Securities Regulatory Outlook 2017

CAT, SBS, and other regulatory trends

Get ahead of new securities regulations and trends to better guide your compliance strategies, actions, and investments in 2017—and beyond.

A brief overview of the 2017 regulatory trends in securities

This publication is part of the Deloitte Center for Regulatory Strategy Americas' annual, cross-industry series on the year's top regulatory trends. The issues below provide a starting point for an important dialogue about future regulatory challenges and opportunities.

Download the full report for a deeper look at these trends.


DOL fiduciary definition

The final version of the Department of Labor’s (DOL) “Conflicts of Interest” rule (the Rule), which was published in the Federal Register in April 2016, includes an expanded definition of “fiduciary” under the Employee Retirement Income Security Act (ERISA). This new definition requires retirement investment advisers—including broker-dealers and insurance agents—to abide by a fiduciary standard of trust and undivided loyalty, rather than the lower standard of care (e.g., suitability) that may have previously been permissible.

As currently written, the Rule’s compliance timeline extends to the end of 2017, with substantial compliance requirements taking effect on April 10, 2017, and the remaining requirements taking effect on January 1, 2018. Affected advisers must be compliant with the ERISA fiduciary standards by April 10, 2017.

The Rule is complex and has potential impacts to many existing business and operating models across the financial services industry, including revenue streams, compliance programs, sales, services and compensation models, policies and procedures, and the customer experience.

Keep up to date with our latest thinking on the DOL Fiduciary Rule.


Shortened settlement cycle

On September 5, 2017, the financial services industry is scheduled to move from its current settlement cycle (trade date plus three business days—i.e., “T+3”) to a shortened settlement cycle (trade date plus two business days—i.e., “T+2”). The move will affect all trading transactions for US equities, corporate bonds, municipal bonds, and unit investment trusts (UITs), as well as for financial instruments such as American depositary receipts (ADRs) and exchange-traded funds (ETFs) that include those types of securities.

The first major milestone that firms will face in 2017 is the Depository Trust & Clearing Corporation (DTCC) industry testing, which will kick off in February 2017 and be conducted in 13 biweekly test cycles. In preparation, firms should be working with their vendors and service providers to ensure their internal testing is ready. Also, governance and budgets should already be in place, and efforts to build the necessary test environment should be well underway.


Consolidated audit trail

In July 2012, the Securities and Exchange Commission (SEC) approved Rule 613, which introduced the requirement for a consolidated audit trail (CAT)—a central repository of all US securities transactions for use by self-regulatory organizations (SROs) and the SEC for regulatory purposes.

When it goes into operation, the CAT will require all US broker-dealers and SROs to report all equity and options lifecycle events to the repository on a daily basis. It will also require US broker-dealers to submit customer account information to the repository. As a result, CAT will be the world’s largest repository of securities transactions, receiving an estimated 58 billion records per day.

In February 2015, the SROs submitted the CAT National Market System (NMS) Plan to operationalize the CAT. On November 15, 2016, the SEC unanimously approved the CAT NMS Plan. The NMS Plan, effective November 15, 2016, outlines the reporting requirements for industry participants as well as the requirements of the plan processor. The SROs will have 12 months to submit equity and options lifecycle events to the CAT. Large broker-dealers will be required to begin reporting within 24 months, and small broker-dealers will be required to report within 36 months.


Operational integrity

Regulators are expanding their role in overseeing and guiding the “operational integrity” of their regulated entities. This direct supervisory oversight of system integrity, security, and resilience within a business—which can be quite detailed and, at times, even prescriptive—is a major departure from regulators’ traditional arms-length approaches to operational and IT risk management. In effect, it imposes a rigorous testing and supervisory process to help ensure that companies:

  • Are following appropriate processes and procedures
  • Can identify and mitigate risks in a timely manner
  • Have sufficient controls in place to ensure a high level of system integrity, security, and resiliency

The large and growing potential for widespread damage from information system problems is prompting regulators in many industries to establish increasingly strict requirements and detailed guidance on how companies manage their IT systems and data.


New York DFS cybersecurity rules

Security threats posed by internal and external actors remain a major focus for regulators at all levels. As federal regulators continue to update existing cybersecurity guidance and consider new rules governing banks’ cybersecurity practices, the New York State Department of Financial Services (DFS), under the direction of Governor Andrew Cuomo, proposed to establish cybersecurity requirements that go beyond those at the federal level.

The New York State DFS proposal would require banks, insurance companies, and other DFS-regulated entities to establish a cybersecurity program and comply with related requirements. The proposal, which the DFS describes as a “first-in-the-nation” regulation, would establish a more prescriptive framework than any existing regulation. It would require firms to appoint a chief information security officer (CISO) and submit an annual certification to the DFS regarding compliance. Also, it includes prescriptive requirements, such as an annual risk assessment, annual penetration testing, and quarterly vulnerability testing.


Non-financial regulatory reporting

The SEC and Financial Industry Regulatory Authority (FINRA) rely on non-financial regulatory reporting, such as the Order Audit Trail System (OATS), an integrated audit trail that includes a wide range of information—including order, quote, and trade information for all NMS stocks and over-the-counter (OTC) equity securities, electronic blue sheets, large trader reporting, and large options position reports. The system is used to re-create events in the lifecycle of orders and to more completely monitor the trading practices of market participants, including member firms.

Both the SEC and FINRA are developing sophisticated data mining programs that will leverage big data technology to drive a risk-based process for examinations and enforcement actions. The SEC’s Division of Economic Research and Analysis (DERA) has been growing, staffing up with analysts, economists, and “quants.” Other groups have been staffing up as well, including the Risk and Examinations Office in the Division of Investment Management, the Risk Analysis Examination Team in the SEC exams office, and the Center for Risk and Qualitative Analytics.

Regulators are particularly focused on the quality of data with respect to non-financial regulatory reporting, a focus that has resulted in several recent high-profile enforcement actions. This increased scrutiny is affecting dozens of firms and generating millions of dollars in fines.


Liquidity management

Liquidity stress testing rules from the Federal Reserve Board (FRB)—such as the US liquidity coverage ratio (LCR) and enhanced prudential standards (EPS)—have pushed the impact down from bank holding companies and intermediate holding companies to their large broker-dealers by creating a need to extend the duration on securities transactions. This has led to an increase in various types of structured transactions—such as securities lending with maturity terms, collateral upgrades, and swaps transactions—to help extend short-term cash flow projections beyond the prescribed regulatory metrics.

In 2017, the implementation of these regulations will be scrutinized by multiple regulators, including the FRB, Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), SEC, and FINRA. At the same time, additional proposed regulations could be approved by the SEC. In particular, Rule 18a-1 could provide more regulation on liquidity for alternative net capital broker-dealers and security-based swap dealers (SBSD), while the rule’s additional initial margin requirements may affect SBSD funding profitability.


SEC enforcement sweep over customer protection

Over the past few years, there has been a trend of increased regulatory scrutiny over SEC Rule 15c3-3, the customer protection rule (CPR). The SEC recently announced its CPR initiative, which it describes as “a coordinated effort across divisions to find potential violations by other firms through a targeted sweep and by encouraging firms to self-report any potential violations of the Customer Protection Rule ….”

With the commencement of the CPR initiative and increased regulatory scrutiny, it’s essential that firms take a fresh look at their systems and processes that support compliance of CPR—including both possession or control and the reserve formula. Here are some key activities that firms should consider performing:

  • Revisit process documentation and system logic
  • Review causes of possession or control deficits
  • Review large debit balances in the reserve formula
  • Educate operations personnel on the importance of the rule
  • Increase communication between regulatory reporting and operations
  • Identify and remediate any “key man” risks
  • Document “unique” situations


Registration of security-based swap dealers

The SEC is in the process of finalizing rules related to security-based swaps (SBS), including the criteria under which firms will need to register as SBSDs. In addition to the registration requirements, the rules will specify the number of regulatory obligations and required capabilities, such as trade reporting and uncleared margin.

SEC rules related to SBS are expected to be finalized in 2017, and they will likely require firms to register as SBSDs if they meet certain criteria, including a de minimis threshold of $8 billion aggregate gross notional of CDS; $400 million of other security-based swaps; or $25 million of security-based swaps with certain “special entity” counterparties, such as municipalities and employee benefit plans.


Data analytics and data quality

As the financial industry has continued to increase its use of big data and cutting-edge technology, so has the SEC’s Office of Compliance Inspections and Examinations (OCIE). The SEC is already armed with an impressive arsenal of data, and various groups within OCIE have been continually building the technological capabilities to use that data for both industry surveillance and examination. Also, while the SEC will continue to employ big data and technology, the information gathered may be used differently by the next administration.

The OCIE (along with its subgroups) and the SEC have consolidated their offices and created the Office of Risk and Strategy (ORS). Under the new office, the various groups are integrating the work of their quantitative analytics experts with that of their staff who have direct exam experience. The goal? To develop tools for identifying risks among SEC registrants and the products and services they provide to investors.

Read our latest thinking on data analytics and data quality—Regulatory analytics: Keeping pace with the SEC (February 3, 2017).


US treasuries market

The SEC and FINRA are increasing their focus on the US Treasury market. In the past, regular and timely access to market data was essentially unavailable for US Treasury securities. But regulators now believe it’s important that they have full access to comprehensive trading data about US treasuries in order to understand market dynamics and provide optimal oversight. They see this as a logical regulatory convergence of the treasuries and equities markets.

In October 2016, the SEC approved a FINRA proposal that requires FINRA’s members to report transactions in US Treasury securities through FINRA’s trade reporting and compliance engine (TRACE) system, generally by the end of the day on which they were executed. FINRA won’t disseminate the trading data publicly, but the data will be available to relevant regulators to enhance their oversight. All broker-dealers registered with the SEC that are FINRA members will be subject to this rule, which will go into effect July 10, 2017. In addition, the FRB announced its intent to collect US Treasury securities transaction data from banks, with the possibility of FINRA acting as agent on the FRB’s behalf.


Conduct risk management

A risk management program for culture and business conduct is designed to prevent, detect, and even predict inappropriate business behaviors and misconduct. It’s also designed to create controls that mitigate the firm’s exposure to conduct risk. The ultimate goal is to foster a culture of compliance and ethical behavior that supports and protects the trust customers place in a financial services firm and that allows the firm to execute on its business strategy.

The focus on “conduct risk” has been gaining momentum in the marketplace, in particular, due to widely publicized manipulative sales and trading practices in wholesale markets (such as the London Interbank Offered Rate (LIBOR) benchmark fixing scandals). However, retail sales practices are coming under scrutiny, too. Conduct risk can be defined as the risk that a firm’s employees or agents may—intentionally or through negligence—do something that harms customers, other employees, the integrity of the markets, and/or the firm itself.

A strong culture and conduct risk program should give senior executives greater confidence that the organization is operating with integrity, and that all complaints and claims from employees and/or customers are being escalated and managed appropriately. It should also provide visibility into the behavioral characteristics that might prevent the organization from executing the business strategy in a responsible, compliant, and controlled manner.


Look again

In today’s rapidly evolving marketplace environment, key business issues are converging with impacts felt across multiple industry sectors. What are the key trends, challenges, and opportunities that may affect your business and influence your strategy? Look for more perspectives and insights from some of Deloitte’s forward thinkers.

Discover more Industry Outlooks.
