Paradigm Shift in SEC Exams, Benefits of a Mock Exam

For investment advisers currently going through an SEC exam, the process likely bears little resemblance to exams of old. Call it the new normal, a paradigm shift, or simply the effects of the SEC having to do more with less, but anecdotal evidence among those now experiencing the exam process suggests some interesting new trends.

What has changed about SEC exams? First, the concept of routine exams seems to have fallen by the wayside, replaced with targeted, risk-based exams. The risks may be specific to a given firm, or may be part of risk-based sweep exams to help the regulator assess the prevalence of certain practices and the extent of controls around certain focus areas.

The targeted exams are evident in the significantly reduced size of the initial request list being received by investment advisers. Firms are reporting initial requests of as a few as a dozen items. Other advisers are sharing that the SEC requests an initial “get-to-know-you” phone call but never comes on-site at all, choosing instead to conduct the entire exam remotely. Still others are reporting that the SEC did come on-site, but only for the purpose of attending the initial presentation they request about the firm, its business model, its risks and controls.

What else seems to have changed with SEC exams? They are actually being completed quickly—in some cases in as little as three months—according to several hedge fund advisers who have recently gone through the process.

Last week, I had the opportunity to hear tales from the front lines from the legal and compliance teams representing firms that had recently gone through an SEC exam, and several shared that they felt prepared for their exams because they engage compliance consultants to conduct mock exams several times per year on a variety of focused topics, such as expense allocation or trading practices. One adviser shared that the benefit of having a third-party mock SEC exam is that the consultant has a breadth of experience among numerous firms going through exams and can leverage actual SEC request lists and questions to help prepare their team by testing the ability to gather and produce requested information in a timely manner, and by testing the preparedness of their personnel to handle a regulatory interview.  Another adviser added that it is important for the chief compliance officer to be in the hot seat for a mock exam interview as well. Mock SEC exams offer the opportunity for an independent look at how staff responds to questions, and can reveal valuable insights such as who may be able to handle the pressure in front of a real regulator and who should perhaps be encouraged to take a vacation that week because the interviewee over-volunteered information or was wholly inaccurate.

I also had the opportunity to join an FBI Agent from the Financial Cyber Crimes Task Force to speak to hedge fund advisers on the topic of big data as it relates to cybersecurity. Hedge fund advisers in particular are generally very protective of their “secret sauce,” and it was interesting to hear how many firms were storing data in the cloud versus on premises. The scales have clearly tilted towards the use of the cloud, and especially a private cloud solution, although many in the audience agreed that they migrated to the cloud in stages one system at a time.

Whether using the cloud or not, my co-panelist and I stressed the importance of data classification, of understanding what your organization’s crown jewels are and protecting those assets accordingly. Once hackers have gained access, log files tend to show that the hackers try to move laterally within the firm to try to access other systems, files, and information. It may not be readily apparent to an adviser what information may be valuable to the hacker, because it may differ from what the adviser considers to be its crown jewels. And since many cyber intrusions are not detected for 6-9 months after the fact, it is important for firms to maintain log files they can review to determine what a hacker accessed.

Finally, the FBI was in agreement that social engineering continues to be the biggest risk facing the financial sector. As merger-and-acquisition activity picks up in the financial space, it can be very easy for a firm with strong controls on all of its systems to suddenly have a number of new and potentially unsecure systems added to the mix. Cyber crime tends to be a crime of opportunity. A hacker only needs one way in, whether it’s through an unpatched system or a phishing attempt to be let right in the front door.


Want to make sure your firm is exam-ready? Ascendant can help. Our mock exams consist of interviews; document review; data inspection; compliance testing; and evaluation of policies and procedures; and are designed not only to highlight weaknesses but also to assist with enhancing compliance programs to ensure consistency with the SEC’s expectations. For more information, contact us today via email or at 860-435-2255.

Related Content

Latest Content

The Challenges of Building a Global Compliance Program

Compliance programs face challenges in balancing global requirements with local exceptions while incorporating the fast pace of regulatory change, addressing critical business needs and obtaining the necessary resources necessary to manage the program. Trends and thinking on the subject were center stage at the recent CSS London event “Looking at the Year Ahead – Global … Continued

Coming to America – California Adopts GDPR-Like Privacy Regulation

After a number of firms struggled last year to get their marketing and information systems into compliance with the EU’s General Data Protection Regulation (GDPR), advisers to U.S. clients will soon be facing similar requirements on the home front.  On the heels of the Cambridge Analytica scandal, California enacted the California Consumer Privacy Act of … Continued

SEC and FINRA 2019 Examination Priorities

The SEC and FINRA have recently released their examination priorities for 2019. These releases provide insight into regulatory priorities and serve as guidance for a firm in evaluating its compliance program. We will discuss topics covered in these releases, including: Protecting retail investors Fees and expenses Disclosure Conflicts of interest Suitability Protecting senior investors Trading … Continued

SEC Reopened After 35-Day Government Shutdown

SEC Chairman Jay Clayton announced on Saturday, January 26 that with an agreement reached to end the government shutdown, the “Commission has resumed normal staffing levels and is returning to normal operations.” In total, about 94% of the commission’s approximately 4,400 employees had been furloughed during the 35-day shutdown, according to its operations plan. In a … Continued

FINRA Rolls Out New Central Registration Depository Functionality; Annual Verification Deadline Nears

FINRA first introduced enhancements to the Central Registration Depository (“CRD”) on October 1, 2018, which were rolled out in support of FINRA’s restructured qualification examination program as well as the adoption of consolidated FINRA registration rules. The new enhancements were intended to also more easily assist member firms with satisfying their reporting and compliance obligations. … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.