Investment Adviser Regulation

A chief compliance officer (“CCO”) for a registered investment adviser (“RIA”) found himself barred from any compliance or supervisory role in the future because he willfully refused to fix a number of compliance issues.  See https://www.sec.gov/litigation/admin/2017/34-82397.pdf. 

The RIA had conducted a review that uncovered numerous compliance problems.  Despite having notice of the results of this review, the CCO simply ignored them and did not address any of the problems, including, among other things, the failure to retain emails and electronic information or to protect customer information.  The CCO also failed to update the compliance manual or conduct an annual review.

Such a step by the SEC is in keeping with its belief that CCOs are on the front lines of ensuring that the public are protected.  Here, it seems that the CCO ignored those responsibilities, and was punished severely.

We are regularly approached by our RIA (and BD) clients, who inquire, usually around election time, how they should make political contributions. Our advice is usually: do not make the political contribution, and you can blame your lawyer!

However, those persons ignoring that advice should be concerned that the SEC recently fined an investment adviser for violating the Investment Advisers Act of 1940’s pay-to-play rule, which prohibits an RIA from accepting compensation for 2 years following a political contribution to an official who may influence who obtains an investment contract.  See https://www.sec.gov/litigation/admin/2018/ia-4960.pdf.  Although in this case the significant investment in the RIA’s managed fund preceded the campaign contribution, it simply did not matter. The RIA could no longer do business with the entity once the campaign contribution was made; it was simply strict liability.

Thus, we are always reluctant to recommend that a client should make a political contribution since it could cost the RIA business.

In rapid succession, the SEC has issued warnings and announced sanctions against registered investment advisers for fee and expense practices, false statements regarding assets under management, and misleading performance data.  No one should be surprised that the SEC is actively seeking to uncover transgressions in the RIA field.

Initially, the SEC’s Office of Compliance Inspections and Examinations issued a Risk Alert outlining a variety of RIA failures concerning the proper calculation and disclosure of fees and expenses.  See https://www.sec.gov/ocie/announcement/risk-alert-advisory-fee-expense-compliance.  In particular, the alert detailed a series of failures that OCIE found in its examinations of RIAs: among other things, RIAs failed to properly value assets, overbilled, and used incorrect fees or time periods.

Similarly, the SEC also sanctioned a principal of a closed RIA for falsely stating it was subject to SEC registration.  See https://www.sec.gov/litigation/admin/2018/ia-4875.pdf.  Although we believe it admirable for someone to want to achieve SEC RIA registration status, you want to be accurate when you make this claim.  Apparently, this individual was not, and lying to the SEC will always incur its wrath.

Finally (and this is a pet peeve with us), the SEC also sanctioned an RIA for using misleading performance data.  See https://www.sec.gov/litigation/admin/2018/ia-4885.pdf.  The RIA was caught using hypothetical back-tested performance data, a pretty big no-no.  We are constantly advising RIA clients of the pitfalls in using any type of performance data, and this case illustrates how closely the SEC will look at its use.

In sum, RIAs have to be careful: the SEC is watching.

The SEC recently announced an enforcement initiative that will target retail investor harm. The agency’s task force will use data analytics to find widespread problems regarding fee disclosures and unsuitable investment recommendations. In addition to data analytics, the SEC will rely upon tips, complaints and referrals that come into the SEC.

This heightened analysis of the retail investor market should be a wake-up call to firms who service the retail investor space. There are a few questions that you should be asking as you move forward:

  1. Do I have a rigid supervisory system to make sure clients are receiving suitable investment advice for the fee being paid?
  2. If my firm does not have a robust supervisory system over retail investment advice, what is the firm doing to develop and deploy such a system?
  3. What does your supervisory system provide if it finds unsuitable investment recommendations?

There are certainly additional questions that firms can ask themselves, but the point is made. What are you doing to make sure the SEC does not have an issue with the retail investment advice that you are giving to your clients? If you cannot answer that question, you had better go back to the drawing board.

 

Over the last several months, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has been conducting a “sweep examination” of over 70 broker-dealers and investment advisers to assess their cybersecurity policies and procedures.  https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.  In particular, OCIE looked at their preparedness regarding governance and risk assessment; access rights and controls; data loss prevention; vendor management; training; and incident response.

For the most part, OCIE found policies and procedures in place, and these firms did, in fact, conduct penetration tests and vulnerability scans; used a system to prevent data loss; installed software patches; adopted response plans; and conducted vendor risk assessments.  However, not all the news was good.  OCIE believes that these firms should have better tailored policies and procedures; conduct enhanced employee training; replace outdated systems; and make sure that various vulnerabilities are addressed in a timely fashion.  OCIE also informed these firms that it will continue to be vigilant in the cybersecurity sphere in both its examinations and testing.

In sum, with the exception of tweets from the White House, no area is getting more attention from the public and the government than cybersecurity precautions and detection.  It is critical that senior management and compliance at broker-dealers and investment advisers take this threat seriously or there could be serious repercussions if their business is attacked.

The SEC recently issued regulatory guidance for robo-advisors. This guidance focuses on what robo-advisors must do to meet their disclosure obligations.

Among other things, the SEC has recommended robust disclosures in the following areas:

  1. The use of algorithms, overrides, third parties, fees and client information.
  2. The limits on use of the robo-advisor model to ensure adequate disclosures.
  3. Adequate and clear investment questionnaires to ensure suitability of investments.

Robo-advisors are a growing trend. Thus, it is only logical that the SEC would provide such guidance. Now that the SEC has spoken, it is on you to ensure that you take the message to heart; or learn the hard way.

The SEC recently released its findings relating to exams of investment advisers.  https://www.sec.gov/ocie/Article/risk-alert-5-most-frequent-ia-compliance-topics.pdf.

In particular, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) found weak compliance programs; insufficient or late filings; custody rule violations; Code of Ethics problems; and the often-used books and records issues. OCIE, in fact, criticized the use of non-particularized, “off-the-shelf” manuals, nearly non-existent annual reviews, and plain and simple failure to implement or follow procedures.  Form ADV and Form PF filings also included inaccurate information or were late.  Investment advisers were also found not to have the requisite knowledge to follow the custody rule, its requirements, persons responsible, or adequate and readily available books and records.

Finally, RIAs should consider this release a warning shot.  That is, the SEC staff will most likely continue to focus on these issues during its future exams.

 

According to Bloomberg, Trump plans to order a review of Dodd-Frank, with an eye to significantly scaling back the regulations.  Trump also plans to do away with the “fiduciary rule”, which requires retirement account advisers to perform in the best interests of their clients.

This confirms Trump’s goal to loosen regulations in the financial services industry.  While the Dodd-Frank review will not have an immediate impact, Trump’s order will stall the fiduciary rule from going into effect this April.  Trump is likely to face significant opposition to his efforts to dismantle Dodd-Frank, but will likely succeed in scaling back at least some of its regulations.

We will continue to monitor developments in this area and provide further updates as they unfold.

Consistent with the ongoing guidance/requirements from the SEC and FINRA, all firms must have and enforce data security policies and procedures.  Even the best policies and procedures may, however, not protect the firm in every instance.  So what do you do if there is a breach?

One of the most important things to determine is what law governs.  In other words, if you have clients in all 50 states, it is possible that there are 50 different data breach laws that may be implicated.  Fox Rothschild LLP has a free app, Data Breach 411, which provides an overview of state data breach laws.

Knowing what you need to know is imperative when assessing a data breach.