Investment Adviser Regulation

 

Over the last several months, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has been conducting a “sweep examination” of over 70 broker-dealers and investment advisers to assess their cybersecurity policies and procedures.  https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.  In particular, OCIE looked at their preparedness regarding governance and risk assessment; access rights and controls; data loss prevention; vendor management; training; and incident response.

For the most part, OCIE found policies and procedures in place, and these firms did, in fact, conduct penetration tests and vulnerability scans; used a system to prevent data loss; installed software patches; adopted response plans; and conducted vendor risk assessments.  However, all the news was not good.  OCIE believes that these firms should have better tailored policies and procedures; conduct enhanced employee training; replace outdated systems; and make sure that various vulnerabilities were addressed in a timely fashion.  OCIE also informed these firms that it will continue to be vigilant in the cybersecurity sphere in both its examinations and testing.

In sum, with the exception of tweets from the White House, no area is getting more attention from the public and the government than cybersecurity precautions and detection.  It is critical that senior management and compliance at broker-dealers and investment advisers take this threat seriously or there could be serious repercussions if their business is attacked.

The SEC recently issued regulatory guidance for robo-advisors. This guidance focuses on what robo-advisors must do to meet their disclosure obligations.

Among other things, the SEC has recommended robust disclosures in the following areas:

  1. The use of algorithms, overrides, third parties, fees and client information.
  2. The limits on use of the robo-advisor model to ensure adequate disclosures.
  3. Adequate and clear investment questionnaires to ensure suitability of investments.

Robo-advisors are a growing trend. Thus, it is only logical that the SEC would provide such guidance. Now that the SEC has spoken, it is on you to ensure that you take the message to heart; or learn the hard way.

The SEC recently released its findings relating to exams of investment advisers.  https://www.sec.gov/ocie/Article/risk-alert-5-most-frequent-ia-compliance-topics.pdf.

In particular, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) found weak compliance programs; insufficient or late filings; custody rule violations; Code of Ethics problems; and the often used books and records issues. OCIE, in fact, criticized the use of non-particularized, “off-the-shelf” manuals, nearly non-existent annual reviews, and plain and simple failure to implement or follow procedures.  Form ADV and Form PF filings also included inaccurate information or were late.  Investment advisers were also found to not have the requisite knowledge to follow the custody rule, its requirements, persons responsible, or adequate and readily available books and records.

Finally, RIAs should consider this release a warning shot.  That is, the SEC staff will most likely continue to focus on these issues during its future exams.

 

According to Bloomberg, Trump plans to order a review of Dodd-Frank, with an eye to significantly scale back the regulations.  Trump also plans to do away with the “fiduciary rule”, which requires retirement account advisers to perform in the best interests of their clients.

BoardThis confirms Trump’s goal to loosen regulations in the financial services industry.  While the Dodd-Frank review will not have an immediate impact, Trump’s order will stall the fiduciary rule from going into effect this April.  Trump is likely to face significant opposition to his efforts to dismantle Dodd-Frank, but will likely succeed in scaling back at least some of its regulations.

We will continue to monitor developments in this area and provide further updates as they unfold.

Consistent with the ongoing guidance/requirements from the SEC and FINRA, all firms must have and enforce data security policies and procedures.  Even the best policies and procedures may, however, not protect the firm in every instance.  So what do you do if there is a breach?19196909_s

One of the most important things to determine is what law governs.  In other words, if you have clients in all 50 states, it is possible that there are 50 different data breach laws that may be implicated.  Fox Rothschild LLP has a free app, Data Breach 411, which provides an overview of state data breach laws.

Knowing what you need to know is imperative when assessing a data breach.

 

 

In the hectic world of financial services, registered representatives and investment adviser representatives are always looking to increase their assets under management. At what cost? Are there situations where you would be better off just saying no to accepting that one additional client?

In my many years of defending representatives and advisers from customer complaints, the unqualified answer is yes; there are situations when you are better off just saying no. Any good risk avoidance program will provide for the proper screening/selection of prospective clients. I have addressed this very issue in a risk avoidance handbook.whistle

The key to this screening process is being able to sniff out the types of clients that you do not want to accept. For example, are you the fourth adviser that this client has come to in the last four years? Does the client profile not fit your personal/company investment philosophy? Does the client have unrealistic expectations on what she is expecting you to deliver?

If the answer to any of these questions is in the affirmative, there should be a huge stoplight in front of you flashing red. Any client who fits any of these descriptions is also the client most likely to bring a claim against an adviser.

So before you take on any client with a little money, be cautious. Are there red flags coming into the relationship? If so, just say no.

That is the question that the SEC has essentially posed for registered investment advisers in a National Exam Program Risk Alert. In doing so, the SEC has stated that it will be “examining compliance oversight and controls of registered investment advisers that have employed or employ individuals with a history of disciplinary events . . . .”

The SEC will essentially be examining the investment advisers business and compliance practices, particularly focused on higher risk individuals. Does this mean that you should not hire or retain someone who may have a disciplinary past?Core Values

Of course, not. Instead, this alert should be telling you that such people, if you do decide to hire (or retain) them, should come under some form of heightened supervision for a period of time, if not forever. But be forewarned that the SEC is going to check up on you by reviewing certain information, including the following:

  1. Your compliance program , including the practices surrounding the hiring and ongoing reporting obligations of investment adviser representatives.
  2. The firm’s disclosures (i.e., Form ADV) that it makes to its customers to ensure that they are accurate.
  3. The conflict of interest that the firm discloses.
  4. The firm’s marketing.

By reviewing these areas, the SEC believes that it can better understand how firms are handling and representing advisers with a past to their customers. If you decide to hire or retain such advisers, you should focus on what you are saying to the public about them through your words and actions before you are in the SEC doghouse following an examination.

 

The SEC has repeatedly included issues around social media in its annual exam priorities for investment advisers. With the SEC’s recent release of a final rule on the subject, the SEC has taken that “exam priority” to the next level.

Under this new rule, investment advisers will have to complete an additional component to their annual Form ADV filed with the SEC. In doing so, investment advisers will have to disclose their addresses for Twitter, Facebook and LinkedIn. So what’s the point?

By requiring this disclosure, the SEC can better focus on each examined firm’s use of social media. Undoubtedly, the SEC will use this information when framing its examination of individual firms.

The SEC can also use this information on an ongoing basis to assess what firms are putting out there on social media. The industry has to assume that the SEC will be doing more with this information than just tucking it away for examination purposes.Core Values

This new rule should incentivize you to review your social media policy, assuming that you have one. If you do not have one, you need to have one prepared.

You should also monitor the information that your firm is putting out there on social media. Does it confirm with SEC rules? Rest assured. If you are not minding the store, the SEC will.

It was great speaking at the May 17 New York NSCP regional conference on risk issues facing firms where Ernie Badway and I discussed cyber-security, risk issues, regulatory matters, issues involving elder clients and ways compliance personnel can protect themselves.  For those of you who could not make the conference, these topics are frequently discussed in our various publications.  Feel free to access them here and use them as you see fit.  Core Values