5 tips to strip stress out of your next SEC, FINRA or state regulatory audit

August 30, 2022 1:13 PM

magnifying screen.jpg — Does an upcoming audit have you sweating bullets? Take a breath, grab a towel and check out some advice from the pros.

Staring down the barrel of a looming regulatory audit can feel like being called into the principal's office without warning. But Stacy Sizemore says it's not the end of the world.

And she would know. The chief compliance officer of tru Independence, a Portland, Oregon-based consulting services platform for wealth managers, has more than two decades of experience in financial services, including being part of more than 50 different audits, exams or inquiries over the years.

Each time, she's lived to tell the tale. And frequently, she has learned something nuanced in the process.

Regulation and compliance

SEC tells advisors to rein in conflicts of interest under Reg BI

August 3, 2022 5:56 PM

"My three words for exams are preparation, organization and confidence," she said. "You became a CCO for a reason. Even if you're a first-time CCO going into your first exam, you have the education and that special something that makes you CCO material … know that you know your stuff … and just because you have a regulatory audit coming up, it's no reason for you to break into a cold sweat."

To help you make your next, or first, regulatory audit a smooth one, Financial Planning asked compliance experts for tips. Scroll down to see their insider advice about the process, and learn why if you're not already prepared, you may be too late.

Don't get ready. Stay ready.

RIA in a Box's Director of Compliance Jason Vinsonhaler said the best place to start is ensuring that all of your documentation is in order. If you're reading this without already having that step crossed off your to-do list, you should probably hop to it.

"I tell firms all the time, if you wait until you receive the exam notification or the request, you've waited a little too long," Vinsonhaler said. "You really need to be prepared up front. It's making sure that you understand where your books and records are. And if there's something that the regulator asks for, know where to go get it."

With that in mind, Vinsonhaler recommended that compliance officers and advisors operate with an eye toward being audited while performing their day-to-day work. Organizational charts, client information, employee trade records and advertising materials should be organized and ready to submit at a moment's notice.

"Operate not from the point of fear, but from a point of, 'I'm probably going to have to be able to explain this at some point. How am I going to do that?'" Vinsonhaler said. "Just keeping that in the back of your mind is huge. It makes it much easier going forward."

Sizemore also placed early preparation at the top of every firm's priority list. Be it the SEC, FINRA or a state agency, there are times outside of a full-fledged audit when a regulator may have a simple, innocuous inquiry that needs to be addressed.Being organized and prepared can make that interaction painless while significantly cutting down on the time required to handle it.

She added that firms should prepare smarter, not harder. For example, when working with firms that are fresh SEC registrants, she immediately starts prepping for what is known as a "limited scope exam." These are smaller examinations for new firms, or firms that have gone for many years without a proper audit.

"There's a list of things that the SEC generally asks for, and it's usually pretty basic. All of those things I have ready at all times and I update them as I go along," Sizemore said, noting that this process does not have to be guesswork. "You can get a copy of the limited scope exam and see the general items that you'll be asked for. Just be prepared always. And if you're only working with one firm, it should be fairly easy."

Setting the table

Once you're ready and you know an audit is heading your way, Vinsonhaler said the next step is learning as much as you can about the process and the impact it may have on your organization while it's underway.

He said the firm's senior management, CCO and compliance staff should be available and briefed to answer detailed questions during an initial interview with the agency handling the examination. Establish your game plan during the interview, and don't be shy about asking your own questions.

"They may come on site, depending on what type of examination this is. So set some expectations ahead of time with them on that initial call," Vinsonhaler said. "Talk about how much space they'll need, how much time they plan to be there and then make sure that you prepare that for them so that when the time comes you're not saying, 'where are we going to put these people today?'"

But there's a chance that everything will be handled remotely, especially in today's COVID-inflexed environment. Vinsonhalher said that regulators often like to do the early stage limited scope exams from the desk, not in person.

This is where your tech stack can be a game-changer. If it is a remote audit, do what you can to remove friction, keep lines of communication open and make sure the process of sending or receiving documents from afar is easy.

Understand the why

In addition to making sure your firm can properly accommodate regulators, Integrated Financial Partners' Chief Legal Officer John Cataldo said the initial communication is a great opportunity to figure out exactly why you're getting a digital or IRL visit.

"If we're talking about something that's either targeted, limited scope or broad scope, the firm should really be trying to understand the purpose and what is bringing them in," he said. "Is this a routine, unspecified visit? Is this something that's related to an industry sweep? Or is this something related to the discovery of a red flag."

With those answers in hand, use the provided resources from the regulators themselves to study up. Doing so can cut down on uncertainty and give time back to your team.

"There is plenty of guidance out there. There are FINRA, SEC and state exam priority letters. There's regulatory actions. There's FINRA notices to members and SEC risk alerts. There is state and multi-state NASAA guidance that is published on a routine basis," Cataldo said. "You really have to understand your business, and you have to understand the regulator's priorities to be prepared for an audit. And then take it a step further when they come in … you need to be prepared to ask them right from the outset when you get your exam letter or your exam call what the scope is."

Vinsohaler also warned against turning to the numerous blog posts or opinion pieces that often follow alerts or communication from regulators.

Cut out the middleman, and go right to the source.

"They're not going to give you a lot of commentary and a lot of color, but they give some and you can have that straight from the SEC or the state," he said. "To me, that's the best way to be prepared for these."

Think hospitable, not adversarial

Sizemore said another powerful tool to keep handy before, during and after an audit is a positive mindset. Understand that regulators aren't showing up with an ax to grind or a personal vendetta.

"I get it. You hear a regulator knocking on your door saying, 'Hey I'm looking at you. Prove to me that you guys are doing what's right.' It can really provide a lot of anxiety and pressure, and you get scared," she said. "So what I keep in mind is that they're not, they're not trying to get us. They're trying to really and truly help us and do their job by protecting the public. And when I have said this to some firms that I work with they're just like, 'are you crazy?' But in a way I think that having an exam is a good thing because I personally want to know where we need to be more robust or where we maybe need to change some policies."

That frame of mind can transform apprehension into anticipation, said Sizemore, who believes feedback from regulators can address blindspots and create better wealth managers.

"If they come back to you and say that you don't have something in your compliance manual, here's an opportunity to get it in your compliance manual so the next time they come to you, you're set," she said.

Cataldo also believes there is great power in just grabbing the flashlight and shining it right in the face of the regulatory monster under your firm's bed. He said that in his experience, he has never seen a regulator show up hell bent on burying a firm in citations.

"They may come in with a preconceived notion if they're coming in on a targeted basis. But set all that aside for a minute," he said. "The fact is you build a good rapport with the staff by helping them understand your business right from the get-go. I always begin a regulatory audit with a presentation. A presentation about what our practices are. What resources we dedicate to compliance, to legal, to regulatory affairs and to operations. And I invite the (regulatory) staff to do the same with us.

"Tell us what the hierarchy is like, what's the office dynamic and who are the folks we're going to be working with on this audit. Not just the two or three of you in front of us or on the phone call," he added. "It's like a play, right? You want to know the characters, you want to know the plot and you want to set the scene."

Learning from mistakes

Once the audit is complete and regulators are getting ready to head out, Vinsonhaler said the exit interview is next on the docket. If an exit interview is not offered, he said that a firm should request one to get a better understanding of the timeline and next steps.

Still, he added, "I tell firms, don't start making changes based on the exit interview. Wait until you receive the deficiency letter, and statistically speaking, you're probably going to get a deficiency letter. It's somewhere between 70 and 80% of all examinations end with at least one deficiency being identified.Be prepared for that. It's not the end of the world. It's not an enforcement action. I've seen some of them turn into that, but most of the time it's just a very simple question or correction.

"Having that deficiency letter … it's kind of like the person who gets straight A's and all of a sudden they get a B+. It's OK. I assure you. But once you have that deficiency letter in hand, you'll have a period of time, typically 30 days, to respond. And that's really when changes should be made if needed."

Sizemore said it is extremely rare for a firm not to get some kind of feedback. "Even if it's not a requirement, maybe it's a suggestion," she said. But the timing isn't set in stone.

"After the exam is over with the SEC specifically, it might be a couple of weeks. It might be a month," she said. "It just kind of depends and there's no set patterns for when you'll get a deficiency letter."

As part of that follow-up, Sizemore always reminds firms that a letter is no reason to slam the panic button. Deficiency letters are not public, so there should be no fear of a few missteps making headlines.

"Sometimes you've just got to take it on the chin and say, 'I'll fix it,'" she said.

Cataldo said that when responding to a regulator's findings, be honest about your firm's practices, what you're capable of and how to intend to address whatever is suggested.

But don't be sheepish to speak up or push back if you feel so inclined.

"That doesn't necessarily mean that you're going to agree with everything. It doesn't mean you're going to disagree. But you can always explain what you are doing, what you have done and why your practices and processes are tailored to your business needs," he said. "So you should be looking at every finding through the lens of the staff's determination. Keep very good records of your discussions and refer back to them. And if there's a point you have to concede, explain what you have done to address their concerns and what you're going to be doing going forward. If it's something where you feel there is no needed adjustment … respectfully disagree and explain the reasons why."