By Marina Baranovsky (Scitus Consulting LLC), Ivan Knauer and Tim McTaggart (Pepper Hamilton LLP)


This article was published in the August 13, 2015 issue of Bank Insurance & Securities Association (BISA)’s OneSource. It is reprinted here with permission. This article also was published in the October 2015 issue of NSCP Currents magazine published by the National Society of Compliance Professionals, Inc.

Over the last 30 years and several financial crises, risk assessment (and its related tools) has become an important issue for the securities and banking industries.

The banking industry is interconnected with the securities industry. The vast majority of larger banks, regulated by the Federal Reserve, have more than one Securities and Exchange Commission (SEC) registered broker-dealer and investment adviser.

The SEC initially looked at risk assessment through the Consolidated Supervised Entity (CSE) program, which took a systemic approach to risk. The program was created in 2004 as a way for global investment bank conglomerates that lacked a supervisor to voluntarily submit to regulation. The CSE program was canceled in 2008 by former SEC Chairman Cox because it was ineffective: major investment banks could decide voluntarily whether to be regulated under the CSE.

We note that as a result of the Dodd-Frank Act, such regulation of global investment banks is no longer voluntary. The Federal Reserve has now implemented a new consolidated supervisory framework that applies to institutions, including nonbank financial companies designated by the Financial Stability Oversight Council for Federal Reserve enhanced supervision (still to be issued/determined). Domestic banks and foreign banking organizations with consolidated assets of $50 billion or greater also are subject to the Fed’s supervision. Moreover, the global investment banks of the 2008 period that survived the crisis also became regulated by the Federal Reserve as bank holding companies. Additionally, the Fed will engage in macroprudential supervision in order to detect potential systemic risks.

To fill the regulatory void after the cessation of the CSE program, the SEC began to analyze risk assessment by utilizing its existing Rule 17-h. SEC Rule 17-h was initially established in 1992 after the financial crisis at that time.

The SEC created its current approach to risk assessment after carefully studying the lessons of past financial crises, including the 2008 crisis, and incorporating them into the structure of Rule 17-h, Risk Assessment and Record Keeping Requirement. This new approach evaluates risk on an enterprise-wide basis as well as systemically in the sector.

Rule 17-h combines the regulation of the banking and the securities industries and serves as a good premise for companies to evaluate known risks. It has two major components:

  1. Regulatory Compliance Requirement
  2. Risk Assessment

Regulatory Compliance Requirement

Broker-dealers with $20 million in capital are required to submit to the SEC quarterly reports about risk assessment and meet related record keeping requirements. In particular, companies are required to provide the following information:

  • Organizational chart, including all material affiliated entities
  • Financial information about Material Associated Persons, such as the holding company and others at a consolidating and consolidated level
  • Credit risk and market risk
  • Material legal proceedings disclosure
  • Information about financing, capital adequacy and risk management, and other policies and procedures.

Based on the Congressional Budget Office Report of 2016, the SEC reviewed 275 broker-dealers, about a third of which are owned by bank holding companies.

Other companies, such as registered investment advisors, broker-dealers and bank holding companies, are also subject to FINRA, SEC, National Futures Association, and CFTC exams focusing on risk assessment.

Risk Assessment

At most companies, the compliance and risk functions are run separately for various reasons. For example, market and credit risk have different reporting lines from accounting and regulatory compliance; or the internal audit department might report directly to the President and the Board of Directors to ensure independence and impartiality. This traditional work stream, where each department analyzes its own risk, neglects to assess the impact of each risk element on the entire company at a consolidated level.

Indeed, there are credit risk experts, market risk experts, regulatory compliance experts, internal auditors, accountants, legal experts, information technology experts, security experts, and human resources experts. Each of these functions represents a separate department in larger companies; in smaller companies, some of these functions could be outsourced.

Systemic risk assessment, pursuant to SEC Rule 17-h, evaluates all affiliated entities for potential risk factors individually and relative to the consolidated company level. Risk assessment includes the analysis of credit risk, market risk, compliance risk, internal audit reports, financial statements, legal proceedings, IT (including cyber security) and other factors.

It remains to be seen whether regulators will seek to use internal risk assessments as a means to identify potential enforcement actions.


Risk assessment should reveal a road map to the important components of a company’s risk. It is not a “one size fits all” approach but rather reflects the identification of risk and the scaling of the appropriate response to fit each customized set of company risk factors. It is a sophisticated tool to address risk, and ultimately it should be an important measure of the longevity and prosperity of every company in the banking and securities industry.

The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.