A user of Supervisory Control may be a person or group performing the functions below:
Responsibilities:
• Advise business areas on firm policies and procedures and applicable securities laws and FINRA regulations.
• Identify regulatory trends and developments that impact business areas, and advise staff as to how this may impact their current activities.
• Draft, update, and implement relevant policies and procedures.
• Provide regulatory/compliance training.
• Assist the business in implementing and documenting various supervisory/control mechanisms.
• Participate in internal investigations, respond to regulatory inquiries, and coordinate internal and external audits and inspections.
• Interact with federal and state regulators.
• Perform testing and monitoring of compliance with firm policies and conduct risk assessments of the business to ensure an effective business control framework.
Best Practices:
To assist firms in the process of reviewing and, where necessary, modifying, their current internal controls against unauthorized trading, we have recently solicited input from a range of firms regarding their internal controls, as well as the preliminary results of internal reviews. We are publishing those practices now with the expectation that doing so will help other firms as they undergo their own review process. While FINRA believes that these practices are worthy of consideration, we understand that their relevance and feasibility will vary depending on a firm’s size and business model. We also note that this is not an exhaustive list, and is not intended to create a safe harbor from regulatory exposure or to discourage firms from completing their own comprehensive internal audits.
Mandatory Vacation Policies
An increasing number of broker-dealers have identified “sensitive” jobs, and adopted mandatory policies requiring employees in those positions, including traders, to be away from the office for a minimum amount of time, typically ten consecutive trading days. During that time away, the employee is barred from having physical or electronic access to the firm, its facilities, or systems. The theory behind this policy, which has been common in the banking industry, is that if an employee has engaged in unauthorized activity and is concealing it, the activity will likely be exposed in the firm’s trade reconciliation process within that time, because the employee is not able to continue the concealment while away from the firm and its systems.
A mandatory vacation policy must be enforced in order to be effective. In at least one recent well-publicized case, the firm had such a policy, but the trader involved had not taken the full, mandatory, consecutive vacation in several years. Exemptions should not be granted except in unusual circumstances and repeated requests for exemptions should be considered a red flag warranting additional monitoring. Firms also should assure that their systems support blocking employees on mandatory vacation from accessing firm systems.
A mandatory vacation policy may not be feasible or reasonable for all firms. However, we urge firms to consider it as part of their risk management procedures. If a firm determines not to adopt such a policy, it should consider other methods of identifying and reviewing the trading activity of traders who have not taken an extended vacation in the past year.
Heightened Scrutiny of Red Flags
As firms review their internal controls, they should pay attention to whether they are both adequately mining available trade data for red flags and following up on those red flags where appropriate. Among other things, firms should monitor, and, when necessary, conduct heightened scrutiny of:
Trading limit breaches. At least one firm surveyed recently has implemented a tool that allows for monitoring of limit breaches by a trading book or individual trades in real-time, and can be set to generate alerts based on a range of parameters, including the notional value of a trade, share size (net/gross position), amount of orders or traders per day and total dollar value per day.
Unrealized profit and loss (P&L) on unsettled transactions. Trading desk managers and financial control managers should pay careful attention to sizeable amounts of unrealized P&L and should understand the nature of the transactions creating these amounts.
Unusual patterns of cancellations and corrections, particularly those involving multiple cancellations or corrections by the same trader or involving the same counter-party. Certain firms prohibit a front-office trader or salesperson from entering cancels and corrects into the trading system and limit the entry of these transactions to mid-office (e.g., those involved in risk management) or back-office (e.g., those involved in settlement services) personnel.
Transactions in which confirmation and settlement do not occur on a timely basis, or where settlement is outside of normal cycles.
Reports of aged unresolved reconciling items and aged outstanding confirmations.
Reports of P&L that exceed a certain de minimis amount by traders who are supposed to be flat, or unusually large one-day P&L reports.
The details underlying a trader’s Value at Risk (VaR), including the long and short positions, on a daily or intra-day basis, as appropriate. Firms should also consider other risks associated with a trader’s positions, such as liquidity risk, the adequacy of hedges and the risks associated with imperfect hedges. This includes understanding and reviewing the valuation of all positions, particularly positions in exotic instruments or instruments that have little or no market.
Repeated or unusual requests by a trader to relax existing controls, including position or P&L limits.
Trading in products that are outside of a trader’s known expertise, without prior approval.
Any other unusual or significant differences between a trader’s account positions and the account activity, such as might be detected by comparison of gross and/or net position to the cash flows of positions; i.e., margin/collateral calls to and from counterparties to the trades.
A pattern of aged fails to deliver for long or short sales.
Whether these data points are reviewed manually, or with the use of automated surveillance tools, or some combination, a firm’s controls should not just note deviations from normal trading patterns as red flags that might signal proprietary business risk, but as signals of possible regulatory risk as well. And, to the extent that firms use automated surveillance tools to identify such items, their internal control systems should include adequate and routine maintenance and testing of those systems.
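The following added example (not part of the FINRA text or of any firm's system) shows how several of the red flags above can be mined from trade data: per-trade and daily limit breaches, repeated cancels/corrects by one trader with one counterparty, cancels/corrects entered by front-office staff, and P&L on a book that is supposed to be flat. All thresholds, field names and records are constructed assumptions.

```python
from collections import Counter, defaultdict

# Hypothetical thresholds; a firm would calibrate these per desk and product.
PER_TRADE_NOTIONAL_LIMIT = 5_000_000
DAILY_NOTIONAL_LIMIT = 12_000_000
CANCEL_CORRECT_THRESHOLD = 3        # per trader/counterparty pair per day
FLAT_BOOK_PNL_DE_MINIMIS = 10_000
FRONT_OFFICE = {"trader", "sales"}  # roles that should not enter cancels/corrects

# Constructed events:
# (day, trade_id, trader, counterparty, action, notional, role_of_user_who_entered_it)
EVENTS = [
    ("2024-06-03", "T1", "t_adams", "CP-A", "NEW", 4_000_000, "trader"),
    ("2024-06-03", "T2", "t_adams", "CP-A", "NEW", 6_500_000, "trader"),
    ("2024-06-03", "T3", "t_adams", "CP-B", "NEW", 3_000_000, "trader"),
    ("2024-06-03", "T4", "t_baker", "CP-C", "NEW", 1_000_000, "trader"),
    ("2024-06-03", "T4", "t_baker", "CP-C", "CANCEL", 1_000_000, "back_office"),
    ("2024-06-03", "T5", "t_baker", "CP-C", "NEW", 1_000_000, "trader"),
    ("2024-06-03", "T5", "t_baker", "CP-C", "CORRECT", 1_200_000, "trader"),
    ("2024-06-03", "T6", "t_baker", "CP-C", "NEW", 900_000, "trader"),
    ("2024-06-03", "T6", "t_baker", "CP-C", "CANCEL", 900_000, "back_office"),
]

# Constructed end-of-day P&L: (day, trader, supposed_to_be_flat, pnl)
PNL = [
    ("2024-06-03", "t_adams", False, 85_000),
    ("2024-06-03", "t_cole", True, -42_000),
]


def scan(events, pnl):
    """Return sorted (day, trader, flag, detail) tuples for follow-up review."""
    flags = set()
    daily_notional = defaultdict(int)
    cancel_corrects = Counter()

    for day, trade_id, trader, cpty, action, notional, role in events:
        if action == "NEW":
            daily_notional[(day, trader)] += notional
            if notional > PER_TRADE_NOTIONAL_LIMIT:
                flags.add((day, trader, "TRADE_LIMIT_BREACH", trade_id))
        elif action in ("CANCEL", "CORRECT"):
            cancel_corrects[(day, trader, cpty)] += 1
            # Some firms restrict cancel/correct entry to mid- or back-office staff.
            if role in FRONT_OFFICE:
                flags.add((day, trader, "FRONT_OFFICE_CANCEL_CORRECT", trade_id))

    for (day, trader), total in daily_notional.items():
        if total > DAILY_NOTIONAL_LIMIT:
            flags.add((day, trader, "DAILY_LIMIT_BREACH", str(total)))

    for (day, trader, cpty), count in cancel_corrects.items():
        if count >= CANCEL_CORRECT_THRESHOLD:
            flags.add((day, trader, "CANCEL_CORRECT_PATTERN", f"{cpty} x{count}"))

    for day, trader, supposed_flat, amount in pnl:
        if supposed_flat and abs(amount) > FLAT_BOOK_PNL_DE_MINIMIS:
            flags.add((day, trader, "FLAT_BOOK_PNL", str(amount)))

    return sorted(flags)


if __name__ == "__main__":
    for flag in scan(EVENTS, PNL):
        print(*flag, sep="\t")
```
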
Protection of Systems and Risk Management Information
In some cases, rogue traders have been able to falsify a firm’s books and records to conceal illicit trading activity due to lapses in password security and other systems protections. Firms should make certain that each employee’s access to systems is limited strictly to what is appropriate for the employee’s function within the firm. This control should not be limited to traders; it should be in place for any employee whose role includes access to trading systems. If an employee’s function changes within the firm, the firm should make sure that the employee’s access changes accordingly. For example, if an employee moves from the back office to a trading desk, that employee’s access should be changed to reflect his or her new role, and access to the back-office functions should be revoked. Firms should also make sure that access is suspended during any mandatory vacation period and cancelled promptly if the employee leaves the firm.
Firms also should protect information about surveillance or monitoring systems and procedures that might help employees circumvent those systems. For example, knowledge that the firm divides responsibility for reviewing certain trade monitoring functions by product type might help a trader who is creating fictitious trades to avoid detection by creating trades involving different products, so that the trades would not all be reviewed by the same personnel. In at least one recent case, a trader’s intimate knowledge of back-office procedures and risk management procedures, including what would—and what would not—trigger heightened scrutiny, may have allowed him to avoid detection for a much longer period than he otherwise might have. Therefore, firms should limit knowledge about the details of their risk management procedures and systems to the extent possible and consider modifying them in response to personnel changes, such as a back office employee becoming a trader. Firms also should consider whether there are appropriate mechanisms in place to review all activity of a given trader.
Firms may want to consider more than a single password to allow access to certain systems. More sophisticated systems require three-factor authentication before access is allowed, including not only a password but also a security card or other I.D. such as a token ring, and a unique identifier such as a fingerprint. Firms need to weigh both the inconvenience and the cost of these additional security measures in determining which controls are appropriate.
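As an added illustration (not from the FINRA notice), the sketch below reconciles entitlements and login records against the access rules in this section and in the Mandatory Vacation Policies section: access limited to the current role, access suspended during mandatory leave, access cancelled for leavers, and a leave of at least ten consecutive trading days in the past year. Role names, system names and all records are constructed; trading days are approximated as weekdays.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Hypothetical role-to-system map; a real firm would use its entitlement catalogue.
ROLE_SYSTEMS = {
    "trader": {"order_entry", "market_data"},
    "back_office": {"settlement", "confirmations"},
}
SENSITIVE_ROLES = {"trader"}   # roles subject to mandatory leave (assumption)
MIN_LEAVE_TRADING_DAYS = 10    # "typically ten consecutive trading days"


@dataclass
class Employee:
    user: str
    role: str
    entitlements: set
    leave: Optional[tuple] = None      # (first_day, last_day) of latest mandatory leave
    left_firm: Optional[date] = None


def trading_days(first, last):
    """Count weekdays in [first, last]; exchange holidays are not modelled."""
    count, day = 0, first
    while day <= last:
        if day.weekday() < 5:
            count += 1
        day += timedelta(days=1)
    return count


def review(employees, logins, as_of):
    """Return sorted (user, finding, detail) tuples for the access review."""
    findings = set()
    directory = {e.user: e for e in employees}
    for e in employees:
        if e.left_firm and e.left_firm <= as_of:
            if e.entitlements:
                findings.add((e.user, "LEAVER_ACCESS_NOT_CANCELLED",
                              ",".join(sorted(e.entitlements))))
            continue
        # Access left over from a previous role shows up as an entitlement outside the map.
        extra = e.entitlements - ROLE_SYSTEMS.get(e.role, set())
        if extra:
            findings.add((e.user, "ACCESS_OUTSIDE_ROLE", ",".join(sorted(extra))))
        if e.role in SENSITIVE_ROLES:
            if e.leave is None or e.leave[1] < as_of - timedelta(days=365):
                findings.add((e.user, "NO_MANDATORY_LEAVE_IN_PAST_YEAR", ""))
            elif trading_days(*e.leave) < MIN_LEAVE_TRADING_DAYS:
                findings.add((e.user, "LEAVE_TOO_SHORT",
                              f"{trading_days(*e.leave)} trading days"))
    for user, system, when in logins:
        e = directory.get(user)
        if e is None:
            findings.add((user, "UNKNOWN_ACCOUNT", system))
        elif e.leave and e.leave[0] <= when.date() <= e.leave[1]:
            findings.add((user, "LOGIN_DURING_MANDATORY_LEAVE",
                          f"{system} {when.isoformat()}"))
    return sorted(findings)


# Constructed sample data.
AS_OF = date(2024, 6, 28)
EMPLOYEES = [
    # Moved from the back office to a trading desk; settlement access never revoked.
    Employee("alice", "trader", {"order_entry", "market_data", "settlement"},
             leave=(date(2024, 3, 4), date(2024, 3, 15))),
    Employee("bob", "trader", {"order_entry", "market_data"},
             leave=(date(2024, 6, 17), date(2024, 6, 28))),
    Employee("carol", "trader", {"order_entry", "market_data"}),
    Employee("dave", "back_office", {"settlement"}, left_firm=date(2024, 5, 31)),
    Employee("erin", "trader", {"order_entry", "market_data"},
             leave=(date(2024, 2, 5), date(2024, 2, 9))),
]
LOGINS = [
    ("bob", "order_entry", datetime(2024, 6, 20, 9, 31)),
    ("alice", "settlement", datetime(2024, 6, 21, 18, 2)),
]

if __name__ == "__main__":
    for finding in review(EMPLOYEES, LOGINS, AS_OF):
        print(*finding, sep="\t")
```
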
Supervision and Accountability
Certain financial services companies have established matrix management structures such that employees may have both direct and dotted line reporting to multiple managers. While matrix management may make sense for an organization, it is important for employees to understand who they report to and what they are held accountable for in their day-to-day job responsibilities. Correspondingly, both the dotted line and the direct manager must have a clear sense of who is responsible for each aspect of the business. It is critical that responsibility for supervision of each aspect of the business be allocated to a specific manager and that these managers have frequent communications to understand their respective businesses. Documenting these supervisory responsibilities in writing is recommended.
Intercompany Transactions
Many FINRA firms are part of larger, complex financial services organizations. The FINRA member firm generally conducts a large number of intercompany transactions with its affiliates. Often the basic controls that are in place for third parties, including controls around credit risk and market risk, are waived for affiliated transactions. In light of the recent cases of unauthorized trading, firms may want to reevaluate whether certain third-party controls that limit their exposure would be appropriate for affiliated transactions. Further, reconciliations of intercompany transactions and balances should be performed on a regular basis.
Compliance Culture
As recent events have demonstrated, even the most rigorous internal controls and risk management procedures can fail if they are not effectively enforced and the effectiveness of that enforcement is directly related to the “tone at the top.” A corporate culture that marginalizes the individuals or departments responsible for trade reconciliation and risk management will undermine the effectiveness of even the most elaborate policies and procedures. In reviewing the adequacy of their internal controls around unauthorized proprietary trading by individual traders, firms should pay attention to any systemic or cultural dynamics that may undermine the effectiveness of those systems. For example:
Do mid- and back-office functions have sufficient independence, clout and profile within the organization? To whom do they report?
Are mid- and back-office personnel adequately trained and encouraged to raise issues about suspicious activity, even if it involves successful traders or activity that is generating profits for the firm, or doesn’t technically violate any limits?
If operations, compliance or internal audit personnel receive a questionable or inadequate response by a trader, are they encouraged to challenge such a response and/or raise the issue to their supervisors where appropriate?
If the firm operates in a global context, do its internal controls take into account any cultural differences that might discourage adequate internal oversight or reporting? For example, anonymous reporting might be appropriate in certain environments.
What does a Supervisory Control Program Manager do?
- Taken from LinkedIn - Elena Danova - Director DB.
- https://www.linkedin.com/pub/elena-danova/6/7b2/765
• Managed the CEO Certification process for the Securities Divisions: created infrastructure to support 250+ supervisors, rolled out 100+ supervisory checklists, developed Written Supervisory Procedures, engineered quarterly certifications through a consolidated workstation dashboard, resulting in reduced regulatory risk and efficient supervisory signoffs.
• Managed Policies and Procedures globally: performed final policy review / approval, drafted manuals, supervised policy implementation. Introduced a global process which improved planning and execution of policy efforts.
• Developed Training plan and Needs analysis for the Securities Divisions, managed training resources.
• Created strategy for the integration of the Equities and FICC Compliance Divisions: identified compliance functions which can be integrated and crafted an implementation proposal. Integration realized 30% efficiency and developed uniformity and a single brand for Compliance.
- Taken from LinkedIn - Louis Damiano
- Ln Profile - SVP, Supervisory Control Officer
- Participate in the new hire process of sales traders and conduct appropriate training of sales traders.
- Assist in the firm’s continuing education process.
- Prepare Compliance Alerts to the Trading Department.
- Conduct daily monitoring of NASDAQ OMX/ACT workstation.
- Ensure the firm’s compliance with Regulation NMS.
- Conduct compliance reviews of institutional trading desks.
- Conduct review of sales traders’ electronic communications.
- Monitor appropriate supervision of institutional trading desks.
- Assist in the firm’s development with regard to compliance with SEC Rule 15c3-5 “Market Access”.
- Advise trading managers of proposed rules and rule interpretation.
- Interact with external regulatory agencies and internal auditors including annual exams.
- Maintain and update the firm’s Trading Department Compliance Manual.
- Conduct Annual Compliance Meetings.
- Compliance representative on Best Execution, Regulation SHO, Direct Market Access, Real Time Risk Monitoring, Options Monitoring committees.
- Assist in developing firm’s error account procedures and monitor firm’s error accounts on a daily basis.
- Review and monitor firm’s employee trading activity.
- Frequent review of traders’ manual/electronic order tickets.
- Assist in the development and review of various daily exception reports.
- Responsible for review of FINRA Monthly Compliance Report Cards.
- Conduct branch office examinations.
- Research and respond to regulatory inquiries.
- Assist in sales of restricted and controlled stock.
- Assist in the filing of QSR and AGU agreements.
Deutsche Bank LIBOR & Other rates fixing scandal
Recent slap on the wrist from FRB NY:
The Federal Reserve Bank of New York (FRBNY) conducted a review of selected regulatory reports filed by Deutsche Bank Trust Corporation (DBTC) and Deutsche Bank AG New York branch (DBNY), collectively (DB) as of March 31, 2013. Our objectives were to assess the accuracy of the regulatory reports, the efficacy of the governance for the reporting processes, and progress achieved in addressing issues identified during the last review conducted in 2007.
We have concluded that the regulatory reports provided by DB are of low quality, inaccurate and unreliable. The size and breadth of errors strongly suggest that the firm’s entire U.S. regulatory reporting structure requires wide-ranging remedial action. We also concluded that no progress was made in remediating prior supervisory concerns as the firm’s U.S. operations regulatory reporting process continues to be fragmented and suffers from weak or inadequate internal controls. Moreover, longstanding weaknesses in the firm’s information technology infrastructure impair the firm’s ability to produce accurate regulatory reports. Lastly, we conclude that oversight by the Compliance and Internal Audit functions is inadequate and ineffective.
The errors identified from our review result from several root causes including: systems limitations, coding errors; misinterpretation of instructions; inadequate analysis and documentation of the quality assurance process; and poor coverage by Internal Audit and Compliance Group. Additionally, there is a lack of ownership by the lines of business (LOBs) in ensuring data integrity, data validation, and the continuous monitoring of data quality. The limitations of the firm’s information technology systems necessitate excessive manual intervention, which expose the firm to significant operational risk and misstated regulatory reports.
Since 2002, the FRBNY has highlighted significant weaknesses in the firm’s regulatory reporting framework that have remained outstanding for a decade. Our review disclosed that several previous attempts by the firm failed to produce sustainable solutions to addressing the weakness in the regulatory reporting process or to improve the quality of data. The scope of the most recent project to address these weaknesses, known as the Bank Regulatory Reporting Program (BRRP) developed in 2012, was not comprehensive. While the BRRP focused on both short-term interim and longer-term strategic solutions using the firm’s global Strategic Reporting and Information Delivery Program (StRIDe), the planned project scope was limited and would not have addressed the issues identified during our review. Discussions with FRBNY supervisory staff resulted in an expansion of the project’s scope and in additional financial and managerial resources being devoted to the BRRP.
While these changes are encouraging, we remind management that in the interim effective compensating controls designed to produce high quality, accurate regulatory reports must be put in place. In addition to the requirements outlined below, given the long standing, unresolved repeat nature of our findings, coupled with the public nature of regulatory reports, additional remediation requirements will be forthcoming. The matters below require immediate attention by the DBAG NY Branch Executive Committee, Board of Directors and Senior Management:
Matters Requiring Immediate Attention (“MRIA”)
1. Repeat Issues/Inadequate Governance:
We found that most of the issues identified in our current review are repeat issues that were previously highlighted to management over the past decade. These include: a disjointed and inadequate regulatory reporting infrastructure; inadequate monitoring functions; insufficient breadth and depth of regulatory reporting training; limited accountability policies; and material errors and poor data integrity. Additionally, significant regulatory reporting issues highlighted in 2012 by an external consulting firm, Internal Audit and the firm’s Quality Assurance Group also remain unresolved. Most concerning is the fact that although the root causes of these errors were not eliminated, prior supervisory issues were considered remediated and closed by Senior Management. The DBAG NY Branch Executive Committee and Board of Directors are required to immediately ensure that the root cause of all issues identified by supervisors, or other control areas within DB (e.g., external consulting firms, Quality Assurance Group, Internal Audit) are addressed and validated by an independent group.
2. Fragmented Regulatory Reporting Information Technology Infrastructure:
The firm’s regulatory reporting infrastructure is fragmented and ineffective in ensuring high quality, accurate reports. Regulatory reporting information is compiled from a variety of applications and data sources; these data sources cannot be reconciled to report control totals. Additionally, multiple manual adjustments (in excess of 800 and totaling approximately $337 billion) are required to prepare the FR Y-9C. These adjustments require substantial resources, lack transparency and do not allow for sufficient time to effectively review and analyze the data, prior to filing with the FRBNY. Lastly, the firm does not have the capability to effectively implement the new complex reporting requirements. The DBAG NY Branch Executive Committee and Board of Directors are required to immediately ensure that automation efforts to improve the quality of regulatory reports are effectively executed. In the interim, Senior Management must implement compensating controls so that manual adjustments and workarounds are effectively implemented, clearly explained, well documented and auditable.
3. Lack of Data Integrity/Quality:
Examiners found material reporting errors and other data quality weaknesses across LOBs and legal entities (LEs). Additionally, we observed ineffective preventive internal controls over the data entered into operational systems, poorly maintained static customer information and the lack of requisite documentation at the point of origin of a transaction (i.e., inception or at the onboarding of transactions), which later resulted in material reporting errors. Other factors contributing to regulatory reporting weaknesses include the lack of a data governance process to ensure data integrity in subsystems as well as misinterpretation of reporting instructions. These issues raise significant concerns about the adequacy of financial internal controls for the regulatory reporting process. The firm must undertake corrective action to improve the quality of its regulatory and structure reports and more generally, the data acquisition and maintenance processes. Toward this end, the DBAG NY Branch Executive Committee and Board of Directors are required to immediately ensure that Senior Management maintains high quality information in subsystems. This should include ‘scrubbing’ of product systems to enhance the integrity of information at the point of origin and when onboarding transactions. Additionally, the firm must conduct a comprehensive review of customer information files (static data) to identify discrepancies across products, implement changes in source systems, and ensure changes are sustainable.
4. Inadequate Accountability Framework:
The governance framework of the firm’s business infrastructure and financial recordkeeping environment is a shared responsibility of the LOBs, Finance, Risk, and Information Technology functions. The firm lacks an effective accountability process to ensure a high quality of data that is used to develop accurate regulatory and more generally, management information reports. With regard to reports filed with the FRBNY, the firm has not developed a formal Accountability Policy and governance structure that clearly articulates roles and responsibilities for all areas responsible for the integrity of regulatory reports.
Supervisors expect firms to develop effective accountability policies and practices. Key components of an effective accountability policy include: (a) developing an integrated governance structure for the escalation and effective monitoring and resolution of all identified issues across all reports and processes; (b) maintaining a comprehensive issues log that tracks issue owner, includes root cause analyses and solutions; affected entities; impacted reports and schedules; remediation owners, and target completion dates; and (c) incorporating a sustainable enforcement process, which defines accountability for accuracy of regulatory reports.
Senior Management of the banking organization is required to immediately:
- Increase the effectiveness of the accountability process and improve data quality by:
– Establishing a formal accountability policy that delineates roles and responsibilities for data owners and Finance staff and developing an effective and sustainable enforcement process, which requires accountability for accuracy of all regulatory reports across LOBs and LEs. The policy should reflect management’s expectations of employees in preserving the integrity of the firm’s regulatory and organizational structure reporting requirements to ensure that changes are communicated to the FRBNY timely and accurately.
– Maintaining a comprehensive issues log that tracks issue owner, root cause analysis, reports and schedules affected; date the issue was identified; interim and strategic solutions; remediation owner; and target completion dates.
– Improving the firm’s Data Quality Assurance Validation Attestation processes conducted by LOBs by including outstanding reporting issues outlined in the firm’s issues log, Internal Audit, Compliance Group, supervisory findings; and the accuracy of static customer and product identification data at the point of origin of the transaction.
7. Inadequate Independent Review and Monitoring Functions
Compliance and Monitoring Surveillance & Inspections:
The Compliance Group’s risk assessment process and testing program failed to identify the firm’s systemic breakdown in the operation of various customer deposit accounts that resulted in wide-spread, longstanding violations of Regulation D (Reg D).
The testing performed by Monitoring Surveillance & Inspections (MSI) was limited to only one aspect of Regulation D in which the broader Compliance Group’s risk assessment deemed the risk to be moderate, and excluded other significant aspects of the regulation that were deemed as low risk, including time deposits (early withdrawal penalties); MMDAs (six-transfer limit), and demand deposit sweep program (missing sweep agreements or agreements lacking requisite language). The failure to detect violations arose from a fundamental lack of understanding of the requirements of Regulation D, ineffective risk assessment process and is reflective of a breakdown in the independent monitoring and oversight function of the Compliance Group to include MSI.
Internal Audit:
Internal Audit (IA) failed to detect long-standing weaknesses in the overall regulatory reporting framework. More specifically, our review of the results of IA’s reviews of regulatory reporting from 2009 to present identified only one instance in 2012 that highlighted a critical weakness in the reporting framework. An external consulting firm conducted the regulatory review that highlighted the deficiency. The failure of Compliance and Internal Audit to detect the systemic breakdown in the regulatory reporting process is unacceptable. The DBAG NY Branch Executive Committee and Board of Directors are required to immediately take corrective action to ensure Senior Management increases the level of control staff expertise needed to effectively conduct their respective oversight roles and responsibilities. Both Compliance and IA must improve their respective risk assessments, and monitoring and testing work programs related to regulatory reporting internal controls and framework and other ancillary support functions to ensure compliance with laws and regulations and regulatory reporting requirements.
8. Violations of Regulation D:
We determined that certain accounts were being operated in violation of Regulation D. Consequently, the DBAG NY Branch Executive Committee and Board of Directors are required to immediately conduct an independent, firm-wide review of all deposit accounts and investment and sweep account arrangements operated during 2013 to ensure accounts are operated in accordance with Regulation D. DB must provide a written summary of the results of the aforementioned firm-wide review to FRBNY, including but not limited to:
– a list of all clients determined to be ineligible for sweep transactions (to include netted sweep balances), the criteria used to determine ineligibility and the corresponding corrective actions;
– the average daily balance for each client and the aggregate average daily balance across all ineligible clients for these sweeps;
– a list of MMDA accounts operated in violation of Reg. D along with samples of client notifications regarding transactions that exceed Regulation D requirements and other corresponding corrective actions;
– a list of early withdrawals of time deposits where penalties were not imposed, client notices and other corresponding corrective actions; and
– changes to LOB internal controls, IA and Compliance function’s processes, policies and procedures to ensure ongoing compliance with Reg. D.
Based on the results of this review, restated regulatory reports may be required as well as a “make up” of required reserves.
At the conclusion of this review, we discussed with management regulatory reporting exceptions. The Appendix to this letter lists the affected reports and describes major issues identified. Under separate cover, Kenneth Lamar, Senior Vice President, the Federal Reserve Bank of New York’s Statistics Function, will provide a detailed listing of all the errors identified during our review.
Best Practices:
To assist firms in the process of reviewing and, where necessary, modifying, their current internal controls against unauthorized trading, we have recently solicited input from a range of firms regarding their internal controls, as well as the preliminary results of internal reviews. We are publishing those practices now with the expectation that doing so will help other firms as they undergo their own review process. While FINRA believes that these practices are worthy of consideration, we understand that their relevance and feasibility will vary depending on a firm’s size and business model. We also note that this is not an exhaustive list, and is not intended to create a safe harbor from regulatory exposure or to discourage firms from completing their own comprehensive internal audits.
Mandatory Vacation Policies
An increasing number of broker-dealers have identified “sensitive” jobs, and adopted mandatory policies requiring employees in those positions, including traders, to be away from the office for a minimum amount of time, typically ten consecutive trading days. During that time away, the employee is barred from having physical or electronic access to the firm, its facilities, or systems. The theory behind this policy, which has been common in the banking industry, is that if an employee has engaged in unauthorized activity and is concealing it, the activity will likely be exposed in the firm’s trade reconciliation process within that time, because the employee is not able to continue the concealment while away from the firm and its systems.
A mandatory vacation policy must be enforced in order to be effective. In at least one recent well-publicized case, the firm had such a policy, but the trader involved had not taken the full, mandatory, consecutive vacation in several years. Exemptions should not be granted except in unusual circumstances and repeated requests for exemptions should be considered a red flag warranting additional monitoring. Firms also should assure that their systems support blocking employees on mandatory vacation from accessing firm systems.
A mandatory vacation policy may not be feasible or reasonable for all firms. However, we urge firms to consider it as part of their risk management procedures. If a firm determines not to adopt such a policy, it should consider other methods of identifying and reviewing the trading activity of traders who have not taken an extended vacation in the past year.
Heightened Scrutiny of Red Flags
As firms review their internal controls, they should pay attention to whether they are both adequately mining available trade data for red flags and following up on those red flags where appropriate. Among other things, firms should monitor, and, when necessary, conduct heightened scrutiny of:
• Trading limit breaches. At least one firm surveyed recently has implemented a tool that allows for monitoring of limit breaches by a trading book or individual trades in real-time, and can be set to generate alerts based on a range of parameters, including the notional value of a trade, share size (net/gross position), amount of orders or traders per day and total dollar value per day.
• Unrealized profit and loss (P&L) on unsettled transactions. Trading desk managers and financial control managers should pay careful attention to sizeable amounts of unrealized P&L and should understand the nature of the transactions creating these amounts.
• Unusual patterns of cancellations and corrections, particularly those involving multiple cancellations or corrections by the same trader or involving the same counter-party. Certain firms prohibit a front-office trader or salesperson from entering cancels and corrects into the trading system and limit the entry of these transactions to mid-office (e.g., those involved in risk management) or back-office (e.g., those involved in settlement services) personnel.
• Transactions in which confirmation and settlement do not occur on a timely basis, or where settlement is outside of normal cycles.
• Reports of aged unresolved reconciling items and aged outstanding confirmations.
• Reports of P&L that exceed a certain de minimis amount by traders who are supposed to be flat, or unusually large one-day P&L reports.
• The details underlying a trader’s Value at Risk (VaR), including the long and short positions, on a daily or intra-day basis, as appropriate. Firms should also consider other risks associated with a trader’s positions, such as liquidity risk, the adequacy of hedges and the risks associated with imperfect hedges. This includes understanding and reviewing the valuation of all positions, particularly positions in exotic instruments or instruments that have little or no market.
• Repeated or unusual requests by a trader to relax existing controls, including position or P&L limits.
• Trading in products that are outside of a trader’s known expertise, without prior approval.
• Any other unusual or significant differences between a trader’s account positions and the account activity, such as might be detected by comparison of gross and/or net position to the cash flows of positions; i.e., margin/collateral calls to and from counterparties to the trades.
• A pattern of aged fails to deliver for long or short sales.
Whether these data points are reviewed manually, or with the use of automated surveillance tools, or some combination, a firm’s controls should not just note deviations from normal trading patterns as red flags that might signal proprietary business risk, but as signals of possible regulatory risk as well. And, to the extent that firms use automated surveillance tools to identify such items, their internal control systems should include adequate and routine maintenance and testing of those systems.
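As an added illustration (not part of the FINRA text), the sketch below runs three of the red-flag checks listed above over a small constructed blotter: daily notional limit breaches, clusters of cancels and corrects by the same trader with the same counterparty, and cancels or corrects entered by front-office staff. The event layout, trader and counterparty names, limits and threshold are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample blotter events:
# (trade date, trader, counterparty, event type, notional USD, role that entered it)
EVENTS = [
    ("2024-03-04", "t_alice", "CP1", "NEW",     4_000_000, "front"),
    ("2024-03-04", "t_alice", "CP2", "NEW",     7_000_000, "front"),
    ("2024-03-04", "t_bob",   "CP3", "NEW",     2_000_000, "front"),
    ("2024-03-05", "t_bob",   "CP3", "CANCEL",  2_000_000, "back"),
    ("2024-03-05", "t_bob",   "CP3", "CORRECT", 2_500_000, "front"),
    ("2024-03-06", "t_bob",   "CP3", "CANCEL",  2_500_000, "front"),
    ("2024-03-06", "t_alice", "CP1", "CANCEL",  4_000_000, "mid"),
    ("2024-03-06", "t_carol", "CP1", "NEW",     1_000_000, "front"),
]

# Assumed parameters; a firm would set these per desk and product.
DAILY_NOTIONAL_LIMIT = {"t_alice": 10_000_000, "t_bob": 5_000_000}
AMEND_THRESHOLD = 3
AMENDMENTS = {"CANCEL", "CORRECT"}


def limit_breaches(events, limits):
    """Days on which a trader's gross notional of new trades exceeds the limit.

    A trader with no configured limit is treated as having a limit of zero,
    so missing configuration raises an alert instead of hiding activity.
    """
    totals = defaultdict(int)
    for day, trader, _cp, kind, notional, _role in events:
        if kind == "NEW":
            totals[(day, trader)] += notional
    return sorted((d, t, n) for (d, t), n in totals.items() if n > limits.get(t, 0))


def amendment_clusters(events, threshold):
    """Trader/counterparty pairs with at least `threshold` cancels or corrects."""
    counts = Counter((t, cp) for _d, t, cp, kind, _n, _r in events if kind in AMENDMENTS)
    return sorted((t, cp, c) for (t, cp), c in counts.items() if c >= threshold)


def front_office_amendments(events):
    """Cancels and corrects entered by the front office rather than mid or back office."""
    return [(d, t, kind) for d, t, _cp, kind, _n, role in events
            if kind in AMENDMENTS and role == "front"]


if __name__ == "__main__":
    print("limit breaches:", limit_breaches(EVENTS, DAILY_NOTIONAL_LIMIT))
    print("amendment clusters:", amendment_clusters(EVENTS, AMEND_THRESHOLD))
    print("front-office amendments:", front_office_amendments(EVENTS))
```

Each function returns the records a reviewer would follow up on, so the same checks can be rerun with known inputs as part of the routine testing of surveillance tooling that the paragraph above calls for.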
Protection of Systems and Risk Management Information
In some cases, rogue traders have been able to falsify a firm’s books and records to conceal illicit trading activity due to lapses in password security and other systems protections. Firms should make certain that each employee’s access to systems is limited strictly to what is appropriate for the employee’s function within the firm. This control should not be limited to traders; it should be in place for any employee whose role includes access to trading systems. If an employee’s function changes within the firm, the firm should make sure that the employee’s access changes accordingly. For example, if an employee moves from the back office to a trading desk, that employee’s access should be changed to reflect his or her new role, and access to the back-office functions should be revoked. Firms should also make sure that access is suspended during any mandatory vacation period and cancelled promptly if the employee leaves the firm.
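The access rules in the paragraph above can be checked mechanically. The following added example (not from the FINRA text) reviews a constructed employee directory and login log for three conditions: entitlements left over after a role change, accounts still holding access after termination, and logins inside a mandatory vacation window. The role model, record fields, identifiers and dates are assumptions made for the example.

```python
from datetime import date

# Assumed role model: the system entitlements each function may hold.
ROLE_ENTITLEMENTS = {
    "trader": {"order_entry", "position_view"},
    "back_office": {"settlement", "cancel_correct", "position_view"},
}

# Constructed sample directory records.
EMPLOYEES = [
    # Moved from the back office to a trading desk; settlement access was never revoked.
    {"id": "e100", "role": "trader", "status": "active",
     "entitlements": {"order_entry", "position_view", "settlement"}},
    # On mandatory vacation during the constructed window below.
    {"id": "e200", "role": "trader", "status": "active",
     "entitlements": {"order_entry", "position_view"},
     "vacation": (date(2024, 8, 5), date(2024, 8, 16))},
    # Left the firm but still holds an entitlement.
    {"id": "e300", "role": "back_office", "status": "terminated",
     "entitlements": {"settlement"}},
]

# Constructed sample authentication log: (employee id, date, channel).
LOGINS = [
    ("e100", date(2024, 8, 7), "office"),
    ("e200", date(2024, 8, 7), "vpn"),
    ("e200", date(2024, 8, 19), "office"),
]


def excess_entitlements(employees, role_model):
    """Active employees holding entitlements their current role does not allow.

    An unknown role allows nothing, so every entitlement it holds is reported.
    """
    findings = {}
    for emp in employees:
        extra = emp["entitlements"] - role_model.get(emp["role"], set())
        if emp["status"] == "active" and extra:
            findings[emp["id"]] = sorted(extra)
    return findings


def leaver_access(employees):
    """Terminated employees whose access has not been cancelled."""
    return sorted(e["id"] for e in employees
                  if e["status"] == "terminated" and e["entitlements"])


def vacation_logins(employees, logins):
    """Logins, physical or remote, dated inside the employee's vacation window."""
    windows = {e["id"]: e["vacation"] for e in employees if "vacation" in e}
    return [(emp, day.isoformat(), channel) for emp, day, channel in logins
            if emp in windows and windows[emp][0] <= day <= windows[emp][1]]


if __name__ == "__main__":
    print("excess:", excess_entitlements(EMPLOYEES, ROLE_ENTITLEMENTS))
    print("leavers with access:", leaver_access(EMPLOYEES))
    print("vacation logins:", vacation_logins(EMPLOYEES, LOGINS))
```

A login during the vacation window means the account was not actually blocked, which is the enforcement gap the mandatory vacation section warns about.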
Firms also should protect information about surveillance or monitoring systems and procedures that might help employees circumvent those systems. For example, knowledge that the firm divides responsibility for reviewing certain trade monitoring functions by product type might help a trader who is creating fictitious trades to avoid detection by creating trades involving different products, so that the trades would not all be reviewed by the same personnel. In at least one recent case, a trader’s intimate knowledge of back-office procedures and risk management procedures, including what would—and what would not—trigger heightened scrutiny, may have allowed him to avoid detection for a much longer period than he otherwise might have. Therefore, firms should limit knowledge about the details of their risk management procedures and systems to the extent possible and consider modifying them in response to personnel changes, such as a back office employee becoming a trader. Firms also should consider whether there are appropriate mechanisms in place to review all activity of a given trader.
Firms may want to consider more than a single password to allow access to certain systems. More sophisticated systems require three-factor authentication before access is allowed, including not only a password but also a security card or other I.D. such as a token ring, and a unique identifier such as a fingerprint. Firms need to weigh both the inconvenience and the cost of these additional security measures in determining which controls are appropriate.
Supervision and Accountability
Certain financial services companies have established matrix management structures such that employees may have both direct and dotted line reporting to multiple managers. While matrix management may make sense for an organization, it is important for employees to understand who they report to and what they are held accountable for in their day-to-day job responsibilities. Correspondingly, both the dotted line and the direct manager must have a clear sense of who is responsible for each aspect of the business. It is critical that responsibility for supervision of each aspect of the business be allocated to a specific manager and that these managers have frequent communications to understand their respective businesses. Documenting these supervisory responsibilities in writing is recommended.
Intercompany Transactions
Many FINRA firms are part of larger, complex financial services organizations. The FINRA member firm generally conducts a large number of intercompany transactions with its affiliates. Often the basic controls that are in place for third parties, including controls around credit risk and market risk, are waived for affiliated transactions. In light of the recent cases of unauthorized trading, firms may want to reevaluate whether certain third-party controls that limit their exposure would be appropriate for affiliated transactions. Further, reconciliations of intercompany transactions and balances should be performed on a regular basis.
Compliance Culture
As recent events have demonstrated, even the most rigorous internal controls and risk management procedures can fail if they are not effectively enforced and the effectiveness of that enforcement is directly related to the “tone at the top.” A corporate culture that marginalizes the individuals or departments responsible for trade reconciliation and risk management will undermine the effectiveness of even the most elaborate policies and procedures. In reviewing the adequacy of their internal controls around unauthorized proprietary trading by individual traders, firms should pay attention to any systemic or cultural dynamics that may undermine the effectiveness of those systems. For example:
• Do mid- and back-office functions have sufficient independence, clout and profile within the organization? To whom do they report?
• Are mid- and back-office personnel adequately trained and encouraged to raise issues about suspicious activity, even if it involves successful traders or activity that is generating profits for the firm, or doesn’t technically violate any limits?
• If operations, compliance or internal audit personnel receive a questionable or inadequate response by a trader, are they encouraged to challenge such a response and/or raise the issue to their supervisors where appropriate?
• If the firm operates in a global context, do its internal controls take into account any cultural differences that might discourage adequate internal oversight or reporting? For example, anonymous reporting might be appropriate in certain environments.