SEC Rule 17a -5 One year after reporting rule changes, there is still work to be done

SEC Rule 17a-5 one year later 2

One year after reporting rule changes, there is still work to be done Changes to SEC Rule 17a-5 were meant to strengthen protection for investors. In carrying out the amended regulations, broker-dealers should take steps to ensure continued compliance.

It has been a year since the SEC finalized amendments to Rule 17a-5, which governs the financial statement reporting of brokers and dealers. As part of these amendments, a new requirement was implemented – broker-dealers are required to file either a Compliance Report or an Exemption Report, depending on whether the broker-dealer carries customers’ funds or securities – and stronger audit and oversight requirements go along with it.

Although year one implementation challenges have passed, broker-dealers should continue to keep pace with the latest industry developments. They should continue to refine their approaches and master these requirements.

SEC Rule 17a-5 one year later 3

After living with the new rule for a year, many firms have had a number of common experiences.

Ambiguity around implementation remains. As with any new regulation, there was a level of uncertainty regarding implementation of the amendments. Questions such as which internal controls over financial reporting to include, how to determine and apply materiality, account scoping, and the level of testing and documentation by management continue to be discussed.

Many firms used this as an opportunity to take a fresh look at Written Supervisory Procedures and reduce “key man risks.” Often, because of knowledge and experience, a single person may perform the review of the activity. What happens if this key person isn’t available? Would the replacement know what to look for? In an effort to better document and review controls, broker-dealers are including specific review procedures and thresholds for escalation. Broker-dealers can now treat this as institutional knowledge instead of personal knowledge.

Challenges around completeness and accuracy of reports. Under PCAOB guidance, auditors have been very focused on the completeness and accuracy of the information they receive from broker-dealers. Many broker-dealers use systems and technology that have been built in house many years ago. These systems and reports may not have undergone periodic testing and as a result, broker-dealers have found it difficult to provide report logic details and report parameters to their auditors for testing. Broker-dealers should consider implementing or enhancing report testing procedures going forward.

Difficulty scoping customer account statement controls. Many broker-dealers utilize a third-party service provider to produce customer account statements and saw the related controls as the responsibility of the service provider. Although the activities are being outsourced, firms are still responsible for oversight and implementing effective internal controls.

Spreadsheet controls identified as key controls. The reserve formula and net capital computation are often performed in and supported by spreadsheets, and many firms found that controls did not exist to validate and protect the data in these spreadsheets. Examples of spreadsheet controls that have been implemented include locked cells and calculations and user access controls. Periodic reviews of spreadsheets can help make sure the data is being captured correctly.

Considerations on controls around intercompany balances. Broker-dealers that are part of a larger organization need to consider controls over intercompany balances. Although these balances eliminate from the accounts at the ultimate parent level, intercompany relationships and transactions do impact broker-dealer subsidiaries of larger organizations. In addition, PCAOB Auditing Standard No. 18 requires a robust analysis of related party balances, controls and transactions, and so the approach to risk assessing these balances and accounts must continue to be refined.

What they’re saying: reactions from the street

SEC Rule 17a-5 one year later 4

Potential themes have been identified in the first round of Compliance Report filings, and all carrying broker-dealers should assess themselves in light of these themes.

Make sure internal decision-makers know the rules and how their responsibilities relate to it. Knowledge of the rules across all parts of the organization is key to successful application and compliance. Much of the interpretation of the Financial Responsibility Rules (“FRRs”) subject to the Compliance Report rests with Finance and Regulatory Reporting departments; however it is imperative that Operations personnel as well as Information Technology departments understand the impact that their work can have on broker-dealer reporting and compliance with the FRRs.

In instances where Regulatory Reporting relies on people providing the data who may not have full appreciation of the rules, there tends to be no coherent ownership of the entire compliance process. If people provide data without understanding the regulatory impact, or if people have the authority to take relevant action without understanding the implications on compliance, the potential for non-compliance arises.

To have effective internal controls over compliance, broker-dealers need to make sure their people understand the roles they play in complying with it. People need to be able to recognize indications that something is out of the ordinary so they can escalate issues by communicating with Regulatory Reporting. The alternatives include compliance failure, internal control breakdowns, or both.

Align the entity's Treasury department with the new requirements. A lack of understanding of the Net Capital and Customer Protection Rules by the Treasury function can lead to more pronounced problems. It’s Treasury’s role to move funds

from place to place – and amid a multitude of competing priorities and directives, it may be difficult for them to understand all of the nuances of the Net Capital and Customer Protection rules. Moving the wrong funds at the wrong times or to inappropriate (e.g., affiliate, off-shore) bank accounts could trigger non-compliance. And because the balances of funds being moved can be large, Treasury errors can lead to large errors.

It is important for all functions across the firm, and more specifically, Treasury, to clearly understand the rules and the implications of the actions that they take.

Be vigilant about service providers’ performance. When a broker-dealer relies on a third party for functions such as producing customer statements, it relies on that third party’s controls and reporting quality. During the first year under amended Rule 17a-5, many broker-dealers didn’t place enough focus on their service providers’ practices. This includes assessing third-party reports and identifying issues or incorporating end-user controls as part of the broker-dealers controls. Broker-dealers should also assess the service auditor reports to determine that they are the appropriate timeframe and identify and address any issues that came up through the audit.

To mitigate the risks involved, including mismatched reporting timeframes and control deficiencies, broker-dealers should have enhanced processes and controls documentation and more active oversight.

What are the most important considerations at this stage?

SEC Rule 17a-5 one year later 5

Every broker-dealer to whom the rule applies should self-assess in a number of critical areas. Are the right controls in place? Are you confident that all of the people who have a role in compliance understand their roles? Are there sufficient controls and documentation around third-party relationships?

Broker-dealers have made it through the first year of compliance with amended Rule 17a-5 but the focus going forward should be on how to make this a sustainable process, including establishment of an ongoing monitoring process and solidifying resource requirements.

Moving into year two, broker-dealers should consider performing the following:

• Take a fresh look at their calculations to achieve compliance

• Assess feedback from auditors/regulators and the themes identified above and determine if additional action needs to be taken

• Determine how to make the process sustainable moving forward; consider how to enhance documentation and controls framework and formalize the testing schedule

• Determine what function (e.g. Operations Control or Internal Audit) will perform management testing over the controls supporting the Rule 17a-5 assertions as well as how this testing will be performed. This should also address if any exceptions were to occur, how those exceptions would be aggregated and reported.

Think of year one under the new rule as a race to compliance – and the time after it as a period of refinement. There are many players involved, including your auditors, the SEC, the PCAOB, FINRA, and the third parties each broker-dealer does business with. The institutions that take the most care to understand and fine-tune their approaches are the ones that are likely to fair the best.

What are the critical next steps?

About the Deloitte Center for Regulatory StrategiesThe Deloitte Center for Regulatory Strategies provides valuable insight to help organizations in the financial services, health care, life sciences, and energy industries keep abreast of emerging regulatory and compliance requirements, regulatory implementation leading practices, and other regulatory trends. Home to a team of experienced executives, former regulators, and Deloitte professionals with extensive experience solving complex regulatory issues, the Center exists to bring relevant information and specialized perspectives to our clients through a range of media including thought leadership, research, forums, webcasts, and events.

www.deloitte.com/us/centerregulatorystrategies

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2015 Deloitte Development LLC. All rights reserved.Member of Deloitte Touche Tohmatsu Limited

Gina Greer Partner Deloitte & Touche LLP +1 212 436 5868 ggreer@deloitte.com

Michael Jamroz Partner Deloitte & Touche LLP +1 202 879 5310 mjamroz@deloitte.com

Felicia Sokalski Partner Deloitte & Touche LLP +1 973 602 6237 fsokalski@deloitte.com

Tom Rollauer Executive Director Center for Regulatory Strategies Deloitte & Touche LLP +1 212 436 4802 trollauer@deloitte.com

Jesselyn Garrisi Senior Manager Deloitte & Touche LLP +1 646 872 4704 jgarrisi@deloitte.com

Timothy Vintzel Partner Deloitte & Touche LLP +1 973 602 5148 tvintzel@deloitte.com

Chris Donovan Partner Deloitte & Touche LLP +1 212 436 4478 chrdonovan@deloitte.com

Advisory

Contacts

Audit

The Center wishes to thank the following additional Deloitte professionals for their contributions and support:

Lara Hamilton, Senior manager, Deloitte & Touche LLP Zach Dressander, Senior marketing specialist, Deloitte Services LP