complianceThe exam is finally over! If your advisory firm has been undergoing an SEC examination, you’ve probably been waiting a long time to utter those words. Well, time to get back to business, right? Not so fast. As our series on SEC examinations has detailed, this is a long process. And if your firm received a deficiency letter, the process is even longer. This is not just in reference to the time it takes to respond to the deficiency letter. No, even more important than the response you provided to the SEC is the remedial action you now need to take to resolve any deficiencies the examination highlighted.

Where to start? Well, for one, address the issues you promised to in your response letter. This seems too simple, but, believe it or not, this is a problem for some advisory firms. As Marc previously pointed out, one of, if not the first thing that will be reviewed on your next examination, is how your firm remedied previous deficiencies. Likely the last thing you want to do is consider another examination so soon. However, you really don’t want to find yourself in the position of explaining of a reoccurring deficiency. So, let’s discuss how to remedy those deficiencies.

If your firm was cited for a deficiency related to a particular compliance policy or procedure be sure to implement the changes to bring the policy or procedure into compliance. This remedy will likely require multiple steps. You may need to update the text of the policy in question. Once you are confident that the text of the policy reflects compliance with the applicable regulation, review your corresponding procedure related to the policy and update any controls that are needed. It’s one thing to have a compliance manual that contains all necessary policies. But those policies will curry no favor with your regulator if your procedures, in practice, don’t match the words in your manual. Remember, systems and processes are your friends. If you are remedying a deficient compliance procedure, make sure, as much as possible, that the revisions you make allow the procedure to be easily conducted and repeatable.

For example, let’s say your firm was cited for deficiencies related to misleading advertising. Your response to the SEC deficiency letter outlined additional controls that would be implemented to prevent future violations. You review your compliance policy on advertising and determine it is complaint.  You next review your procedure related to advertising review and revise it to implement the additional controls you laid out in your response letter. However, in practice, these additional controls translate into added reviews of your marketing materials by your Chief Compliance Officer, who already has an overfilled schedule. Moreover, your Marketing Officer still isn’t clear on what materials do or do not need to be reviewed. This is a recipe for a deficiency on a future exam and ever worse, a recurring deficiency.

As this example has shown, don’t simply take the words you wrote in your responses to the deficiency letter and paste them into your compliance policies and procedures. Take this as an opportunity to holistically review your compliance program. You just experienced an examination. Take an inventory of what went well and what could be improved, even if it didn’t manifest a deficiency. Use this experience to establish or improve upon processes that will enhance your compliance program. As in the example above, consider if you have appropriate resources. Determine if all members of your firm are adequately trained on your policies. And, if you conclude that the additional resources or trainings are needed, consider proactively consulting your legal or compliance professional.

We hope you’ve found this series on SEC examinations helpful. Please check back next time when Marc concludes this topic by discussing mock exams.

An onsite examination from the SEC can often feel like a surprise visit from your in-laws.  You wish you had more time to clean up before they arrived, you know they’re judging you the whole time they’re there, and you can’t wait for the moment you get to say goodbye.

And, after what seems like an eternity, that moment has come.  On the last day of an onsite examination, the SEC often conducts an “exit interview” which signals their impending departure.  At that interview, expect a discussion of the exam status, any outstanding information or documentation requests, and perhaps even a hint of what you might see on your report card (also known as the infamous “deficiency letter,” which I’ll get to in just a bit).  Even though you might be exhausted from their visit, use this time wisely and respond completely to their requests.  If, during the course of the exam, issues have already been identified and you’ve already got plans in place to address them, let the staff know you’re working on it before they leave your office.

After the onsite portion, the SEC will take back all the information they’ve gathered and will, in many cases, perform additional analysis.  They may even call you with more questions or ask to see more data.  Don’t be overly concerned if this happens, even if you get more than one round of comments or questions.  It’s all part of the process and may even present opportunities for you to put the SEC at ease about any particular issue before you get the formal summary of examination findings, the deficiency letter.

So, the deficiency letter.  Here’s what you need to know.  First off, while it’s possible to get a perfect score (i.e., a “no findings” letter), that’s not the norm, especially if you’ve had a routine examination. Those exams, as discussed previously, are designed to test all major areas of your compliance program, so there’s likely going to be at least one thing you can improve on.  Secondly, you might have to be patient.  By law, the SEC has up to 180 days to issue its letter.  Use that time wisely to anticipate what changes you’ll have to make, because once that letter comes, the SEC normally gives you only 30 days to respond.

When the letter arrives, read it carefully and respond fully, focusing on precisely how you’re going to address the deficiency identified.  For example, if the SEC noted a failure to adopt policies and procedures for filing and distributing Form CRS, don’t merely state that you will adopt such policies and procedures – provide a copy of them.  If you don’t agree with a particular finding, or don’t quite understand a comment, reach out to the staff by phone to try to resolve the issue before responding in writing.  And if you need more time to finish your response letter (perhaps to accommodate the schedule a of a key person), don’t be afraid to ask for it.  The goal here should be to send a single response that appropriately addresses all deficiencies.  And if you do that, instead of more comments and questions from the staff, you’ll likely get the letter you’ve been wishing for ever since this whole thing began – the notification that the exam is closed.

Let’s say you finally got that closing letter.  Take a moment, breathe, even celebrate. But here’s the thing – while the exam might be over, the work isn’t quite done.  Remember all those promises to take remedial measures you made in your response letter?  The time has come to make good on those, and that’s where Josh will pick up next time.  Thanks for reading!

EvidenceIn our last episode Don’t Panic, Josh walked through how to respond to an initial examination letter, including a handy checklist of items that roboadvisors should always have in good order. But what if your existing practices don’t cover all the examination letter requests?  Do not fret. No examiner is expecting perfection. More important is understanding the examination objective to determine the appropriate response.

Here are five questions your organization will want to answer before responding to the exam:

1) Is this a routine examination?

The SEC will prioritize “newly” registered investment advisers for examination.  This is standard operating procedure- you are not being singled out.  Thus, by definition, a review of a previously unexamined roboadvisor is “routine”.  Typically, this review will be conducted within the first year or two.  Even if there are no on-site visits (halted during COVID), expect a telephonic and/or video interview of managers in addition to the written requests. In 2020, the Division examined 15% of all investment advisors.

For “sweep” exams, regulators are surveying similarly-situated RIAs for specific topics or practices. For example, one Division sweep exam on cybersecurity looked like this: SEC Sample Letter.    As we’ve stated before, the motivation and focus of many such examinations are often right in the Division of Examinations (“EXAM’s”) annual disclosure of exam priorities.  For 2021, they were:  Priorities.

In exams for “cause”, you can often intuit topics of interest from the examiners’ questions themselves.  Regulators’ policies differ on whether they will disclose why they are asking what they ask.  In most instances, however, proactively calling EXAMS is a fruitful use to time before responding.

2) How long should I expect the exam to take?

Settle in. This is not a quick process. But being prepared and timely responding to examiners will help move things and make business disruption as painless as possible (a relative term, I know). Following an initial interview, on-site visit (if required), and receipt of all requested documentation, the SEC has 180 days to complete its exam.

3)  Do we have history of regulatory issues or deficiencies?

One of the first things an examiner will check is previously identified risks in your business model.  Prior deficiency letters?  Expect examiners to make a bee line for such topics. Know the issues, and how compliance responded and documented them, cold.   And if there are clear outstanding issues or complaints, don’t hide the ball or mislead.

Beyond the obvious obligations to report problems or complaints, assume examiners already know or will soon discover these meddlesome facts, and have shared the same with other regulators.  That said, carefully consider exam questions and answer what is asked. Rushing to answer can open misleading topics and unnecessary doors.

4) Are we doing what we say we do?

Step two for any examiner will be to look at your ADV. Check to make sure that your ADV, advisory agreements, fee disclosures, brochures and other documents match your exam replies AND one another.  If there have been updates, explain that- but be prepared with books and records to demonstrate how compliance policies are reviewed and when they changed.

5) Are there recent Division pronouncements for RIAs? 

Advisers have an obligation to keep abreast of applicable laws. EXAMS regularly publishes guidance, and has focused on digital advisers for a few years now. For example, EXAMS provided recent guidance on wrap fee program violations found in RIA exams: Wrap Fee Risk Alert.  Examiners will routinely ask about priority topics, testing whether your compliance staff keeps up with the rules.

Having experienced staff and counsel who know how to answer these questions, and keeping up with rule changes, is crucial to successfully navigating an examination. In our next post, Craig will discuss what happens once exam requests have been supplied.

Do Not PanicYou open your inbox, ready to start your day, and what’s the first thing that greets you? A notice that you’re being examined from the SEC’s Division of Examinations (EXAMS), along with an initial request list for information. Time to panic? Of course not. Being examined by the SEC, and other regulatory authorities, is an inherent part of the investment advisory business. But the question remains, now that your firm has been selected for an examination, how should you respond to the initial EXAMS’ request letter?

For starters, it’s important to note that your response to the SEC starts long before you receive your letter from EXAMS. In fact, the work you do to adhere to your compliance program on a daily basis is the best preparation for any regulatory examination. That aside, let’s discuss the practicalities of the process and best practices for your response.

As Craig noted in our last post, an SEC examination can have a variety of different focuses. A commonality among all of these examinations is that they typically start with an initial document request list. In general, the EXAMS’ request letter will require your firm to provide a list of business records and perhaps narrative responses as to how your firm complies with regulations.

If you look back to our previous discussion on the Advisers Act Books and Records Rule, you’ll recall that the amount of records your firm is required to maintain is numerous and the retention period and location for these records can vary greatly. If you’re not sure if your firm is up-to-date on its records retention, now is the time review and come into compliance if needed before you receive a request letter.

Some examples of commonly requested materials you may be asked to provide include copies of your:

  • compliance policies and procedures (see our post on building your compliance program);
  • business continuity plan (see our post on business continuity plans);
  • organizational chart;
  • client agreement (see our post on client agreements); and
  • trade blotter.

Organization is the key when preparing your response. When you receive the request letter and list of documents, review the list and identify potential issues.  If you are uncertain about any requests, contact the assigned examiner on the request letter for clarification.  You’ll likely have to provide many documents to EXAMS and will be required to do so promptly. To do this efficiently, identify all personnel in your firm who will be needed to provide documents or input on your response. Then, create a tracking document, assign the various items as applicable, compile and label the requested documents, and draft your response. When you begin to provide documents to the SEC as part of your response, be sure to track when and how you provide materials (i.e., via electric portal, postal mail, etc.). We also recommend you prepare and file a confidential treatment request in conjunction with your response to help keep it safe from requests made for public information under the Freedom of Information Act.

Responding to an SEC examination can be stressful, and we strongly recommend working with your legal or compliance professionals throughout the process. We’ll continue in our series on examinations next time, when Marc picks up our thread following the response to the initial examination request.

So you’ve built your robo-adviser, registered it, hired and licensed personnel, implemented a compliance program, conducted a successful marketing campaign, and (finally) gotten to do what you’ve really wanted to do the whole time – advise clients and manage portfolios.  Startup woes seem a thing of the past, and your operation is running smoothly.

Then, one day, you check your email inbox and find a message from the SEC’s Division of Examinations (EXAMS) saying that your firm has been “selected” for examination.  Wait, what?

Take a breath.  Our next series of posts will walk you through the exam process from start to finish, so that you can be well prepared to ace the test when the SEC inevitably draws your firm’s name.

Why were you picked? An entity may be selected for reasons such as the entity’s risk profile, a tip or complaint, or a review of a particular compliance risk area.  Or a firm may just be chosen at random.  Unfortunately, you probably won’t ever know why you were picked – the SEC has stated publicly that it generally does not share those reasons with firms under examination.

What are they looking for? Through the exam process, the SEC seeks to test whether you are following applicable laws and rules, adhering to the disclosures you make to clients and your own internal policies, and implementing a compliance program that is reasonably designed to ensure your firm meets applicable requirements.  There are several flavors of exams:

  • Routine. Routine exams take place periodically (i.e., aren’t triggered by anything particular event) and are designed to test all major areas of your compliance program.
  • Sweep. Sweep exams are usually targeted to just one or a few compliance areas that the SEC deems to be of particular risk to the industry as a whole (such as a sweep exam related to cybersecurity conducted in 2015, the results of which are detailed here).
  • For Cause. The SEC may examine a firm based on a client or employee complaint or referral; such exams tend to focus on the area raised by the complaint or referral.

Sometimes exams are unannounced.  But that’s not the norm. The bulk of exams tend to be announced, so our next few posts will give you a thorough overview of the typical process for an announced exam.  We’ll also give you a few practical pointers at each stage.

As illustrated in the above vignette, at the outset of an announced exam, the SEC will usually send you a communication telling you that it’s your turn.  That communication normally includes a request list for information and documents that the staff will review before they come onsite.  Responding properly to that request list is critical to your exam success, for it’s your opportunity to make a fantastic first impression.  So critical, in fact, that it’s worth its own blog post.  We invite you to return next time when Josh will show you how to make that initial response shine and put the staff at ease before they even walk through your door.

For nearly a decade now, regulators have placed the Chief Compliance Officer (“CCO”) squarely within the sights of enforcement, on the logic that holding target CCO’s individually liable for violations would prompt robust compliance programs, and deter lackluster supervision. The reasonableness of such assumptions is a topic for a different post.  However, despite these drastically raised the stakes for compliance leadership, many institutions fail to keep pace with appropriate corporate governance attention, respect, and funding needed to keep CCOs out of harm’s way.

Some further argue that regulatory enforcement’s focus on CCOs has a chilling effect on the industry, with significant personal risks driving experienced compliance leadership from their roles. And their concerns are not idle.

Earlier this year, FINRA took aim at CCOs for conflicts of interest in accepting “dual hat” roles where compliance responsibilities were at odds with operational roles, and found that such conflicts “failed to observe high standards of commercial honor.”  FINRA imposed hefty fines to boot.

In April, the SEC filed an action against an investment adviser for cherry picking trades for special clients and favoring personal accounts, and leveled fraud allegations against the CCO for signing annual (ADV) disclosures that stated that trades were “allocated fairly.” (See

What is responsible policing of the (compliance) police?  The New York City Bar Association, in conjunction with a few financial services trade organizations, published their answer to this thorny question in June, offering a framework for the SEC to adopt in considering CCO liability:   For any CCO, compliance professional, executive or audit committee, its considerations are illuminating.

The report encourages the SEC to consider factors such as:

1) General:  Does the CCO conduct charge help fulfill the SEC’s regulatory goals?

2) “Wholesale Failure”:  Did the CCO fail to make a good faith effort to fulfill his or her responsibilities?  Does the failure represent a lapse in an otherwise well-run compliance program? Or has the SEC issued recent guidance that puts the CCO on notice of this particular failure?

3) Active Participation:  Did the CCO’s conduct facilitate the fraud?

4) Obstruction:  Did evidence show an intent to deceive the SEC?  Did the CCO course correct after being told of conduct viewed as obstructionist?

While regulators consider these recommendations, compliance obligations continue. Recent regulatory guidance indicates that failing to follow policies and procedures in remote working and client engagement environments will be a top priority for exams. As remote client engagement is the central feature of robo-advisers, they should expect top to bottom review of their processes. The NY Bar questions happen to be a good place to start to evaluate the health of your compliance procedures and the risks to your CCO.

No AccessYou probably don’t need to be convinced that information security is critically important. But just in case you do, you should know that the U.S. Securities and Exchange Commission (SEC) continues to emphasize the importance it places on information security. In our last two posts, Marc and Craig began our discussion of the SEC’s Division of Examinations’ (EXAMS) 2021 priorities related to information security. In today’s post, we’ll continue that theme by looking at a 2021 EXAMS’ priority of particular relevance for robo-advisory firms: access rights and controls.

To start, let’s establish a baseline for specifically what the SEC is concerned with regarding access rights and controls. The 2021 EXAMS’ priorities states that “[EXAMS] will review whether firms have taken appropriate measures to…safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access.” In short, your firm must have controls in place to verify the identity of your clients and protect against unauthorized access of their accounts. As a robo-adviser, your firm’s connectivity to clients is entirely based on the client’s ability to access their account through your website or app. Given this dynamic, let’s review best practices that your firm should have in place.

  • User Access – the first step to having proper controls in place is to ensure each user has appropriate access. As part of the client on-boarding process, your systems should clearly identify the client and only permit access to data and features of your systems necessary for the client to manage their account.
  • Access Management – once a client has been integrated into your systems, the issue of access management becomes critical. You obviously want to prevent third-party access to your clients’ information, but you should also have controls in place to restrict unnecessary access by employees. General best practices for access management include (i) incorporating a separate approval process for clients who wish to add an additional user to their account; (ii) requiring clients to re-certify access rights on a periodic basis; (iii) mandating strong password requirements, including the requirement to periodically update; (iv) requiring multi-factor authentication to obtain account access; and (v) deleting systems access immediately for former employees.
  • Access Monitoring – in order to properly manage access to your clients’ accounts, your control procedures should include the following monitoring polices: (i) tracking failed login attempts and revoking access after a predetermined number of failed attempts; (ii) properly authenticating clients when handling requests, such as for username or password information; and (iii) periodically reviewing the software and hardware components of your systems to ensure all aspects of your infrastructure is current, and when necessary, augmented with update and patches.

For more information on access rights and controls, and other information security observations, you should review EXAMS’ 2020 Guidance Release, and of course, reach out to your legal or compliance professional with any additional questions.

Thank you for your continued readership. Check back next time when Marc will be discussing how to limit liability for robo-advisory firm CCOs.

As Marc mentioned last time, the SEC’s Division of Examinations’ (EXAMS) has made it a priority in 2021 to review the steps that firms take to ensure information security and operational resiliency. For robo-advisers, given that they conduct so much of their operations online, these steps are of paramount importance.

In its report, EXAMS noted that it will scrutinize whether advisers have implemented appropriate measures to oversee vendors and service providers and manage the cybersecurity and privacy risks inherent in those relationships.  So what does the agency expect to see from you?

Luckily, the SEC already tipped its cards.  The agency published guidance in 2020 that indicates its view that vendor management policies and procedures should address due diligence for selecting vendors, monitoring and overseeing them, requiring appropriate contract terms, and understanding how vendors protect client information.

Here are some practices observed by the SEC that illustrate those expectations:

  • Vendor management programs. The agency noted firms had established vendor management programs that set standards for vendors’ information security practices, ensured safeguards were in place, used questionnaires to evaluate potential vendors, required the review of third party reports (such as SOC 2 reports), mandated independent audits, and established procedures for terminating and replacing vendors.
  • Understanding vendor relationships. The SEC found that advisers (and their personnel) demonstrated that they understood privacy and cybersecurity related contract terms, understood risks associated with vendor outsourcing, and effectively managed those risks.
  • Vendor monitoring and testing.  The agency observed that companies took demonstrable steps to monitor each vendor relationship to make sure the vendor continued to meet security requirements and ensure that advisers were alerted to changes in the vendor’s services or personnel.

Want some more advice?  Be ready for data breaches caused by your vendors.  A common misconception is that if you share sensitive information with a vendor and that vendor gets hacked, the vendor is the one with legal obligations relating to the breach.  That’s not true.  State laws put the onus on the adviser who collected information from the consumer in the first place, and they often limit the responsibility of vendors to promptly informing you that something happened.  So what do you do? Ensure your contract with any vendor that handles your clients’ information specifies what must be done if a breach occurs, who must do it, how fast it must be done, and how the costs will be allocated.

Want even more advice?  For a fulsome discussion of the steps you can take to manage the privacy and cybersecurity risks of your service providers, I encourage you to check out our webinar available here.  That’s all for now – please be sure to return for our next post where Josh will discuss the importance of maintaining effective access rights and controls in your organization.


We continue our discussion of the SEC’s Division of Examinations’ (EXAMS) 2021 Priorities (see here) with an overview of information security and operational resiliency.  The daily drumbeat of cyber-intrusion incidents is certain to keep cybersecurity at the top of EXAMS’ focus.

In light of the pandemic forcing a shift to remote work, EXAMS has announced its focus on information security issues including: endpoint security, data loss, remote access, third-party communication systems, and vendor management.  EXAMS will assess firms’ reasonable efforts to:

(1) prevent account intrusions, focusing on customer identity;

(2) oversee vendors and service providers;

(3) address malicious email activities;

(4) respond to incidents, specifically ransomware attacks; and

(5) manage operational risk created by remote working.

EXAMS expects to focus these reviews on firms’ policies and procedures for platform investor information security and electronic maintenance of books and records, both by firms and their vendors. The pandemic also provides EXAMS an opportunity to review the sufficiency of disaster recovery and business continuity plans. For those who remember post-Hurricane Sandy sweep exams, these will look familiar. Have you improved since then?

EXAMS also encourages market participants to actively and effectively engage regulators and law enforcement in identifying and addressing vulnerabilities and attacks. We recommend soliciting the appropriate advice to assess your preparedness and assist in incident and remediation reporting.

EXAMS signaled its focus on this topic last year in published guidance (see here), which is useful to governance and risk considerations.  The SEC has stated that effective governance of cybersecurity begins with demonstrated commitment from the top.  This includes boards and executives articulating cyber policies and priorities; performing enterprise risk assessments to identify, manage and mitigate risks unique to the enterprise; and developing methodologies for risk assessments that include when employees are away from the office.

Effective governance also includes routine review of access controls and data loss prevention processes including practices such as penetration testing, software testing, patch management and appropriate encryption and access segmentation.  For digital advisors, which exist almost exclusively in this realm, each of these risks are magnified. Demonstrating resiliency in cybersecurity, then, involves developing a plan and identifying personnel to address incidents, a process for measuring the scope of the vulnerability and risk, and a protocol for elevation and reporting.

When regulators come knocking, it is published guidance, like the above, that they look to in answering whether “you knew or should have known” about the risks, and the “reasonableness” of your cybersecurity practices and procedures. In Source Code’s next post, Craig will discuss managing cybersecurity and privacy risks posed by the vendors your firm works with.


The market for investment products and services is very competitive. Consumers now look to their advisers to not only provide return on their investment but to do so in a way that is consistent with their personal ethos. To meet this demand, many investment advisers have turned to incorporating environmental, social, and governance (“ESG”) factors into their investment strategies. Arguably there is no hotter topic at present in the broader investment community than ESG, or, as it is sometimes called, socially responsible investing. But before your firm begins to include ESG in its investment approach, you should first consider the SEC’s increased scrutiny and subsequent guidance on the subject.

As Marc previously discussed, the SEC recently published its Division of Examinations’ priorities for 2021. Prevalent among these priorities was an enhanced focus on ESG. Moreover, the SEC also published an Investor Bulletin in February 2021 discussing ESG investing and an April 2021 Risk Alert highlighting areas of concern noted from SEC examinations of investment advisers pertaining to ESG investing.

So, what should you take from all of this SEC guidance? For one, if your firm provides ESG investment strategies, you should expect that to be a focus of any SEC examination of your firm. But more broadly, you might read the SEC’s guidance to state that ESG investing should be more than a marketing tool to attract clients (meaning you need to think about how incorporating ESG investing affects clients and what you need to tell them). To that end, below are the key points your firm should focus on when developing and maintaining your ESG program:

  • Portfolio management practices must be consistent with ESG disclosures – This is not a unique concept to ESG. The way your firm manages a client’s account must be consistent with the client’s expectations and your firm’s disclosures. For example, if your website indicates that your algorithm will exclude investments in certain industries (e.g., tobacco or alcohol), you must ensure that the client’s portfolio has been filtered in accordance with this disclosure. You should also review your Form ADV and any marketing materials to ensure that consistent disclosure related to ESG investing is used.
  • Accurate ESG Disclosure – As with all investment strategies, ESG investing contains risks. The SEC will expect your ESG related disclosures to be free from unsubstantiated or misleading statements. Statements such as “our strategy will only invest in companies with high employee satisfaction” must be substantiated by evidence. If your ESG investment process involves screening out certain investments, your disclosure should indicate that such process may result in lower returns due to the potential for higher performing securities to be screened out.
  • Your compliance program must include adequate policies and procedures to monitor and address ESG issues – Adding an ESG component to your firm’s investment offerings means additional compliance responsibilities. The SEC will expect your compliance program to adequately address how your firm will monitor and test for ESG. This should include policies and procedures to periodically review client portfolios to ensure adherence to client stated preferences. For example, if your client intake process allows a client to indicate preferences, such as the exclusion of companies engaged in weapons manufacturing, your compliance program should include a procedure to test for the client’s intended screen. The SEC would also expect policies/procedures around making sure your algorithm is working as expected (i.e., ESG screens being applied appropriately).

While the above bullets are the key highlights from the SEC’s guidance on ESG, you should review the entirety of the guidance at the above links and consult with a legal or compliance professional before implementing your ESG program.

Thank you, as always, for your continued readership. Please check back next time when Marc will continue our series discussing the SEC’s 2021 examination priorities.