United States Government Accountability Office GAO Report to Congressional Committees May 2012 SECURITIES REGULATION Opportunities Exist to Improve SEC’s Oversight of the Financial Industry Regulatory Authority GAO-12-625 May 2012 SECURITIES REGULATION Opportunities Exist to Improve SEC’s Oversight of the Financial Industry Regulatory Authority Highlights of GAO-12-625, a report to congressional committees Why GAO Did This Study What GAO Found SEC oversees FINRA, which is Historically, the Securities and Exchange Commission’s (SEC) oversight of the charged with regulatory oversight of all Financial Industry Regulatory Authority’s (FINRA) programs and operations securities broker-dealers conducting varied, with some programs and operations receiving regular oversight and business with the public in the United others receiving limited or no oversight. Through its inspection process, SEC States. In light of recent events in the conducted routine and special inspections of various aspects of FINRA financial markets, SEC and FINRA regulatory programs, including examinations, surveillance, and enforcement have faced questions about their programs. SEC has also conducted routine inspections of FINRA’s advertising oversight roles. The Dodd-Frank Wall and arbitration programs but not as frequently as it had planned. SEC has also Street Reform and Consumer regularly reviewed FINRA proposed rule changes that are subject to SEC Protection Act required GAO to study approval to determine consistency with the Securities Exchange Act of 1934 and SEC’s oversight of national securities associations registered under section related rules and regulations. However, neither SEC nor FINRA conducts 15A of the Securities Exchange Act of retrospective reviews of FINRA’s rules. GAO and others have reported on the 1934, a provision which applies only to usefulness of retrospective reviews as they allow agencies to assess the FINRA. This report examines (1) how effectiveness of their rules, and some federal financial regulators, including SEC, SEC has conducted oversight of have begun pursuing plans to conduct retrospective reviews of their rules in light FINRA, including FINRA rule proposals of a recent executive order that encourages independent regulatory agencies to and the effectiveness of its rules, and do so. By not conducting these reviews, FINRA may be missing an opportunity to (2) how SEC plans to enhance its systematically assess whether its rules are achieving their intended purpose and oversight of FINRA. To address these take appropriate action, such as maintaining rules that are effective and objectives, GAO reviewed SEC modifying or repealing rules that are ineffective or burdensome. Further, by not documentation, policies and reviewing what steps FINRA takes in reviewing its existing rules, SEC may not procedures for inspections of FINRA capture sufficient information to form an opinion about FINRA’s efforts to review and reviews of FINRA rule proposals; its rules. Further, SEC has conducted limited or no oversight of other aspects of reviewed documentation on SEC’s FINRA’s operations, such as governance and executive compensation. plans for enhanced FINRA oversight; According to SEC, these operations were not historically considered due to and interviewed SEC and FINRA competing priorities and resource constraints. Specifically, SEC officials said that officials. SEC focused its resources on FINRA’s regulatory departments, which were What GAO Recommends perceived as programs that have the greatest impact on investors. SEC should encourage FINRA to SEC is in the process of enhancing and expanding its oversight of FINRA using a conduct retrospective reviews of its more risk-based approach. To assess the risks facing FINRA, SEC has collected rules and establish a process for a substantial amount of information on FINRA’s regulatory programs and examining FINRA’s reviews, and SEC operations, including for programs and operations of FINRA for which it has not should follow all elements of a risk- previously conducted oversight. SEC has analyzed the information it collected, management framework in developing and, according to SEC staff, will use this information as it implements its its future oversight plans. SEC enhanced risk-based oversight of FINRA later this year. SEC has followed some generally agreed with GAO’s elements GAO has previously found to be important in a risk-management recommendations. framework, but officials have not articulated or documented how they will implement all of the elements, such as considering alternative oversight approaches and monitoring the effectiveness of its oversight. Incorporating these other elements will better position SEC to prioritize evolving and varying risks, evaluate alternatives, and monitor its oversight efforts. Without such elements, SEC may be missing opportunities to take a more comprehensive, risk-based approach in overseeing FINRA. View GAO-12-625. For more information, contact A. Nicole Clowers at (202) 512-8678 or firstname.lastname@example.org. United States Government Accountability Office Contents Letter 1 Background 3 The Level of SEC’s Oversight of FINRA’s Programs and Operations Has Varied 7 SEC’s Efforts to Enhance Oversight of FINRA Could Benefit from Following All Elements of a Risk-Management Framework 17 Conclusions 25 Recommendations for Executive Action 26 Agency Comments 26 Appendix I Scope and Methodology 28 Appendix II Comments from the Securities and Exchange Commission 32 Appendix III GAO Contact and Staff Acknowledgments 34 Table Table 1: SEC’s Oversight of FINRA, 2005 to 2010 7 Figure Figure 1: Elements of a Risk-Management Framework 23 Page i GAO-12-625 SEC Oversight of FINRA Abbreviations COSO Committee of Sponsoring Organizations of the Treadway Commission Dodd-Frank Act Dodd-Frank Wall Street Reform and Consumer Protection Act Exchange Act Securities Exchange Act of 1934 FINRA Financial Industry Regulatory Authority NASD National Association of Securities Dealers, Inc. NYSE New York Stock Exchange OCIE Office of Compliance Inspections and Examinations SEC Securities and Exchange Commission SIFMA Securities Industry and Financial Markets Association SRO self-regulatory organization This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Page ii GAO-12-625 SEC Oversight of FINRA United States Government Accountability Office Washington, DC 20548 May 30, 2012 The Honorable Timothy Johnson Chairman The Honorable Richard C. Shelby Ranking Member Committee on Banking, Housing, and Urban Affairs United States Senate The Honorable Spencer T. Bachus Chairman The Honorable Barney Frank Ranking Member Committee on Financial Services House of Representatives The securities industry is generally regulated by a combination of direct Securities and Exchange Commission (SEC) regulation and industry self- regulation with SEC oversight. Congress adopted self-regulation, as opposed to direct federal regulation of the securities markets, to prevent excessive government involvement in market operations, which could hinder competition and market innovation. Also, Congress concluded that self-regulation with federal oversight would be more efficient and less costly to taxpayers. As regulators, self-regulatory organizations (SRO) such as national securities exchanges and associations, have responsibility for much of the day-to-day oversight of the securities markets and broker-dealers under their jurisdiction. Specifically, SROs are primarily responsible for establishing the standards under which their members conduct business; monitoring the way that business is conducted; and bringing disciplinary actions against their members for violating applicable federal statutes, SEC’s rules, and their own rules. SEC oversees SROs to ensure that they are carrying out their regulatory responsibilities. The Financial Industry Regulatory Authority (FINRA), an SRO and the only registered national securities association, has regulatory oversight of all securities broker-dealers doing business with Page 1 GAO-12-625 SEC Oversight of FINRA the public in the United States. 1 In particular, FINRA oversees almost 4,500 brokerage firms and approximately 630,000 registered securities representatives and provides regulatory services for approximately 80 percent of the trading volume in U.S. equity markets. For industry self-regulation to function effectively, SEC must ensure that SROs are fulfilling their regulatory responsibilities. SEC oversees FINRA primarily by inspecting its operations and examination programs and reviewing its proposed rule changes. However, over the last few years, and specifically in light of recent events in the financial markets, SEC and FINRA have faced questions about their oversight roles. These questions include the fairness of FINRA’s arbitration practices, the rules it crafts related to oversight of broker-dealers, the limited transparency in its investment practices and corporate governance, and SEC’s ability to effectively oversee FINRA. Section 964 of the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) requires us to review SEC’s oversight of national securities associations registered under section 15A of the Securities Exchange Act of 1934 (Exchange Act), a provision that solely applies to FINRA. 2 Specifically, Section 964 identifies several aspects of SEC’s oversight of FINRA for our review, including examinations, effectiveness of FINRA’s rules, arbitration services, advertising regulation, governance, executive compensation, cooperation with state securities regulators, funding, and policies regarding former FINRA employees. This report examines (1) how SEC has conducted oversight of FINRA, including FINRA rule proposals and the effectiveness of its rules, and (2) how SEC plans to enhance its oversight of FINRA. To address these objectives, we reviewed and assessed SEC documentation, procedures and guidance for inspections of FINRA. To describe SEC’s oversight of FINRA’s examination programs and selected services and operations, we evaluated SEC’s planning documentation 1 SEC approved the establishment of the Financial Industry Regulatory Authority (FINRA) in July 2007. FINRA is the result of the consolidation of the former National Association of Securities Dealers, Inc. (NASD) (which regulated the over-the-counter market for exchange-listed and nonexchange-listed securities and provided regulatory services to markets such as the American Stock Exchange and the NASDAQ Stock Market) and the member regulation, enforcement, and arbitration operations of NYSE Regulation, Inc. 2 Pub. L. No. 111-203, § 964(a),124 Stat. 1376, 1910 (2010). Page 2 GAO-12-625 SEC Oversight of FINRA and analyzed SEC’s inspection reports from 2005 to 2010 to understand the details of the reviews and the examination areas targeted by SEC. To describe how SEC has overseen FINRA rule proposals, we reviewed and analyzed SEC’s documentation on SRO rulemaking policies and procedures, including procedures for approving proposed rule changes. We also interviewed officials from SEC’s Division of Trading and Markets (Trading and Markets) as well as FINRA to understand what methods or measures they use to assess the effectiveness of FINRA’s rules. To determine what steps SEC has taken or plans to take to enhance its oversight of FINRA, we interviewed officials from SEC’s Office of Compliance Inspections and Examinations (OCIE) about plans they have been developing for oversight of FINRA and reviewed OCIE documentation related to these plans. We also reviewed OCIE’s preliminary analysis of information collected from FINRA on its regulatory programs and operations related to areas identified in Section 964 of the Dodd-Frank Act, and the extent to which OCIE’s plans to enhance its oversight address these areas. We also interviewed other stakeholders such as the Securities Industry and Financial Markets Association (SIFMA) and selected members of SIFMA who are also members of FINRA, as well as a citizen advocacy group. Appendix I contains additional information on our scope and methodology. We conducted our work from August 2011 through May 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Congress established SEC in 1934 to enforce the Securities Act of 1933 Background and the Exchange Act. SEC’s mission is to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation by overseeing key participants in the securities markets, including SROs, securities broker-dealers, investment advisers, and mutual funds. The agency’s functional responsibilities are organized into five divisions and 18 offices. Of the 18 offices, OCIE is the largest—with approximately 825 employees—and is responsible for SEC’s nationwide examination and Page 3 GAO-12-625 SEC Oversight of FINRA inspection program. 3 Individual groups within OCIE have oversight responsibility for SROs, broker-dealers, and investment advisers. OCIE’s Market Oversight group examines SROs to ensure that they and their members comply with applicable federal securities laws and SRO rules. As of April 2012, there are 33 employees assigned to the Market Oversight group. Consistent with its oversight responsibilities for other SROs, SEC is responsible for ensuring that FINRA carries out its regulatory responsibilities related to oversight of broker-dealers. 4 FINRA’s responsibilities include registering and examining all securities firms doing business with the public, writing rules and enforcing them, as well as enforcing federal securities laws, and informing and educating the investing public. One of SEC’s principal oversight mechanisms for FINRA and other SROs is conducting inspections. Historically, OCIE has conducted both routine and special inspections of SROs. Routine inspections focused on a particular program area during each inspection, based on factors such as the commission’s priorities, previously completed inspections, and enforcement actions. Special inspections arose from a tip or a need to follow up on past inspection findings and recommendations. Special inspections have included sweep inspections, whereby OCIE probed specific activities of all SROs it oversees or a sample of them to identify emerging compliance issues. Another principal oversight mechanism for SEC is its authority to review and, where applicable, approve SRO proposed rules and proposed changes to existing rules, including those submitted by FINRA. 5 Section 19(b)(2) of the Exchange Act, as amended, and related rules and regulations, contain the requirements for SRO proposed rule changes 3 This includes OCIE examination staff in headquarters and regional offices. 4 In addition to FINRA, SEC oversees more than 20 other SROs, including national stock exchanges, such as the New York Stock Exchange, NASDAQ, and Chicago Options Board Exchange, registered clearing agencies, and the Municipal Securities Rulemaking Board. 5 Securities Exchange Act of 1934, Pub. L. No. 73-291, 48 Stat. 881 (codified at 15 U.S.C. § 78a et seq.). Page 4 GAO-12-625 SEC Oversight of FINRA that are subject to SEC approval. 6 These requirements include that an SRO file a proposed rule change with SEC and publish it on a publicly available website. 7 SEC then sends a notice of the proposed rule change to the Federal Register and allows interested persons the opportunity to submit written comments concerning the proposed rule change. 8 Concurrently, SEC reviews the proposed rule change and, if applicable, considers public comments and the SRO’s response. SEC then determines whether the proposed rule change is consistent with the requirements of the Exchange Act and Exchange Act rules and regulations that are applicable to the SRO. SEC has delegated authority to the Trading and Markets Division to approve proposed rule changes. 9 With the passage of the Dodd-Frank Act, SEC can now directly disapprove proposed rule changes that are subject to SEC approval if it does not find that they are consistent with the Exchange Act. 10 SEC also may choose to institute proceedings to determine whether to disapprove a proposed rule change that is subject to its approval if it does not 6 Certain proposed rule changes designated by an SRO pursuant to Section 19(b)(3)(A) of the Exchange Act become effective upon filing and do not require approval by SEC before they go into effect. SEC may suspend the proposed rule change within 60 days of the filing date if it appears to SEC that such action is necessary or appropriate in the public interest, for protection of investors, or in furtherance of the purposes of the Exchange Act. If SEC takes such action, it must institute proceedings to determine whether to approve or disapprove the proposed rule. 15 U.S.C. § 78(b)(3). 7 The proposed rule change must contain a general statement of its basis and purpose. 8 SEC must send notice of the proposed rule change to the Federal Register within 15 days of the SRO’s website publication date. 15 U.S.C. § 78s(b)(2)(E). The SRO must publish the proposed rule change on its website within 2 business days of filing with the SEC. 17 C.F.R. § 240.19b-4(l). 9 The Division of Trading and Markets helps SEC maintain fair, orderly, and efficient markets by providing day-to-day oversight of the major securities market participants, such as the securities exchanges, securities firms, and SROs. Its responsibilities include, among others, reviewing proposed new rules and proposed changes to existing rules filed by SROs, assisting SEC in establishing rules and issuing interpretations on matters affecting the operation of the securities markets, and conducting market surveillance. 10 Prior to the Dodd-Frank Act, SEC could either approve a rule upon an initial review or institute proceedings to determine whether a proposed rule should be disapproved. Page 5 GAO-12-625 SEC Oversight of FINRA approve or disapprove it directly upon its initial review. 11 SEC concludes its review of a proposed rule change by issuing an approval or a disapproval order. 12 Section 967 of the Dodd-Frank Act directed SEC to engage an independent consultant to examine its internal operations and structure and the need for reform. SEC selected the Boston Consulting Group to conduct the study, and on March 10, 2011, the Boston Consulting Group issued a report on SEC’s organizational and operational structure. The study focused on four specific areas: (1) organizational structure, (2) personnel and resources, (3) technology and resources, and (4) relationships with SROs. The study resulted in a report of Boston Consulting Group’s findings and recommendations, including some related to SEC’s oversight of SROs, and SEC has been working to implement several of these recommendations. Specifically, the report recommended that SEC strengthen its oversight of SROs by developing a set of metrics to assess SRO regulatory effectiveness and suggested that SEC centralize and coordinate its interactions with SROs. SEC has established an SRO working group composed of OCIE and Trading and Markets staff to conduct an evaluation of the current SRO regulatory structure focusing on two areas: (1) disclosures that SROs make, both to the public and SEC, regarding their regulatory operations; and (2) the feasibility of using more defined metrics and standards to assist SEC’s oversight of SROs. OCIE and Trading and Markets have also jointly developed a communication plan to help strengthen the oversight of and coordination with SROs and held an outreach conference in January 2012 with all of the equity and options exchanges, the Municipal 11 The proceedings include SEC providing notice and opportunity for a hearing to consider the potential grounds for approval or disapproval, after which SEC makes a final decision by issuing an approval or disapproval order. The Dodd-Frank Act also amended the Exchange Act to extend the period in which SEC must approve or disapprove a proposed rule change or institute disapproval proceedings from 35 to 45 days. However, SEC may extend the period by an additional 45 days if it publishes the reasons for a determination that a longer period is appropriate or the SRO consents to the longer period. Pub. L. No. 111-203, § 916(a) (codified at 15 U.S.C. §78s(b)(2)(A)). 12 SEC must issue an approval or disapproval order within 180 days of the publication date. However, SEC may extend the period by an additional 60 days if it publishes the reasons for a determination that a longer period is appropriate or the SRO consents to the longer period. If this extension occurs, then SEC has 240 days from the publication date to issue an approval or disapproval order. Page 6 GAO-12-625 SEC Oversight of FINRA Securities Rulemaking Board, and FINRA to discuss issues, such as inspection priorities and the SRO rule filing process. SEC’s oversight of FINRA’s programs and operations varied, with some The Level of SEC’s programs and operations receiving regular oversight and others receiving Oversight of FINRA’s limited or no oversight. Through its inspection process, OCIE conducted routine and special inspections of various aspects of FINRA regulatory Programs and programs, including examinations, surveillance, and enforcement Operations Has Varied programs. Similarly, Trading and Markets has regularly reviewed FINRA’s proposed rule changes to determine compliance with the Exchange Act. However, neither SEC nor FINRA conducts retrospective reviews of FINRA’s rules, which would allow them to evaluate the effectiveness of these rules. SEC also has conducted limited to no oversight of other aspects of FINRA’s operations, such as governance and executive compensation. According to OCIE officials, the limited or no oversight of these FINRA operations were due to competing priorities and resource constraints. Table 1 summarizes SEC’s oversight of FINRA programs and operations identified in Section 964 of the Dodd-Frank Act, which is the focus of our report. Table 1: SEC’s Oversight of FINRA, 2005 to 2010 Frequency of SEC’s reviews Areas for SEC oversight of FINRA Annually or a b identified in Section 964 of the Dodd-Frank Act continuous Occasionally Never c Examinations and expertise of examiners √ Advertising √ Rules √ Arbitration service √ Governance √ Funding √ d Post-employment of former employees √ Executive compensation √ Cooperation with states securities regulators √ Transparency of governance √ Source: GAO analysis of SEC documentation. a Annually refers to SEC having conducted oversight of this area or some aspects of this area on an annual basis. Continuous refers to SEC reviewing FINRA’s rule filings on an ongoing basis. b Occasionally refers to areas for which SEC has not conducted reviews as regularly as it intended or for which it has only reviewed some components of the program or operation. Page 7 GAO-12-625 SEC Oversight of FINRA c Expertise of examiners is not an area for which SEC has historically conducted oversight, but related issues such as training and staffing have been included in its inspections of FINRA. d OCIE formally requested documentation from FINRA related to former FINRA employees and their new employers prior to conducting inspections of FINRA district offices. However, OCIE documented its review of this area in three inspection reports. OCIE Has Historically OCIE has historically conducted routine inspections of various aspects of Conducted Routine and FINRA’s regulatory programs. 13 For example, from 2005 through 2010, Special Inspections of OCIE conducted 29 inspections of FINRA district offices—which conduct the majority of broker-dealer examinations—mostly in accordance with a FINRA’s Regulatory 3-year cycle that existed during that period. 14 In general, these Programs inspections evaluated various FINRA district office regulatory programs, as well as FINRA’s efforts to enforce compliance with federal securities laws and FINRA rules. Specifically, during a district office inspection, OCIE would select several FINRA regulatory programs for review. The following describes the type of issues OCIE included in its routine district office inspections of 3 of FINRA’s 16 regulatory programs: 15 • Routine or cycle examinations: In its routine inspections of FINRA’s examination program, OCIE reviewed FINRA’s cycle examinations of broker-dealers to determine whether FINRA district offices met their goals during the period under review. 16 Through its review of FINRA’s 13 Routine inspections are planned inspections for aspects of FINRA but they vary in the frequency with which they are scheduled to be conducted. According to SEC, numerous factors such as commission priorities, risk analysis, and previous inspections play a role in determining the frequency of the inspections. 14 There are 11 FINRA districts with 15 offices, including Atlanta, Boca Raton, Boston, Chicago, Dallas, Denver, Kansas City, Long Island, Los Angeles, New Jersey, New Orleans, New York, Philadelphia, San Francisco, and Seattle. FINRA’s Long Island office, located in Jericho, New York, is a satellite office of FINRA’s New York district office. The inspections of FINRA’s New York district office included a review of the Long Island office. 15 The 16 FINRA regulatory programs in the district office inspections included routine or cycle examinations; formal disciplinary actions; the prior national exam program surveillance system; statutorily disqualified persons and member firms; branch office examinations; business gifts, gratuities, and courtesies; financial surveillance; employee securities accounts; subordination loan agreements; membership program; clearing agreements; advertising; new member examinations; automated customer account transfer system; cause examinations; and compliance with municipal rules. 16 FINRA’s cycle examinations are designed to determine whether member firms are in compliance with various SEC, FINRA, and Municipal Securities Rulemaking Board rules and regulations. Page 8 GAO-12-625 SEC Oversight of FINRA examination program, OCIE reviewed district offices’ examination scope, completeness of documentation, and analysis of member firms’ compliance to determine whether FINRA’s review was appropriate. 17 • Financial surveillance system: In its routine inspections of this program, OCIE reviewed FINRA’s financial surveillance and whether the district office was periodically monitoring member firms’ business activities and financial conditions. In particular, OCIE reviewed whether the reports generated by the surveillance system were adequate and whether the district office used the surveillance data to focus routine examinations on the riskier areas of a firm’s business. • Formal disciplinary action: In its routine inspections of this program, OCIE reviewed formal disciplinary actions initiated by FINRA district offices during the period under review. For example, OCIE’s inspection assessed whether FINRA district offices’ investigations and sanctions were appropriate. While OCIE selected some programs for review more frequently than others during the period we reviewed (2005-2010), all of FINRA’s 16 regulatory programs were reviewed at least once across the 29 district office inspections. We earlier reported that, according to OCIE officials, OCIE tailored inspections in the past to focus on those areas judged to pose the greatest risk to the SRO or the general market, considering such factors as the amount of time that passed since a particular area was last inspected and the results of past inspections. 18 In these inspections, OCIE identified some deficiencies related to FINRA’s broker-dealer examinations, such as inadequate documentation, insufficient sampling, and the timeliness of reviews. However, OCIE generally found that FINRA’s district offices conducted thorough reviews of their member firms 17 OCIE also previously assessed the quality of FINRA examinations of broker-dealers through its own examinations of broker-dealers that FINRA examined. Although these examinations served as an oversight function, we previously found that they expose firms to duplicative examinations and costs. See GAO, Mutual Fund Industry: SEC's Revised Examination Approach Offers Potential Benefits, but Significant Oversight Challenges Remain, GAO-05-415 (Washington, D.C.: Aug. 17, 2005). As a result, OCIE stopped conducting these inspections in 2011. 18 GAO, Securities and Exchange Commission: Opportunities Exist to Improve Oversight of Self-Regulatory Organizations, GAO-08-33 (Washington, D.C.: Nov. 15, 2007). Page 9 GAO-12-625 SEC Oversight of FINRA and that district offices generally addressed deficiencies from the prior inspection. In addition to the district office inspections, OCIE conducted routine inspections of FINRA’s oversight related to advertising. However, these inspections occurred less frequently than what was stated in OCIE’s planned inspection timelines. 19 In particular, while OCIE’s then existing timelines called for inspections once every 4 years, OCIE conducted inspections of FINRA’s advertising regulatory program in 1998 and 2005. According to OCIE, the timelines were not followed due to resource constraints and competing priorities. In the 1998 and 2005 inspections, OCIE reviewed FINRA’s assessment of communications submitted by member firms to evaluate their compliance with FINRA advertising rules as well as FINRA’s investigation of alleged violations of these rules. 20 In the advertising-related submissions and investigation files reviewed by OCIE in 1998 and 2005, OCIE generally found that FINRA’s review met the requirements of FINRA rules, and the OCIE review team did not identify substantial issues with FINRA’s oversight of member firms. Although OCIE did not meet their proposed timelines for conducting routine inspections of FINRA’s advertising program, our analysis of OCIE’s inspections showed that OCIE also reviewed advertising through other efforts, such as including it in some of the FINRA district office inspections previously discussed. Specifically, OCIE reviewed advertising in at least one FINRA district office each year between 2005 and 2010. In those inspections, OCIE reviewed whether the district offices took steps to ensure that customer communications were appropriately reviewed and approved. OCIE also conducted routine inspections of FINRA’s arbitration program. According to OCIE guidance, OCIE planned to conduct inspections of FINRA’s arbitration program on a 2-year cycle, but it did not follow this planned schedule. OCIE conducted inspections of FINRA’s arbitration program in 2000, 2005, and 2010. The 2000 arbitration program inspection evaluated how FINRA administers various aspects of the 19 FINRA’s advertising regulation program is also referred to as the customer communication program in SEC documentation. 20 For more information on mutual fund advertising and how the regulatory requirements are administered and enforced, see GAO, Mutual Fund Advertising: Improving How Regulators Communicate New Rule Interpretations to Industry Would Further Protect Investors, GAO-11-697 (Washington, D.C.: July 26, 2011). Page 10 GAO-12-625 SEC Oversight of FINRA arbitration program including evaluation of the arbitrators, training, and processing of cases, and OCIE found that FINRA generally processed cases in accordance with its guidance. The 2005 inspection, which inspected the New York Stock Exchange’s (NYSE) arbitration program that later consolidated into FINRA’s arbitration program, identified some deficiencies related to incorrect classifications of some arbitrators, and a lack of sufficient documentation in response to a complaint or negative evaluation regarding an arbitrator. However, OCIE staff found that NYSE either had taken or was taking steps to address these deficiencies. The 2010 inspection of FINRA’s arbitration program focused on a sample of FINRA arbitrators, and OCIE’s report found that FINRA generally followed its internal procedures related to the qualifications and classifications of its pool of arbitrators. The report also found that FINRA generally removed arbitrators from its roster due to inappropriate conduct or if the arbitrator received credible poor evaluations on a consistent basis. OCIE has also conducted special inspections—which can arise from tips or the need to follow up on prior recommendations or enforcement actions—of FINRA regulatory programs, as warranted. For example, OCIE inspected FINRA’s fixed-income regulatory program in 2006 and was in the process of completing a report for another inspection of this program as of May 2012. 21 Further, due to market conditions, the events of May 6, 2010, also known as the “flash crash,” and the dynamic nature of the secondary markets, OCIE has initiated a review of FINRA’s surveillance of high-frequency trading. 22 For this inspection, OCIE examiners plan to evaluate the effectiveness of FINRA’s automated surveillance programs to detect trading abuses related to high-frequency trading and algorithmic trading. OCIE officials explained that competing 21 OCIE is reviewing FINRA’s fixed-income regulatory program, focusing on the effectiveness of FINRA’s surveillances in the markups area and also reviewing trade reporting in corporate and municipal fixed-income instruments. 22 Based on a joint report issued by the Commodity Futures Trading Commission and SEC, on May 6, 2010, the prices of many U.S.-based equity products experienced an extraordinarily rapid decline and recovery. That afternoon, major equity indices in both the futures and securities markets, each already down over 4 percent from their prior-day close, suddenly plummeted a further 5 to 6 percent in a matter of minutes before rebounding almost as quickly. High frequency trading is a subset of algorithmic trading where the high speed with which individuals detect and act on profitable trading opportunities in the marketplace is the defining characteristic. Algorithmic trading is the use of computer and advanced mathematical models to make decisions about the timing, price, and quantity of the market order. Page 11 GAO-12-625 SEC Oversight of FINRA priorities have prevented them from conducting these types of special inspections of SROs on a more frequent basis. Additionally, OCIE conducted other inspections of FINRA (and its predecessor NASD) from 2005 through 2010 that examined other FINRA programs and operations, such as FINRA’s anti-money-laundering review program, front-end cause unit, and internal audit department. Neither SEC nor FINRA SEC’s Division of Trading and Markets regularly reviews FINRA’s rule Has a Formal Process for filings and has a formal process in place for its reviews and decisions Evaluating the related to filings. Trading and Markets reviews FINRA proposed rule changes that are subject to SEC approval to determine whether they are Effectiveness of consistent with the Exchange Act, and related rules and regulations. Implemented FINRA Rules During its review, Trading and Markets determines whether a proposed rule change complies with all of the requirements of Form 19b-4—a form that instructs SROs, including FINRA, to provide required information, presented in a clear and comprehensible manner to enable the public to provide meaningful comment and for SEC to determine whether a proposed rule change is consistent with the Exchange Act. 23 If a proposed rule change does not comply with the form requirements, Trading and Markets rejects the filing. If FINRA re-files the proposed rule change and it is complete, Trading and Markets publishes it for public comment. 24 Trading and Markets then determines whether the proposed rule change is consistent with the Exchange Act and, if subject to SEC approval, approves or disapproves it. 25 From 2009 through 2011, SEC issued more than 400 releases regarding FINRA proposed rule changes. 26 We reviewed a sample of 19 of these releases and found that 23 For example, form 19b-4 requires FINRA to indicate whether the proposed rule change is an initial filing or an amendment to an existing rule as well as whether the proposed rule change is being filed for approval under Section 19(b)(2) or for immediate effectiveness under Sections 19(b)(3)(A) or 19(b)(3)(B). 24 A complete filing is one that complies with all of the form 19b-4 requirements, the guidelines for publication in the Federal Register, and any requirements for electronic filing as published by SEC (if applicable). 25 For some proposed rule changes that are subject to SEC approval, SEC can grant approval on an accelerated basis if it finds good cause to do so and publishes the reason for the finding. 26 SEC releases include rule orders describing SEC’s final decision regarding FINRA proposed rule changes and notices. Page 12 GAO-12-625 SEC Oversight of FINRA SEC consistently provided reasons for approving or disapproving proposed rule changes. 27 Trading and Markets has taken steps to strengthen its review of FINRA proposed rule changes based on recommendations in the Boston Consulting Group study. First, in implementing recommendations from the study, Trading and Markets has developed a more formal structure to consult with OCIE, which has expertise in reviewing and assessing an SRO’s regulatory plan and practices. Trading and Markets officials explained that they previously consulted with OCIE on proposed rule changes when necessary but had done so on an informal basis. Second, SEC has also developed an action plan to address other Boston Consulting Group report recommendations, such as plans to provide additional guidance in order to strengthen and clarify the SRO rule filing process. Third, Trading and Markets officials stated that they are formally tracking complex proposed rule changes under review because Section 916 of the Dodd-Frank Act modified certain procedures under Section 19(b) of the Exchange Act, setting tighter time frames for approving proposed rule changes and imposing stricter consequences if deadlines are not met. For example, under Section 916, if SEC does not send a notice to the Federal Register within 15 days of when FINRA posts the proposed rule change on its website, the publication date defaults to the date of FINRA’s website posting, which shortens the review period. 28 Prior to the Dodd-Frank Act, Trading and Markets officials stated that they tracked complex proposed rule changes for the Commission on an informal basis. Finally, Trading and Markets assisted in organizing SEC’s SRO outreach conference in January 2012 to provide information on, and promote transparency of, the SRO rule filing process. 29 27 We selected for review 19 SEC releases. Specifically, we randomly selected 2 releases for each year from 2009 through 2011, for a total of 18 releases, from the following categories: releases approving proposed rule changes, releases granting accelerated approval of proposed rule changes, and releases notifying the public of immediately effective proposed rule changes. In addition, we reviewed 1 release disapproving a proposed rule change, the only one for the time period reviewed. For more information on our methodology, please see appendix I. 28 FINRA posts all of its proposed rule filings on its website within 2 business days of filing with SEC. 29 Trading and Markets and OCIE conducted an outreach conference in January 2012 to provide information and clarification about the rule-filing process, OCIE’s oversight and inspections of SROs, and other similar areas to the SROs SEC oversees. Page 13 GAO-12-625 SEC Oversight of FINRA While SEC reviews FINRA proposed rule changes, it does not have a formal process for conducting retrospective reviews of FINRA rules. Retrospective reviews assess the effectiveness of FINRA rules after they have been implemented. Trading and Markets officials told us that through the process of soliciting comments and conducting reviews of proposed rule changes, SEC gathers information on the potential effects that they may have on the industry. Moreover, according to officials, OCIE may look at a particular rule after approval through targeted or broad examinations of FINRA’s operations and services if industry participants or others have raised concerns. For example, OCIE officials stated that in one case, they found that fragmentation in the trading of NASDAQ securities was hindering the ability of the National Association of Securities Dealers, Inc. (NASD)—FINRA’s predecessor—to create a complete audit trail and recommended that NASD amend a rule regarding its Order Audit Trail System and require member firms to report complete order information to NASD. However, SEC does not have specific guidance or protocols for conducting retrospective reviews of FINRA’s implemented rules. FINRA also does not have a formal process for conducting retrospective reviews of its rules, but it may review implemented rules informally, according to FINRA officials. FINRA officials stated that there are several mechanisms that they employ in their routine oversight activities that could be used to evaluate the effectiveness of implemented rules. These mechanisms include soliciting feedback from FINRA’s Board of Governors and industry organizations, analyzing customer complaints and arbitration claims, and performing examination and oversight functions related to member and market regulation. FINRA officials also stated that they review existing rules when there are new industry developments. Further, FINRA officials stated that the ongoing consolidation between the NASD and NYSE rulebooks—which was part of FINRA’s creation in 2007—provides an opportunity to evaluate the effectiveness of existing FINRA rules. However, without a more formal process in place to examine its implemented rules, FINRA might miss opportunities to consistently evaluate the effectiveness of its rules. Further, SEC currently does not have a process by which it reviews what steps FINRA takes in reviewing its existing rules, which could result in SEC not capturing sufficient information to form an opinion about FINRA’s efforts to review its rules. OCIE staff is currently reviewing how FINRA’s regulatory programs evaluate the effectiveness of FINRA’s rules and how FINRA’s rulemaking process helps to ensure the effectiveness of its rules. Page 14 GAO-12-625 SEC Oversight of FINRA Recently, federal financial regulators have been encouraged to conduct retrospective reviews of existing rules. In 2011, the President signed Executive Order 13579, which asked independent regulatory agencies, such as SEC, to develop plans for reviewing existing significant regulations. 30 The order encourages these agencies to conduct retrospective reviews of their rules in order to modify or repeal rules that may be ineffective, insufficient, or excessively burdensome. We and others have also reported on the usefulness of retrospective reviews of rules, including their ability to inform policymakers about the design of rules and regulatory programs. 31 Although the financial regulators are not required to follow Executive Order 13579, SEC is developing plans for conducting retrospective reviews of its rulemaking. Specifically, SEC has issued a Federal Register notice soliciting public comments to assist the agency in developing plans for conducting retrospective reviews in response to the executive order. 32 While Executive Order 13579 does not apply to FINRA, its regulatory responsibilities are similar to those of federal financial regulators. 33 Specifically, FINRA proposes many rules and rule changes each year in its regulatory role of overseeing broker-dealers and the markets in which they operate. These rules can have an impact similar to those proposed and implemented by financial regulators, such as SEC. Thus, the Executive Order could provide SEC criteria to encourage FINRA to conduct retrospective reviews of its rules. By not conducting retrospective reviews of its rules, FINRA may be missing an opportunity to assess whether its rules are achieving their intended purpose. 30 Independent regulatory agencies are those defined by 44 U.S.C. § 3502(5). 31 GAO, Reexamining Regulations: Opportunities Exist to Improve Effectiveness and Transparency of Retrospective Reviews, GAO-07-791 (Washington, D.C.: July 16, 2007) 32 Section 610 of the Regulatory Flexibility Act requires independent and other regulatory agencies to review within 10 years of publication any of their rules that have a significant economic impact on a substantial number of small entities. Pub. L. No. 96-354, §3(a), 94 Stat. 1164, 1169 (1980) (codified at 5 U.S.C. § 610). 33 FINRA is an SRO, incorporated in Delaware as a nonprofit entity, and is therefore not an independent regulatory agency. Page 15 GAO-12-625 SEC Oversight of FINRA OCIE Has Conducted OCIE has conducted limited oversight of some aspects of FINRA’s Limited or No Oversight of operations, as described below. Other Aspects of FINRA’s • Governance: SEC has not directly overseen FINRA’s governance but Operations has monitored structural changes of the Board of Governors to ensure that policies and rules related to governance are being appropriately followed. For example, SEC and FINRA officials told us that OCIE has periodically reviewed the composition of FINRA’s board to determine compliance with SRO board-composition requirements. 34 Through its authority to review FINRA rule filings, Trading and Markets also reviews new rules or proposed changes to existing rules related to corporate governance or other governance-related issues. However, SEC has not historically examined issues such as conflicts of interest or recusals related to FINRA’s governance. • Funding: Although OCIE has not examined the sufficiency of FINRA’s funding in the past, OCIE officials told us that they have reviewed FINRA’s annual report and any relevant information to understand FINRA’s finances. For example, OCIE has reviewed this information to determine whether FINRA needs more resources in certain areas, such as training. OCIE officials have not historically focused on the adequacy of FINRA’s funding because of competing priorities and resource constraints. • Employment of former FINRA employees at regulated entities: OCIE’s guidelines for inspections of FINRA district offices included information about examining FINRA examiners who had terminated their employment. In addition, according to OCIE officials, inspections of district offices typically include a review of issues related to former FINRA employees. For example, from 2005 through 2010, OCIE formally requested documentation from FINRA related to former FINRA employees and their new employers prior to conducting inspections of FINRA district offices. OCIE officials provided three inspection reports that documented that this issue was examined in the inspections during this period. 34 FINRA’s governance structure is outlined in its by-laws, which among several qualifications include diverse industry representation of three small, one medium, and three large firms. In 2006, OCIE conducted a special inspection of the NASD Board of Governors election based on a complaint. In its review, OCIE found that NASD generally conducted its election in accordance with its legal obligations and did not find any deficiencies that its staff believe would have changed the outcome of the election. Page 16 GAO-12-625 SEC Oversight of FINRA OCIE has not historically conducted oversight of some areas of FINRA’s programs and operations identified in Section 964, including FINRA’s executive compensation, cooperation with state securities regulators, and transparency of FINRA’s governance. Specifically, OCIE officials told us that they focused their limited resources on FINRA’s regulatory departments which they perceived as programs that have the greatest impact on investors. However, as will be discussed, SEC is currently re- evaluating its oversight of FINRA, including the levels of oversight dedicated to aspects of FINRA’s programs and operations that it has not historically overseen. OCIE is in the process of enhancing and expanding its oversight of SEC’s Efforts to FINRA using a more risk-based approach. In 2010, OCIE transitioned Enhance Oversight of from conducting routine, or cycle-based, inspections of the SROs it oversees, including FINRA, to a more risk-based approach to oversight. FINRA Could Benefit We have previously reported that, according to OCIE officials, in the past from Following All OCIE tailored inspections to focus on areas with the greatest risks and Elements of a Risk- considered the results of past inspections and other factors in planning routine inspections. 35 However, OCIE continued to conduct inspections Management on a cycle-basis. With the transition to a more risk-based inspection Framework process, OCIE officials stated that they are working to focus their resources on the most critical and high-risk areas in their oversight of FINRA and other SROs, rather than continuing to conduct cycle-based inspections. To assess the risks facing FINRA and conduct reviews of FINRA programs, OCIE collected a substantial amount of information on FINRA’s regulatory programs and operations, including those for which it had not previously conducted oversight but which Section 964 of the Dodd-Frank Act identified. OCIE has analyzed the information it collected, and, according to OCIE officials, will use this information as it implements its enhanced risk-based oversight of FINRA later in 2012. While OCIE has followed some elements of a risk-management framework as it has considered its existing and future oversight of FINRA, it has not addressed all elements of the framework. For example, OCIE officials have not articulated or documented how they will select the appropriate alternatives for enhanced oversight and how they will monitor the implementation of OCIE’s oversight. Without doing so, OCIE may be missing opportunities to take a more comprehensive approach to 35 GAO-08-33. Page 17 GAO-12-625 SEC Oversight of FINRA considering all risks and alternatives associated with oversight of FINRA, as well as the monitoring of its future efforts. OCIE Is Assessing FINRA’s With the goal of enhancing its oversight of FINRA, OCIE is working to Risks as Part of Its Efforts assess potential risks FINRA faces. These risks may also affect SEC’s to Enhance and Expand general oversight of the securities industry, and more specifically, how SEC will oversee FINRA. To assess potential risks FINRA faces, OCIE Oversight of FINRA has obtained information and data on various aspects of FINRA’s regulatory programs and operations. This includes information on FINRA’s examinations of broker-dealers, its surveillance programs, arbitration, advertising regulation, and governance. It also has collected information from FINRA’s internal audit reports, and reports prepared by third parties for FINRA. 36 OCIE officials said that they focused their information collection efforts on the areas identified in Section 964 of the Dodd-Frank Act because these were the risks that Congress identified. OCIE officials have analyzed the information they collected for different FINRA programs and operations, including areas that they have previously overseen. • Examinations. According to OCIE’s preliminary analysis of the information collected, OCIE has analyzed the number of examinations FINRA has conducted of member firms as well as the number of examiners that FINRA employed between 2008 and 2010. OCIE has also been reviewing several aspects of FINRA’s examination programs to further develop its risk-based approach, including how FINRA communicates with its members and SEC about its examination programs. For example, according to OCIE’s analysis, OCIE staff are reviewing the extent to which FINRA’s examination process is transparent to its member firms and SEC. OCIE staff are also reviewing how FINRA is filling open examiner positions with well- qualified applicants, and how FINRA trains its examiners. To assess how FINRA has filled examiner positions with well-qualified applicants, OCIE obtained data on recently hired staff in FINRA’s examination program, staff turnover rates, criteria that FINRA uses in 36 FINRA’s internal audit department uses a risk-based approach in developing its plan for audits of FINRA regulatory programs and operations over a 4-year cycle. The approach includes annual risk assessments that assess various types of risks, such as financial and regulatory risks, and the internal controls related to FINRA programs and operations. Page 18 GAO-12-625 SEC Oversight of FINRA determining experience levels of its staff, and guidelines on how FINRA staffs examinations. OCIE also obtained information, such as job descriptions, that outlines education and experience requirements for examiner positions. According to OCIE officials, this information will be used to develop a systematic review of examiner expertise in future inspections of FINRA. OCIE officials are also reviewing how FINRA compensates and trains its examiners, including whether FINRA assesses the adequacy of examiner compensation. • Arbitration. According to OCIE’s analysis, OCIE staff are reviewing FINRA’s documentation and procedures related to arbitrator selection. In addition, OCIE staff are examining staffing levels, staffing changes, and staff compensation in FINRA’s dispute resolution department and FINRA’s procedures for monitoring trends in case filings. OCIE staff are also reviewing information regarding FINRA’s procedures for establishing performance benchmarks for its arbitration program, such as the time to serve claims and appoint arbitrators. • Advertising. OCIE staff are reviewing FINRA’s funding of its advertising regulation department to determine whether it is receiving adequate funding to sufficiently implement, administer, and staff FINRA’s advertising review program. OCIE staff have conducted preliminary analysis on how many member filings each analyst in FINRA’s advertising regulation department is expected to review, the turn-around time for filings, the number of filings submitted relative to the number of staff reviewing them, and supervisory reviews of analysts’ work. According to OCIE officials, this analysis is designed to inform future, risk-based inspections of FINRA’s advertising program and target areas that warrant the most attention. OCIE also collected information on aspects of FINRA’s operations for which OCIE has historically conducted limited or no oversight but which Section 964 of the Dodd-Frank Act identifies. These aspects include oversight related to FINRA’s governance, cooperation with state securities regulators, policies regarding former FINRA employees, executive compensation, and funding. • Governance. According to OCIE’s analysis, OCIE staff are reviewing information board members receive from FINRA management in carrying out their duties and the extent to which governance practices are transparent. OCIE staff are examining the process by which FINRA governors recuse themselves from matters that raise a potential conflict of interest. According to OCIE staff, they are also examining other governance-related issues, such as independence Page 19 GAO-12-625 SEC Oversight of FINRA and fiduciary duties and the expertise and skill sets of FINRA governors. 37 • Cooperation with state securities regulators. OCIE staff have been reviewing the extent to which FINRA communicates effectively with state securities regulators. OCIE staff are also exploring whether any opportunities exist for improving cooperation between FINRA and state securities regulators, as OCIE recognizes the importance of enhanced communication between FINRA and state securities regulators. Such communication could become even more important if FINRA becomes an SRO for investment advisers. Although there are many variations of what an investment advisor SRO could look like, one scenario is that FINRA could share examination authority over certain investment advisers with state regulators alone rather than with state regulators and SEC, as is currently the case with broker- dealers. • Post-employment policies regarding former FINRA employees. OCIE staff have been reviewing FINRA’s written procedures concerning former employees and comparing FINRA and SEC post- employment restrictions to assess whether FINRA could implement additional controls. OCIE staff are also examining policies that FINRA has adopted and take effect in July 2012 that place restrictions on former FINRA officers, such as vice presidents, senior vice presidents, and higher-ranking FINRA executives. These restrictions would prevent a former FINRA officer from appearing in a FINRA disciplinary proceeding for 1 year following the date of that officer’s separation from FINRA. • Executive compensation. OCIE has obtained information and data on FINRA executive compensation, including retirement plans and incentive compensation for its executives. OCIE staff have been reviewing the data, specifically focusing on compensation FINRA pays its senior executives and the annual goals set by FINRA’s Management Compensation Committee. These goals include those that FINRA senior executives must meet to qualify for incentive compensation and the analysis and deliberations undertaken by FINRA, the Management Compensation Committee, and FINRA’s 37 FINRA’s Board is comprised of governors representing various groups and interests, such as small, mid-size, and large firms; investment companies; and the public. Page 20 GAO-12-625 SEC Oversight of FINRA Board of Governors in connection with the award of incentive compensation. According to OCIE’s analysis, OCIE officials are also reviewing the firms or entities that FINRA uses for compensation benchmarking purposes and examining studies conducted by FINRA’s compensation consultant. 38 We reviewed the three most recently completed compensation studies conducted by the consultant—in 2009, 2010, and 2011—and found that these studies concluded that FINRA’s pay levels are appropriate relative to certain comparable regulators, exchanges, and financial services organizations engaged in brokerage or related banking. • Funding. As part of its analysis, OCIE officials are examining FINRA’s annual budget process among other funding-related items. In particular, officials observed budget discussions and interactions during FINRA’s annual planning process between FINRA’s operating departments and divisions, FINRA’s Financial Planning and Initiatives team (which develops FINRA’s budget), senior management, the Finance and Operations Committee, and the Board of Governors. Further, officials are reviewing FINRA’s Board of Governors’ oversight of the budgeting process. OCIE officials have also been assessing issues concerning FINRA’s investment portfolio, such as FINRA decisions related to levels of portfolio contributions to annual spending. In addition, OCIE officials are reviewing FINRA’s management of investment-related conflicts of interest. Finally, as part of its monitoring of FINRA’s resource allocation, OCIE officials are assessing FINRA’s plans to fund an investment adviser oversight program and how FINRA would maintain sufficient funding to fulfill its current core regulatory programs relating to broker-dealers. FINRA has indicated an interest in becoming an SRO for investment advisers if Congress were to approve legislation permitting the creation of one or more SROs for investment advisers. OCIE’s analysis of the information collected on FINRA’s programs and operations is ongoing. OCIE officials anticipate using the information they have collected and analyzed to inform their planning of future oversight of FINRA. According to OCIE officials, implementation of OCIE’s enhanced, risk-based FINRA oversight will begin later in the year. 38 Since 2004, FINRA has retained the services of a consultant to conduct a review each year to provide the Management Compensation Committee with ongoing guidance concerning competitive executive compensation pay levels, overall compensation program structure, and other related compensation matters. Page 21 GAO-12-625 SEC Oversight of FINRA OCIE’s Methodology for While OCIE is engaged in efforts to develop and implement an enhanced Developing Enhanced, risk-based approach to oversight of FINRA, its approach does not follow Risk-Based Oversight of all the elements of a formal risk-management framework. According to OCIE staff, they developed the framework for their risk-based approach, FINRA Could Benefit From in part, by considering the Committee of Sponsoring Organizations of the More Closely Following a Treadway Commission’s (COSO) enterprise management framework. 39 Risk-Management COSO’s enterprise risk-management framework contains eight Framework components for managing risk: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. However, OCIE officials explained that they modified this framework to focus on three elements: (1) risks facing FINRA, (2) internal controls FINRA has in place to mitigate those risks, and (3) the residual risks that are not mitigated by the existing internal controls. OCIE officials explained that they decided to modify the COSO framework, in part, to customize the process to OCIE’s needs and expertise. In prior work, we have reported on the benefits of risk management and identified elements of a risk-management framework for federal agency oversight efforts. 40 Risk management provides the rigor and structure necessary to enable entities, on a continuous basis, to enhance their capability to identify potential adverse events, assess risks, and establish appropriate responses. Figure 1 shows the five elements for a risk- management framework, which are also described below. All of these are critical to OCIE’s efforts to develop an enhanced risk-based inspection program. • Identify strategic goals, objectives, and constraints refers to identifying the strategic goals that are trying to be achieved and the steps needed to attain those goals. It also includes determining limitations or constraints that affect the desired outcomes. 39 COSO was organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public companies and their independent auditors, for SEC and other regulators, and for educational institutions, including frameworks and guidance on enterprise risk management. 40 GAO, Risk Management: Further Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure, GAO-06-91 (Washington, D.C.: Dec. 15, 2005). Page 22 GAO-12-625 SEC Oversight of FINRA • Risk assessment refers to identifying the key aspects of potential risk. • Alternatives evaluation refers to considering measures to reduce the identified risks. • Management selection refers to management selecting where resources and investments will be made based on selecting the appropriate alternatives for reducing risks. • Implementation and monitoring refers to how the steps to reduce risk will be applied and monitored to help ensure ongoing effectiveness. Figure 1: Elements of a Risk-Management Framework While these elements are designed for agencies overseeing their own risks and programs, they can be applied to SEC’s oversight of FINRA and its efforts to enhance its oversight. To oversee the securities markets, SEC leverages its own capabilities as well as those of the SROs it oversees, including FINRA. For example, SEC relies on FINRA for examinations of broker-dealers and in instances where SEC and FINRA pursue joint enforcement actions. As such, the risks associated with FINRA’s surveillance programs and its oversight of broker-dealers potentially affect SEC’s ability to effectively regulate the securities markets. Specifically, FINRA’s regulation of its members and its surveillance activities serve as crucial oversight functions, on which SEC Page 23 GAO-12-625 SEC Oversight of FINRA relies. A failure of FINRA’s oversight is a risk to SEC and its ability to fulfill its mission. Therefore, for SEC to conduct effective oversight of the securities markets, it must take steps to ensure that FINRA is performing these functions properly. OCIE has taken steps to incorporate the first two elements of the risk- management framework. OCIE has identified its goals and objectives— specifically, enhancing oversight of FINRA—and is assessing FINRA’s potential risks. As previously mentioned, OCIE plans to develop an oversight plan based on its risk assessments and will focus on the risk areas determined to be the highest risk. To inform its oversight plan, OCIE plans to conduct risk assessments on a regular basis. For example, OCIE has already imbedded procedures for identifying risks related to FINRA’s regulatory programs in its district office inspection procedures. However, while OCIE officials have addressed two of the five elements, they have not articulated or documented how they plan to implement the remaining three elements of the risk-management framework: considering alternatives for reducing risks; selecting the appropriate alternatives for enhanced oversight; and implementing and monitoring its risk-based oversight. While OCIE officials may have initiated internal discussions about these elements, they have not formally presented specific steps for them, nor are all three elements apparent in the modified risk- management approach OCIE adopted. Because these elements are not formally articulated, OCIE may not be in the best position to determine whether its staff are actively considering how to implement and monitor enhanced oversight of FINRA once the key risks are identified and prioritized. The remaining three elements of the risk-management framework could also provide SEC with other opportunities to improve its oversight efforts. For example, the areas identified in Section 964 of the Dodd-Frank Act may not contain an equal amount of risk, and that risk may vary over time. As such, SEC must continuously identify and prioritize these evolving risks in order to appropriately target its resources. Further, the FINRA programs and operations identified in Section 964 may not encompass all current and future risks. For example, should FINRA become the SRO for investment advisers, SEC would need to consider the potential impact of FINRA’s additional responsibilities and reassess risks related to FINRA’s current oversight of broker-dealers and its surveillance functions. Moreover, as we have previously recommended, leveraging the findings in FINRA’s internal audits is another important source of information that SEC could use to assess current or evolving Page 24 GAO-12-625 SEC Oversight of FINRA risks. 41 Establishing all elements of a risk-management framework would provide SEC with a comprehensive plan to develop the appropriate options to identify current and future risks, including those not specifically identified in Section 964 of the Dodd-Frank Act, prioritize them, and implement an oversight plan that can be monitored for effectiveness. Without such elements, OCIE may be missing opportunities to take a more comprehensive approach to considering all risks and alternatives associated with oversight of FINRA, as well as the monitoring of its future efforts. SEC has a formal process for reviewing FINRA’s proposed rule changes Conclusions and has recently taken steps to strengthen its review process. However, neither FINRA nor SEC has a formal process for evaluating the effectiveness of FINRA’s implemented rules. Increasing attention has recently been given to the importance of these retrospective reviews and some federal financial regulators, including SEC, have begun pursuing plans to conduct retrospective reviews of their rules. Although FINRA also publishes rules governing the securities markets, it is not required to conduct such reviews of its rules. However, given its role in regulation, FINRA proposes many rules and rule changes each year that can have an impact similar to rules proposed and implemented by SEC. By not conducting retrospective reviews, FINRA may be missing an opportunity to systematically assess whether its rules are achieving their intended purpose and take appropriate action, such as maintaining rules that are effective and modifying or repealing rules that are ineffective or burdensome. SEC is in the process of enhancing and expanding its oversight of FINRA, using a more risk-based approach. To inform these plans, SEC has worked to assess the risks associated with the FINRA programs and operations. Moving forward, incorporating the other elements we have previously identified for a comprehensive risk-management framework will be important, including prioritizing risks and monitoring the effectiveness of its oversight. For example, although SEC collected information on all FINRA programs and operations identified in Section 964 of the Dodd-Frank Act, the risks posed by the individual programs and operations could vary and therefore warrant different levels of 41 GAO-08-33. Page 25 GAO-12-625 SEC Oversight of FINRA oversight. Moreover, the FINRA programs and operations identified in Section 964 may not encompass all current and future risks, such as FINRA becoming an SRO for investment advisers. Incorporating these other elements of the risk management framework will better position SEC to identify and prioritize evolving risks, evaluate alternatives and monitor its oversight efforts. Without such elements, SEC may be missing opportunities to take a more comprehensive, risk-based approach in overseeing FINRA. As SEC works to enhance its oversight of FINRA, we recommend that the Recommendations for SEC Chairman take the following two actions: Executive Action • encourage FINRA to conduct retrospective reviews of its rules and establish a process for examining FINRA’s reviews; and • direct OCIE to follow all elements of a risk-management framework as it develops plans for an enhanced risk-based approach to FINRA oversight, such as developing plans for how it will prioritize risks related to oversight of FINRA and assessing the effectiveness of its risk-based model. We provided a draft of this report to SEC for review and comment. In its Agency Comments comment letter, which is reprinted in appendix II, SEC generally agreed with our recommendations. Pursuant to our first recommendation concerning retrospective reviews of rules, the SEC Chairman has requested that OCIE and Trading and Markets encourage FINRA to consider additional methods to conduct these reviews. The Chairman has also requested that OCIE consider the most effective method to examine or monitor FINRA’s reviews of its rules. In response to our second recommendation that OCIE follow all elements of a risk-management framework, SEC commented that they had planned to do so and agreed that implementation of the remaining elements of a risk-management framework may better position OCIE to take a more comprehensive, risk- based approach in overseeing FINRA. As such, OCIE will consider how best to prioritize evolving and varying risks, evaluate alternatives, and monitor oversight efforts related to its oversight of FINRA. SEC also provided technical comments on the draft report, which we incorporated as appropriate. Page 26 GAO-12-625 SEC Oversight of FINRA We also provided portions of the draft report to FINRA for review and comment. FINRA provided technical comments, which we incorporated as appropriate. We are sending copies of this report to the Chairman of the Securities and Exchange Commission, the appropriate congressional committees, and other interested parties. In addition, the report will be available at no charge on GAO’s website at http://www.gao.gov. If you or your staffs have any questions about this report, please contact me at (202) 512-8678 or email@example.com. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix II. A. Nicole Clowers Director, Financial Markets and Community Investment Page 27 GAO-12-625 SEC Oversight of FINRA Appendix I: Scope and Methodology Appendix I: Scope and Methodology The objectives of this report were to examine (1) how the Securities and Exchange Commission (SEC) has conducted oversight of the Financial Industry Regulatory Authority (FINRA), including FINRA rule proposals and the effectiveness of its rules, and (2) how SEC plans to enhance its oversight of FINRA. To address our first objective, we reviewed and assessed SEC documentation, procedures, and guidance for inspections of FINRA. To describe how SEC has conducted oversight of FINRA’s examination programs specifically, we reviewed and assessed SEC’s Office of Compliance Inspections and Examinations’ (OCIE) procedures and guidance for inspections of FINRA’s examination programs, including OCIE’s guidelines for oversight inspections of FINRA district offices, inspection planning memorandums, and advertising inspection checklists. We analyzed all (29) of OCIE’s inspection reports of FINRA district offices for inspections conducted from 2005 to 2010 to understand the details of the reviews, including the scope and findings of the inspections. Additionally, we reviewed other OCIE inspection reports related to aspects of FINRA oversight identified in Section 964 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act), including the 1998 and 2006 inspections of the National Association of Securities Dealers, Inc.’s (NASD) Department of Advertising Regulation, 2000 inspection of NASD Dispute Resolution’s Midwest Regional Office, 2002 inspection of NASD’s surveillance program for member-firm trading in municipal securities, and 2006 inspection of NASD’s regulatory program for fixed-income securities. We also reviewed relevant documentation OCIE collected from FINRA, including FINRA’s member regulation handbook, samples of letters FINRA sends to firms to discuss various regulatory issues, and questionnaires FINRA uses in its meetings with member firms when conducting oversight examinations. We reviewed request letters SEC submitted to FINRA for inspections that SEC had recently initiated of FINRA’s surveillance programs related to fixed income and high-frequency trading. We also interviewed SEC, FINRA, and North American Securities Administrators Association officials. Moreover, we interviewed other relevant stakeholders such as the Securities Industry and Financial Markets Association (SIFMA), members of SIFMA who are also members of FINRA, and a citizen advocacy group. SIFMA assisted us in identifying members who varied in size—small, medium and large—and had been in existence prior to the creation of FINRA in 2007. We also reviewed relevant prior GAO reports regarding SEC oversight of FINRA and self-regulatory organizations (SRO) in general. Page 28 GAO-12-625 SEC Oversight of FINRA Appendix I: Scope and Methodology To describe how SEC has overseen FINRA’s proposed rule changes and what methods or measures SEC and FINRA use to assess the effectiveness of FINRA’s implemented rules, we reviewed and analyzed SEC’s documentation on SRO filing policies and procedures, including SEC procedures for approving proposed rule changes, relevant federal statutes governing SEC’s review of SRO rule filings, and recent executive orders regarding retrospective reviews of existing regulations. We also interviewed officials from SEC’s Division of Trading and Markets, FINRA, members of SIFMA who are also members of FINRA, and we reviewed prior GAO reports on agencies conducting retrospective reviews of existing rules. To understand the steps SEC takes to review and approve or disapprove FINRA’s proposed rule changes, we analyzed a random sample of SEC releases regarding FINRA’s proposed rule changes issued in 2009, 2010, and 2011. 1 We selected the years 2009 through 2011 because these were the most recent years that contained a full year of releases and included a full year of releases before and after the enactment of the Dodd-Frank Act. We examined SEC releases approving proposed rule changes, granting accelerated approval of proposed rule changes, notifying the public of immediately effective proposed rule changes, and disapproving proposed rule changes. 1. Approved: Proposed rule changes from SROs, including FINRA, that were filed for approval under section 19(b)(2) with approval occurring after the 30th day of the publication date (date of the Federal Register publication or SRO website posting). 2. Accelerated approval: Amendments to previously filed proposed rule changes from SROs, including FINRA, that were filed for approval under section 19(b)(2) with approval occurring before the thirtieth day of the publication date (date of the Federal Register publication or SRO website posting). 3. Immediately effective: Certain categories of proposed rule changes from SROs, including FINRA, that were filed for immediate effectiveness under section 19(b)(3)(A). Categories include (i) rules constituting a stated policy, practice, or interpretation with respect to 1 SEC releases include rule orders describing SEC’s final decision regarding FINRA proposed rule changes and notices. Page 29 GAO-12-625 SEC Oversight of FINRA Appendix I: Scope and Methodology the meaning, administration, or enforcement of an existing rule, (ii) rules establishing or changing a due, fee, or other charge imposed by the self-regulatory organization on any person, or (iii) rules concerned solely with the administration of the self-regulatory organization or other matters specified by SEC. 4. Disapproved: Proposed rule changes from SROs, including FINRA, that were filed for approval under Section 19(b), but were disapproved. We obtained a list of all SEC releases regarding FINRA proposed rule changes from SEC’s website for the years 2009 through 2011, a total of 432 releases. We identified all approved, accelerated approval, immediately effective, and disapproved release types issued during the 3 years and randomly selected two occurrences for each type of release for each year. There was only one occurrence of a disapproved release available on SEC’s website for the time period of 2009 through 2011.The result was a nongeneralizable sample of 19 SEC releases (18 approved, accelerated approval, and immediately effective releases and 1 disapproved release) that we examined to understand how SEC reviews FINRA proposed rule changes and arrives at its decisions. We reviewed the releases based on elements we identified from SEC’s SRO rule filing statute, including SEC allowing for public comments and explaining its rationale for the decision to approve or disapprove a proposed rule change. To address our second objective, we reviewed OCIE documentation of plans they have been developing for oversight of FINRA, and we interviewed officials from OCIE about these plans. We also reviewed documentation on OCIE’s preliminary analysis of information collected from FINRA on its regulatory programs and operations related to areas identified in Section 964 of the Dodd-Frank Act, and the extent to which OCIE’s plans address these areas. We also reviewed other SEC documentation on its plans for enhanced oversight, including risk analysis plans for future inspections of FINRA, scoping memorandums for areas of oversight identified in Section 964 of the Dodd-Frank Act, and information and data requests SEC sent to FINRA regarding these areas. We also reviewed SEC documentation on the implementation of SEC organizational reform recommendations identified in a study conducted by the Boston Consulting Group of SEC’s structure and operations. To assess SEC’s risk-based oversight framework, we reviewed literature and documentation on the Committee of Sponsoring Organizations of the Treadway Commission’s enterprise management framework. We also Page 30 GAO-12-625 SEC Oversight of FINRA Appendix I: Scope and Methodology reviewed guidance and documentation on the elements of risk- management frameworks and prior GAO work on models or frameworks related to agency oversight efforts. We conducted our work from August 2011 through May 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Page 31 GAO-12-625 SEC Oversight of FINRA Appendix II: Comments from the Securities Appendix II: Comments from the Securities and Exchange Commission and Exchange Commission Page 32 GAO-12-625 SEC Oversight of FINRA Appendix II: Comments from the Securities and Exchange Commission Page 33 GAO-12-625 SEC Oversight of FINRA Appendix III: GAO Contact and Staff Appendix III: GAO Contact and Staff Acknowledgments Acknowledgments A. Nicole Clowers, (202) 512-8678 or firstname.lastname@example.org GAO Contact In addition to the contact named above, Andrew Pauline (Assistant Staff Director), Vida Awumey, Chir-Jen Huang, Jonathan Kucskar, Tarek Acknowledgments Mahmassani, Marc Molino, Luann Moy, Jessica Sandler, and Jennifer Schwartz made key contributions to this report. (250628) Page 34 GAO-12-625 SEC Oversight of FINRA GAO’s Mission The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no Obtaining Copies of cost is through GAO’s website (www.gao.gov). Each weekday afternoon, GAO Reports and GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, Testimony go to www.gao.gov and select “E-mail Updates.” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, http://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at www.gao.gov. Contact: To Report Fraud, Waste, and Abuse in Website: www.gao.gov/fraudnet/fraudnet.htm E-mail: email@example.com Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470 Katherine Siggerud, Managing Director, firstname.lastname@example.org, (202) 512- Congressional 4400, U.S. Government Accountability Office, 441 G Street NW, Room Relations 7125, Washington, DC 20548 Chuck Young, Managing Director, email@example.com, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 Please Print on Recycled Paper.
Securities Regulation: Opportunities Exist to Improve SEC's Oversight of the Financial Industry Regulatory Authority
Published by the Government Accountability Office on 2012-05-30.
Below is a raw (and likely hideous) rendition of the original report. (PDF)