The SEC’s 2023 Exam Priorities
The U.S. Securities and Exchange Commission’s (SEC's) Division of Examinations recently released its annual examination priorities "to provide insights into its risk-based approach, including the areas it believes present potential risks to investors and the integrity of the U.S. capital markets." The 2023 priorities reflect those from 2022, grounded in the four pillars of promoting compliance, preventing fraud, identifying and monitoring risk, and informing policy.
New focus areas for 2023 include compliance with the Advisers Act Rule 206(4)-1, the Marketing Rule, and recently enacted investment company rules, including the Derivatives Rule (Investment Company Act Rule 18f-4) and the Fair Valuation Rule (Investment Company Act Rule 2a-5). The SEC will also continue to examine compliance program basics, including custody and safekeeping of client assets, valuation, portfolio management, and brokerage and execution. The examination priorities also indicate increased scrutiny about the calculation of fees and alternative ways to maximize revenue, such as revenue earned on clients' bank deposit sweep programs.
As in prior years, the SEC will continue to focus on private fund managers since more than "5,500 RIAs, totaling over 35% of all RIAs, manage approximately 50,000 private funds with gross assets exceeding $21 trillion." Like other years, the SEC will look at conflicts of interest, calculation and allocation of fees and expenses, and valuation practices.
New exam topics include:
- Marketing Rule compliance, including performance advertising and compensated testimonials and endorsements
- Policies and practices regarding the use of alternative data and compliance with the Investment Advisers Act Section 204A
- Timely delivery of audited financials and selection of permissible auditors
Private funds are not the only ones receiving attention in 2023. Advisers serving the retail market should expect scrutiny of their procedures for meeting their fiduciary obligations. Examiners will review the following:
- Investment advice and recommendations of products, investment strategies and account types
- Disclosures of conflicts of interest related to advice and recommendations
- Evaluation of RIA process for "best interest" recommendations, including how advisers compare available alternatives, review costs and risks, and deal with conflicts of interest
- Process for recommending complex products (ETFs, ETNs, ETPs), high-cost and illiquid products, proprietary products, unconventional products and microcaps
In addition, exam staff will look at the old standards:
- Portfolio management
- Calculation of fees
- Brokerage and execution
The SEC will continue delving into investment companies' compliance programs and governance programs by evaluating "boards' processes for assessing and approving advisory and other fund fees, particularly for funds with weaker performance relative to their peers."
Due to rising investor interest in Environmental, Social, and Governance (ESG)-related investments and strategies, the SEC will continue to focus significantly on RIAs and funds that provide ESG-related funds and products. For 2023, this includes ensuring that firms are operating in a manner that aligns with their ESG disclosures, ESG products are appropriately labeled, and ESG-related recommendations are made in the best interest of investors.
As with previous years, firms should ensure their ESG statements and disclosures align with the firm's practices. However, firms should also be prepared to demonstrate how their ESG-related strategies are in their investors' best interests, which may be a more difficult task given the economic headwinds of the past year and the potentially higher fees often associated with ESG funds and products.
Information Security and Operational Resilience
Information security continues to be a key SEC exam priority. Many cyber priorities remain unchanged from 2022, including firms' practices for preventing account intrusions (such as ransomware), safeguarding customer records and information, and operational resiliency planning. However, in addition to these existing priorities, the SEC introduced two new cyber exam priorities for 2023.
First, the SEC will focus more closely on reviewing firms' cybersecurity policies and procedures, governance practices, and incident response plans to ensure they are "reasonably designed" to safeguard customer records and information. Second, the SEC is zeroing in on third-party vendor cyber risks, including registrants' processes for understanding the security practices of their third-party products and services. In doing so, the SEC will also focus on unauthorized third-party providers, especially when migrating client information.
These expanding cyber exam priorities come at a time when the SEC is already pursuing broader policy-level efforts to establish enhanced cybersecurity expectations and requirements of registrants. For example, Cyber Rule 206(4)-9, initially proposed in February 2022, is expected to be finalized in April 2023. This Rule will set unprecedented formal cybersecurity risk management requirements for investment advisers and private funds, including expectations for firms' cybersecurity policies and procedures, reporting and testing of firms' cyber programs, alerting of cybersecurity incidents, and disclosing cyber risks and incidents to investors. To learn more about the proposed rules, view our information sheet here.
While preparing to meet the expanding 2023 information security SEC exam priorities, firms should consider doing the following:
- Review and establish data transfer and information security third-party risk management policies and procedures, including the monitoring of said activities
- Test incident response plans and backups
- Conduct a risk assessment to identify gaps that could put investor data and assets at risk
- Implement ransomware mitigation controls, including multi-factor authentication (MFA), endpoint protection, and email security controls
- Train end-users on cybersecurity best practices and how to detect and report a potential cyber incident
Crypto Assets and Emerging Financial Technology
The SEC continues to be concerned about crypto-assets and the new technologies changing the delivery of investment management services. Accordingly, advisers offering crypto or crypto-related assets should be prepared to demonstrate that they have met their standard of care in recommending such investments and that their compliance, disclosure, and risk management practices address such assets.
The SEC will also look closely at apps and new asset management tools used by RIAs and broker-dealers. In addition, examination staff will look at how firms are meeting the different compliance challenges raised by new technology to ensure that appropriate risk controls are in place, disclosures are fair and accurate, and investment advice meets investors' needs.
Similar to previous years, the SEC will review broker-dealers' risks, including credit, market, and liquidity risk management controls. In addition, they will focus on the following key areas:
- Safeguarding customer funds and controls around the Customer Protection Rule and the Net Capital Rule
- Electronic communications and recordkeeping
- Conflicts of interest related to order routing
- Regulation SHO, especially aggregation units and the locate requirements
- Alternative trading systems compliance with Regulation ATS
- Fixed income pricing and confirmation disclosures
- Municipal issuer disclosures when underwriting
- Microcap securities issues and compliance with Rule 15c2-11 and penny stock disclosure rules
- Anti-money laundering programs
The SEC also noted that it would continue its oversight of FINRA, including the areas of market integrity and initiatives related to Regulation BI and Form CRS.
We advise firms to review their compliance programs in light of the above priorities and consider taking action before an examination.
How we help
Compliance teams need continuous support and knowledge sharing to stay on top of global regulatory initiatives. Our team helps you navigate the evolving regulatory landscape while considering the complexity of your firm's unique compliance requirements.
We empower clients to reimagine governance, risk, and compliance (GRC) and protect and grow their business. Our innovative approach integrates advisory, managed services, and distribution solutions with our ComplianceAlpha® regulatory technology platform with the specialized expertise of former regulators and practitioners and a deep understanding of the global regulatory landscape.
For more information about these priorities, or to find out how ACA can help your firm prepare for this year’s focus areas, please reach out to your ACA consultant or contact us here.
Listen to our 2023 Regulatory Outlook webcast on demand
We recently hosted a webcast to review the regulatory changes that will likely have implications on compliance programs in 2023, and provide recommendations to prepare for these changes. Our experts discussed rule proposals and adoption, examination and enforcement trends, and regulatory guidance. Watch our webcast for more insights to help you prepare your compliance program for this year’s focus areas.