Upon receiving notification of a regulatory examination, financial firms may feel compelled to reach for the panic button. These notifications typically signal that regulators are probing a particular situation to ascertain potential violations.
Whilst this is concerning, the level of preparation exhibited by compliance teams during such an examination can make all the difference when it comes to the final decision the regulators make.
In this blog, we will break down how firms can adequately prepare for a regulatory examination, what they can expect once the investigation is underway, and how they can mitigate the impact of any potential wrongdoing.
Written notice of an upcoming examination has traditionally come via courier, but in more recent years, many firms have been notified by email that they are being subjected to a review. While regulatory examinations can often be associated with illicit behavior, examinations also take place for newly regulated financial firms.
Firms receiving a regulatory examination notice usually fall into one of two categories:
These firms are required to undergo a formal regulatory examination. It serves as an opportunity for the firm to highlight its policies, governance procedures, and tools, including its regulatory technology.
These investigations typically come about as a result of regulatory infractions, possible market manipulation, or other illegal behavior. Often, regulators are interested in delving deeper into a specific event that took place - such as a series of trades or record keeping failures - over a given period. The findings in these regulatory examinations, as well as a firm’s level of participation in supporting the regulator’s efforts, can directly impact any fines or penalties that may be handed out.
1. Firms receive notice of a regulatory examination
2. Regulators request relevant data to support their investigation
3. Firms send the requested data within an allotted timeframe
4. Regulators examine the data holistically
5. Regulator presents their findings back to the firm
6. The two sides discuss a remediation plan
7. Final settlement
Whether a firm has made a mistake, not established robust enough processes to ensure compliance, or become aware of someone within their firm deliberately breaking the rules, there is plenty that can be done to prepare for a regulatory examination that can also help minimize the negative impact that the examination may have.
Willingness to support the regulator in their investigation is paramount. In August 2023, the SEC and CFTC announced a joint fine of $549M against 13 Wall Street firms for record keeping failures. The Director of the SEC’s Division of Enforcement said, “Self-report, cooperate, and remediate.” While guidance may not have been articulated this directly prior to August 2023, it followed a consistent pattern of regulators trying to remind firms that they would have a significantly better outcome if they approached their situation honestly, transparently, and with a willingness to fix the problem. Additionally, the CFTC mentioned in their recent penalty notice for one of the largest financial firms in Australia that the firm's cooperation in the examination led to a reduced penalty.
Financial firms that leverage market surveillance tools – especially those that can integrate trade and communication data on a single platform - will typically spot any potential wrongdoings long before they catch the regulator’s attention. Those who take a proactive approach to self-report these findings to regulators will be doing themselves a favor. Conversely, firms that identify areas of concern but opt to conceal them are merely laying the groundwork for future complications.
In order to appease the regulator during an examination, it is imperative that firms can swiftly and readily reproduce any data the regulator requests. Record keeping data should be stored in a WORM compliant (write once, read many) format and firms should be able to readily access this information. Failure to make data readily available to regulators will not only slow down the regulatory examination but may also point to issues in the firm’s record keeping processes. In June of 2023, the SEC fined one of America’s largest banks $4 million after they accidentally deleted 47 million emails. The loss of data hindered the bank's cooperation with at least 12 civil regulatory investigations, as the subpoenaed documents were no longer available. The bank directed the blame at failures by their email archiving vendor, further highlighting the importance of reliable archiving capabilities that allow for instantly retrievable data that is stored in a secure vault.
Being thorough from a data standpoint, paired with a sense of urgency, is also crucial. Those set on providing the regulators with the bare minimum in the hopes that it will impede the examination are only doing themselves more harm than good.
While some regulating bodies may ask firms to turn over data in as little as 72 hours, many have demonstrated a willingness to work on a case-by-case basis. For firms that take a proactive and transparent approach to their examination, it is not uncommon to see regulators meet them halfway and ask them to present the required information in “a timely manner.” However, many firms realize, after it’s too late, that some compliance tools can take days or even weeks to extract data from. In many instances, these same archives will charge an exorbitant fee for the data, knowing that the relevant firms are in a situation that desperately requires this information.
Whether intentional or not, stalled examinations that lack necessary data points can give regulators the impression that the firm in question may be acting less than truthfully.
Even in situations when data is securely archived and can be located, it may still come up short of the regulator's expectations. Ensuring information is properly packaged in the requested format is often overlooked but is another vital piece of the puzzle. Often, firms will send data to regulators and assume their duties have been completed, only to have it sent back and be told that it must be converted and repackaged.
Furthermore, firms should provide regulators with as much metadata as possible to ensure they don’t miss out on crucial details. For example, regulators will likely request context about who made a particular phone call or who was involved in a discussion. If this level of detail is not made available to them, regulators may ask compliance teams to go back and manually track down data that provides a more complete picture.
Complying during an investigation is usually an “all hands on deck” approach, with compliance and legal teams collaborating closely. This involves collating all the necessary information and performing internal audits to see what other findings they may come across that would be of value to the regulators.
Once the examination is underway, there is typically a point of contact - usually the head of compliance - that works with the regulator. This individual is a key resource for regulators when it comes to answering questions that may arise or providing additional information that is requested as part of the examination.
There is no set timeframe for how long a regulatory examination will take – it can last weeks or even months. If the scope of the investigation is large enough, it could take over a year before the examination wraps up. In these situations, it is not uncommon to see regulators dedicate full-time resources to establish a presence onsite at the firm, working tirelessly on the examination around the clock.
Similar to the process at the start of the examination, firms are usually notified of the regulator’s findings via courier or email. Some may come out of the investigation unscathed, with the information they provided being sufficient for regulators. For others, the guidance may be to reevaluate their compliance processes and procedures and even hire an outside consultancy to help with the process. In some instances, the regulators can be lenient if a compliance team shows that they have already implemented measures to mitigate any risks identified or are in the process of doing so. The worst outcome, though, is reserved for firms who do, in fact, fall short of their regulatory requirements and are left with monetary fines, penalties, trading suspensions, or a damaged reputation. Any one of these results can be a major setback for a firm, but a combination of them can be disastrous.
Responding to the notice of a regulatory examination can be an extremely fast-paced process that often requires firms to react quickly and use the processes and tools they currently have in place to the best of their ability. However, there are additional measures that firms can take in the long run to ensure they are prepared if a regulatory examination notice is sent to them.
If an organization archives its communications and trade data across various disparate systems that do not speak to each other, it can be extremely easy to miss key data points that are needed in the investigation. The only way for firms to ensure they can quickly access all of their data holistically and get a complete picture is by integrating their communication and trade data onto one platform, offering a single source of truth.
Data completeness checks are reports that run on a set cadence and do a sweep of your data sets to ensure they are complete and readily available. By running these reports weekly or even daily, it becomes much easier for compliance teams to identify crucial data that may have slipped through the cracks rather than doing so retroactively months down the line as part of a formal examination.
The more thorough you are internally before an actual examination comes about, the more likely you are to be successful when the regulator comes knocking.
Navigating regulatory examinations may appear daunting at first glance for many firms.
However, it's crucial for them to recognize that by implementing robust policies and controls, leveraging cutting-edge compliance tools, and demonstrating a proactive attitude in assisting regulators, they can position themselves for a significantly more positive outcome. Engaging in transparency and genuine cooperation trumps any attempt to obscure or deceive regulators, paving the way for smoother regulatory processes and enhanced trust.
As we continue to see regulators around the globe crack down on market participants for falling short of their regulatory obligations, one thing is certain: the need for firms to adequately invest in their compliance teams and solutions is more important than ever.
As the first truly integrated trade and communication surveillance platform, SteelEye provides the most effective solutions for financial firms looking to take a proactive approach and prepare for a potential regulatory examination.
Comprehensive record keeping is the foundation of nearly all compliance requirements. With SteelEye’s compliant archive, firms can store data from over 140 trade and communication channels on a singular platform and rest assured knowing the data they are looking for is easy to find and can’t be altered or deleted. They can also take the tamper-proof data one step further through SteelEye’s eDiscovery capabilities, allowing them to validate, index, and set up intelligent alerts for their structured and unstructured data, making it easy to produce any records for audits, investigations, or litigation purposes. SteelEye’s platform is fully cloud-based, meaning your data is infinitely scalable and will never be removed from its archive in order to make room for newer data.
For examinations that go beyond record keeping and archiving and focus on surveillance, SteelEye’s platform also allows its users to complete trade reconstructions and best execution analysis instantly. When compared to other tools, which sometimes can take more than two weeks to complete these same processes, it can make all the difference in whether your outcome with regulators is favorable.
Lastly, users of the SteelEye platform have full access to download and extract their data at any time. Not only can this be done instantly, but it also comes at no extra cost to the client. Your data is your data, and we don’t believe in holding it for ransom.
Reach out to SteelEye today to learn about how we can help ensure your firm is adequately prepared for a regulatory examination.