By Carlos Guillen, President & CEO
July 10, 2020
Originally published in IAA Today, an Investment Adviser Association publication.
It has now been almost 20 years since the first computer software was introduced to help compliance ofcers automate the many tasks involved in the day-to-day management of a company’s risk and compliance program. Over this time, compliance technology software has become increasingly sophisticated with fully integrated solutions that can track multiple tasks in different functional areas on a common platform optimizing compliance and risk management programs.
While compliance technology solutions have provided chief compliance officers (CCOs) with the tools to better manage the myriad of compliance tests and procedures, the challenges they face have also increased proportionately as a result of increased FINRA and SEC regulation and the promulgation of complex new rules. When you add in additional reporting requirements which come with industry consolidation, acquisitions or global expansion, harnessing the capabilities of compliance technology to meet these new challenges becomes a goal unto itself.
The purpose of this brief is to share the experiences of compliance professionals and consultants on how they maximize the benefits of compliance technology for their firms and for their clients. We will be looking at three key measurements criteria in assessing compliance technology benefits – effectiveness, efficiency and risk reduction.
How does compliance technology maximize the effectiveness of a company’s compliance program? Jon Wowak, chief operating officer at Cipperman Compliance Services, believes that technology allows firms to create an accurate ‘audit’ trail of documentation and communications, which provides the flexibility to timely customize compliance programs based on a firm’s own business model. Wowak points out that the systems used to manage compliance programs also enable firms to have a centralized location to maintain their books and records.
Other compliance professionals equate compliance effectiveness with a level of confidence that is generated from knowing that their compliance programs are meeting regulatory requirements. Jennifer Relien, general counsel and chief compliance officer at Prosperity Capital Advisors, maintains that, “having a software program that allows our firms to identify, track, document and retain information for our compliance program has given us the confidence that our compliance program is effective and meets regulatory requirements.”
Brian Robling, senior consultant with SEC Compliance Consulting, agrees that being able to remotely review an entire testing program all the way from the policy itself, the test results and even working papers in one place can be very valuable. He adds, “to be able to see if what’s actually being done actually supports the policies that you’re testing then, from a measurement standpoint, it affords more peace of mind.”
How do you measure the effectiveness of a compliance program? Compliance professionals measure the impact of technology on the effectiveness of their programs in different ways. Relien believes that the ability to efficiently pull information, fulfill daily work tasks and respond to regulators quickly is qualitative evidence that compliance technology is working. On the other hand, Wowak says that his organization measures the effectiveness of technology by including an assessment during each year’s annual compliance review. For example, they would assess whether regulatory changes were timely and accurately made to a compliance program.
During the past year, the SEC has released cybersecurity information for best practices within investment advisory firms, Wowak points out. Through technology, we are able to distribute those changes, obtain acknowledgements from employees/vendors and establish an audit timeline to ensure those regulatory updates were implemented in an effective manner. We then used the annual review process to verify this implementation.
One critical area that compliance professionals look at closely is audit quality and the impact that technology has in this critical area. The audit trail and time stamp of communications, by far, provides the means to measure the quality of the compliance task delivered to a client or a firm, observes Wowak. The ease of pulling information and reports for an annual review is also a major benefit for ensuring audit quality, adds Relien.
Specifically, for one client, Wowak added, “we had an instance where an employee was habitually late on his code of ethics certification. He said he was not being informed and provided access to the necessary information to make the certification. Using technology, we were able to verify that the date/time that the certification was delivered to his email and when he accessed the certification.” This ability to verify the time stamp of the workflow allowed us to defend the compliance program to the regulators and ensure that the certifications were delivered on a timely basis.
“The best compliance software systems will package up all of your testing material,” said Robling. “Once you assign the date parameters, it will produce all of the documentation pretty much at the touch of a button. With an examination situation it can save you a ton of time.”
How does compliance technology contribute to maximizing efficiency and productivity in compliance programs? According to Relien, “We have been able to add additional tests and mitigation efforts without significantly increasing our workload or the need to hire additional staff.”
“From a consultant’s perspective, when regulations change, we are able to make sweeping changes to our templates and policies affecting our 90+ clients,” said Wowak. “We can also deliver certifications or other forms to many recipients during a single instance rather than using email or other means to reach our clients’ employees.”
Wowak cites another instance with a client with 90+ plus employees in three locations in the United States. A few months ago, they had to email individual pdf files of the certification to each employee and manage them on a one-by-one basis. Technology then allowed them to centralize the distribution of the certification which saved hours of work.
In addition, by using technology to manage a firm’s code of ethics templates, Wowak added, we are able to update and make revisions to the certifications once and then “deliver” that template to each of our 90+ clients instead of making 90+ pdf file changes. Significant time is saved by using technology to manage templates that can be used by all of clients.
“Technology offers the opportunity to share resources and combine processes into a single campaign when you have similarly aligned projects that may have common properties, references or source files and then delegate among different team members,” said Robling. “So instead of having a separate test for each one, you align the campaigns, and everybody works toward a common goal and can move through the processes more quickly without using redundant tasks. Not only does this save time but also increases productivity down the line.”
How are efficiency and productivity gains measured? Wowak observes that from a high-level perspective, efficiency can be measured through the ease of use and satisfaction of users. From a detailed, more quantitative approach, efficiency and productivity can be measured by the time spent utilizing the technology as compared to prior years when no technology was used. Any efficiencies gained would be clearly evident when the time analysis is completed.
Another way to measure efficiency, adds Relien, is the time it takes to complete a routine SEC examination. “Technology enables compliance professionals to quickly respond to numerous requests as a result of leveraging the software platform. The information leveraged from the technology solution is robust and comprehensive, and at times more than meets a SEC examiner needs.”
How does technology impact the levels of risk reduction for a firm’s compliance program? Relien says that she would not feel comfortable being a CCO without an effective technology solution to support their compliance program. “The rules governing our business are vast and technical. It would be too easy for issues and tasks to fall through the cracks, raising the risk prole of the firm.”
For Robling, he looks at risk reduction a bit differently. He sees risk reduction stemming from the elements of both enhanced supervision and the systematic testing and being able to delegate it to people more closely related to the process. “Keeping in mind that, of course, you need to keep people from testing themselves. If you can have an operational expert testing processes with which they’re intimately familiar, and then you as CCO are reviewing that testing, it allows you to refine your efforts and focus on assessing the effectiveness of the tests.”
“A software-based compliance program allows a firm to communicate with employees in a timely and efficient manner and minimizes the risks of policy changes not being made effectively,” says Wowak. “Technology also enable firms to develop documentation that is designed to protect client-firm employees from regulatory scrutiny by giving them the means to timely and accurately make disclosure to the CCO. All of this contributes to risk reduction for firms.”
How do you measure risk reduction gains from technology? As it relates specifically to the Code of Ethics program, each quarter is tested and reviewed to ensure that client personnel have pre-cleared any transactions that may be prohibited by the client, notes Wowak. “By using technology over the pre-clearance program, the client greatly reduces the risk around not having an adequately designed Code of Ethics program.”
Using a technology platform over the pre-clearance process has allowed us to centralize the pre-clearance forms. We do not have to worry about searching emails or other depositories to look for all employee forms. We also then can match the pre-clearance forms to the employee transactions on an automated basis, which saves considerable time and effort for our staff.
Actually, measuring any gains in risk reduction will show up in the risk assessment process itself, adds Robling. For example, if it increases the frequency with which senior management and the CCO are reviewing testing, that in and of itself acts as an additional control.
A client’s risk prole is reduced by using a compliance technology in two ways – through data centralization and an audit trail of communications. “When Cipperman implemented the BasisCode software to address these two main objectives,” noted Wowak, “we expected the system to provide those risk reduction items. However, what we didn’t expect was for regulators to respond favorably simply because we were utilizing technology to manage portions of the overall compliance program.” “Our interactions with regulators have been enhanced since they expect us to deliver a timely and effective compliance program. Technology allows us to both represent that, to any regulator, as well as deliver that to our client firms.”
A technology platform provides a centralized location to manage a firm’s code of ethics program. Wowak pointed out that during a client’s SEC audit, we were able to demonstrate the use of technology to centralize and manage this process along with being able to quickly produce the auditable documentation they requested ( i.e . certifications, pre-clearance forms, statements, etc.).
In a Thomson Reuters study of global compliance professionals, close to 75 percent of those interviewed agreed that the successful deployment of compliance technology drives up efficiency and effectiveness allowing more time to focus on value-add activities. One ramification of the move towards technology is the potential, longer-term need for fewer compliance staff, but a staff that is more experienced and better paid.
Another finding from the Reuters study, and one that is in forefront in the minds of most CCOs and regulators, is the need to address cybersecurity issues. Those firms that have an effective and efficient technology platform in place are far better equipped to implement measures that safeguard a firm and its clients’ data than those firms who do not have such a platform in place.
In the event of serious business disruption such as what the nation is experiencing right now with COVID-19, compliance staff and employees must be able to work remotely and have access to a shared and integrated technology platform in order to maintain a smooth functioning compliance and rick management programs. Compliance programs are most vulnerable to breakdowns when market volatility is exceedingly high due to catastrophic events like the current global pandemic.
After a several decades of slow but steady integration of technology into a company’s compliance program, the message is quite clear that compliance technology is now firmly embedded in the risk and compliance management programs that are considered to be the most effective, efficient and audit ready.