Richard Ketchum, Chairman and CEO of the Financial Industry Regulatory Authority (FINRA), recently shared his thoughts on the top 3 regulatory concerns for 2016 at the SIFMA Annual Conference. His observations were in response to Ben A. Indek, an attorney at Morgan Lewis, who asked Ketchum what to expect in next year’s annual examination priorities letter. He replied with three key issues: outsourcing, cyber risk and liquidity concerns.
On outsourcing, Ketchum said, “It’s entirely appropriate for firms to make those decisions … but those decisions have to be made with supervision challenges absolutely top of mind.” This has been a major focus for the agency in the past, and apparently will continue to be so.
With respect to cybersecurity, Ketchum strayed from data protection and instead focused on recordkeeping. He specifically noted that “Firms have to insure that email records and other social media records are maintained on unalterable forms.” Ultimately, while most firms have addressed the maintenance of records, he noted that there are a number of situations where these records are not being maintained in ways that prevent the data from being altered or modified.
Finally, Ketchum also noted the issue of liquidity risk as a problem area, especially for financial firms beneath the holding company level that can potentially cause systematic risk to client accounts. To support this claim, he recalled FINRA’s stress test of 43 firms earlier this year that focused on several potential stresses including repo positions, deposits with clearing firms and counterparties, funding for customer withdrawals and forced deleveraging. Thirty-seven firms passed the test, six didn’t. Ketchum noted that the six firms that failed the test are now under “heightened surveillance”.
Additionally, in keeping with comments previously made by Ketchum at the 2015 National Conference for The National Society of Compliance Professionals, he noted that while FINRA withdrew its Comprehensive Automated Risk Data System (CARDS) proposal earlier this year, it is not abandoning the idea of finding ways to create an effective warning system based on big data.
In any event, outsourcing and cybersecurity are clearly on the regulatory screen for 2016 for small and mid-sized firms, and those firms need to focus on addressing any weaknesses identified in those areas.