XLoD event in NYC: Managing risk, surveillance across the three lines of defense

Discussions of enterprise risk management, surveillance technology, and market abuse feature in the first of two reports.

The XLoD event in New York City this month focused squarely on an enterprise-wide view of nonfinancial risk across the three lines of defense and featured industry participants, regulators, and technology provider firms offering their perspectives. Voice and electronic communications surveillance, leveraging AI in the risk context, trade-date surveillance challenges, and cyber resilience played prominent roles in the day’s discussions.

Our first report on the event highlights the regulators’ comments specifically and offers the results of the audience polling, both of which set the groundwork for the commentary to follow in Part Two.

SEC enforcements: e-comms issue now a checklist item

Lindsey Moilanen, Assistant Director for Enforcement at the SEC, reminded us of the 784 enforcement actions his agency brought in the last fiscal year. Many of the actions and fines levied involved cases of recordkeeping lapses for off-channel communications and blue-sheet data. He said another issue that the agency found problematic was the impediment of whistleblowers with severance agreements and other employee contracts.

The issues share a common thread that is of top concern to the SEC, Moilanen said, because the regulator is prevented from having a clear path to these records. Putting up roadblocks to would-be tipsters frustrates the essential work of the agency in protecting investors and the market as a whole.

He said that after all of these enforcement actions and fines in the e-comms recordkeeping space, the SEC is now expecting firms to have heard the message and be fully compliant. Any evidence to the contrary will result in a tacked-on charge to any other charges they are pursuing against a firm. It’s squarely an Enforcement Division checklist item that cannot be ignored.

He stressed the opportunity businesses have to earn leniency at the penalty stage of cases by self-reporting, cooperating and remediating their compliance programs in a timely manner, asking the audience to consider if they are doing the regular reviews needed and reacting as soon as a red flag is detected in any area.

He also said the agency is quite focused on AI washing right now to ensure businesses take very seriously their obligations to be truthful about their AI investments and technology posture or capabilities.

Moilanen said the agency is incredibly pro-technology adoption and development. But firms must truly select their tech tools according to their individual needs, considering the products and services they offer, their size, their client base, and their geographies of business.

FINRA discussion: BCPs and tabletop exercises

Greg Ruppert, Executive VP, Member Supervision at the Financial Industry Regulatory Authority (FINRA), gave us this scenario about business continuity plans (BCPs): Your systems go down. And that’s where your BCP is located. Everyone’s phone number is there, too. He said firms must think about where their critical data resides and which people have access as an ongoing exercise.

“Do a dry run of a tabletop exercise that goes through the who, when, why and how of every business crisis so you feel a level of control and understanding of how these events will unfold and what expertise will be called upon,” he said. But don’t stop there, he said. Take that information and act upon it – offloading a business partner if that’s what is needed to lower the risk.

Another benefit of these exercises is that they build relationships, Ruppert said. When you build trust between people who have demonstrated their sound judgment, great things happen. Basically, he said, the next time that a trusted colleague makes a recommendation, it is acted on without delay, because of the earned trust there. And it’s best that this trust is there before a crisis emerges.

NFA: What good records look like

Cliffe Allen, Managing Director of the OTC Derivatives Division at the National Futures Association (NFA), used his brief time on stage to remind us what good looks like when it comes to recordkeeping and surveillance, all from the vantage point of his agency.

He reminded us that CFTC rules do not specifically mention surveillance; they talk about supervision and that supervision being “diligent,” and that is the basis for much of his agency’s rulemaking and enforcement efforts. (If you have violated the CFTC rule, you are deemed to have violated the NFA one.)

NFA Rule 23.602 requires swap dealers and major swap participants to establish a supervisory system to oversee all activities performed by the firm, its business partners, members, agents and employees and designate at least one qualified person with authority to carry out the supervisory responsibilities.

NFA Rule 23.201 requires these businesses to keep full, complete, and systematic records, together with all pertinent data and memoranda, of all their swap activities, including business records, transaction records and position records.

Some problems his agency has spotted and has concerns about include:

  • Some global firms have little centralization of records and little knowledge of how to obtain the right record promptly.
  • Businesses sometimes do not understand how to prove their records are complete; some records are obviously incomplete, and the business cannot attest to where the remaining data is located or what it looks like.
  • There is sometimes insufficient coverage of the languages actually spoken in the business’s surveillance and recordkeeping capabilities.

Allen then described what “good” looks like to his agency in terms of clear compliance and risk alignment.

  • The firm has clear policies and procedures that identify the devices and types of apps allowed; the types of communications that fall under the “business” heading; the persons responsible for the surveillance of those communications and the technology used to perform it; how the communications will be documented and archived; and how compliance will be evidenced to regulators and others.
  • Ongoing training for all relevant staff on the items listed above.
  • Attestations from employees that they understand the policies and procedures and will abide by them.
  • A review of the program’s adequacy, which must be periodic and ongoing.
  • A well-communicated and clear disciplinary framework for noncompliance.

Audience polling – we’re midstream, still concerned

To kick off the event, attendees were asked to complete this statement: “The direction of travel for innovation in risk management practices at my firm is … ” The overwhelming majority of the audience (70%) chose the modest “slowly evolving” response; only 26% said “accelerating at pace.”

Participants stressed that there was some comfort in having had these conversations in the business about how to supervise the comms – but there was still a deep concern about what they could be missing.

In the afternoon roundtable sessions, the participants went back to this idea, mentioning budget restraints, competing budgetary requests in the tech arena, and locating the right skill sets to manage these tasks well on an enterprise level.

Another question early in the day: “Where do you believe we are in the cycle of regulatory actions over firms’ communications compliance deficiencies?”

The most popular answer (41%) was “somewhere midstream in the cycle,” followed by “still many more to come” (27%) and “While we’re toward the end of the enforcement action cycle, the issue will continue to be a key risk area in examinations” (23%).

Again, in the smaller roundtables, participants stressed that there was some comfort in now having had these conversations in the business about how to supervise these communications – but there was still a deep concern about what they could be missing. In fact, although there was some concern about over-capture, it was the possibility of under-capture and the few employees evading systems and controls that were the significant concerns.

The event organizers asked about the recent fines in this space, wondering how attendees would describe their firm’s focus in relation to the issues described in the recent enforcement actions. The top answer was “my firm had not had much of a focus in those areas of enforcement activity – but it does now” (62%). Everyone else said those issues had always been a central concern; no one answered that their firm has no focus on those issues.

Trading venues in focus

In a poll question about trading venues, there was a stark split in answers.

The query was: “When it comes to the relationship between my firm and trading venues, the extent to which that relationship is owned and driven by the business is best described as …” Coming in at 47% each were the answers: “The business really gets it – they genuinely own the relationships with venues” and “The business only ‘gets it’ to a certain extent; it’s not consistently the case that the business owns the relationship.”

Again, in the small roundtables, these issues were discussed more granularly, with an emphasis on getting everyone at a large business to appreciate what front-office and compliance responsibilities are (for example, understanding the first line of defense versus the second line of defense roles and responsibilities) for venue management and trade surveillance functions.

The message was this: Firms need a holistic view of trader activities to manage their risk in trading venues. And the message from some participants – namely those offering technology solutions, but others as well – was that you can do this better with advanced data solutions and techniques for supervision.

And then the regulators reminded us of this: they are using data analytics in their supervisory work and exams, and they expect firms to do the same as they seek more granular information.