SEC’s Office of Compliance Inspections Releases Its 2018 Examination Priorities

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) has released its 2018 examination priorities, an annual report outlining the areas of the securities industry its examiners will target. This year, the priorities are organized into five broad areas:

  • Compliance and risks in critical market infrastructure
  • Retail investors
  • FINRA and MSRB
  • Cybersecurity
  • Anti-money laundering programs

The priorities also deal with recent hot-button developments in cryptocurrency and initial coin offerings. Firms should review the 2018 priorities and ensure that internal controls and practices are updated to effectively handle priority risks.

Compliance and Risks in Critical Market Infrastructure

Clearing agencies, national securities exchanges, transfer agents and the like are critical to the operation of financial markets. Thus, the OCIE will continue to target these entities for examination. As to clearing agencies, the OCIE will examine those designated as systemically important by the Financial Stability Oversight Council and focus on compliance with the SEC’s Standards for Covered Clearing Agencies. For national securities exchanges, the OCIE will focus on the exchange’s internal audits, fees, governance and the operation of National Market System plans. Finally, for transfer agents, the focus will be on transfers, record keeping and the controls in place for protecting funds and securities.

In addition, the SEC will examine whether entities subject to Regulation Systems Compliance and Integrity have effectively implemented policies for their systems’ capacity, integrity, resiliency, availability and security.

Retail Investors

Recognizing that many seniors are increasingly reliant on investments to fund retirement, the OCIE will continue to prioritize the protection of elderly and retiring investors. Firms providing investment services to these investors should ensure that they have internal controls in place to detect and prevent financial exploitation of senior investors.

On another front, the rapid growth of cryptocurrency and related markets has drawn the attention of the OCIE. Firms involved in these markets will be examined to ensure that theft-prevention controls are in place and that investors are fully informed of the risks inherent in initial coin offering markets, such as investment losses, liquidity, fraud and volatility. When a cryptocurrency qualifies as a security – which is not always abundantly clear – advisors must comply with the applicable securities laws.

Beyond these two areas, other areas of focus in the retail investor realm include: (i) ensuring transparency and accuracy in the charging of fees and other investment costs; (ii) “robo-advisers” and computer program algorithms that generate investment advice; (iii) advisors and broker-dealers that charge investors a single, bundled fee based on the percentage of assets being invested (i.e., “wrap fee programs”); (iv) never-before-examined advisers, particularly those with elevated risk profiles[1]; (v) mutual funds and exchange-traded funds; (vi) municipal advisors and underwriters; and (vii) ensuring best execution of customer orders in the fixed income secondary market.


FINRA and MSRB

The SEC will continue its oversight of FINRA and MSRB by inspecting these agencies’ operations and regulatory programs. As in previous years, the SEC will rely upon FINRA to carry the torch in supervising broker-dealers. Similarly, the SEC will look to MSRB to take the lead in supervising municipal advisors and broker-dealers that buy, sell and underwrite municipal securities.


Cybersecurity

Financial markets are constantly evolving to incorporate improvements in technology, which also bring new and unique cyber-risks. Consequently, the last few years have seen the SEC devote substantial resources to cybersecurity, and it expects market participants to do the same. This year, the OCIE’s focus will be on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.

Anti-Money Laundering Programs

The Bank Secrecy Act, 31 U.S.C. § 5311, et seq., requires securities firms (among others) to establish anti-money laundering programs. These programs must include means by which to identify customers, perform due diligence, and monitor accounts for suspicious activity. As to the latter requirement, suspicious activity must be reported to the Financial Crimes Enforcement Network via Suspicious Activity Reports. These reports have become increasingly important to law enforcement agencies in combatting terrorist financing, organized crime and public corruption. It is imperative that firms update their anti-money laundering programs and run independent tests on the efficacy of such programs. Suspicious Activity Reports must be filed timely and in full compliance with the Bank Secrecy Act.


The SEC priorities portend a regulatory scheme focused on customer protection and fraud-prevention in the face of an evolving marketplace. Issues driven to the forefront of the public consciousness, such as the disclosure of investment fees and cryptocurrency, have in turn elicited an increased focus by the SEC. At the same time, the SEC remains committed to ensuring that firms adjust their cybersecurity and anti-money laundering controls to account for new risks. Firms should thoroughly review the SEC’s 2018 priorities and consult with outside counsel to ensure that an appropriate response is implemented in their internal systems.

A version of this article was originally published here on Fox Rothschild’s firm website.

Ernest Badway is co-chair of the firm’s Securities Industry Practice and advises clients on a broad range of business matters, including securities, intellectual property, employment, corporate governance, partnership disputes, contracts and litigation.

Joshua Horn is co-chair of the Securities Industry Practice and co-chair of the Cannabis Law practice. Joshua represents major financial services companies in matters throughout the country.

Benjamin McCoy (LAW ’12) is an experienced trial and appellate litigator. He has a broad commercial practice with an emphasis on international, employment, entertainment, and intellectual property litigation.

[1] An “elevated risk profile” can arise in a number of ways. The most common arises from the SEC’s examination of certain objective criteria, such as whether: (i) the firm’s size and/or assets under management are large enough that non-compliance could have a negative effect on a significant number of investors; (ii) the firm has weak compliance controls; or (iii) the firm has employees with disciplinary histories. When one or more of these factors are present, a firm may be tagged as having an “elevated risk profile.”
