For the financial industry, regulatory compliance management is an essential part of doing business. It’s what helps highly regulated firms ensure that their practices and procedures are in line with the applicable laws, standards, and other industry requirements.
When regulators come calling, firms that provide brokerage and investment services need to be able to make the case that (1) they are securing their data properly across the organization, and (2) they have strong controls, policies, and procedures in place to prove they are compliant.
By helping to operationalize and document those processes, information governance (IG) plays a crucial role in regulatory compliance management for broker-dealers and investment advisors.
The demands of FINRA audits on regulatory compliance management
Here in the U.S., financial firms must answer to a broad range of regulatory bodies, such as the SEC, Federal Reserve, OCC, CFTC, and FDIC, as well as state and local regulators and even overseas rules such as GDPR.
But additionally, U.S. broker-dealers must meet the requirements of FINRA, the industry’s self-regulatory organization — and those requirements can be particularly challenging for regulatory compliance management.
That’s because FINRA has very stringent and closely defined regulations for broker-dealers. For instance, it requires immutable storage, where once data is stored, it cannot be changed, tampered with, or deleted. This is generally accomplished using what is known as write once read many (WORM) technology.
Even more critically, unlike other regulators, FINRA requires the regulated firms to undergo annual audits of their operational policies and procedures. The goal is to verify adherence to all the pertinent laws and regulations on how a broker-dealer is managing its information and practices.
Annual FINRA audits, as well as SEC investigations, also uncover whether firms have corrected previously cited compliance lapses and responded to auditors’ recommendations. Additionally, firms are expected to show progress from year to year in moving regulatory compliance to the next level.
Yet all too often, firms concentrate on merely getting through an audit — whether by FINRA or other regulators — and then file the results away without creating a plan of action or documenting how they intend to address any issues that were identified.
The need to document operational processes and compliance
Every brokerage or investment firm has a compliance manager or some central oversight group responsible for regulatory compliance management — the process of implementing and overseeing standards and regulations to ensure that the organization complies.
But it is not enough to put policies and procedures in place, and then sit back and let them “do their thing.” Documenting that the right operational processes are in place and that people are actually adhering to the laws is an ongoing obligation — especially to FINRA and the SEC, who can come into an organization at any time and say, “Prove it.”
Therefore, broker-dealers and investment advisors must be able to prove that their processes continue to be documented, followed, controlled, and monitored to verify compliance. Failure to do so can result in hefty fines, disciplinary action, legal consequences, reputational damage, or in the most severe circumstances, shuttering of the business.
Proving compliance with data collection, protection, and storage requirements
With the proper regulatory compliance management and recordkeeping governance in place, broker-dealers and investment advisors can respond more effectively to FINRA audits, the SEC, or other regulator requests. For example, the firms can provide documentation that verifies:
- All required client communications and transaction information are being collected
- Where every piece of collected information is sitting
- Client data and identities are being protected
- All records are secured in immutable, WORM-compliant storage
- All data is stored according to the requirements of the jurisdiction where it sits
The last point is a growing issue as more companies implement enterprise solutions for consolidating and managing data in one system. Organizations using these systems need to be cautious about the flow of data across borders — ensuring that they meet any jurisdiction-specific rules and regulations pertaining to how to manage and store data.
This may be a particular concern for large organizations with enterprise systems that do not sit in the United States and that feed financial information into other systems.
How IG makes regulatory compliance management easier
As part of an effective regulatory compliance management program, information governance not only helps you establish the recordkeeping policies and procedures that employees must adhere to — it enables you to operationalize the related rules, technology, and activities wherever they are needed across the organization.
Operationalizing regulatory compliance management provides a method for inventorying data across different business units, functions, and locations. For example, it allows you to document all records pertaining to the broker-dealer or investment advisor business, including where the information is stored and how it is archived.
Information governance also ensures you have controls in place to monitor and test the effectiveness of policies and processes on an ongoing basis. This helps you be sure the business is continuing to meet compliance requirements as the amount of data increases, the organization changes, or new regulations come into play.
In addition, the structure of an IG program makes it easier to adapt current policies and processes to satisfy requests from regulators and respond to recommendations for improving recordkeeping and documentation.
To learn more about how information governance can make regulatory compliance management easier, please contact lynn@bernsteindatao.wpenginepowered.com.