Covid Could Cause US Regulators to Rethink Surveillance

Not having specific requirements and procedures for firms to refer to ended up putting some funds in a tough place during the pandemic’s early days.


At the height of the pandemic, as the markets were rapidly fluctuating, US trading firms had to manage both a remote workforce and new types of compliance risks. Compared with their European counterparts, US regulators have not been as prescriptive about procedures to ensure surveillance of remote working, so firms were flying blind while managing their coronavirus response. As a result, some US regulatory bodies might rethink their approach in order to fall better in line with European guidance.

For example, since the Covid-19 pandemic first began disrupting the markets in March, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) has observed areas of heightened risk that it says firms should be focusing on.

The OCIE last week issued a risk alert titled “Select Covid-19 Compliance Risk and Considerations for Broker Dealers and Investment Advisers” in which it lays out these six areas: protection of investor assets; supervision of personnel; fees, expenses, and financial transactions; investment fraud; business continuity; and protection of sensitive information. The OCIE is the SEC’s examining body; its mission is to ensure market integrity and investor protection, partly by monitoring risks. This was the OCIE’s sixth risk alert since April; for comparison, it issued six alerts in all of 2019, five in 2018 and 2017, and four in 2016.

In Covid-19 times and beyond, firms have a long and potentially transformative journey ahead of them. 

Danielle Tierney, a senior adviser on market structure and technology at Greenwich Associates, believes that the SEC may be laying the groundwork to enact more specific regulation with exact procedures that more closely aligns with the EU’s Market Abuse Regulation (MAR) and the Markets in Financial Instruments Directive (Mifid II). For example, US regulation on mobile phones used in trading is vague, at best, whereas MAR and Mifid II directly address those devices in their communications monitoring requirements, Tierney says.

“It’s been up to firms to self-regulate. It’s been up to firms to say, ‘Okay, it’s a pain to have all this mobile surveillance functionality, and roll out all these devices, and it costs money.’ But also, if we don’t monitor any of these mobile devices that employees are definitely using for work, then they’re basically just whistling past the graveyard until someone does something really, really bad,” she says.

Tierney says that US trading firms are not actually far behind EU firms regarding how they surveil and monitor in practice, but without specific requirements and guidance to fall back on in March, some funds were put in a tough position during the pandemic’s early days. At that time, the adviser spoke with turret providers and infrastructure providers to get a sense of how working from home was being handled, and they told her that only about one-third of firms had been prepared for the catastrophe.

“There were a lot of outages,” she says. “So what you had the first couple weeks of March was firms reaching out to the SEC and the CFTC and saying, ‘Hey, just so you know, we have not been in compliance.’”

While the pandemic has fueled a new wave of surveillance tech from vendors, their clients may not have been as proactive as they should have been with the regtech systems they had in place. Tierney says maintenance of those systems proved to be a sharp pain point for firms whose staff were mostly working from home.

“Vendors can’t go in and adjust alert parameters,” Tierney says. “When volumes and volatility spiked, a lot of firms were completely unprepared to go in and adjust their surveillance or alert parameters. They didn’t even know what parameters to adjust it to—infinity?”

But Not So Fast

However, other sources think the idea that OCIE’s risk alerts hint at a system reboot equal to bringing MAR and Mifid II home may be projecting too much too soon. David Friedman, who spent 14 years as counsel at the Financial Industry Regulatory Authority (Finra) before leaving the organization last year, says the latest risk alert indicates something else—that there has been a “huge spike” in fraudulent activity.

He points to Finra’s recent notice, issued the same day as OCIE’s risk alert, warning member firms of a new imposter website going by the domain “www.finnra.org.” In May, WatersTechnology also spoke with the US Office of the Comptroller of the Currency, which warned of an uptick in cyberattacks looking to target weak points in firms’ IT stacks, third-party devices, and networks during remote working scenarios. In March, Finastra detected that “a bad-actor was attempting to introduce malware into our network in what appears to have been a common ransomware attack,” which resulted in the vendor taking its servers offline.

Matthew Giordano, deputy lead partner in public investment management at KPMG, says that after economic downturns, firms tend to see a lot of enforcement cases and deficiency letters come out of OCIE around their policies and procedures. He doesn’t see a move toward European-style regulation as being on the cards for now—particularly with the November presidential election nearing—but it’s possible, he says.

As the former chief accountant for the division of investment management at the SEC until 2017, Giordano says that while OCIE is not involved in rule-making, its staffers may observe certain issues and pose them in turn to the commissioners or other divisions, which could result in rule changes.

Joshua Broaded, a partner and co-head of ACA’s US regulatory compliance practice, says chief compliance officers are hungry for systemic solutions, better frameworks, and better structure. In March, the industry was focused on keeping staff and customers connected and keeping the business running. It took only a few weeks for C-suite executives to realize they needed to be extra proactive in terms of employee outreach.

“That cultural piece is something that is being solved by lots of video chats and other kinds of messaging. But chief compliance officers and chief risk officers are saying, ‘We can’t count on that,’” Broaded says. “We also need good surveillance around employee personal trading. We need surveillance around market abuse, insider trading, front-running, best execution—we need to look at those kinds of issues. Political contributions are going to be a hot topic over the next several months. So we need to have data-driven surveillance systems, coupled with a really proactive outreach so that we get both the ethics and also the testing capabilities, and together, those two things can form a robust set of internal controls.”
