SEC-FINRA Joint Guidance Expands Requirements for Broker-Dealers’ Branch Examination Process

On Nov. 30, 2011, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (“OCIE”), in cooperation with the Financial Industry Regulatory Authority (FINRA), issued a National Examination Risk Alert addressing branch office inspections (the “Risk Alert”).¹ The Risk Alert informs broker-dealers about observations the regulators have made as a result of their own on-site inspections. It provides broker-dealers with five specific processes that the OCIE and FINRA believe are effective for firms when implementing their own internal branch office inspections. Some of the five processes, however, create new expectations that make this “joint guidance” look a lot like “rulemaking” — but without being subject to the appropriate rulemaking process, including comments from the industry.

In the Risk Alert, the OCIE and FINRA put firms on notice that their own broker-dealer examinations will expand the use of branch office inspections. For the OCIE, this is notable. Historically, OCIE examinations have primarily focused on the firm’s headquarters. The Risk Alert makes it clear, however, that the OCIE will be conducting more branch examinations. As a result, firms should expect both FINRA and the OCIE to assess whether they have implemented this joint guidance in terms of the timing and nature of internal branch inspection programs.

Risk-Based Inspections and Unannounced Visits

Under FINRA rules, broker-dealers are required to conduct on-site inspections of each office location. Offices of Supervisory Jurisdictions (“OSJs”) and non-OSJ branches that supervise non-branch locations must have annual inspections. For non-supervisory branch offices, inspections must occur at least every three years; and non-branch offices must be inspected “periodically.”

Despite the longstanding FINRA rule on the timing of branch office inspections, the Risk Alert seeks to establish a more aggressive schedule. A firm must conduct a risk-based analysis of every location to determine the appropriate timing of each branch inspection (not merely the minimum timing required under the FINRA rule). Today, many broker-dealers apply a risk-based analysis of their firm as a whole but not an individualized risk-based analysis of every branch office. Under the Risk Alert, the OCIE and FINRA expect firms to conduct ongoing risk-based analyses of each location, which should result in more frequent examinations of offices posing higher levels of risk. In addition, if firms implement this risk-based analysis for each location, the Risk Alert suggests that both the OCIE and FINRA expect that this will also result in firms conducting more “unannounced” examinations.

Broker-dealers often conduct some unannounced examinations, especially of remote offices, as recommended in the 2004 SEC Division of Market Regulation Staff Legal Bulletin No. 17. However, the new Risk Alert suggests that a risk-based analysis of office locations should result in more unannounced examinations. This is a substantial undertaking to impose, especially in guidance issued without notice and comment. Had the SEC or FINRA proposed a rule imposing this requirement, the industry likely would have submitted comments regarding its practicality and whether its benefits outweighed its costs. Indeed, for many broker-dealers, unannounced examinations present practical difficulties such as making sure the registered persons are at the location on the date of the unannounced visit. Despite these logistical problems, the Risk Alert indicates that firms need to assess whether they should conduct additional unannounced visits in order to satisfy the OCIE and FINRA examination staffs.

Deploying Examiners With “Gravitas” and No Conflicts of Interest

The Risk Alert also suggests that firms should “deploy sufficiently senior branch office examiners who understand the business and have the ‘gravitas’ to challenge assumptions.” The regulators gave no meaningful guidance as to what this means in practical terms. The Risk Alert suggests only that both the OCIE and FINRA have noticed deficiencies in the integrity of certain branch inspection processes when the firm has tried to “…leverage novice or unseasoned branch office examiners who do not have significant depth of experience or understanding of the business to challenge assumptions.” What this means in terms of whether there is an experience requirement for internal examinations is anyone’s guess. Again, the costs associated with requiring senior examiners for all branch exams (and who counts as a senior examiner) should have been vetted through the rulemaking process. That being said, firms should consider the training they provide their internal inspection teams with as a way to buttress their argument that the staff who conduct internal inspections have sufficient “gravitas.”

The Risk Alert suggests that another aspect of effective internal inspections includes avoiding conflicts of interest on the part of examiners that may undermine complete and effective inspections. The Risk Alert, however, does not provide any effective guidance on how to achieve this “standard.” A situation where a branch office manager or registered principal for the particular office conducts the internal examination may be an example that regulators would consider to be a conflict of interest. Broker-dealers should consider their processes so as not to run afoul of the regulators’ expectations about conflicts of interest.

Heightened Supervision of Remote Offices

The Risk Alert reiterates prior guidance that firms’ internal inspection programs should include procedures for, among other things, heightened supervision of some remote offices. If those offices have associated persons who have disciplinary histories, outside business activities, histories of customer complaints or other red flags, they should be examined more often than the minimum frequencies set forth in the FINRA rule. Moreover, those office examinations should include a review of supervisory responsibilities, as well as a system of follow-up and review of these procedures. The fact that a location is remote does not necessarily mean that it requires a firm to pay more attention to it. Nevertheless, firms should consider the Risk Alert and re-assess whether their procedures place sufficient emphasis on remote offices.

Best Practices

The Risk Alert indicates that examination modules for both the OCIE and FINRA will include a targeted review of the quality and scope of branch examinations. The regulators believe an effective branch inspection program is a necessary part of a firm’s supervisory system and a strong indicator of its culture of compliance. Moreover, by listing examples of what an examiner may review in “verifying” the effective program, the OCIE and FINRA are providing a signal of what they expect to be included in a reasonably designed inspection program.²

For example, the Risk Alert suggests:

• Testing and verifying procedures at the branch level;


• Conducting risk-based reviews of bank accounts of the branch, third-party wire transfers and branch signature guarantee logs;


• Establishing procedures to uncover the use of unauthorized computers or other electronic devices and/or social media; and


• Including in the written report of each branch inspection any noted deficiencies and areas of improvement. The report should also outline agreed upon actions, including timelines, to correct the identified deficiencies.

A Common Theme — Getting the Outside Business Activities Into the Branch Examinations

Another theme that runs through this “guidance” is that the OCIE and FINRA would like to expand their jurisdiction by having firms renew outside business activities as part of the branch examination process that they oversee. 

The Risk Alert suggests:

• Conducting a risk-based review that “allow[s] a firm to better identify the nature and extent of outside business activities of registered branch office personnel.” Additionally, “[o]utside business activities conducted by registered persons may carry added risk because these activities may be perceived by customers as part of the member’s business.”³


• Elevating the frequency and/or scope of branch inspections where registered personnel are allowed to conduct outside business activities.


• Reviewing for “evidence of unreported outside or other unauthorized business activities by review of customer files, written materials on the premises and at any satellite locations, branch office accounting records, appointment books and calendars, phone records, bank records.”


• Independently verifying “the nature and extent of outside business activities.”

Conclusion

Broker-dealers should assess their internal branch examination program to determine if there are gaps between their current practices and the “guidance” in the OCIE-FINRA Risk Alert. Firms would be well-served to document this assessment and any determination that aspects of this guidance are not applicable to their branch examination programs.

For more information, please contact:

Gail Marshall, Of Counsel, Broker-Dealer Group
gail.marshall@bingham.com, 202.373.6102

Roger P. Joseph, Practice Group Leader, Investment Management Practice Group; Co-chair, Financial Services Area
roger.joseph@bingham.com, 617.951.8247

Edwin Smith, Partner, Financial Restructuring Group; Co-chair, Financial Services Area
edwin.smith@bingham.com, 617.951.8615

Tim Burke, Practice Group Leader, Broker-Dealer Group; Co-chair, Financial Services Area
timothy.burke@bingham.com, 617.951.8620

¹ See National Examination Risk Alert, Vol. I, Issue 2, Nov. 30, 2011 and FINRA Regulatory Notice 11-54, Branch Office Inspections, Nov. 30, 2011. In October 2011, the OCIE issued its first-ever national Examination Risk Alert targeting the master/sub account trading model. See Bingham Alert, “SEC Targets Master/Sub Account Trading Model for Examination” (Oct. 10, 2011), /Media.aspx?MediaID=12930.

² Of course the regulators caution that these factors and suggestions are not exhaustive, and they constitute neither a safe harbor nor a “checklist” for SEC staff examiners. The adequacy of a supervisory program can be determined only with reference to the profile of the specific firm and the specific facts and circumstances.

³ The Risk Alert notes further that the broker-dealer should do “risk-based reviews of bank accounts of the branch and affiliated entities” (emphasis added). The concept of a branch having an “affiliated entity” is somewhat novel, but presumably includes outside business activities at affiliated entities such as banks, investment advisers or insurance companies.