EDITOR’S NOTE: This post is a continuation of a two-part series on advisor compliance audits from the team at Practifi. To read the first post in this series, check out FINTECH CORNER: Compliance Audits Don’t Have to Be So Scary: Part 1!
For wealth management firms, regulatory compliance audits are a fact of life. The whens and hows of auditors scrutinizing your firm’s compliance practices can be unpredictable—but advisors, administrators and support staff can prepare themselves by understanding what to expect when regulators come calling.
“You can lay a response plan down to the smallest detail, so your compliance team knows exactly what to do when they receive an audit notice,” said Adrian Johnstone, president and co-founder of Practifi, a performance optimization platform for wealth management firms. “That will effectively take all of the guesswork out of audit preparations and make sure the process goes as smoothly as possible.”
Johnstone and Practifi offer several tips for what to expect from audits by two different agencies that oversee the wealth management space, the Financial Industry Regulatory Authority (Finra), which oversees broker-dealers and their representatives, and the federal U.S. Securities and Exchange Commission (SEC), which oversees independent financial advisors.
Finra is an industry self-regulatory agency that is not part of the federal government, yet it wields the power to hold financial firms that do not adhere to its rules accountable via fines and other forms.
Finra evaluates firms on an annual basis, but that doesn’t mean that a firm will be audited each year. Generally speaking, Finra will try to perform on-site assessments of firms on a one-, two- or four-year cycle.
Depending on the level of risk Finra officials discover when they review a firm’s file, they may call for one of several audits:
- Cycle exams, which are routine audits to check that firms comply with federal regulations.
- Cause exams, which are in-depth audits that take place when Finra receives a customer complaint or otherwise has reasons to believe a firm is out of compliance.
- Branch exams, where larger firms may have to respond to audits and inspections on specific branch offices.
- Sweeps, a string of audits conducted by Finra across various organizations in the same financial services field, usually targeting a specific practice or offering.
Finra audits follow a pretty standard timeline:
One—A Finra examiner contacts the firm as much as 30 days before the actual exam—the notice might be as short as 14 days.
Two—Regulators conduct off-site research prior to the exam to better understand the firm’s business model.
Three—Finra’s exam team will hold a call with the firm’s compliance team or point person to discuss the inspection in more detail. At this point, regulators may request a firm present a variety of documents.
Four—A “Cycle Announcement” letter is sent to the firm, serving as a formal notification of the forthcoming audit.
Five—After receiving the letter, the firm has 14 days to complete the online portion of the exam.
Six—The examiners send out an Initial Records request along with a list of documents to prepare for the on-site inspection.
Seven—The on-site examination. The exam team works with internal compliance teams to obtain requested documents and information, concluding with an exit interview.
Eight—Regulators submit a final examination to Finra, including any issues that need to be addressed.
“The on-site inspection is usually the most difficult portion of the audit process, and for good reason,” said Johnstone. “Sitting down with regulators to go over documents with a fine-tooth comb would stress out even the most experienced financial advisors and wealth managers. Firms that meticulously prepare for in-person inspections and anticipate the questions and materials covered will have an easier time with the process.”
SEC audits cover very similar ground to Finra inspections, with one important exception: SEC auditors have the authority of the federal or state government behind them. The SEC does not adhere to a specific audit cycle, so an examination could happen at any time with very little notice. Complacency can be dangerous, as many years may pass between SEC audits, and many firms have never been audited at all.
The SEC conducts a few different types of audits:
Routine Exams—The SEC can inspect a firm’s compliance standing without any set schedule. These audits usually have a very broad scope since they are not related to any specific incident.
Cause Exams—If state or federal regulators receive a specific complaint, they may trigger an audit of a firm’s records, controls, or services.
Sweep Exams—The SEC may periodically review specific niches of the financial services industry, auditing firms operating in the same space, or offering similar services.
The SEC Audit Process
SEC compliance audits follow a predictable, consistent workflow:
One—The agency sends out an initial letter of notification announcing the audit. The letter will typically include a list of documents and reports to be presented before or during the inspection. Those materials may cover background information, compliance and control documentation, client information and financial records, among other areas of interest.
Two—The SEC conducts an on-site interview with the firm’s compliance teams and reviews the submitted documents.
Three—After the interview and on-site inspection, regulators will review all documents to look for possible violations, a process that can take up to 120 days.
Four—If the auditors find any issues, they may recommend further action be taken by the Office of Enforcement.
Keep in mind that in addition to the SEC, state agencies may subject a firm to their own auditing and inspection procedures. Thus, firms may be subject to examinations by multiple agencies and at a higher frequency than is indicated by the SEC and Finra auditing cycles.
“Assume that inspectors will dig up some kind of problem, even if it’s just a minor one,” said Johnstone. “According to the SEC’s own internal figures, as of 2017, 72% of audits turn up a compliance issue. It’s extremely important that you respond quickly to inspection results and show regulators that your firm is taking actionable steps to correct whatever problems they found. Failing to address compliance issues will almost certainly increase a firm’s risk profile — and that means the SEC will conduct more audits with more frequency in the future