Remarks at the SIFMA Operations Conference & Exhibition: Staying Vigilant to Protect Investors
SIFMA Operations Conference, Boca Raton, Florida
May 8, 2019
Good morning and thank you Ellen [Greene] for your kind introduction. It is a pleasure to be here today, and I want to thank everyone here for joining us—your commitment to strengthening compliance, risk management and operations is important to our capital markets and to protecting America’s Main Street investors, promoting savings, growth and opportunity for the future.*
Let me also take a moment to thank the talented and hardworking examiners and staff of the OCIE. I’m proud of our team’s commitment and dedication to promoting compliance, monitoring risk, informing policy and preventing fraud, which resonates through our work. In particular, I would like to acknowledge Kevin Stemp, Christine Sibille, Eric Garvey, Alexis Hall, Tina Barry and Akrivi Mazarakis, for their assistance in preparing me to make today’s remarks.
You may have noticed that OCIE published its 2019 Examinations Priorities just before the start of this year—later this morning I am going to join Ira [Hammerman], Vic [Chakrian], Mark [Katzelnick] and Ornella [Bergeron] for a robust panel discussion on these (and other) regulatory priorities for 2019 and beyond. It’s an important topic and I am looking forward to speaking to OCIE’s 2019 Examination Priorities and how we work closely with our regulatory partners, including FINRA and the Federal Reserve.
For now, I want to focus my remarks on a few specific themes, each focused on the protection of retail investors: Anti-Money Laundering (AML), Microcap Securities, Paying Agents, and Cybersecurity. But before I begin, I must share our standard disclaimer. I am speaking today only for myself and not for the Commission, the Commissioners, or the staff.
II. Anti-Money Laundering (AML)
Pursuant to examination authority delegated to the Commission by Treasury, OCIE has long examined broker-dealers and mutual funds for compliance with their anti-money laundering obligations under the Bank Secrecy Act. Broker-dealers, mutual funds and certain other financial institutions are required to implement and maintain an anti-money laundering program and to monitor for and report suspicious activity to FinCEN (the Financial Crimes Enforcement Network). These obligations are critically important in helping law enforcement and the Commission pursue misconduct that could threaten the safety of investor assets and the integrity of our financial markets.
A. AML Programs and SARs Reporting Obligations
Suspicious activity includes more than just activity associated with money movements and traditional money laundering. It also includes activity associated with potential securities fraud, insider trading, and a wide variety of manipulative trading schemes, among other financial crimes. Furthermore, these financial crimes may be carried out through account intrusions and other cyber-related crimes as well as identity theft.
As such, it is of particular importance that broker-dealers and mutual funds, as the first line of defense, implement and maintain robust anti-money laundering programs that are tailored to address the risks associated with their particular businesses, including taking into account the various means through which bad actors could engage in potential money laundering and other illicit activity. In other words, broker-dealers and mutual funds should consider their size, location, and activities—including the types of transactions customers engage in, the products and services offered to customers, and the means by which those are offered—when determining whether an AML program and related internal controls are reasonably designed to mitigate the risks associated with their businesses.
As firms evolve, they need to re-assess their AML programs to address new and emerging risks and business practices. However, I want to stress that OCIE is not here to second guess decisions firms have made regarding implementation of their AML compliance programs or whether to file Suspicious Activity Reports (commonly referred to as SARs), provided those decisions appear reasonable under existing regulatory guidance as well as the firms’ own business activities and risk-based policies and procedures.
For example, firms need to take reasonable steps to follow up on red flags identified through their transaction monitoring in order to determine whether to file a SAR. If a firm becomes aware of possible weaknesses or failures in its AML compliance programs or transaction monitoring, the firm must not ignore the problem, but rather take steps to address those weaknesses or failures. To the extent that firms are relying on automated systems for transaction monitoring, firms should make sure those systems are operating effectively in terms of the quality and integrity of the data flowing into the systems as well as the quality of the transaction alerts generated for additional review. This is where a firm’s obligation to conduct independent testing to assess its compliance can be especially useful in identifying weaknesses and failures of the firm’s AML program. Unfortunately, OCIE examiners continue to identify firms that are not conducting independent tests, are not conducting tests on a timely basis, or conduct ineffective tests that cannot identify failures in the firm’s AML program.
B. Customer Due Diligence Rule
I would like to take a few minutes to discuss FinCEN’s customer due diligence rule (“CDD Rule”) which was issued in May 2016 and became effective in May 2018. The CDD Rule clarifies and strengthens customer due diligence requirements for broker-dealers and mutual funds, and adds a new requirement to identify, and verify the identity of, beneficial owners of legal entity customers.
Specifically, the CDD Rule requires broker-dealers, mutual funds and other covered financial institutions to establish and maintain policies and procedures reasonably designed to (among other things) understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile, and to conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintain and update customer information. These requirements apply to all customer relationships. In addition, the CDD Rule includes a requirement that broker-dealers and mutual funds establish and maintain policies and procedures reasonably designed to identify and verify the beneficial owners (e.g., individuals) of legal entity customers.
It is critical that risk and control professionals responsible for broker-dealers and mutual funds educate themselves on these requirements and develop and implement reasonable policies, procedures and controls to comply with them. As we get further away from last May’s effective date, OCIE expects to see that firms have made the necessary improvements to their policies, procedures and controls to ensure their compliance with these requirements.
To that end, I want to highlight for you that OCIE has established a Source Tool resource to assist broker-dealers and mutual funds with their AML compliance available from the OCIE’s portion of the SEC’s website. The Source Tool includes a compilation of key AML laws, rules, orders, and guidance applicable to broker-dealers and mutual funds. Please remember the Source Tool is a point-in-time summary, meant to aid your research efforts into AML requirements. As such, the Source Tool is a helpful jumping-off point—it is not a substitute for the underlying statutes, rules, orders, and interpretations or legal advice, and firms should not rely solely on the Source Tool for their compliance.
III. Microcap Securities
Similarly, investing in microcap securities is an area of heightened risk for retail investors, and eliminating microcap fraud remains a priority for the Commission and OCIE. OCIE will continue to examine broker-dealers involved in selling stocks of companies with a market capitalization of under $250 million, consistent with its priorities and the protection of Main Street investors. OCIE remains vigilant in reviewing for pump and dumps, and other manipulative market schemes that put investors’ funds at risk.
Recently, SEC Chairman Jay Clayton and Division of Trading and Markets Director Brett Redfearn gave remarks on a number of equity market structure matters—including areas relating to microcap securities. I encourage you to review their published remarks. OCIE will be working alongside the Division of Trading and Markets to help inform policy and support their initiatives, while also promoting investor protection and strong compliance. OCIE plans to examine the role of transfer agents in the issuance of microcap securities and the removal of legends from restricted stocks. OCIE also plans to examine firms’ adherence to the detailed quotation requirements of Exchange Act rule 15c2-11, especially following microcap trading suspensions that break the continuous quotation “piggyback exception” that many firms rely upon. We encourage firms to scrutinize red flags of manipulation, fraud, and inaccurate issuer information when publishing quotations of over-the-counter securities in connection with Rule 15c2-11. As a secondary issue, OCIE will also examine firms’ compliance with the locate requirements of Regulation SHO, whether on behalf of customers or when claiming an exemption.
These are important protections designed to prevent fraud and manipulative trading that could harm investors. Consequently, OCIE will examine both for underlying violations, as well as to ensure that firms have appropriate policies, procedures and controls in place that are reasonably designed to prevent violations.
IV. Protection of Customer Funds
I would like to turn now to an additional area of risk, the role transfer agents, broker-dealers and mutual fund complexes play as paying agents. OCIE recently issued a risk alert on the topic of Transfer Agent Safeguarding of Funds and Securities. I encourage not only transfer agents, but also broker-dealers and mutual fund complexes—all firms that may act as paying agents—to review the alert because it identifies risks and common findings from OCIE examinations, and details examples of robust policies, procedures and controls that firms may find helpful. Today I want to spend a few minutes highlighting two themes from the risk alert: (1) lost securityholders and (2) the safeguarding and customer protection rules.
A. Lost Securityholders
In some circumstances, transfer agents may be unable to distribute shareholder funds as intended. Checks may be returned as undeliverable, shareholders may receive a check but never cash it, or electronic banking instructions may be inaccurate. When this happens, shareholder funds may remain in a firm’s bank accounts for years until the funds are escheated per relevant state statute. Rule 17Ad-17 of the Exchange Act (the “Lost Securityholder/Unresponsive Payee Rule”) requires transfer agents and covered broker-dealers to conduct searches for lost securityholders and send notices to lost payees, within specified timeframes. OCIE’s recent risk alert can be helpful as you think through operations, procedures and controls at your particular firm. It summarizes common weaknesses and identifies improvements that firms may wish to consider. This is a good opportunity to ensure that your firm has the necessary policies, procedures and controls in place to ensure compliance with the lost securityholder rule—including keeping accurate records of notices sent and databases searched.
B. Safeguarding and Customer Protection Rules
Safeguarding of client funds is at the bedrock of investor protection, and underlies much of what we do as compliance and operations professionals. Although many firms have long worked within a framework of customer protection, custody, and safeguarding of clients’ assets, we should never become so complacent that we do not check to ensure our frameworks are solid. In OCIE’s recent Safeguarding risk alert, the examination staff details recent examples of misappropriation and theft of clients’ funds and assets, as well as common weaknesses in policies and procedures. OCIE is committed to investor protection and ensuring that Main Street retail investors’ faith and confidence in our industry and markets is well founded.
Likewise, it is a priority for OCIE to examine broker-dealers for compliance with the Customer Protection rule and ensure investors are protected by comprehensive policies and procedures that reduce risks and prevent harm. There have been many changes in technology since these rules were first adopted. Please consider these changes, and new and emerging risks applicable to your business, and evaluate your firm’s control environment and processes for safeguarding customer funds in its possession or control. I encourage you to review OCIE’s recent risk alert as you assess your programs. Strong safeguards protect investors, firms and the marketplace—and are in everyone’s interest.
V. Cybersecurity and Technology Controls
Protecting retail investors by ensuring firms have cybersecurity and technology controls is an important element of the examination program, and has been a top OCIE priority for several years. Today, in the interest of time, I will share a few remarks on Regulation S-P and the importance of hardware security. I also want to encourage everyone to read more about OCIE’s recent findings in these areas. OCIE just published a detailed risk alert (available on our website) which goes into greater depth than what I will have time to discuss today.
A. Protecting Customer Information
As you are aware, Regulation S-P, among other things, requires covered financial institutions with retail customers to implement policies and procedures reasonably designed to protect customer information from unauthorized access, protect against any anticipated threats or hazards to the security or integrity of this information, and ensure the security and confidentiality of this information. OCIE staff also recently identified security risks associated with the storage of customer information in various network storage solutions, including those that leverage cloud technology.
OCIE examination teams observed that some firms’ policies and procedures did not cover standard security features such as encryption, password protection, or other available tools designed to limit access to information. Some firms’ policies and procedures did not address the configuration of security settings on storage solutions to protect against unauthorized access. In some cases, firms’ policies and procedures did not sufficiently address requirements for implementing secure configurations (especially in cloud storage), nor did firms adequately oversee vendors to ensure the effective implementation of their solutions.
Strong and effective cybersecurity is critical to protecting clients’ and consumers’ privacy. As covered financial institutions move to the cloud and utilize third-party technology providers, they need to ensure their policies and procedures are updated to keep pace with change. It is important to include comprehensive vendor management as a component of an overall cybersecurity approach and ensure the proper security configuration management of network and cloud storage used for customer data.
B. Hardware Security
I also want to take a moment to reiterate the importance of establishing policies and procedures to secure hardware such as mobile devices, servers, hard drives, and laptops. Even once deactivated and removed from service, these devices may still contain data required to be retained by Commission rules. Additionally, these devices may also contain sensitive customer information or other data that could be utilized to compromise the integrity of a firm’s technology systems.
Firms should assess their policies and procedures for inventorying, deactivating, and removing physical devices on their networks, as well as those designed to prevent the loss of sensitive data. Inadequate policies and procedures could result in harm to investors or the firm, and could be deficient under the federal securities laws.
In closing, I want to leave you today with a few parting thoughts. Strong compliance programs incorporate legal requirements and essential controls that are periodically reviewed and updated. As firms are confronted with technology-driven changes, new regulatory requirements, and changes to their mix of products and services, they need to adapt to ensure their compliance programs and internal controls remain effective. As firms identify ineffective policies, procedures, or controls, they need to make changes and improvements.
It is important not to wait until the regulator is at your doorstep to come into compliance with a new regulation. Striving to stay current on recent regulatory developments will help you to be well prepared for the questions an OCIE examiner will ask about when and how you addressed new requirements. I hope to leave you with the thought that OCIE wants you to be in compliance, and OCIE wants to find robust compliance systems and strong controls when we examine your firm. This is why OCIE is continually trying to find ways to be as transparent as possible about what it is doing, and what it is finding. This is also why OCIE publishes its priorities and risk alerts and speaks at outreach events and conferences.
It has been my experience that OCIE’s goals of promoting effective compliance and investor protection are nearly always echoed by the dedicated work of Chief Compliance Officers (CCOs) and operations professionals I have the pleasure of speaking with—many of whom are here today. I oftentimes view you as the investor’s first line of defense, and as the first line of defense for your firm. And as much as it is OCIE’s job to conduct the rigorous inspections and examinations it is known for, OCIE should also strive to provide you with the information and guidance needed to make your own compliance more effective, more efficient, and stronger—because it benefits America’s Main Street investors. With that in mind, I encourage you to reach out and share your views on how OCIE can improve—including any areas where you feel additional guidance or clarification would be useful. Let us know how OCIE can help you, ultimately to help investors. I look forward to hearing from you.
# # #
* The Securities and Exchange Commission (“SEC” or “Commission”) disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author’s views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.
Office of Compliance Inspections and Examinations, 2019 Examination Priorities (Dec. 20, 2018), available at https://www.sec.gov/files/OCIE%202019%20Priorities.pdf (hereafter “2019 Priorities”).
See 31 C.F.R. § 1010.810(b)(6). See generally, Kevin W. Goodman, Anti-Money Laundering: An Often-Overlooked Cornerstone of Effective Compliance, Sec. Exch. Comm. (June 18, 2015), available at https://www.sec.gov/news/speech/anti-money-laundering-an-often-overlooked-cornerstone.html.
31 C.F.R. § 1023 (broker-dealers); 31 C.F.R. § 1024 (mutual funds); see also FINRA Rule 3300.
See FinCEN Advisory FIN-2016-A005, Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, Fin. Crimes Enf. Network (Oct. 25, 2016), available at https://www.fincen.gov/sites/default/files/advisory/2016-10-25/Cyber%20Threats%20Advisory%20-%20FINAL%20508_2.pdf.
OCIE Risk Alert, Observations from Cybersecurity Examinations, Sec. Exch. Comm. (Aug. 7, 2017), available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf; OCIE Risk Alert, Broker-Dealer Controls Regarding Customer Sales of Microcap Securities, Sec. Exch. Comm. (Oct. 9, 2014), available at https://www.sec.gov/about/offices/ocie/broker-dealer-controls-microcap-securities.pdf.
See Financial Crimes Enforcement Network, Anti-Money Laundering Programs for Mutual Funds, 67 Fed. Reg. 21117, 21119 (Apr. 29, 2002), available at https://www.sec.gov/about/offices/ocie/amlmf/67fr21117.pdf (noting that, “[t]he general nature of the requirement reflects Congress’ intent that each financial institution should have the flexibility to tailor its program to fit its business, taking into account factors such as size, location, activities, and risks or vulnerabilities to money laundering. This flexibility is designed to ensure that all firms subject to the statute, from the largest to the very small firms, have in place policies and procedures appropriate to monitor for anti-money laundering compliance.”). Regulators enforce these requirements against firms with inadequate AML programs. See Exchange Act Release No. 84828, Advisers Act Release No. 5075 (Dec. 17, 2018); FINRA Letter of Acceptance, Waiver and Consent No. 2012034427001, RE: UBS Financial Services, Inc. (Dec. 17, 2018), available at https://www.finra.org/sites/default/files/UBS_AWC_121718.pdf; U.S. Dep’t of the Treasury, Fin. Crimes Enforcement Network, Assessment of Civil Money Penalty, In the Matter of UBS Financial Services, Inc., No. 2018-03 (Dec. 11, 2018).
Cf. In the Matter of Vision Financial Markets LLC, Exchange Act Release No. 85460 (Mar. 29, 2019) (settled action involving a firm that failed to update its AML policies and procedures when it moved into a new business of clearing penny stocks, resulting in an AML program “not reasonably tailored to the risks associated with [the firm’s] low-priced securities clearing business.”).
FINRA has published helpful AML guidance to assist small firms in establishing an appropriately tailored AML program. See FINRA, “Anti-Money Laundering (AML) Template for Small Firms,” available at https://www.finra.org/industry/anti-money-laundering-template-small-firms (last visited April 2, 2019).
See, e.g., In the Matter of Merrill Lynch, Pierce, Fenner & Smith, Inc., Exchange Act Release No. 82382, Advisers Act Release No. 4831 (Dec. 21, 2017) (settled action noting failures in the implementation and quality of automated monitoring and a lack of appropriate follow-up) (herein “Merrill”); see also In the Matter of COR Clearing, LLC, Exchange Act Release No. 84309 (Sept. 28, 2018) (settled action involving failures to implement an appropriate AML program and to appropriately follow up on red flags generated by an automated surveillance system) (herein “COR Clearing”).
See, e.g., In the Matter of Aegis Capital Corporation, Exchange Act Release No. 82956 (Mar. 28, 2018) (settled action finding failures in the firm’s AML program, including a failure to follow its own written supervisory procedures or appropriately file SARs despite receiving numerous alerts and red flags); see also In the Matter of Wells Fargo Advisors, LLC, Adm. Proc. File No. 3-18279 (Nov. 13, 2017) (settled action citing the firm for its failure to properly file continuing activity SARs despite having procedures requiring it to review for continuing activity both after an initial SAR was filed and while the account remained open).
See Merrill and COR Clearing, supra note 9.
See 31 C.F.R. § 1023.210(b)(2) (requiring independent testing for AML program compliance to be conducted by the broker-dealer’s personnel or by a qualified outside party); 31 C.F.R. § 1024.210(b)(2) (requiring independent testing for AML program compliance to be conducted by the mutual fund’s personnel or by a qualified outside party).
Dep’t of the Treasury, Financial Crimes Enforcement Network, Customer Due Diligence Requirements for Financial Institutions, 81 Fed. Reg. 29398 (May 11, 2016) (effective May 11, 2018), available at https://www.govinfo.gov/content/pkg/FR-2016-05-11/pdf/2016-10567.pdf.
31 C.F.R. § 1023.210(b)(5) (broker-dealers); 31 C.F.R. § 1024.210(b)(5) (mutual funds).
31 C.F.R. § 1010.230.
See Office of Compliance Inspections and Examinations, Anti-Money Laundering (AML) Source Tool for Mutual Funds, Sec. Exch. Comm. (Feb. 15, 2019), available at https://www.sec.gov/about/offices/ocie/amlmfsourcetool.htm; Office of Compliance Inspections and Examinations, Anti-Money Laundering (AML) Source Tool for Broker-Dealers, Sec. Exch. Comm. (Oct. 4, 2018), available at https://www.sec.gov/about/offices/ocie/amlsourcetool.htm.
2019 Priorities, supra note 1, at 8.
Chairman Jay Clayton and Director Brett Redfearn, Equity Market Structure 2019: Looking Back & Moving Forward, Sec. Exch. Comm. (Mar. 8, 2019), available at https://www.sec.gov/news/speech/clayton-redfearn-equity-market-structure-2019.
17 C.F.R. § 240.15c2-11(f)(3)(i).
See Appendix, Publication or Submission of Quotations Without Specified Information, Exchange Act Release No. 41110 (Feb. 25, 1999), 64 Fed. Reg. 11124 (Mar. 8, 1999).
17 C.F.R. § 242.203(b)(1).
See OCIE Risk Alert, Transfer Agent Safeguarding of Funds and Securities, Sec. Exch. Comm. (Feb. 13, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Transfer%20Agent%20Safeguarding.pdf.
17 C.F.R. § 240.17Ad-17.
See “Broker-Dealers; Maintenance of Certain Basic Reserves,” 37 Fed. Reg. 25224, 25226 (Nov. 28, 1972), Exchange Act Release No. 34-9856 (adopting the Customer Protection Rule and noting that “Rule 15c3-3 represents the first comprehensive program undertaken by the Commission to provide regulatory safeguards over customers’ funds and securities held by broker-dealers.”), codified at 17 C.F.R. § 240.15c3-3; see also “Lost Securityholders,” 62 Fed. Reg. 52229 (Oct. 7, 1997), Exchange Act Release No. 34-39176, File No. S7-21-96 (adopting Rule 17Ad-17) (codified at 17 C.F.R. § 240.17Ad-17).
See supra note 23.
17 C.F.R. § 240.15c3-3.
See 2019 Priorities, supra note 1, at 8.
See 2019 Priorities, supra note 1, at 11; see also Office of Compliance Inspections and Examinations, 2018 National Exam Program Examination Priorities 9 (Feb. 7, 2018), available at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2018.pdf; Office of Compliance Inspections and Examinations, Examination Priorities for 2017 4 (Jan. 12, 2017), available at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf; Office of Compliance Inspections and Examinations, Examination Priorities for 2016 3 (Jan. 11, 2016), available at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2016.pdf; Office of Compliance Inspections and Examinations, Examination Priorities for 2015 3 (Jan. 13, 2015), available at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf; Office of Compliance Inspections and Examinations, Examination Priorities for 2014 7 (Jan. 9, 2014), available at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf.
See OCIE Risk Alert, Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies, Sec. Exch. Comm. (Apr. 16, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf.
See “Privacy of Consumer Financial Information (Regulation S-P),” 65 Fed. Reg. 40334 (June 22, 2000), Rel. Nos. 34-42974, IC-24543, IA-1883, File No. S7-6-00 (adopting Regulation S-P), available at https://www.sec.gov/rules/final/34-42974.htm; 17 C.F.R. § 248.30.
See 2019 Priorities, supra note 1, at 11. See also OCIE Risk Alert, Observations from Cybersecurity Examinations, Sec. Exch. Comm. (Aug. 7, 2017), available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.