Securities Regulation:

SEC Can Further Enhance Its Oversight Program of FINRA

GAO-15-376: Published: Apr 30, 2015. Publicly Released: Apr 30, 2015.

A. Nicole Clowers
(202) 512-8678


Office of Public Affairs
(202) 512-4800

What GAO Found

Since GAO reported in May 2012, the Securities and Exchange Commission (SEC) has incorporated elements of a risk-management framework into its oversight program of the Financial Industry Regulatory Authority (FINRA). For example, SEC has developed and implemented procedures for identifying and assessing FINRA program risks, which then inform its annual oversight plan and activities for FINRA. In 2012, GAO found that SEC's approach to developing a risk-based approach to oversight of FINRA did not incorporate all the components of a risk-management framework. GAO recommended that SEC follow all components of a risk-management framework. While SEC has taken some actions, this report found that SEC's risk-based oversight program could be more robust and consistent with risk-management and federal internal control standards. Specifically, SEC has yet to

develop specific performance goals and measures, with corresponding targets to monitor its progress toward the goal of enhancing FINRA oversight;

formalize procedures for documenting its oversight determinations, such as selecting FINRA areas for inspections and any changes made to planned oversight activities; and

perform an assessment of internal risks, such as staff availability and competing priorities, to successfully meeting FINRA oversight program goals and objectives.

Complementary to its implementation of risk-assessment procedures to assist in selecting FINRA programs and operations for oversight, SEC also has taken a number of other steps to enhance its oversight of FINRA. One such step was creating and filling the position of Senior Special Counsel-FINRA and New Markets to work with SEC management in coordinating FINRA oversight activities and reviewing information to inform the risk assessment. Another step was the transition of its FINRA district office inspections, which evaluate various FINRA regulatory programs, from a set schedule (or cycle-based) model to a risk-focused model. Under this risk-focused model, staff analyze information and data, such as the number of high-risk firms in a district, to identify risks and make recommendations for which offices to inspect. A third step SEC took was revising its process for assessing FINRA's broker-dealer examinations to inform its assessment of FINRA program risks.

SEC also recently completed inspections of each of the areas listed in Section 964 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), such as governance and executive compensation. The inspections GAO reviewed were conducted in a manner generally consistent with Government Auditing Standards and the information gathered was further used to inform SEC's FINRA risk assessment. GAO did not validate the findings of the Section 964 area inspections it selected for review.

Why GAO Did This Study

The securities industry is generally regulated by a combination of federal and industry regulation and oversight. FINRA, a self-regulatory organization, is responsible for regulating securities firms doing business with the public in the United States. SEC oversees FINRA's operations and programs.

Section 964 of the Dodd-Frank Act mandates GAO to triennially review and report on aspects of SEC's oversight of FINRA. GAO issued its first report in May 2012 (GAO-12-625). This report (1) assesses SEC's implementation of a risk-based framework for overseeing FINRA; (2) reviews SEC oversight activities of FINRA operations; and (3) assesses recent inspections of areas listed in Section 964.

GAO reviewed and compared SEC documentation on its risk-based oversight with generally accepted risk-management frameworks, and performance management and internal control standards. GAO analyzed SEC inspection procedures for self-regulatory organizations and inspections of four Section 964 areas, against Government Auditing Standards. GAO selected the four inspections partly based on SEC's FINRA risk assessment and frequency of SEC oversight. GAO also interviewed SEC and FINRA officials.

What GAO Recommends

SEC should establish specific performance goals and measures, enhance documentation of oversight determinations and changes, and conduct an assessment of internal risks. In response, SEC described the actions it plans to take.

For more information, contact A. Nicole Clowers at (202) 512-8678 or

Recommendation for Executive Action

  1. Status: Open

    Comments: SEC created the FINRA and Securities Industry Oversight (FSIO) Program as part of the restructuring of its oversight programs. SEC is working with a consultant to create risk management guidance for all examination programs and in particular, FSIO is working with the consultant to expand its current risk-assessment program (guidelines and procedures). FSIO is also developing a draft strategic plan to implement the procedures and working with the consultant to develop specific goals and measures for the program as well as a performance goal for its risk-assessment and inspection planning process. Although the current risk-assessment guidelines have not been adopted, FSIO has continued to follow the procedures in the guidelines while new guidance is being developed. FSIO has enhanced the existing procedures to require an addendum to the annual inspection and oversight examination plan that documents changes to the planned activities and the rationales for the changes. FSIO has prepared addenda for FY 2015, 2016 and 2017. FSIO has also modified its existing risk-assessment guidelines to include an assessment of internal risks that could affect FSIO's ability to execute its planned FINRA oversight. The Program has prepared memoranda of such assessments for FY 2016 and 2017 inspection plans. FSIO needs to finalize its draft strategic plan to fully implement this recommendation.

    Recommendation: To improve SEC's FINRA oversight program, the SEC Chair should direct the appropriate offices and divisions to incorporate additional risk-management practices by taking several actions, including: (1) establishing specific performance goals for the program and performance measures and related targets to assess Market Oversight's progress in meeting those goals; (2) formalizing documentation of procedures, including procedures for making changes to the annual planned oversight activities and decision-making rationales; and (3) modifying existing risk-assessment procedures to require an assessment of internal risks to successfully meeting the FINRA oversight program's goals and objectives.

    Agency Affected: United States Securities and Exchange Commission

