Spring Training and Compliance Strikes: Lessons from Two Sigma

It must be Spring Training because everyone is talking about baseball . While teams are gearing up for the new season, another game is playing out in the world of finance-one where compliance missteps lead to serious consequences. Two Sigma Investments LP and Two Sigma Advisers LP (collectively, Two Sigma) just got hit with three compliance strikes, and the SEC is calling them out. The SEC recently announced $90 million in penalties against Two Sigma for breaching their fiduciary duties. Here's how their compliance failures stack up in baseball terms and what you can do to ensure your team is a winner:

Strike 1: Lack of Supervision

A Two Sigma researcher made unauthorized changes to 14 models, leading to unintended investment decisions-$450 million in gains and $170 million in losses. Without proper oversight, critical changes went unchecked, exposing the firm and its clients to unnecessary risk.

Strike 2: Waited Too Long

In March 2019, employees identified vulnerabilities that could negatively impact client returns. However, instead of addressing the issue promptly, they waited until August 2023 to act. Compliance delays can be as damaging as outright failures.

Strike 3: Failed to Act

After recognizing these vulnerabilities, Two Sigma failed to adopt and implement written policies and procedures to mitigate against future missteps . Recognizing a problem is only half the battle-without action and ongoing monitoring, the risks remain.

And in the SEC's press release, regulators made it clear that Two Sigma's fiduciary approach was far from best practice: "The federal securities laws require investment advisers like Two Sigma to take steps - both proactively and reactively - to minimize operational risks to protect their clients."

The message is clear: In an era where firms increasingly rely on models and technology for investment decisions, robust compliance programs which integrate people, process and technology are more important than ever. As the SEC put it, "Doing nothing for years is not the answer."

What can you do to prevent compliance failures?

The Takeaways:

Here are five impact actions to mitigate risk:

1. Role-Based Access Control (RBAC)

• What It Is: Implement strict role-based access controls to limit access to sensitive systems and data based on job functions.
• How It Helps: Only authorized personnel, such as model developers or investment committee members, can make changes to live-trading models.

2. Change Management Procedures

• What It Is: Establish formal change management procedures that require approval, documentation, and tracking for modifications to investment models.
• How It Helps: Unauthorized changes would be flagged if they do not go through a documented and approved process.

3. Code Review and Audits

• What It Is: Implement regular code reviews and audits for changes made to the models. Utilize peer reviews or automated review tools.
• How It Helps: Detects and prevents unauthorized changes or potential errors in the code before they impact live trading.

4. Segregation of Duties

• What It Is: Separate responsibilities for model development, deployment, and trading activities to ensure no single employee has unilateral control over all aspects.
• How It Helps: Reduces the risk of any individual making unauthorized changes without detection.

5. Monitoring and Alerts

• What It Is: Implement a compliance monitoring system that detects changes made to live-trading models, with alerts triggered for anomalies or unauthorized modifications.
• How It Helps :Real-time alerts can help detect and respond quickly to unauthorized changes before they impact trading.

Final Thoughts

In baseball, three strikes mean you're out. In compliance, the consequences can be far worse-financial penalties, reputational damage, and loss of client trust. Two Sigma's case is a cautionary tale for firms that rely on advanced models and technology. Compliance isn't just about reacting to issues - it's about proactively safeguarding clients and ensuring operational integrity, starting with a robust compliance system reinforced with relevant, adaptable processes and expert human oversight.

So, as you think about your own organization, ask yourself: Is your compliance program ready for the big leagues?