As it does every year, FINRA has published its Regulatory and Examination Priorities Letter. This year it focuses on three broad issues:
- Culture, Conflict of Interest and Ethics
- Supervision, Risk Management and Control
FINRA and its predecessor entities have always talked about “firm culture”, but this year they have given it a definition:
“We use it to refer to the set of explicit and implicit norms, practices, and expected behaviors that influence how firm executives, supervisors and employees make and implement decisions in the course of conducting a firm’s business.”
It is FINRA’s intention to formalize its assessment of firm culture in 2016. That assessment will be based upon five indicators:
- Whether control functions are valued within the organization;
- Whether policy or control breaches are tolerated;
- Whether the organization proactively seeks to identify risk and compliance events;
- Whether supervisors are effective role models of firm culture; and
- Whether sub-cultures (e.g. branch offices, trading desks, or investment banking) that may not conform to the overall corporate culture are identified and addressed.
What does all of this mean? It appears that FINRA is looking for a clear path to bringing more enforcement actions against Chief Compliance Officers.
Most enforcement actions against CCOs have arisen from the CCO being involved in the supervision of a business line. However, if you focus on the five indicators, senior management can be implicated, and so can the CCO. Who has responsibility for making sure that control functions are valued within the organization? Answer: the CEO and the CCO. Who is responsible for making sure the organization proactively seeks to identify risk and compliance events? Answer: the CEO and the CCO. Obviously, in a large organization the answer may be a regional or business head and the CCO, but I think you get the thrust of my argument. What happened to “the CCO is our partner”?
So how does the CCO move forward in this environment? I think it starts with the annual compliance review. Make sure that every breach or regulatory inquiry is documented in the report to the CEO, and make sure you report how it was resolved or is being resolved. I also believe that CCOs and their staff need to be visible. Make sure that not only managers but also their staff know that compliance is a force to be reckoned with.
The full 2016 letter is available from FINRA.