2023 was another active year for U.S. Securities and Exchange Commission (SEC) enforcement, encompassing a wide range of violations against individuals and firms of all sizes.
Understanding 2023 enforcement actions along with the agency’s 2024 enforcement priorities will help firms better assess and anticipate regulatory expectations—and set the stage for better compliance.
2023 SEC enforcement had substantive breadth and depth, with actions that addressed a wide range of violations and violators including individuals and companies large and small. And with the agency's 2022-2026 Strategic Plan promising a sustained focus on investor protection, a robust regulatory framework and evolving technology and rule sets, firms should be ready for another year of extensive SEC action and enforcement.
In 2023, SEC enforcement actions covered a variety of topics, such as compliance programs, disclosures, conflicts of interest, investment recommendations, market and credit risks, derivatives and leverage, environmental, social, and governance (ESG) factors, and new technologies.
There were 784 total enforcement actions in the SEC’s fiscal year 2023, a 3 percent increase from 2022, including:
The SEC’s Division of Enforcement filed settled charges and imposed penalties against firms and individuals across a broad range of securities law violations, including:
Fines for books and records failures were assessed in excess of a staggering $1.5 billion. In remarks before the 2023 Securities Enforcement Forum, SEC Chair Gary Gensler noted, “Since the 1930s, recordkeeping obligations have been vital to market integrity and the SEC’s oversight. At a fundamental level, failures in recordkeeping—like those involving off-channel communications—obstruct such market integrity.”
The SEC Division of Examinations 2024 Examination Priorities outline the agency's strategic approach, direction and priorities for the upcoming year for various market participants. These priorities contain the Division’s assessment of key risks, issues, and policy matters stemming from market and regulatory developments, examination information, and sources including tips, complaints, referrals and coordination with other SEC divisions and other regulators.
Investment advisers
For investment advisers, the agency will examine how investment advisers, especially those who advise private and registered funds, manage their compliance programs, fiduciary duties, disclosures, conflicts of interest, and investment recommendations. Priorities will also include the continued impact of the COVID-19 pandemic, the change from LIBOR, the application of ESG factors, and the use of new technology.
Registered funds
The Division will monitor how registered funds, especially mutual funds and ETFs, manage their compliance programs, disclosures, liquidity and valuation practices, fees and expenses, and conflicts of interest. Additional priorities will include oversight and governance of registered funds, management of market and credit risks, the use of derivatives and leverage, and compliance with the new fund of funds rule.
Broker-dealers
For broker-dealers, top priorities include compliance with Regulation Best Interest (Reg BI) and the use of Form CRS, as well as the financial responsibility rules, trading practices, market access, best execution, payment for order flow, and cybersecurity. The Division will also examine sales practices, suitability, and disclosures, especially those surrounding complex or structured products, crypto-asset securities, or ESG-related products.
Other market participants
The Division will examine the compliance programs, risk management, operational resilience, and cybersecurity of other market participants, including self-regulatory organizations, clearing agencies, municipal advisors, security-based swap dealers, transfer agents, and national securities exchanges, focusing on oversight and governance as well as the protection of customer assets and data.
Gensler and the SEC continue to encourage meaningful cooperation from market participants who are involved in or aware of potential violations of securities laws. As noted by Gensler in his remarks before the 2023 Securities Enforcement Forum, “Further, process is about meaningful cooperation. I’m talking about more than showing up for testimony or producing documents under subpoena. It means going above and beyond to self-report, cooperate, and remediate.”
With expectations high for another year of regulatory scrutiny, there are key areas compliance executives can focus on to close out 2023 strong and meet the expectations of the SEC and other regulators in 2024. These areas include risk assessments, vendor due diligence, preparing for the annual compliance review and optimizing compliance technology.
Be ready for proactive compliance in 2024! Watch an on-demand webinar featuring practical year-end guidance from the experts at MCG Consulting.
In the webinar Practical Steps to Strategic Year-End Compliance, Paul Murdock and James Hartmann from MCG Consulting share tips for evaluating core elements of the compliance program to flag issues and make adjustments, laying the foundation for effective compliance in the year ahead.
When asked if organizations should conduct a formal Risk Assessment, the answer from Paul and James was a resounding yes. James notes that most firms don't have one, but really need one! In fact, for Registered Investment Advisers, it's an implied aspect of SEC Rule 206(4)-7, as outlined in the Risk Alert Investment Advisers: Assessing Risks, Scoping Examinations, and Requesting Documents.
Rule 206(4)-7 requires each registered adviser to review policies and procedures annually to determine both adequacy and the effectiveness of implementation. The Risk Alert reminds firms that they should take inventory of compliance risks and conflicts of interest that form the basis for policies and procedures and make notations regarding changes made to the inventory. James explained that the Risk Alert outlines typical focus areas and requests for information. That means that the RIA is expected to have responses to those request areas, so long as they are germane—and having a written risk assessment is germane to all RIAs.
According to Paul, the basic elements of a Risk Assessment include:
The culture of the firm is the ultimate efficacy test. When there is a material breach within the firm, is it handled expediently and according to policy?
You can delegate, but you can’t abdicate, so supervise with care.
James reminded firms that the regulators have been intensifying their focus on vendor due diligence, and that compliance programs should increase attention on the area accordingly. Due diligence should be conducted at on-boarding and on a regular basis for the vendors that support clients and the firm. eComms are a high-risk area these days, but other areas of concern include cyber risk and IT risk. Criteria that should be evaluated during the due diligence process include resources for implementation, verification, and ongoing system monitoring, service and support, and certifications and audits including SOC-2.
Paul and James pointed out that in nearly all enforcement actions, the risks were not on the internal radar of any reporting prepared for a management committee or Board of Directors, let alone mischaracterized as low/medium/high. A comprehensive annual review should identify risks and allow for mitigation before the regulators find them first.
Paul and James recommend that year over year firms document reviews and draft the report with monthly, quarterly and ad hoc updates. At year end, most firms will only need to make minor adjustments since the bulk of the annual review has already been written. They also reminded firms that a written report is required, along with solid documentation of the source data that makes up the report’s observations and recommendations. Those observations and recommendations can and should be both regulatory driven and indicative of year over year changes in the firm's business. Controls should be updated and amended based on the findings of the annual compliance review. If the annual compliance review leads to no year over year control enhancements, that's a definite flag that regulators are going to want to look into.
Paul and James also addressed a common question about outsourcing the annual review. Using a third party for the annual compliance review is not required, but there are circumstances where it can be advantageous to a firm. A third party can bring a fresh perspective that helps uncover gaps and blind spots. An outside resource can also help alleviate time and capacity constraints and bring an independent and objective voice to the table.
The regulatory environment is continuously evolving, and compliance teams must be nimble to keep pace. A set-it-and-forget-it approach to compliance technology is a surefire way to miss or underestimate risk.
Paul and James recommend that alongside their annual review of policies and procedures, compliance teams evaluate how they are set in their system as well. Compliance technology that is regularly updated and enhanced, together with knowledgeable and responsive customer support, can also help with this endeavor.