[author: Matt Kelly]
The coronavirus crisis is far from over, and compliance professionals still need every scrap of guidance that regulators can provide about how to run compliance programs in these difficult times.
So when the Securities and Exchange Commission published its latest risk alert the other week, I took notice. Even though the guidance was written for broker-dealers and investment advisers, it deals with subjects including policy management, risk assessment, and data security.
Well, those things challenge every compliance officer, regardless of industry. So let’s see what lessons can be extrapolated for corporate compliance programs generally.
Personnel and Policy Matters
This risk alert came from the SEC’s Office of Compliance Inspections & Examinations, and OCIE uses the phrase “supervision of personnel” quite often in its material. That conjures up an image of managers watching over employees on a sales team, but the term actually means much more — and raises an important point for compliance officers.
OCIE’s full description of “supervision of personnel” in its risk alert is this:
A firm's supervisory and compliance program should include policies and procedures that are tailored to its specific business activities and operations and should be amended as necessary to reflect the firm’s current business activities and operations.
When OCIE mentions supervision of personnel, it’s really talking about policies and procedures the company issues to guide personnel. Moreover, OCIE says, “As firms need to make significant changes to respond to the health and economic effects of COVID-19…OCIE encourages firms to closely review and, where appropriate, modify their supervisory and compliance policies and procedures.”
In other words, when COVID-19 renders your usual policies and procedures obsolete, draft updated policies and procedures to reflect the reality of pandemic life.
Those new pressures might include less direct oversight and interaction with employees if they’re working remotely; less ability to perform due diligence reviews on third parties; or employee communications that happen outside typical corporate messaging systems. (OCIE cites all three examples, plus several more.)
You won’t be able to address every change in circumstance that COVID-19 forces upon us with a specific new procedure that seals up the heightened risk. For example, employees working from home will always be able to use personal devices to communicate with others; you won’t be able to stop it.
In that case, the proper response is a stronger policy against the undesired action, perhaps with stronger discipline and better analytics to identify forbidden actions after the fact. If coronavirus leaves your preventive controls weaker, you’ll need to make detective controls stronger — and raise the consequences for employees flouting procedure.
Another implicit point is buried in OCIE’s warning about amending policies and procedures as necessary: that you’ve already done a risk assessment, to know which policies and procedures need to be changed.
Most large organizations do a formal enterprise risk assessment once a year, with internal audit leading the charge. Sometimes the compliance team might do its own compliance risk assessment, but again, once a year is the norm.
Coronavirus is one of those rare occasions where you need to do a fresh risk assessment. Specifically, assess how changes to business operations that we all rushed to implement in the spring may have left your policies, procedures, and internal controls misaligned with your new operating reality.
If you haven’t taken that step, you have no idea whether the new policies and procedures you’re drafting (see our prior section, above) are really going to work.
And few things are as awkward to explain to a regulator as a revised policy or procedure that failed to achieve its compliance objective, because you hadn’t taken the time to understand what had really changed in your organization.
Indeed, if we want to take a quick detour to the Justice Department, it made exactly that point in the latest updates to its guidance on effective compliance programs: the program should evolve to keep pace with the company’s risks.
The Justice Department made that point in a sweeping way for all organizations. Now OCIE makes that point in a more focused way for broker-dealers and financial firms. Which tells us something about how important this point truly is.
As Always, Cybersecurity
The OCIE alert talks at length about cybersecurity, and for good reason. Broker-dealers and investment advisers collect troves of personally identifiable information from clients every day; and since March, those firms have also been working remotely, with all manner of makeshift technology procedures to churn through daily routines.
That’s a recipe for privacy compliance disaster. Your own organization might well be brewing up the same concoction.
OCIE recommends a few practical measures, such as the security team providing adequate support for employees working remotely, and ensuring that PII is properly encrypted — regardless of whether that PII resides on employees’ own devices (which it shouldn’t), or in a central database, or in the cloud with a third-party vendor.
Another threat comes from a blend of more phishing attacks and greater insider threat: hackers impersonating the boss via email or instant message to ask for a $2 million wire transfer; employees skittish about losing their jobs who start pilfering client data for a side business; or worse, former employees stealing data because nobody deactivated their user IDs.
The proper measures to take: better security training; more policy and procedure for wire transfers (such as out-of-band verbal confirmation of the request with the person who supposedly made it); automated provisioning and de-provisioning of user access, so that a departing employee’s accounts are disabled the day they leave rather than whenever someone remembers; and so forth.
What do you need to put those in place? Thorough risk assessments (funny how that keeps cropping up), and clear, close communication between the compliance and security teams. Compliance can spot the threats and recommend mitigation steps, but typically security will need to put those measures into place.
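One concrete way security can implement the detective control behind “nobody deactivated their user IDs” is a periodic reconciliation of the HR roster against an export of accounts from the identity provider. The script below is an added example written for this article; it is not code from OCIE, the SEC, or the author, and the employee roster and account export it uses are constructed for illustration (real exports would come from your HRIS and directory or IdP). It flags three things a compliance reviewer would want to see: enabled accounts whose owner HR lists as terminated, enabled accounts with no owner on the roster at all, and accounts that have gone dormant (the 45-day threshold is an assumption, not a regulatory figure).

```python
"""Reconcile an HR roster against an identity-provider account export.

Hypothetical detective control for the "former employee whose user ID was
never deactivated" scenario. All data in load_sample() is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str                       # "active" or "terminated"
    termination_date: Optional[date]  # None while active


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]        # None for service/shared accounts
    enabled: bool
    last_login: Optional[date]        # None if the account never logged in


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str


def reconcile(employees: List[Employee], accounts: List[Account],
              as_of: date, dormant_days: int = 45) -> List[Finding]:
    """Return one Finding per problem found on an enabled account.

    Disabled accounts are skipped: they are already in the desired state.
    An account can produce more than one finding (e.g. no owner AND dormant).
    """
    by_id: Dict[str, Employee] = {e.employee_id: e for e in employees}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        owner = by_id.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            findings.append(Finding(acct.username,
                                    "enabled account with no owner on HR roster"))
        elif owner.status == "terminated":
            days = (as_of - owner.termination_date).days
            findings.append(Finding(acct.username,
                                    f"owner terminated {days} days ago, account still enabled"))
        # Dormancy is checked independently of ownership.
        if acct.last_login is None or (as_of - acct.last_login).days > dormant_days:
            findings.append(Finding(acct.username,
                                    f"no login in more than {dormant_days} days"))
    return findings


def load_sample():
    """Constructed sample data: an HR roster and an IdP export as of 2020-07-27."""
    employees = [
        Employee("E100", "active", None),
        Employee("E101", "terminated", date(2020, 6, 15)),
        Employee("E102", "active", None),
        Employee("E103", "active", None),
    ]
    accounts = [
        Account("alice", "E100", True, date(2020, 7, 20)),      # healthy
        Account("bob", "E101", True, date(2020, 7, 1)),         # owner left, still enabled
        Account("carol", "E102", False, date(2020, 3, 1)),      # disabled, skipped
        Account("dan", "E103", True, date(2020, 4, 1)),         # dormant
        Account("svc-backup", None, True, None),                # no owner, never logged in
        Account("eve", "E999", True, date(2020, 7, 25)),        # owner id unknown to HR
    ]
    return employees, accounts, date(2020, 7, 27)


def report() -> List[Finding]:
    employees, accounts, as_of = load_sample()
    return reconcile(employees, accounts, as_of)


if __name__ == "__main__":
    for f in report():
        print(f"{f.username:<12} {f.reason}")
```

Run it on a schedule (nightly is typical) and route the findings to whoever owns account lifecycle; the point is that the control catches the gap after the fact, which is exactly the kind of detective control the earlier section says you need when preventive oversight gets weaker.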