The investment management industry depends heavily on data for day-to-day business operations. Unlike firms in many other industries, however, a financial services company that holds data classified as "required books and records" is regulated by the U.S. Securities and Exchange Commission (SEC). Regulatory risk is one of the biggest threats to a financial firm's reputation and continuity, so organizations need a clear picture of where they are compliant and where they are not.

It's imperative that Chief Information Officers (CIOs) responsible for overseeing this data implement best practices in a proactive, rather than reactive, manner. Audits by the SEC can expose a company to potential legal penalties, financial forfeiture, and material loss resulting from a failure to act in accordance with laws and industry regulations. Consequently, CIOs need to ensure that their internal information is effectively stored, accurately maintained, and quickly accessible when the need for an examination arises. Meaningful compliance may entail some expenses, but the financial cost and ripple effects of an unsuccessful audit could cripple an entity’s ability to even conduct business.

Fortunately, there are a number of active measures CIOs can take to both clean up how their data is stored and ensure regulatory compliance.

What is Required?

In a routine exam, the standard SEC request can include more than a thousand documents and spreadsheets detailing each client's trades over the exam period. Supplemental requests for thousands more records routinely follow, and these may include emails, client statements, and marketing materials.

Federal securities laws and rules require certain records to be retained for at least six years, with the first two years kept in an easily accessible place. Compliance Officers, who help identify and manage regulatory risk, are responsible for ensuring that required records are properly maintained and readily available should examiners come knocking.

Given a firm's focus on efficiency and cost-effectiveness, many investment managers outsource non-core business functions such as information technology, accounting, certain operations, and compliance systems to external service providers. Relying on an outside party to retrieve internal information, however, can leave a firm scrambling in the event of an audit: when information has been scattered haphazardly and indifferently by a third-party provider, it is difficult to assemble the necessary data, in the form the regulator specifies, in time for the SEC's examination.


Because regulators traditionally allow one to two weeks to produce the requested records, these exams put financial institutions on a very tight timeframe. The various departments and service providers the firm relies on have very little time to produce records, which leaves legal and compliance staff even less time to prepare and review files before delivery.

What can Go Wrong?

Investment management firms can grow into remarkably complex organizations very quickly. In today's landscape, where third-party systems are common and vast quantities of data are stored in "the cloud," it is shockingly easy to lose track of records. An unfavorable regulatory audit, a major data breach, or any other situation in which sensitive information is compromised moves that much closer to reality when financial services professionals fail to prioritize data compliance.

Beyond the necessity of preparing for SEC scrutiny, the above scenarios underline why it is crucial for CIOs to implement thorough practices for storing and organizing data internally. In addition to compliance considerations and the general need for organization, such measures give the firm control over ensuring that no data is lost, a perennial risk with outside providers. Should a firm need to terminate services with a third party or transfer substantial amounts of data, it is beholden to the protections implemented by a service provider with a smaller stake in the quality of the information and how it is organized; if an emergency arises, the matter is effectively out of the CIO's hands. SEC exams take these security concerns into account, and the SEC has been known to fine financial firms six-figure sums for deficiencies in their cybersecurity policies and procedures.

Along with outsourcing crucial IT services, many firms also struggle with disparate data sets. This issue often arises in organizations that have grown or gone through multiple acquisitions, leaving them with disordered data sets that reflect the differing organizational methods or priorities of different time periods. When auditors arrive, pulling this disjointed information into a unified format can prove challenging for compliance professionals.

How can forward-thinking CIOs effectively prepare their firms for audits?

There are several straightforward, immediately actionable steps that CIOs can take to limit exposure and ensure compliance. Chief among them is implementing adequate internal policies and procedures to ensure that the required data is properly maintained. IT staff should not be working in a vacuum and making isolated decisions about data; firms should make sure their standard procedures are well known among employees, up to date, and easily accessible. Because data has to be maintained for six years or longer in order to meet audit demands, these practices should be designed and executed with longevity in mind.

A top priority of these internal measures should be streamlining how the firm's data is stored and presented. To make access easier for both the regulator and the organization itself, the necessary information should be brought into a standardized format and consolidated in a single database. For audits covering data from the previous two years, the SEC expects that information to be readily available on request. It is in a firm's best interest to be able to pull this data up immediately, as regulators look poorly upon delays. Although it may be possible to request up to two weeks' extension for more expansive audits, the more widely the data is scattered, the longer it takes to assemble and the greater the risk of errors.

As such, CIOs would benefit from conducting mock exams that test their firm's ability to respond to auditor requests. These should be run in collaboration with the Compliance Department, using sample SEC document request lists obtained from industry associations such as the National Society of Compliance Professionals, the Investment Adviser Association, and the Investment Company Institute. It is important to follow the sample instructions closely, particularly when producing files that must contain the specific fields requested by the regulator, in order to prepare for an audit's practical demands.

More often than not, these mock exams turn up some form of data problem. In some cases the data simply does not exist in a format or location that can be easily accessed; in others it is so scattered that stitching it all together is incredibly time-consuming. Given that federal law requires this data to be produced in a timely manner, practice runs are an invaluable exercise for all stakeholders.

The case for quality data compliance goes beyond business continuity: failure to comply can lead to financial and legal exposure as well as loss of certifications. The forward-thinking CIO's data infrastructure should support the daily needs of middle- and back-office departments, including compliance, while keeping regulatory requirements front and center. Correcting unruly data sets may seem daunting, but given the time, money, and goodwill an audit can put at risk, it is as savvy and cost-effective a move as a CIO can make.