Paradigm Shift in SEC Exams, Benefits of a Mock Exam

For investment advisers currently going through an SEC exam, the process likely bears little resemblance to exams of old. Call it the new normal, a paradigm shift, or simply the effects of the SEC having to do more with less, but anecdotal evidence among those now experiencing the exam process suggests some interesting new trends.

What has changed about SEC exams? First, the concept of routine exams seems to have fallen by the wayside, replaced with targeted, risk-based exams. The risks may be specific to a given firm, or may be part of risk-based sweep exams to help the regulator assess the prevalence of certain practices and the extent of controls around certain focus areas.

The targeted exams are evident in the significantly reduced size of the initial request list being received by investment advisers. Firms are reporting initial requests of as a few as a dozen items. Other advisers are sharing that the SEC requests an initial “get-to-know-you” phone call but never comes on-site at all, choosing instead to conduct the entire exam remotely. Still others are reporting that the SEC did come on-site, but only for the purpose of attending the initial presentation they request about the firm, its business model, its risks and controls.

What else seems to have changed with SEC exams? They are actually being completed quickly—in some cases in as little as three months—according to several hedge fund advisers who have recently gone through the process.

Last week, I had the opportunity to hear tales from the front lines from the legal and compliance teams representing firms that had recently gone through an SEC exam, and several shared that they felt prepared for their exams because they engage compliance consultants to conduct mock exams several times per year on a variety of focused topics, such as expense allocation or trading practices. One adviser shared that the benefit of having a third-party mock SEC exam is that the consultant has a breadth of experience among numerous firms going through exams and can leverage actual SEC request lists and questions to help prepare their team by testing the ability to gather and produce requested information in a timely manner, and by testing the preparedness of their personnel to handle a regulatory interview.  Another adviser added that it is important for the chief compliance officer to be in the hot seat for a mock exam interview as well. Mock SEC exams offer the opportunity for an independent look at how staff responds to questions, and can reveal valuable insights such as who may be able to handle the pressure in front of a real regulator and who should perhaps be encouraged to take a vacation that week because the interviewee over-volunteered information or was wholly inaccurate.

I also had the opportunity to join an FBI Agent from the Financial Cyber Crimes Task Force to speak to hedge fund advisers on the topic of big data as it relates to cybersecurity. Hedge fund advisers in particular are generally very protective of their “secret sauce,” and it was interesting to hear how many firms were storing data in the cloud versus on premises. The scales have clearly tilted towards the use of the cloud, and especially a private cloud solution, although many in the audience agreed that they migrated to the cloud in stages one system at a time.

Whether using the cloud or not, my co-panelist and I stressed the importance of data classification, of understanding what your organization’s crown jewels are and protecting those assets accordingly. Once hackers have gained access, log files tend to show that the hackers try to move laterally within the firm to try to access other systems, files, and information. It may not be readily apparent to an adviser what information may be valuable to the hacker, because it may differ from what the adviser considers to be its crown jewels. And since many cyber intrusions are not detected for 6-9 months after the fact, it is important for firms to maintain log files they can review to determine what a hacker accessed.

Finally, the FBI was in agreement that social engineering continues to be the biggest risk facing the financial sector. As merger-and-acquisition activity picks up in the financial space, it can be very easy for a firm with strong controls on all of its systems to suddenly have a number of new and potentially unsecure systems added to the mix. Cyber crime tends to be a crime of opportunity. A hacker only needs one way in, whether it’s through an unpatched system or a phishing attempt to be let right in the front door.

Want to make sure your firm is exam-ready? Ascendant can help. Our mock exams consist of interviews; document review; data inspection; compliance testing; and evaluation of policies and procedures; and are designed not only to highlight weaknesses but also to assist with enhancing compliance programs to ensure consistency with the SEC’s expectations. For more information, contact us today via email or at 860-435-2255.

Related Content

Latest Content

Why Should a Big Hedge Fund Use a Compliance Consultant?

If your firm isn’t already using an outside consultant, you may want to ask yourself “why not?” Oftentimes at hedge funds, compliance officers struggle to successfully fulfill the requirements of the job without an essential tool in their toolbox: the outside compliance consultant. Why? The primary reason is simple: resources. When your head is down … Continued

SEC and FINRA 2018 Examination Priorities

The SEC and FINRA have recently released their examination priorities for 2018. These releases provide insight into regulatory priorities and serve as guidance for a firm in evaluating its compliance program. We will discuss topics covered in these releases, including: Protecting retail investors Disclosure Best execution Mutual fund selection Anti-money laundering Cryptocurrencies Technology and cybersecurity

OCIE Examined 15% of RIAs in 2017

In 2017, the SEC examined 2,114 investment advisers, approximately 15 percent of the 14,000+ registered investment advisers, the SEC confirmed in its Fiscal Year 2019 Congressional Budget Justification Annual Performance Plan. In the same report, the SEC said the staff will continue to improve its efforts of RIAs, noting that nearly 35 percent of all … Continued

Ascendant’s Adam DiPaolo Discusses Hypothetical & Model Performance Marketing Pitfalls

A Jan. 12 article in HFMCompliance titled “Best practice for hedge funds using hypothetical and model performance” outlines best practices for hedge fund managers when using hypothetical performance or model data in marketing efforts, and how managers relying on such data can avoid enforcement actions. Adam DiPaolo, Senior Consultant in Ascendant’s Private Funds group, is quoted in the … Continued

SEC’s Exam Priorities Offer Insight Into National Exam Program

On February 7, 2018, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued their 2018 Examination Priorities (see Ascendant’s summary here). In addition to defining their examination priorities for the year, the OCIE staff offered some insight into the National Exam Program.  Specifically, they defined the following five principles in executing their exam priorities: … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.