By Les Abromovitz
From Compliance & Ethics Professional, a publication for SCCE members
As the weather improves and summer approaches, it is a good opportunity for chief compliance officers (CCOs) to add compliance chores to their To-Do lists. Registered investment advisers (RIAs) and broker-dealers (BDs) have a great deal to lose if examiners come for an inspection and their compliance programs are in disarray. Therefore, in addition to the work that you’ll be doing around the house this summer, here are some compliance chores to put on your To-Do list.
Dust off and polish your firm’s policies and procedures
There can be serious consequences when CCOs fail to cross off items on their compliance To-Do lists. Rule 206(4)-7 under the Investment Advisers Act requires SEC-registered advisers to review their policies and procedures at least once per year and to make improvements. Even if they are not required to do so, state-registered investment advisers should conduct similar reviews. All RIAs, whether SEC or state-registered, will benefit by conducting interim reviews of their policies and procedures.
FINRA Rule 3120 obligates BDs to designate and identify one or more principals who will take responsibility for establishing, maintaining, and enforcing supervisory policies and procedures. BDs are required to verify that their supervisory procedures are reasonable, in view of the activities engaged in by the firm and its associated persons, and that they ensure compliance with applicable rules and regulations. Testing of the procedures should be ongoing and risk based. Procedures should be amended if testing dictates that improvements are necessary. At least once a year, designated principals are required to submit a report to senior management, which describes the firm’s supervisory controls, summarizes test results and significant exceptions, and details any additional or amended supervisory procedures implemented as a result of the testing.
It is hard to establish a culture of compliance at a firm if the people in charge diminish the importance of policies and procedures. On too many occasions, policies and procedures are treated with disdain by management or are ignored. Compliance violations are treated nonchalantly, and there are minimal consequences when policies and procedures are violated.
Ignoring policies and procedures is a recipe for disaster. In a great many enforcement actions, examiners identify weak or non-existent policies and procedures as one reason why compliance deficiencies occurred.
Buff up policies and procedures to protect senior investors
As firms improve their policies and procedures, they should be aware of the regulatory landscape. Protecting seniors and older investors is a high priority for the Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and state securities regulators.
Firms should pay special attention to advertising and marketing pitches aimed at senior investors. Presentations must be fair, balanced, and not misleading in view of the intended audience and how the marketing piece will be utilized. It may also be prudent to have a supervisor attend a seminar or presentation, particularly if attendees are senior or elderly investors.
In addition, reviews should focus on the basis for recommendations made to the client, especially in relation to life events, such as IRA rollovers. There must be a clear and documented basis for any recommendation. Registered representatives (RRs) and investment adviser representatives (IARs) should document why a particular course of action was chosen. They should also document that fees resulting from the recommendation were fully disclosed.
Firms should consider best practices, such as the following, to protect senior investors:
- Increasing the frequency of suitability reviews for clients above a certain age;
- Using senior-based exception reports to monitor when certain investment products are purchased; and
- Heightened scrutiny of advertisements and marketing presentations aimed at seniors.
Regulators expect to see procedures in place, which are reasonably designed to prevent financial incentives from compromising the objectivity of suitability reviews. Procedures should also be implemented to ensure that no one uses exaggerated or misleading credentials to imply expertise in dealing with seniors or older investors. Policies and procedures governing the use of professional designations should ensure that the firm has conducted due diligence to verify that credentials were, in fact, earned and all ongoing requirements have been satisfied.
Make sure cybersecurity is on your To-Do list
It is clear that examiners are and will continue to be focused on firms’ efforts to protect their clients from cyberattacks. Examiners are likely to question what cybersecurity measures are in place.
On September 15, 2015, the SEC’s Office of Compliance Inspections and Examinations published a Risk Alert, which announced the Commission’s second round of cybersecurity sweep examinations. The purpose of sweep exams is to gather information regarding industry practices. The Risk Alert was accompanied by a five-page sample document request letter. Both documents can be found here.
Even if they are technologically challenged, CCOs, senior managers, and principals should become familiar with the security measures that can help to thwart a cyberattack. They should be hands-on in this area, instead of relying on information technology professionals to take the appropriate steps. Senior-level management and board members must be fully engaged for a firm’s cybersecurity efforts to be successful. Firms should test their cybersecurity procedures to ensure they are effective.
Firms should conduct training on cybersecurity issues. The SEC’s Risk Alert and document request letter are certainly worthy of discussion at a training session. Firms will also benefit by creating an incident response plan, as well as selecting a team that will spring into action if a cyber breach occurs.
Weed out boilerplate policies and procedures and stale advertisements
It is imperative that firms clean up and strengthen their policies and procedures in order to protect investors. Too many firms use boilerplate compliance manuals containing policies and procedures that are inapplicable to their business model. It is much more desirable to implement a streamlined manual with meaningful policies that are followed to the letter. Policies and procedures should always be customized to address the risks facing the firm.
Firms should also weed out erroneous and misleading advertisements. Many firms never get around to updating information or removing stale content from their websites. For example, some RIAs fail to update their websites after they switch from state to SEC registration. Occasionally, RIAs opt to include their Form ADV on their website, but neglect to post the most current version. Form ADV is the uniform form used by investment advisers to register with either the SEC or the appropriate state securities regulator.
Outdated information in advertisements is potentially misleading. CCOs should discard or update advertisements containing references to assets under management and performance, if they are not current. Firms should also include robust disclosures that are tailored to the content in the advertisement. A firm’s policies and procedures should mandate that advertisements be reviewed on a regular basis.
Leave major jobs to the professionals
Some chores around the house are best left to the professionals. Similarly, CCOs may not be equipped to handle all of their firms’ compliance chores. Although CCOs are required to be knowledgeable about the rules and regulations impacting their firms and their business models, they must often turn to compliance consulting firms to fill in the gaps in their knowledge. Some firms might benefit by outsourcing compliance to a third party. In any event, it won’t help to show examiners your compliance To-Do list with several items left unchecked.