In today’s world where large-scale data breaches and hacks of private client information seem to be happening with increasing frequency, the issue of cybersecurity has never been more pressing to the financial industry.
Knowing the protections to put in place, and particularly the relevant requirements from a regulatory perspective, is essential. And while securities firms are more aware than ever of the need for these protections, they may not have sufficient in-house expertise to respond to the implications in a timely manner. It’s an expertise that Brian Connell-Tombs offers through his practice, CT Compliance Consulting, which provides regulatory compliance services that dovetail with the risk management services he also delivers.
Connell-Tombs stresses that any concern that intends to provide services to clients, directly or as a supplier to financial institutions, must be aware of due diligence questions and related activities.
“This is primarily driven by the (Securities) Commission’s and the SRO’s (self-regulatory organization) rules and regulations and codes of conduct,” Connell-Tombs explains. “Knowing best practices and having a robust risk management approach is essential to protect your own business, including its reputation.”
Connell-Tombs launched CT Compliance Consulting after accumulating more than 20 years of combined experience in accounting and investigations, with an emphasis on the securities industry.
He served as a Manager with the Ombudsman for Banking Services and Investments (OBSI), Canada’s largest and independent investigating agency for banking and investment-related complaints. He also served as a senior investigator for the Investment Industry Regulatory Organization of Canada (IIROC) and a forensic accountant with the Ontario Securities Commission.
Connell-Tombs points out that regulatory compliance issues are an important aspect of risk management. A key component in managing this includes providing all staff with ongoing training to ensure they are fully apprised of the firm’s and their regulatory obligations.
Another element to think about is the need to ensure not only that policies and procedures are in place, but that they are being followed when the firm receives a complaint from a client. “While this is a regulatory requirement, it also makes good business sense to try and resolve a client complaint quickly and fairly.”
From a regulatory and compliance perspective, what do you think are the biggest challenges securities firms face?
Brian Connell-Tombs: Firms face significant challenges at both the macro and micro level that, if not managed effectively, will negatively impact the firm’s reputation.
A significant challenge at the macro level is the protection of client information, and I am thinking particularly of information in an electronic format and cybersecurity. While compliance staff do not usually have the skillset to develop appropriate cybersecurity protocols, they can provide valuable insight into the firm’s regulatory requirements in this area. Further, compliance staff are often tasked with ensuring that these regulatory requirements are communicated to and followed by staff.
A significant challenge at the micro level is working with investment advisors to ensure they are managing their clients’ expectations in line with their regulatory obligations. This is not just the expectations of the more conservative investors with low risk tolerances, but also the expectations of investors willing to accept higher risk with the expectation of higher returns.
Regardless, if a client’s expectations are not in line with the investment advisor/firm’s investment philosophy, it may be appropriate to transition the client to another advisor or another firm. While this is never an easy decision, compliance is in a position to support the advisor and assist the client transition to a new advisor.
Are there aspects of these challenges that are particularly – and surprisingly, perhaps – overlooked? What, specifically?
One of the biggest challenges we face is the volume of information that must be processed on a daily basis. Because Compliance is involved in most, if not all, aspects of the firm’s business, its expertise is continuing to be leveraged. Take, for example, the number of new products that are made available to firms. It seems at times that before the KYP committee can complete its review of a product, the product is changed, canceled and replaced by another product. Along those lines, I have responded to a number of questions regarding the Canadian cryptocurrency market. There seems to be a lot of interest in this area and the CSA’s recent Staff Notice helped clarify the CSA’s position.
In terms of opportunities that may be overlooked, the regulators are transparent with the issues they will be focusing on during their upcoming compliance reviews at the various firms. For example, this summer the OSC released its annual summary for dealers in which it stated clearly that it still had concerns regarding the collecting and documenting of KYC/suitability and KYP information. I encourage the sharing of this information with investment advisors as it not only serves as a reminder of the IA obligations but it also can put context to the questions IAs receive from Compliance.
How would you characterize the job newer and smaller organizations in the securities industry are doing on their risk management strategies? What, in particular, would you have them focus on in order to achieve optimal success?
Most of the people I deal with understand the need to have risk management strategies in place, but, and I do not want to overly generalize, some of the smaller organizations do not have the systems in place to ensure those strategies are being followed, particularly when it comes to long-time personal contacts. This is more than just an issue of paperwork. Firms, and individuals at the firms, can avoid a lot of time-consuming and stressful situations if they have proper KYC and KYP procedures in place and those procedures have been followed.
In terms of achieving optimal success, I encourage organizations to assess what tasks are key to the organization’s success and to assess if the organization has individuals that not only perform those tasks well, but also enjoy performing those tasks. If the answer is no to either of those questions, then the organization needs to consider hiring someone to perform the task or outsourcing the task. Over the years, I have noticed a strong correlation with what a person does well with what they enjoy doing, with what tasks are completed on time; with the opposite also being true.
We’re hearing a lot about “RegTech” startups that are working hand-in-hand with FinTech to make compliance easier and also to help companies achieve greater operational efficiencies and cost benefits. How do you view this new category of tech innovators and their ultimate role when it comes to compliance? How do you see the human touch and the tech touch coming together to better serve the consumer?
With new and more complex products being offered to clients almost daily and given our ever-changing regulatory environment, I am not sure compliance will ever be “easier”. However, I think that firms that include RegTech/FinTech as part of their compliance regime will be better able to meet the challenges that lie ahead. RegTech/FinTech will allow firms to spend less time reviewing documents, say a KYC for completeness, and more time understanding and analyzing the underlying information. RegTech/FinTech will assist in identifying trends and exceptions that need to be investigated and thus contribute to making the process more effective.
While I think technology plays an important role in an effective compliance program, I don’t think it will replace the human touch anytime soon, as individuals will have to review the data, and not just the exception reports, to confirm what the technology is suggesting makes sense. For example, regarding clients, it will still take qualified individuals at the firm to review the relevant information and then to decide if the client’s risk tolerance and investment objectives are in line with the firm’s investment strategy. Similarly, when fulfilling their KYP obligations, I would recommend firms not rely solely upon RegTech tools, but review and assess the information when deciding if they will make a particular product available to their clients.