Securities Regulation: SEC Can Further Enhance Its Oversight Program of FINRA
What GAO Found
Since GAO reported in May 2012, the Securities and Exchange Commission (SEC) has incorporated elements of a risk-management framework into its oversight program of the Financial Industry Regulatory Authority (FINRA). For example, SEC has developed and implemented procedures for identifying and assessing FINRA program risks, which then inform its annual oversight plan and activities for FINRA. In 2012, GAO found that SEC's approach to developing a risk-based approach to oversight of FINRA did not incorporate all the components of a risk-management framework. GAO recommended that SEC follow all components of a risk-management framework. While SEC has taken some actions, this report found that SEC's risk-based oversight program could be more robust and consistent with risk-management and federal internal control standards. Specifically, SEC has yet to
develop specific performance goals and measures, with corresponding targets to monitor its progress toward the goal of enhancing FINRA oversight;
formalize procedures for documenting its oversight determinations, such as selecting FINRA areas for inspections and any changes made to planned oversight activities; and
perform an assessment of internal risks, such as staff availability and competing priorities, to successfully meeting FINRA oversight program goals and objectives.
Complementary to its implementation of risk-assessment procedures to assist in selecting FINRA programs and operations for oversight, SEC also has taken a number of other steps to enhance its oversight of FINRA. One such step was creating and filling the position of Senior Special Counsel-FINRA and New Markets to work with SEC management in coordinating FINRA oversight activities and reviewing information to inform the risk assessment. Another step was the transition of its FINRA district office inspections, which evaluate various FINRA regulatory programs, from a set schedule (or cycle-based) model to a risk-focused model. Under this risk-focused model, staff analyze information and data, such as the number of high-risk firms in a district, to identify risks and make recommendations for which offices to inspect. A third step SEC took was revising its process for assessing FINRA's broker-dealer examinations to inform its assessment of FINRA program risks.
SEC also recently completed inspections of each of the areas listed in Section 964 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), such as governance and executive compensation. The inspections GAO reviewed were conducted in a manner generally consistent with Government Auditing Standards and the information gathered was further used to inform SEC's FINRA risk assessment. GAO did not validate the findings of the Section 964 area inspections it selected for review.
Why GAO Did This Study
The securities industry is generally regulated by a combination of federal and industry regulation and oversight. FINRA, a self-regulatory organization, is responsible for regulating securities firms doing business with the public in the United States. SEC oversees FINRA's operations and programs.
Section 964 of the Dodd-Frank Act mandates GAO to triennially review and report on aspects of SEC's oversight of FINRA. GAO issued its first report in May 2012 (GAO-12-625). This report (1) assesses SEC's implementation of a risk-based framework for overseeing FINRA; (2) reviews SEC oversight activities of FINRA operations; and (3) assesses recent inspections of areas listed in Section 964.
GAO reviewed and compared SEC documentation on its risk-based oversight with generally accepted risk-management frameworks, and performance management and internal control standards. GAO analyzed SEC inspection procedures for self-regulatory organizations and inspections of four Section 964 areas, against Government Auditing Standards. GAO selected the four inspections partly based on SEC's FINRA risk assessment and frequency of SEC oversight. GAO also interviewed SEC and FINRA officials.
SEC should establish specific performance goals and measures, enhance documentation of oversight determinations and changes, and conduct an assessment of internal risks. In response, SEC described the actions it plans to take.
Recommendations for Executive Action
United States Securities and Exchange Commission: To improve SEC's FINRA oversight program, the SEC Chair should direct the appropriate offices and divisions to incorporate additional risk-management practices by taking several actions, including: (1) establishing specific performance goals for the program and performance measures and related targets to assess Market Oversight's progress in meeting those goals; (2) formalizing documentation of procedures, including procedures for making changes to the annual planned oversight activities and decision-making rationales; and (3) modifying existing risk-assessment procedures to require an assessment of internal risks to successfully meeting the FINRA oversight program's goals and objectives.
SEC created the FINRA and Securities Industry Oversight (FSIO) Program within the Office of Compliance Inspections and Examinations (OCIE) as part of the restructuring of its oversight programs. To address our first recommendation, FSIO developed a Strategic Plan that included strategic goals and objectives that support the respective strategic goals and objectives of SEC and OCIE. In addition, FSIO developed a Risk Management Framework Guidance. FSIO stated that the Guidance provides the framework for the development and subsequent modification, if necessary, of FSIO's Strategic Plan. FSIO has developed an initial set of metrics and key performance indicators, which are included as part of the Risk Management Framework Guidance. To address our second recommendation, FSIO documents the strategic goals and the related metrics and performance indicators in the FSIO Strategic Plan and the FSIO Risk Inventory Matrix. Additionally, FSIO's Risk Management Framework Guidance has enhanced the existing procedures to require FSIO staff to prepare an addendum to the written inspection and oversight examination plan to document proposed changes to the annual planned oversight activities and related rationales. FSIO has prepared addenda for FY 2015, 2016 and 2017. Lastly, to address our third recommendation, FSIO's Risk Management Framework Guidance incorporates a process to assess internal and external risks that could affect FSIO's ability to execute its planned FINRA oversight. FSIO stated that it began incorporating an assessment of internal risks in the development of its fiscal year 2016 inspection and oversight examination plan and continued to do so in developing its fiscal years 2017 and 2018 plans. Further, FSIO documents in the Risk Inventory Matrix its assessment of internal and external risks and management's determination of the appropriate response to mitigate these risks. FSIO has prepared memoranda of such assessments for the FY 2016 and 2017 inspection plans.