As part of the audit process, regulators expect you’ll have quick and easy access to your compliance data. How promptly and thoroughly you can provide the information that auditors request sets the stage for how the regulators will perceive your entire compliance program.
During MCO’s annual User Conference, I sat down with Mitch Avnet, Founder and Managing Partner at Compliance Risk Concepts (CRC) and CRC Regulatory Analyst Lauren Mitchell. We had a wide-reaching conversation about the importance of compliance recordkeeping and some of the other foundational elements of the compliance program that, when done right, can really set up a firm for a successful audit.
Our customers use MCO to store a full range of compliance information, ranging from outside business activities and gifts and entertainment to private investments, brokerage accounts and political contributions. As part of the audit, regulators will want to see this data compiled in a way that delivers tangible evidence that your compliance program is adequate and robust. Read a white paper on the importance of evidencing compliance.
We asked Mitch and Lauren how quickly compliance is expected to pull requested information as part of a regulatory audit.
From Mitch’s perspective, under record retention requirements like SEC Rule 17a-3 and SEC Rule 17a-4, the data must be easily available and readily accessible within a reasonable timeframe. But what’s considered reasonable these days? Mitch notes that the reasonableness standard has significantly changed over time as the industry has adopted compliance technology as the norm. Historically, when it was typical for firms to keep physical records in off-site storage, a reasonable standard would account for the time needed to pull records out of the archive and courier or overnight them.
Expectations are very different now. Mitch finds that most, if not all, of the firms he works with utilize electronic records storage. Regulators expect it. And with that shift comes the assumption that your compliance data is readily available and at your fingertips. When a request comes in, whether it’s from a cycle exam or a targeted audit, Mitch recommends being able to turn it around within 24 hours as a reasonable standard. Read more from Mitch on the importance of electronic archiving in the white paper Communications Compliance - Stay Ahead of the Curve.
It gets cumbersome quickly when a firm handles compliance through multiple resources, including separate systems, email, spreadsheets, PDFs and Word docs. That usually means it’s all hands on deck when it’s time to cobble together reporting, and often, it takes so long that there’s little time for review. If your firm takes a fragmented approach to compliance, your reporting and analysis results will be equally disjointed.
The risk of taking this approach is substantial. If a regulator or an auditor doesn’t like how you're managing your core compliance data, they might see that as an indication of deeper problems in your program. They might then dig even deeper into your processes for additional red flags. Read about how consolidating compliance technology reduces costs and risk.
Good recordkeeping isn’t just important in the context of an audit. Solid books and records management is a core part of a robust compliance program.
Lauren notes that technology streamlines a firm's processes and is critical for a solid compliance foundation. It simplifies compliance all around, making it easier for employees to understand and fulfill their obligations and for compliance to manage adherence to policy and flag and understand exceptions.
Lauren also reminded customers to take full advantage of the customization capabilities within the MyComplianceOffice platform to make sure that processes are configured to adapt to the regulatory and company requirements that are unique to each firm. Read a case study about how one firm used MyComplianceOffice for better compliance on a single platform.
We asked Mitch and Lauren how often firms should issue certifications – it’s a perennial question we hear from firms of all types and sizes.
Mitch notes that it’s a loaded question that once again comes down to understanding your firm's unique needs and regulatory obligations. He has clients that do certifications quarterly, especially regarding personal trading activity, the use of off-channel communications or receipt of MNPI. Most firms will—and should—do annual attestations of policies and procedures.
He reminded our customers that the most important thing is that whatever you do, it must align with what you said you were going to do in the firm's documentation – whether that’s your WSPs (written supervisory procedures), compliance policies and procedures or your code of ethics, depending on your type of firm.
According to Mitch, it comes down to defining what regular and rigorous should be for your firm – and critically, ensuring that data you collect allows you to evidence adequate oversight of your program.
Lauren advises her clients that it’s good practice to have employees log into the firm every quarter. It helps keep employees engaged with their compliance obligations and up to date with meeting expectations. Frequent access helps with maintaining and cleaning system data as well. She also recommends consistent monitoring by compliance of open tasks and user activity to keep up with outliers. Read more about compliance certifications and attestations.
We asked Mitch and Lauren their thoughts on keeping employees informed of their disclosure requirements. Mitch says one of the best ways to remind employees of their compliance obligations is during the annual compliance meeting. Across his practice, he has found that many firms receive most of their employee disclosure updates after that annual meeting. He notes that it provides a good opportunity for housekeeping and to capture updates like address changes that may have happened over the year.
Lauren also recommends that firms update their MCO dashboard with reminders for when people log in as an ongoing way to encourage timely and accurate submissions.
MCO can help you streamline compliance across your organization and be ready to provide defensible proof of compliance. Contact us today for a demo to see MyComplianceOffice in action.
Mitch Avnet is the Founder, Managing Partner and CEO of Compliance Risk Concepts (CRC). Bringing a wealth of financial services industry experience to his clients, he is responsible for relationship management and overseeing all client-driven / business-focused Compliance and Ethics Risk Management strategic engagements.
Lauren Mitchell is a Senior Compliance Professional at CRC. She previously worked as a compliance analyst for consulting firms in New York and Chicago. Her responsibilities include solution implementation for various regulatory platforms, project management, and general compliance support.
If you’d like to connect with Mitch, Lauren and the rest of the CRC team, you can contact them here.
Jeff Childs is the Director of SMB Sales at MCO. Jeff leads a team of sales professionals dedicated to helping firms across the globe improve compliance and reduce risk. If you’d like to connect with Jeff or any of our experts to learn more about the MyComplianceOffice platform, schedule a conversation here.