10 Key Principles To Consider When Establishing An IT Control Program

On May 9, 2007, the SEC brought an administrative proceeding against a large investment bank alleging that the firm embedded undisclosed mark-ups and mark-downs in certain OTC executions and delayed execution of other orders, thereby not providing best execution to its retail customers.1 The SEC alleged that the firm was reckless in improperly programming its automated OTC market-maker system, which caused the errors. Without admitting or denying the allegations, the firm agreed to pay a civil monetary penalty of $1.5 million and disgorgement plus interest of approximately $6.4 million. The firm also agreed to retain an independent compliance consultant to conduct a comprehensive review and provide recommendations on its automated retail order handling system.

In announcing the decision, Elaine Greenberg, Associate Administrator of the SEC's Philadelphia Regional Office, stated that "You can't blame it on the computer. The message in this case is to put brokers on notice that the commission is going to be looking at automated systems." This is the latest in a series of SEC and SRO disciplinary actions where the regulators have imposed large penalties on various broker-dealers for failure to properly program and monitor automated systems.2 Through these actions, the regulators have served notice on the industry that they will hold broker-dealers liable for systemic failures even when there is no intentional wrongdoing, and in some cases, no underlying violation other than the control failure itself.

With the increasing complexity of the trading markets and the volumes and speed at which securities trade in those markets, most firms have little hope of complying with regulatory requirements without sophisticated order management, trading and sales systems. Firms must diligently manage the development, implementation and maintenance of technology to assure compliance with regulatory requirements. Also, they must periodically review and test existing systems and technology to assure continued compliance. In essence, good supervision and good compliance now require even better technology and stronger IT control.

As a result, firms should periodically review and enhance existing IT control programs, or create new programs, to effectively manage systemic risk. There is no one-size-fits-all solution to this problem. The programs must be tailored to the specific needs and risks of each firm's business. At a minimum, however, the following key...
