Last week, the Securities and Exchange Commission’s Division of Examinations (the “Division”) released its 2021 examination priorities. The priorities reflect the impact of the COVID-19 pandemic, including how it has increased risks related to cybersecurity; a new focus on climate change; and appear to recognize concerns raised by the recent trading in GameStop stock.
Impact of COVID-19
The onset of the work-from-home environment arising from the COVID-19 pandemic, has, among other things, increased the SEC’s concerns about “endpoint security, data loss, remote access, use of third-party communication systems and vendor management.” Consequently, the Division will review whether firms have taken appropriate steps to:
- Safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized access;
- Oversee vendors and service providers;
- Address malicious email activities, such as phishing or account intrusions;
- Respond to incidents, including those related to ransomware attacks; and
- Manage operational risk as a result of dispersed employees in a work-from-home environment.
In particular, the Division will also focus on “controls surrounding online and mobile application access to investor account information, the controls surrounding electronic storage of books and records and personally identifiable information maintained with third-party cloud service providers, and firms’ policies and procedures to protect investor records and information.”
The SEC’s concern is timely given the recent news of Microsoft’s hack, and reflect its long standing focus on cybersecurity. Further, the SEC’s reference to vendors and third-party providers is a reminder that firms are responsible for making sure that the services they outsource comply with applicable SEC rules and requirements.
In its press release announcing the examination priorities, the SEC announced that “[this year, the Division is enhancing its focus on climate and [environmental, social and governance (“ESG”)] related risks by examining proxy voting policies and practices to ensure voting aligns with investors’ best interests and expectations, as well as firms’ business continuity plans in light of intensifying physical risks associated with climate change.”
Accordingly, in the examination priorities, the SEC stated that “[t]he Division will shift its focus to whether [business continuity] plans, particularly those of systemically important registrants, account for the growing physical and other relevant risks associated with climate change… As climate-related events become more frequent and more intense, we will review whether systemically important registrants are considering effective practices to help improve responses to large-scale events.” The SEC noted that the scope of its examinations will be similar to the post-Hurricane Sandy work and “focus on the maturation and improvement of these plans over the intervening years.” Firms should review their business continuity plans and determine whether any further updates or improvements are warranted and, in particular, should be prepared to explain how they have reviewed their plans in light of this guidance.
And, the day after releasing the examination priorities, the SEC took direct aim at climate change and ESG issues by announcing the formation of a Climate and ESG Task Force in the Division of Enforcement. The task force’s initial focus will be to identify material gaps or misstatements in issuers’ disclosures of climate risks under current disclosure requirements. It will also investigate ESG disclosure and compliance issues relating to asset managers and funds, as well as tips, referrals and whistleblower complaints on ESG-related issues. As part of this initiative, the SEC will review its guidance issued in 2010 concerning the application of existing disclosure requirements to climate change matters, with the goal of updating the guidance to reflect developments of the past decade. Stay tuned for that further guidance.
Technology has dramatically changed the way firms interact with customers and clients and the SEC noted that it “remains committed to staying informed about how these developments impact registrants and investors.” In an apparent reference to the Robinhood on-line trading app, and the recent trading in Gamestop stock, the SEC noted that “[a]mong other areas, examinations will focus on evaluating whether firms are operating consistently with their representations, whether firms are handling customer orders in accordance with customer instructions, and review compliance around trade recommendations made in mobile applications.”
The SEC also reminded market participants engaged with digital assets that it will continue to assess the following: whether investments are in the best interests of investors; portfolio management and trading practices; safety of client funds and assets; pricing and valuation; effectiveness of compliance programs and controls; and supervision of representatives’ outside business activities. As digital assets gain in popularity and firms continue to adopt distributed ledger technology, it is expected that this will be an area of increased focus for the SEC.
The examination priorities also include specific areas of focus for registered investment advisors, investment companies, municipal advisors and broker-dealers. By way of example, for broker-dealers, the SEC noted areas of focus including:
- Financial responsibility to ensure that assets are safeguarded in accordance with the Customer Protection Rule and Net Capital Rule;
- Compliance with best execution obligations in a zero commission environment;
- Compliance with amended Rule 606 order routing disclosures;
- Payment for order flow arrangements and its possible effects on order routing and best execution obligations; and
- Market-maker compliance with Regulation SHO.
And, of course, the priorities reflect long running concerns including recommendations to retail investors, in particular, seniors, teachers, military personnel, and retirement savers as well as implementation of Reg BI (which we have previously written about here), the transition from LIBOR, and anti-money laundering.
Firms should consider the SEC examination priorities as well as FINRA’s 2021 priorities (which we wrote about here) when they review their policies and plan their compliance initiatives for the year. To the extent firms identify deficiencies in their policies and procedures, they should promptly remediate them to try to minimize their regulatory risk.