors and within retirement plan programs. “The Division will examine whether firms are appropriately mitigating conflicts of interest and, where necessary providing disclosure of conflicts that is sufficient to enable informed consent by retail investors,” the report said.
Consumer advocates have criticized the Best Interest regulation for not being sufficiently prescriptive and the new Customer Relationship Summary form as too general and easy for investors to discard without reading. The securities industry and brokers have expressed concerns about their ability to meet disclosure standards involving things such as recommendations to move assets from 401(k) accounts maintained at current or former employers to individual retirement accounts at firms.
In October, the SEC said most firms have updated their written supervisory procedures to comply with Reg BI but had concerns in cases where no “meaningful guidance” was given employees on how the upgraded procedures should be implemented. It congratulated the bulk of firms for avoiding legalese in the CRS forms that must be sent prospects and customers, but said readability could still be improved and criticized some firms for not fully disclosing disciplinary actions.
“In addition, we identified and notified hundreds of firms that they have failed to timely file a Form CRS,” the document released on Wednesday said.