Forensics reviews: Trying to focus on tomorrow based on what happened yesterday

Published on November 28, 2019 by Manish Mohan Raj

The US Securities and Exchange Commission (SEC) collected a total of USD4,349m in disgorgement and penalties in FY2019 (year ended September 2019), according to its 2019 Division of Enforcement Annual Report. Although the penalties show that several firms were not acting in the best interests of their clients, we found a number of firms that did act diligently on their clients’ behalf.

The chart below shows a broad consistency in FY2019 and FY2018 in terms of the type of cases that were more frequent. Notably, the number of cases of investment advisory and investment company issues jumped sharply in FY2019 from FY2018. Another interesting fact is the reduction in the number of cases tied to broker dealers, insider trading, and market manipulation. We believe the drop in these numbers is significant, as it reflects the effectiveness of compliance programmes being designed to mitigate risk.

Source: SEC Division of Enforcement 2019 Annual Report.

Total monetary relief ordered in FY2019 was about 10% or USD404m higher than in FY2018, and the highest since 2015. This begs the question, what has changed? Regulations are still coming out at the same pace, but the one significant turn has been the push towards internal controls and reviews – mostly termed forensic – that help identify malintent and nip risks in the bud.

Source: SEC Division of Enforcement 2019 Annual Report

While the above statistics are interesting, it is important to note that these are from one regulator. In a previous blog, we shared global statistics of regulators/regulations and fines paid. The following are some of our observations on the reasons for non-compliance:

• Risk evolves on a daily basis, and existing systems do not have the capabilities to address this

• New regulations make it difficult for smaller institutions to implement compliance programmes

• Firms do not have sufficient controls

• The individual who created the controls is no longer with the firm

• Costs of compliance are increasing

• Businesses are evolving, but compliance follows legacy practices

The above challenges are just a few of the many scenarios that businesses face. For example, would you have ever imagined a case involving a chief compliance officer who stole millions of dollars from investors? The SEC has reported such a case. As risk stewards, compliance officers need to factor in multiple scenarios of what can go wrong. The following checklist, based on an SEC document, would help firms assess whether they have tested their existing controls:

1. Does the business know how compliance alerts are generated?

2. Do you perform a risk assessment that factors in current market conditions, trends and regulatory enforcements?

3. Are the firm’s policies updated based on trigger events or annual assessments?

4. How do you evaluate whether all clients are being treated fairly and equally?

5. Do you ensure that the performance of employee/proprietary accounts is in line with the performance of client accounts?

The rationale behind these questions is as follows: existing controls will generate red flags only based on the logic on which they were created; however, the logic may not factor in current dynamics. A legacy system could weaken a compliance programme, as uplift legacy systems is time consuming and does not yield the required results. When a compliance officer’s reviews yield multiple false positives, it is imperative to confirm manually whether the controls are effective

Current market factors need to be considered when updating a firm’s policies, as all aspects of the business will be impacted. The basic duty of a compliance function is to ensure that clients are treated fairly and equally. If proprietary and employee accounts are performing ahead of the curve, multiple market-manipulation risks may be inherent. Testing compliance provides additional insight, to understand whether the controls created and reviewed are effective. While employers trust their employees, there have been instances where employees, knowing how the compliance programme works, have manipulated the system. This makes it critical to implement an evolving compliance methodology to address the risk.

Forensics reviews have been in place for several years now, in different fields. In this blog, we presented them from a compliance perspective for investment and banking institutions. The forensic approach creates capabilities to understand an institution’s threats and develops controls that can be converted into long-term solutions. A forensics review is not a one-time solution but an ongoing effort to help firms meet regulatory and fiduciary requirements, and client expectations. The forensic approach evolves from regulations and enforcements to bring effective suite of solutions to otherwise unaccounted risks.

Acuity Knowledge Partners’ Solution

We aim to create an approach that develops controls that are dynamic, robust and proficient, to address risk at all levels of a firm. We are experienced in identifying and reviewing gaps in compliance programmes, meeting regulatory requirements, and providing unique solutions with the help of our state-of-the-art technology.

With our focused set of offerings in the areas of forensic analysis, compliance testing, monitoring programmes, risk trend analysis, and risk mitigation, we customise and design reviews dedicated to your firm’s risks, keeping the latest regulatory expectations in mind. We offer a well-thought-through approach – from initial analysis to end documentation and recommendation – to provide you with a holistic view of your business’s risks and how to safeguard it.

Sources:

https://www.sec.gov/news/statement/supporting-role-of-chief-compliance-officers.html

https://www.sec.gov/files/enforcement-annual-report-2019.pdf

https://www.sec.gov/info/cco/adviser_compliance_questions.htm

---

---