LegiStorm

What GAO Found

Since GAO reported in May 2012, the Securities and Exchange Commission (SEC) has incorporated elements of a risk-management framework into its oversight program of the Financial Industry Regulatory Authority (FINRA). For example, SEC has developed and implemented procedures for identifying and assessing FINRA program risks, which then inform its annual oversight plan and activities for FINRA. In 2012, GAO found that SEC's approach to developing a risk-based approach to oversight of FINRA did not incorporate all the components of a risk-management framework. GAO recommended that SEC follow all components of a risk-management framework. While SEC has taken some actions, this report found that SEC's risk-based oversight program could be more robust and consistent with risk-management and federal internal control standards. Specifically, SEC has yet to

develop specific performance goals and measures, with corresponding targets to monitor its progress toward the goal of enhancing FINRA oversight;

formalize procedures for documenting its oversight determinations, such as selecting FINRA areas for inspections and any changes made to planned oversight activities; and

perform an assessment of internal risks, such as staff availability and competing priorities, to successfully meeting FINRA oversight program goals and objectives.

Complementary to its implementation of risk-assessment procedures to assist in selecting FINRA programs and operations for oversight, SEC also has taken a number of other steps to enhance its oversight of FINRA. One such step was creating and filling the position of Senior Special Counsel-FINRA and New Markets to work with SEC management in coordinating FINRA oversight activities and reviewing information to inform the risk assessment. Another step was the transition of its FINRA district office inspections, which evaluate various FINRA regulatory programs, from a set schedule (or cycle-based) model to a risk-focused model. Under this risk-focused model, staff analyze information and data, such as the number of high-risk firms in a district, to identify risks and make recommendations for which offices to inspect. A third step SEC took was revising its process for assessing FINRA's broker-dealer examinations to inform its assessment of FINRA program risks.

SEC also recently completed inspections of each of the areas listed in Section 964 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), such as governance and executive compensation. The inspections GAO reviewed were conducted in a manner generally consistent with Government Auditing Standards and the information gathered was further used to inform SEC's FINRA risk assessment. GAO did not validate the findings of the Section 964 area inspections it selected for review.

The securities industry is generally regulated by a combination of federal and industry regulation and oversight. FINRA, a self-regulatory organization, is responsible for regulating securities firms doing business with the public in the United States. SEC oversees FINRA's operations and programs.

Section 964 of the Dodd-Frank Act mandates GAO to triennially review and report on aspects of SEC's oversight of FINRA. GAO issued its first report in May 2012 ( GAO-12-625 ). This report (1) assesses SEC's implementation of a risk-based framework for overseeing FINRA; (2) reviews SEC oversight activities of FINRA operations; and (3) assesses recent inspections of areas listed in Section 964.

GAO reviewed and compared SEC documentation on its risk-based oversight with generally accepted risk-management frameworks, and performance management and internal control standards. GAO analyzed SEC inspection procedures for self-regulatory organizations and inspections of four Section 964 areas, against Government Auditing Standards . GAO selected the four inspections partly based on SEC's FINRA risk assessment and frequency of SEC oversight. GAO also interviewed SEC and FINRA officials.

SEC should establish specific performance goals and measures, enhance documentation of oversight determinations and changes, and conduct an assessment of internal risks. In response, SEC described the actions they plan to take.

For more information, contact A. Nicole Clowers at (202) 512-8678 or clowersa@gao.gov.