On Feb. 27, 2012, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a National Examination Risk Alert (“Alert”) to encourage brokerage and advisory firms to review and assess their existing compliance controls related to detecting and preventing unauthorized trading.1 OCIE, recognizing the ongoing problem of unauthorized trading, provides guidance on how firms should review, assess and enhance existing processes to address this issue.Unauthorized Trading
The Alert defines “unauthorized trading” to include a broad range of activities, all of which, if undetected, might cause a firm and its investors to incur losses on investments and endure legal and regulatory risks, as well as reputational damage. According to the Alert, the following would be considered unauthorized trading and should be assessed as such:
- “Rogue” or other unauthorized trading in customer or client proprietary accounts;2
- Trading in excess of firm limits on position exposures, risk tolerance or losses;
- Purposeful mismarking of positions; and
- Fabricating nonexistent transactions through the creation of false records.
OCIE recommends that firms consider and assess any activity that would allow an individual to engage in unauthorized trading. In that regard, OCIE recommends a firm have “independent and mutually reinforcing controls” as an element to be used in mitigating against unauthorized trading. As such, firms should consider engaging various firm control functions — e.g., operational risk, audit, legal and compliance — to assist with the independent identification of potential risks or situations that could facilitate unauthorized trading. Regular review and assessment of internal controls should be conducted to ensure unauthorized trading is not taking place — particularly in light of internal changes at the firm as well as changes in market conditions.
Depending on the results of such a review, the firm may wish to enlist the same control functions to create enhanced controls and processes. According to OCIE, training of management and staff is essential in the identification and prevention of unauthorized trading. In addition, firms should have in place an appropriate reporting system for reports of unauthorized trading and escalation of reports as needed.
Complying With Supervisory and Compliance Obligations
The Alert sets forth examples of unauthorized trading that OCIE staff have considered in the National Examination Program. The examples address supervisory and compliance matters related to unauthorized trading and provide firms with guidance on meeting related supervisory and compliance requirements. OCIE is clear to note that the guidance is “neither a safe harbor nor a ‘checklist’,” and indicates that how the compliance or supervisory controls are assessed is a firm-specific process.
Supervisory Structure — The Most Important Control
The Alert emphasizes the importance of a firm’s supervisory structure as its most valuable control in detecting and preventing unauthorized trading. The Alert recommends that firms consider the following in assessing whether its systems are adequately designed to detect unauthorized trading:
- Identification of independent and well-defined reporting lines, including methods for reinforcing checks and balances. More than one person and reporting line should be responsible for monitoring the status of the trading or other business activity
- An understanding on the part of persons in the reporting chain, including management, of the complex products and strategies used by firm traders. Without such an understanding, red flags related to unauthorized trading may go unnoticed
- Conversations with direct and indirect reports regarding trading portfolios and account positions with a focus on identifying situations that are not typical. Management should consider additional discussions with traders depending on each particular scenario (e.g., new traders, traders for larger portfolios)
- Consideration of the balance between compensation/incentives to traders and supervisors in light of the level of responsible risk-taking in which they engage
- Disaggregation of functions performed by one trader or desk. Where multiple activities are the responsibility of a single person or desk, it may be difficult to detect potential wrongdoing or irregular activity.
- Implementation of an “open-door” policy to encourage reporting of information that may help management detect and prevent problems, including those related to unauthorized trading
- Limits on access to certain trading systems only by approved personnel with regular reviews by management of those persons with access
- Implementation of additional controls and enhanced scrutiny of certain activity as needed with regular, even daily, monitoring (e.g., monitoring of changes in trading patterns, unusual or high volume of error account activity; manual trade adjustments)
- Consideration of issues related to the movement of employees into trading positions from within the firm. OCIE suggests that brokerage firms have a process in place so that employees moved from another area of the firm into trading are treated as “new hires” and no longer have access to the systems or information available in their prior position. In addition, brokerage firms should consider the various scenarios that could be exploited if certain information were carried over into a trading position. Firms may use internal checks to alert management of any potential breach.
- Implementation of special supervisory reviews to detect extended settlement trades and client or firm positions that are excessively rolled over. OCIE suggests that such reviews might include contact with clients to confirm their knowledge of the trade or verbal independent confirmation by a designated mid- or back-office representative of the trade, shortly after an order is received.
- Additional reviews of internal trades (where a confirmation may not be issued), as well as the street-side comparison process to uncover any potential unauthorized trading activity. OCIE suggests management consider training middle and operations staff on receipt of confirmation acknowledgments and understanding when to escalate issues.
- Limits on remote access to firm systems while a trader is away from the firm. OCIE notes that while many brokerage firms have instituted mandatory vacation policies for trading staff and others, this alone may not necessarily uncover unauthorized trading. By limiting a trader’s access to firm systems — or simply eliminating any access — while he/she is away from the office, the firm can review the trader’s portfolios for issues of concern, including unauthorized trading.
- Implementation of independent trading reviews to check on a trader’s strategies and performance, as well as reviews of business performance and risk profile
- Reviews of consolidated transaction information for firms that use multiple systems for various components of a transaction. OCIE notes that if firm systems operate in silos, then the seamless detection, management and reporting of issues such as unauthorized trading is difficult.
- Testing of firm controls meant to detect unauthorized trading. OCIE suggests periodic reviews and testing of relevant controls.
- Finally, OCIE encourages implementation, starting with top management, of a well-articulated “culture of compliance.” OCIE recommends firms create a supervisory and compliance system that encourages involvement and a sense of shared responsibility. Employees should feel comfortable reporting potential issues with no fear of retaliation, and no activity should be tolerated that might discourage the escalation of concerns.
Overall the OCIE Risk Alert provides sound ideas that firms can use when considering how to prevent and detect unauthorized trading. OCIE stops short of providing guidance on which a firm can fully rely to comply with SEC or FINRA requirements, but it encourages firms to consider a number of elements that may assist in the prevention, detection and management of unauthorized trading and related issues.
*This alert was co-authored by W. Hardy Callcott and Margaret Blake.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:Boch-DavidKroll-Amy
1 Unless otherwise indicated, references herein to “firms” include both brokerage and advisory firms.
2 On Feb. 28, 2012, the SEC also issued jointly with the Commodities Futures Trading Commission proposed rules and guidelines, known generally as the “red flag” rules, relating to identity theft. See Investment Company Act Release No. 29969 (Feb. 28, 2012). Bingham is preparing a separate alert on the red flags proposal.