The Regulatory Compliance Review: What You Need to Know
By: Andrew Rhee & Dave Santiago
It is 4 p.m. on a Friday afternoon when you receive a call from the regulators telling you that your firm has been selected to undergo a compliance review. The initial reaction is almost always the same: you feel a sense of panic and blurt out, “Why am I being selected and is there a problem?”, “I am really busy right now, can you come in a few weeks?”, or “How much time do I have to prepare and how long will you be here?” These words will certainly resonate with some of you, and whether or not you have been through this process before, being selected for a regulatory compliance review can be very stressful, especially for those who have not made the appropriate preparations.
We are former Accountants of the Compliance and Registrant Regulation Branch of the Ontario Securities Commission (OSC) who spent the majority of our time there conducting regulatory compliance reviews. Now we are independent compliance consultants, and many of our clients have asked for our insight on what to expect during a regulatory compliance review. While our insight relates to our experience at the OSC, there is a national registration regime with similar requirements across provinces. The Canadian Securities Administrators (CSA) have worked to harmonize the compliance review program so that a compliance review conducted by the OSC, or for example the ASC, should look and feel the same for an Exempt Market Dealer based out of Ontario or Alberta.
Selection Process and Types of Compliance Reviews
Your firm can be selected for one of the following types of compliance reviews: full compliance review, targeted review, such as a sweep (e.g. KYC, KYP, and Suitability sweep, or Marketing Sweep), or a for-cause review.
The selection process may vary by jurisdiction, but in Ontario, the OSC generally uses a risk-based approach when selecting registrants for review and will consider a number of factors and information provided by firms. The OSC uses a tool called the risk assessment questionnaire (RAQ), which is sent to firms for completion every few years. The RAQ is used to determine a risk ranking for registered firms, which allows the regulator to allocate its resources more effectively and efficiently by targeting firms with higher risk rankings. It is important for firms to provide clear and accurate answers when completing the RAQ. From our experience, we have seen some firms selected for a compliance review as a result of confusing and inaccurate answers.
A firm may also be selected to undergo a for-cause review, which may be the result of information received from various sources, including complaints made to the regulators. For these types of reviews, the structure will generally follow a full compliance review. This may include additional procedures depending on the nature of the information received, and the cause for the review.
The OSC does not follow a set schedule for how frequently a firm is selected for a compliance review, and some firms may operate for many years before ever being selected. On the other hand, some firms may undergo multiple compliance reviews over the course of a year, or several years. This can happen, for example, because numerous significant deficiencies were identified in the first review.
The compliance review starts with the regulator sending a list of the books and records it requires to conduct the review. The size of the list can be very daunting and gathering the information can be an onerous process. The good news is that the OSC has made its books and records request list available on its website and will typically give firms five days' notice before starting the on-site portion of the compliance review. Firms should review this list and determine whether they are maintaining the books and records needed for a compliance review. Further, firms may also be asked to provide additional information during the course of the compliance review and should therefore ensure appropriate books and records are being maintained as required.
The on-site portion of the review starts with an entrance meeting, which will generally last approximately two to three hours. Do not be alarmed if you see a large number of the regulator’s staff at this meeting. A compliance review team usually consists of four individuals, including Accountants who conduct and oversee the on-site review, as well as Legal Counsel who provide a supporting role but do not conduct the on-site review. The entrance meeting is intended to find out more about your firm’s business and to discuss various compliance-related topics, including your firm’s compliance and supervision structure. Firms should be well prepared for this meeting: as a result of it, the compliance review team will have a good understanding of the deficiencies that are likely to arise during the course of the review, and will home in on these areas. It has been our experience that if a firm has a poor understanding of compliance, it will be evident in the entrance meeting. Firms should also be prepared to accommodate the review team and make themselves available, as the on-site review can take anywhere from a few days to a few weeks.
A final exit meeting is typically held to communicate the compliance review team’s findings and to seek the firm’s feedback. In most cases, a deficiency report will be issued and the firm will have 30 days to respond in writing to any significant deficiencies. If further regulatory action is warranted, this may come in the form of terms and conditions on the firm’s registration, suspensions, or referrals to the Enforcement Branch. Firms that have an inadequate compliance system will have numerous significant deficiencies, including an ineffective or inadequate Chief Compliance Officer (CCO) and/or Ultimate Designated Person (UDP). In such cases, terms and conditions may be imposed on the firm’s registration requiring the firm to hire an independent compliance consultant or compliance monitor to assist the firm in strengthening its compliance system or monitoring its activities.
How to Prepare for a Compliance Review
By now, you are probably wondering: how does my firm prepare for a compliance review by the regulators? The best advice we can give firms is to continually take a proactive approach to compliance and stay on top of compliance-related matters. From a practical perspective, this can mean different things, but it centres on four main areas:
1. Staying up to date and abreast of regulatory changes
Firms need to take the initiative and stay up to date on new rule requirements and guidance. When new or proposed rules are published, or new guidance from the regulator is issued, read and review them on a timely basis. Firms should also look to a variety of resources to help them stay on top of new compliance requirements, including external legal counsel, compliance consultants, external training sessions and seminars, and industry associations such as NEMA.
2. Being organized and working with the regulators
If your firm is selected for a compliance review by the regulators, ensure you are organized and work cooperatively with the regulators. Prepare an itemized set of the books and records required for the review for the regulator, and keep a set for the firm as well. Keep copies of any additional documents provided to the regulator and track when they are provided. As much as possible, be accommodating, and maintain an ongoing and open dialogue with the regulator throughout the compliance review.
3. Periodically performing self-assessments of your firm’s compliance
Firms should perform ongoing self-assessments of their compliance with securities law and take any actions required to improve their internal controls, monitoring, supervision and policies and procedures. Also, regular training should be provided to staff on new rule requirements and guidance, and on the firm’s internal policies and procedures.
4. Engaging an independent compliance consultant to conduct a mock review
As a best practice, firms should consider hiring an independent compliance consultant to conduct a mock compliance review and provide advice on compliance, including making recommendations to improve the firm’s compliance system. Having an independent third party review your firm’s compliance system and processes may uncover issues you were unaware of and allow your firm to rectify any issues before the regulator comes knocking.
We hope this article has provided you with some valuable insight into the regulatory compliance review. By having a better understanding of the review process and taking the appropriate steps to prepare for a review, your reaction to that Friday afternoon call from the regulators telling you that your firm has been selected to undergo a compliance review will undoubtedly be different – you will feel a sense of calm and ease, and confidently say “We are happy to have you on-site; when would you like to start the review?”, “Please send me the list of books and records you require so we can start gathering the information,” and “Thank you, and we look forward to our entrance meeting.”