Assessing customer protection: SEC Rule 15c3-3

3Assessing customer protection: SEC Rule 15c3-3 |2 | Assessing customer protection: SEC Rule 15c3-3

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Regulatory landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Assessing customer protection . . . . . . . . . . . . . . . . . . . . . 4

How EY can help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Illustrative models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Overview of broker-dealer requirements . . . . . . . . . . . . . 9

Case studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

IntroductionOn June 23, 2016, the Securities and Exchange Commission (SEC) launched a Customer Protection Rule (CPR) Initiative to identify and assess compliance with SEC Rule 15c3-3 . Under this initiative, broker-dealers are strongly encouraged to conduct thorough reviews of their end-to-end customer protection processes and controls from the customer reserve formula through possession or control . The SEC is currently conducting a comprehensive sweep of broker-dealers to determine the adequacy of customer protection governance and identify instances of noncompliance .

EY has deep experience working with multiple broker-dealers on their customer protection transformation programs and has deployed teams of advisors with industry, regulatory and consulting experience to assess and help them implement enhancements related to their customer protection processes, technology and controls . Due to the heightened importance of this initiative, financial institutions could benefit from a third-party review to provide senior management, investors and clients further confidence in the strength of their programs .

Contents Regulatory landscapeCustomer Protection Rule InitiativeBroker-dealers need to review and enhance their customer protection-related processes on an end-to-end basis, while proactively working with the SEC to support their industry sweep and remediate any potential noncompliance.

Regulatory scrutiny

Since the financial crisis and the collapse of MF Global in 2011, regulatory scrutiny on SEC Rule 15c3-3 customer protection has increased, and investors have been more focused on the proper custody of their assets. For example, the Financial Industry Regulatory Authority (FINRA) fined Pershing $3m for violating customer protection rules, and the SEC amended Rule 17a-5 to further promote customer protection processes.

Merrill Lynch settlement

On June 23, 2016, the SEC announced that Merrill Lynch agreed to pay $415m to settle charges that it misused customer cash. The SEC’s order focused on: (1) trades devised to reduce the amount of cash required for the customer reserve account and (2) control accounts that were subject to liens or lacked proper documentation. The SEC also initiated administrative proceedings against Merrill Lynch’s former head of regulatory reporting.

Customer Protection Rule Initiative

Simultaneously, the SEC announced a two-part initiative designed to uncover abuses of the Customer Protection Rule (the CPR Initiative): Part 1: Encourages broker-dealers to self-report potential violations of the rule and provides for favorable settlement terms Part 2: Announces an industry sweep (i.e., risk-based examinations) of certain broker-dealers to assess their compliance with SEC Rule 15c3-3

5Assessing customer protection: SEC Rule 15c3-3 |4 | Assessing customer protection: SEC Rule 15c3-3

Assessing customer protectionThree main stages to assessing customer protectionSignificant customer protection issues have been identified at large broker-dealers that had high confidence in their governance models. Possession or control impacts many functional teams in operations and requires diligent oversight and comprehensive training and procedures. Reserve formula issues may not result in underfunding but may be material and warrant self-reporting.

• Investigate potential violations

• Review the impacted time period and quantify the potential exposure to customers

• Implement “quick wins” and tactical preventative measuresUnderstand impact

• Future state operating model should include a centralized customer protection control team, streamlined functional support, a robust training and education program, enhanced policies and procedures, and strategic technology architecture.

Design and implement future state models

Understand Analyze Evaluate

Gain an understanding of the customer protection process operations, risk areas and compliance with Rule 15c3-3

• Broker-dealers must act quickly to identify any noncompliance with the CPR Initiative.

Using a risk-based approach, review processes, procedures and controls that are currently in place for Rule 15c3-3 compliance

Identify potential exposure

Perform an end-to-end Rule 15c3-3 compliance review

Identify weaknesses in processes and controls and document gaps in the control environment

1

2

3

Our leading-edge technologies, paired with industry knowledge, allow us to assist our clients in a cost-effective way when they are subject to government scrutiny and inquiries . Our teams include former regulators, certified public accountants (CPAs), Certified Fraud Examiners (CFEs) and forensic accountants .

• The right team with the right experience: We know the industry, and we combine that insight with a deep understanding of compliance, operations, technology and forensics focused on broker-dealer issues with perspectives on industry trends, key challenges and leading practices. Our team comprises former regulators, including senior officials who were directly involved in policy and supervision and guide on regulatory expectations. We are currently working with many of the top broker-dealers on compliance and regulatory-related issues.

• A proven approach: We have direct experience identifying and remediating customer protection-related issues, having conducted multiple engagements related to customer and asset protection in general across the globe and specifically related to Rule 15c3-3, where we have assisted broker-dealers across the diagnosis, design, remediation and implementation phases of an engagement. We host periodic roundtables conducted in the compliance and regulatory space to understand priorities and can be built into specific engagements.

• A truly global team: EY is an integrated organization with a team of over 500 resources dedicated to capital markets with decades of both industry and consulting experience, enabling us to assist clients to implement pragmatic approaches and litigation support. EY has over 200,000 employees in 150 countries.

• The ability to accelerate project execution: Through leading methodologies and tools, our resources with the diverse skill sets required to execute such a complex engagement, along with subject-matter resources, are used effectively to facilitate decision-making for clients. We utilize lists of leading industry practices and controls, along with an initial set of hypotheses of potential issues that can be leveraged to jump-start the diagnosis phase of the engagement. In addition, analytical tools and approaches specifically used for Rule 15c3-3 in other engagements can be leveraged directly.

• Independent and objective: We will provide objective, fact-based observations based on our experience and our understanding of your goals and objectives. Our work is governed by professional standards based on integrity, independence and professional rigor.

EY can assist broker-dealers in this time-sensitive and complex initiative by leveraging its deep pool of resources with diverse and relevant skill sets, utilizing accelerators developed from executing similar engagements and delivering a pragmatic approach that meets the immediate tactical needs and position for a more robust future state.

How EY can help

7Assessing customer protection: SEC Rule 15c3-3 |6

Customer protection Illustrative functional modelThrough prior engagements and industry experience, we have developed a functional model that highlights the key components of the customer reserve formula and possession or control aspects of customer protection. The functional model should be overseen by a strong control and governance structure.

General ledger

Stock record

Cash and securities transactions

Reference data Customer protection dashboard (tracking, managing and curing deficits)

Customer protection platform

Custodians and agent banks (DTC, BNYM, JPM, Euroclear, etc.)

Clearance and settlement processing

Securities lending

Corporate actions

Trad

e ca

ptur

e

Trad

e en

richm

ent

• Clients trade on margin.• Clients pay off debit

balances.• Clients instruct account

transfers.• Clients participate

in corporate action events.

• The account master codes good control locations.

• The account master codes customer accounts.

• The security master determines where trades should settle and where seg. instructions are sent.

• Dashboards provide transparency into deficits and violations and are available first thing in the morning with proper aging.

• Incident tracking

• 15c3-3 reserve formula calculation

• 15c3-3 security lockup calculation

• 15c3-3 deficit and violation calculations

• Asset optimization

• Dually eligible securities can cause issues settling in the wrong depot or being priced inaccurately.

• Custody breaks can impact the integrity of books and records.

• Segregation movements should not be made directly in the depository or custodian.

• Automated customer account transfer service (ACATS) realignments and intercompany movements may be settled with the improper segregation codes.

• Agents may deposit exchange-traded fund creations/redemptions and deposits/withdrawals at custodian (DWACs) in the segregation box even for margin inventory.

• Settlements “own the box” and verify that there is enough segregated inventory to cover the requirements (ideally on a real-time basis).

• Settlements group is often required to make manual adjustments to segregation for trades that do not flow through proper channels or settle same day.

• Settlements may need to manually instruct delivery of positions for ad hoc client requests.

• Settlements group manages fails and liaises with securities lending to remediate deficits.

• Stock loan lends out eligible client securities.

• Stock loan borrows to facilitate deliveries and cover deficits.

• On voluntary elections, fully paid for and margin clients may tender or “take no action” impacting the segregation requirements.

• Clients may be called in Depository Trust Company (DTC) lotteries or exercise survivor options.

Client-driven actions

Firm-driven actions

Market-driven actions

Customer reserve formulaIllustrative root cause analysisThrough our client engagement and industry experience, EY has developed the following root cause analysis model for the customer reserve formula. This, among other EY tools, will accelerate clients’ assessment of their customer protection environments.

Ineffective change management

Ineffective supervision controls

Incorrect coding of customer, non-customer and other operating accounts Lack of reconciliations

Inadequate training program

Inadequate training program

Lack of knowledge Lack of knowledge

Lack of knowledge

1 . Improper allocation

3 . Improper netting and aging of suspense

items, fails, short securities, etc .

Inadequate procedures and checklists

Inadequate procedures and checklists

Willful neglect, circumvention or incorrect interpretation of the SEC rule

Using unqualified securities

Inadequate supervision over activities in the reserve bank account

Timing issues with deposits, withdrawals and substitutions

Ineffective communication between departments (i.e., regulatory reporting and other relevant departments)

Inadequate reserve bank letters

Incorrect coding of customer, non-customer and other operating accounts

2 . O

vers

tatin

g cu

stom

er d

ebit

bala

nces

and

unde

rsta

ting

cust

omer

cred

it ba

lanc

e

4 . Im

prop

er fu

ndin

g of

the

rese

rve

bank

acc

ount

Inadequate training program

Inadequate procedures and checklists

Ineffective supervision controls

Customer reserve formula violations

| Assessing customer protection: SEC Rule 15c3-3

9Assessing customer protection: SEC Rule 15c3-3 |8 | Assessing customer protection: SEC Rule 15c3-3

Possession or controlIllustrative root cause analysisThrough our client engagement and industry experience, EY has developed the following root cause analysis model for possession or control. This, among other EY tools, will accelerate clients’ assessment of their customer protection environments.

Errors in calculation logic

Errors in calculation logic

Inadequate no lien and SEC letters

Issues with end-user computing (EUC)

Issues with market pricing

Lack of education and training

Inefficient buy-in and recall processing

Insufficient filing of extensions

Stock record/ custody breaks

Ineffective supervisory controls

Lack of effective policies and procedures

Client vs. non-client accounts

Reference data

1 . Incorrect determination of requirem

ent

or accomplishm

ent

3 . Improper release of securities

Good vs. not good control locations

Inability to instruct multiple depositories for dually eligible securities Inadequate metrics and reporting

Ineffective change managementLack of prioritization of deficit remediation

2 . Is

sues

tran

smitt

ing

info

rmat

ion

to d

epos

itorie

s

4. L

ack

of ti

mel

y re

solu

tion

of d

eficit

s

Timing issues (e.g., releasing seg. S-1 for sells and locking up end of day for buys)

Incorrectly calculating or resetting the 30-calendar clock

Segregation deficits and violations

Customer protectionOverview of broker-dealer requirements SEC Rule 15c3-3 (customer protection) is intended to protect customers’ assets held by their broker-dealers. Specifically, the rule prohibits broker-dealers from using customer funds and fully paid for/excess margin securities to finance their businesses. The rule requires that the broker-dealer maintain custody of customers’ securities and cash by complying with the following requirements:

Additionally, broker-dealers are required to file an annual report (compliance report) with the SEC asserting they have established and maintained internal controls over compliance with the financial responsibility rules, including the Customer Protection Rule (15c3-3). In an effort to address the requirements of Rule 17a-5, broker-dealers have developed a comprehensive governance control framework to enable the firm to make the required assertions in the compliance report.

Customer reserve computation

Broker-dealers must prepare a reserve formula computation of all customer free credit balances plus the value of customer securities used in the normal course of business to the extent it exceeds approved customer financing. Based on the results of that computation, a broker-dealer may be required to make a deposit into the Special Reserve Bank Account for the Exclusive Benefit of Customers.

Possession or control

Broker-dealers must promptly obtain and thereafter maintain physical possession or control of all customer fully paid for and excess margin securities. These securities cannot be used for any firm purposes, including collateralizing loans or securities lending by the broker-dealer and should be held in a “good control” location/account free of any right, charge, securities interest, lien or claim of any kind that is in favor of the custodian.

11Assessing customer protection: SEC Rule 15c3-3 |10 | Assessing customer protection: SEC Rule 15c3-3

Customer reserve formulaIllustrative case study

Customer reserve formula concerns EY’s approach/recommendations

• The engagement identified the following areas of concern for customer protections related to reserve formula computation:

• A general lack of knowledge and understanding of the Customer Protection Rule and its implications on the reserve formula computation

• Inadequate governance and control over the reserve formula computation

• Lack of reconciliations and governance over balances that impact the reserve formula such as suspense items and fails

• Lack of transparency, communication and root cause analysis

• Heavy reliance upon EUC tools to capture customer balances

• Data integrity issues with referential data, including allocation and customer vs. non-customer balances

• Enhance training and enhance guidance/procedures that reflect firm’s processes for identification, classification and allocation of customer, non-customer and proprietary accounts of broker-dealers

• Verify that adequate controls are in place to monitor account activity in the reserve account to confirm it is adequately funded at all times (i.e., evidence of timing of deposits, withdrawals and substitutions) and with the proper assets such as cash or qualified securities

• Identify unusual transactions/trades occurring prior to and subsequent to reserve formula computations

• Verify consistent coordination and communication between regulatory reporting, treasury, operations and any other departments that are involved in the process of funding the reserve bank accounts

• Establish and document procedures for the review of unknown operational/aged balances (e.g., suspense, dividends, interest, short security count differences, fail to deliver balances)

• Enhance automation EUC tools that have significant impact on reserve computation

• Implement controls to verify and reconcile systems input/output to verify referential data integrity

Design and implementation of a customer reserve formula target operating model

EY was engaged by a global clearing firm, registered as a US broker-dealer, to conduct an end-to-end assessment of their customer reserve formula computation and regulatory reporting processes to verify compliance with SEC Rule 15c3-3. The firm provides clearing, custody and execution services to fund managers, registered investment advisor firms and wealth managers in more than 60 markets globally and custodies approximately $1 trillion in client assets.

Possession or controlIllustrative case study

Possession or control concerns EY’s approach/recommendations

• The engagement identified the following areas of concern for customer protection:

• A general lack of knowledge of the Customer Protection Rule and its implications on daily processing

• Inadequate governance and control of the possession or control process

• Lack of transparency, metrics, root cause analysis and incident reporting for deficits and violations

• Heavy reliance upon EUC tools for sensitive customer protection-related processing

• Data integrity issues with referential data, including good vs. non-good control locations, client vs. non-client accounts and primary settlement depository

• Data integrity issues with the stock record due to a large number of aging stock record and custody breaks

• Leverage subject-matter resources with significant regulatory experience to provide guidance and a structured approach to interface with regulators and auditors

• Develop a comprehensive in-person and web-based training program for CP and review and update all procedures for functions that impact CP, including manual segregation adjustments

• Develop and implement a governance model that includes a dedicated CP control team, escalation protocols, metrics and reporting, links to Rule 17a-5 compliance reporting, preventative and detective controls, and a comprehensive change management protocol

• To automate EUC tools that have significant impact on CP

• Rationalize redundant and duplicate technology systems, and implement reconciliations process to provide referential data integrity

• Auto-suspense custody reconciliation breaks to verify a conservative approach is taken with the CP calculations

Design and implementation of a possession or control target operating model

EY was engaged by a large broker-dealer to provide assistance in mobilizing and implementing an SEC 15c3-3 customer protection (CP) possession or control target operating model across the multiple business lines. The program included 12 work streams and covered 20 functional areas across three international offices.

12 | Assessing customer protection: SEC Rule 15c3-3

EY | Assurance | Tax | Transactions | AdvisoryAbout EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

© 2017 Ernst & Young LLP. All Rights Reserved.

SCORE No. 00454-171US1701-2161439 FSO

ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey .com

For more information, please contact:Ann CheesemanPartnerErnst & Young LLPOffice: +1 312 879 3084ann.cheeseman@ey.com

Matthew FischerSenior ManagerErnst & Young LLPOffice: +1 212 773 9899matthew.fischer@ey.com

Tony HounshellSenior ManagerErnst & Young LLPOffice: +1 212 773 7100tony.hounshell@ey.com

Nagaraj SwaminathanExecutive DirectorErnst & Young LLPOffice: +1 212 773 8710nagaraj.swaminathan@ey.com

Steve ZammittiPartnerErnst & Young LLPOffice: +1 212 773 2903stephen.zammitti@ey.com