Suitability Surveillance and Controls: Moving Targets That Reinvent Themselves

Best practices for managing suitability compliance risk are a good news, bad news bedtime story in the financial services industry. The good news is that I am hard pressed to identify another area where both the global regulators and regulations, including, but not limited to, FINRA, the SEC, MiFID, and IOSCO, speak with one voice with respect to global statutes, rules and regulations. On a global basis, capital markets compliance is usually a patchwork of disparate requirements. However, the global requirements relating to suitability are nothing short of harmonious, and they support many firms' efforts to adopt and implement a holistic compliance framework across the enterprise.

The not-so-good news is that holistic compliance itself has struggled over the years with its own identity crisis, trying to ascertain what it needed to do to evolve. With that in mind, the framework of holistic compliance is not 'one size fits all', because the business models and scale of firms vary significantly. With respect to a few of the contemporary expectations of the global requirements, best practices in holistic suitability compliance must ensure that your organization does not fail to establish, document and maintain a system of risk management controls and supervisory procedures. Considering this, a well-organized system of "detection, prevention, deterrence", coupled with follow-up and review, should be integrated and reasonably designed to manage suitability risk.

The Compliance "Eyeball" Challenge

With managing risk in mind, irrespective of how many eyes your organization has looking at client activity, it is clearly impossible to review each and every recommendation or transaction by simple, manual "eyeballing" of trade records. Understanding any recommendation or transaction in the context of a client's investment profile – which includes a specific financial profile, risk tolerance, investment objectives, portfolio holdings, time horizon, liquidity needs, and other profile attributes – is both a critical and mandatory part of the review process.

The challenge, and the reason the eyeball approach fails, is that those "eyeballs" would need to have the customer's investment profile information stored away in the recesses of the reviewer's mind as reviews are conducted – and that's virtually impossible. Additionally, those same "eyeballs" would need to mentally process the impact of any transaction on the risk weight of the client's overall portfolio holdings.

Would the "eyeballs" know, by simply looking at a transaction, that the transaction has had the effect of pushing out the duration of the client's fixed income exposure beyond the recommended allocation model? Or, one could wonder, has the transaction established a concentration issue for this client's related accounts, at the issuer/company level, the asset or sector level, or in alternative and complex products, or the correlated asset class level, or at the illiquid security level? A mere manual glance through the records won't reveal these risk considerations easily.

Last, one must determine whether there has been a change in the client's investment profile that would affect the review and sign-off. These factors are just a few examples of the routine assessments that must be processed against the information, or lack of information, held in the minds of the "eyeball" reviewers. Can I defend my eyeball system as being "reasonably designed" to a regulator? I seriously doubt it.

Risk-based Systems, Right-Sized Tech

The regulators seem to clearly understand that the "eyeball" approach is not dissimilar from the "not doing anything at all" approach, and so they have heightened expectations in this area. The regulators also understand that, due to the complexities of a firm's business model and its scale, a "risk-based" approach would indeed allow a firm to discharge its supervisory and control obligations while relieving the firm of the near-impossible mission of reviewing each transaction and all activities in a client's account.

This "risk-based" relief is only available where the "risk-based" systems and infrastructure are reasonably designed to achieve compliance. Agreeing with the chorus of many other voices, both the regulators and the regulated, I would argue that any risk-based system must be supported by right-sized technologies to facilitate the delegation and discharge of the responsibilities of "all lines of defense" that are customer suitability stakeholders.

As a baseline, a robust and comprehensive risk-based suitability system must review activities at the point of their occurrence, in the context of the client's investment profile and the firm's internal policies and procedures. Of course, the system needs to contemplate the nuances between discretionary/managed vs non-discretionary account activities and recommendations.

The Approach for Complex Products

Understanding the product, with respect to its complexity and risk characteristics, is a critical component of right-sized technology. Having a system that can detect and flag transactions that have not been approved for sale, or that were recommended and sold to clients whose investment profiles fall below the profile requirements established by the firm's product control/vetting process, is yet another critical component of a "risk-based" suitability system.

Complex products illustrate the significance of taking a risk-based approach, not only because of the heightened regulatory attention in this area, but also because of the attendant risks (regulatory, legal, reputational) based on market volatility and direction, the performance of the product, and the product's embedded benchmarks and/or derivatives (what I refer to as "the air coming out of the balloon a lot faster than it went in" problem).

This risk-based approach for complex products should be extended to the financial advisor/broker level as it relates to their client book, and at the same time to other financial advisors/brokers that fall within the same operating unit/segment (e.g. at the branch level). Further, this risk-based approach at the transaction and product level requires a far different set of rules for transactions in large cap value or growth vs. microcap equity securities, investment grade vs. high yield, 10-year duration vs. 2-year duration, and products (especially proprietary ones) that give rise to a conflict of interest.

The other component of this risk-based baseline involves an ongoing risk analysis at the account and portfolio holdings level to detect and alert on, among other matters: whether the account's holdings are in sync with the investment profile and/or recommended allocation model; concentration risk; and activities wherein the "best interests" of the client may have been breached. (Examples in this last area are numerous and will depend on the firm's business model and self-professed policies and procedures.) Naturally, automated reviews need to be conducted on a regularly scheduled basis, but also upon the occurrence of certain triggering events such as an updated investment profile.
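To make the transaction-level checks (unapproved product, profile below the product's requirement) and the account-level checks (concentration, re-review on a profile change) concrete, here is an added illustration in Python that is not from the original article. The product ratings, concentration thresholds, symbols and holdings are constructed sample data standing in for a firm's product vetting output and client profile; they are not anyone's actual policy values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Product:            # output of the firm's product vetting process (constructed)
    issuer: str
    sector: str
    risk_rating: int      # 1 (conservative) .. 5 (speculative)
    approved_for_sale: bool

@dataclass
class Client:             # the investment profile the review runs against
    risk_tolerance: int   # highest product rating the profile permits
    holdings: dict        # symbol -> market value
    max_issuer_pct: float = 0.10
    max_sector_pct: float = 0.25

PRODUCTS = {  # constructed product master
    "ACME_CS":   Product("Acme", "Technology", 3, True),
    "ACME_PFD":  Product("Acme", "Technology", 2, True),
    "BIOX":      Product("BioX", "Healthcare", 5, True),
    "CORE_BOND": Product("FundCo", "Fixed Income", 2, True),
    "GLOBAL_EQ": Product("FundCo2", "Equity", 3, True),
    "SNOTE_7":   Product("BankCo", "Structured", 4, False),
}

def review_transaction(client, symbol, amount, products=PRODUCTS):
    """Point-of-occurrence check; returns alert codes (empty list = no exception)."""
    product, alerts = products[symbol], []
    if not product.approved_for_sale:
        alerts.append("NOT_APPROVED_FOR_SALE")
    if product.risk_rating > client.risk_tolerance:
        alerts.append("PROFILE_BELOW_PRODUCT_REQUIREMENT")
    # Concentration is judged on the post-trade book, not on the trade in isolation
    post = dict(client.holdings)
    post[symbol] = post.get(symbol, 0.0) + amount
    total = sum(post.values())
    def share(attr):  # fraction of the book sharing this product's issuer / sector
        key = getattr(product, attr)
        return sum(v for s, v in post.items() if getattr(products[s], attr) == key) / total
    if share("issuer") > client.max_issuer_pct:
        alerts.append("ISSUER_CONCENTRATION")
    if share("sector") > client.max_sector_pct:
        alerts.append("SECTOR_CONCENTRATION")
    return alerts

def review_account(client, products=PRODUCTS):
    """Scheduled or profile-change review: holdings no longer within the profile."""
    return sorted(s for s in client.holdings if products[s].risk_rating > client.risk_tolerance)

CLIENT = Client(3, {"ACME_CS": 8000.0, "BIOX": 2000.0, "CORE_BOND": 45000.0, "GLOBAL_EQ": 45000.0})  # constructed $100k book
```

A small additional purchase of ACME_PFD passes, while a larger one pushes the Acme issuer share past 10 percent and is flagged on the post-trade book; lowering the client's risk tolerance and re-running `review_account` is the "triggering event" review described above.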

While the foregoing touches on the needs and challenges relating to "suitability" in the context of KYC, there are still other considerations and requirements relating to the "best interest/fiduciary standards" that need to run in parallel with the foregoing baseline requirements. Rather than repeat the case here, let me state the obvious: Yes, a risk-based technological framework is the safe fork in the road to take to insulate the firm and its stakeholders from fiduciary risk.

In closing, a risk-based approach to suitability best practices will enable your organization to comply with both the spirit and the letter of the law. This is not the same thing as saying that you are unconditionally guaranteed that best practices will ferret out 100 percent of your business model's inherent compliance risk. But to borrow from an old adage that has driven my compliance risk management decisioning and reasoned opinions processes in the past, "don't let the perfect be the enemy of the good."
