As fiduciaries, registered investment advisers (RIA) are responsible for acting in the best interests of their clients – but sometimes that’s easier said than done.
With ever-changing regulations, advancing technologies and new staff on board, accidental oversights can (and do) happen. Luckily, there are steps you can take to proactively reduce those risks and maintain compliance.
Related: The Cost of Noncompliance for Investment Advisory Firms
In today’s blog, we’re exploring five common non-compliance moves your firm may be making without even realizing it.
Five Regulatory Compliance Mistakes Your Firm May Be Making Without Even Realizing It
1. Messaging clients (and prospects) on personal emails, social media accounts or phones
Clients want more communication from their advisers, with at least one study finding 75% are looking for more personalized outreach.
And with a variety of social media and messaging apps available – as well as the fact that many professionals have multiple cell phones – you can easily make the mistake of using off-channel communication with a client.
But the SEC’s Rule 204-2 requires all client communication, regardless of which application or device it is sent or received from, to be properly archived. And given the recent onslaught of enforcement actions, it’s clear the regulator is focusing on this area within their examinations.
To maintain compliance, it’s important to:
- Train your staff. All members of your team need to be aware that client communication via unmonitored or personal accounts is unacceptable – as well as what to do in case of a real or potential breach.
- Use archiving technology when and where it’s applicable. Consider choosing a compliance-friendly messaging app or system, encouraging your staff to only use that specific platform for client communications.
- Review your process. Communications and archiving processes aren’t a “set it and forget it” kind of task – they should be reviewed and updated regularly.
Also keep in mind that device or app backups serve a separate purpose from archival – while archival is designed for the long-term storage of data and with compliance in mind, backup systems usually copy data in case it’s lost due to device failure or other disaster.
Related: Archiving: An Essential Task for RIAs Using Social Media
2. Forgetting about the documentation aspect of your annual review
Each RIA is required to conduct an annual review of their compliance processes, including but not limited to:
- Advertising and marketing
- Advisory agreements
- Your Form ADV
- Custody
- Best execution
- Business continuity
- Books and records
- Your investment process and portfolio management strategies
Related: Recent rules and regulatory updates to consider as you conduct your annual review
That’s a big list to tackle – and a lot to keep track of. One mistake you don’t want to make, however, is waiting to document your review process until it’s over. If you have a surprise SEC examination and are scrambling to create documentation of your annual review from last month, it could land you in hot water with the SEC.
Especially given the recently effective ruling which mandates that all firms must document (in writing) their annual review to, “help advisers better assess whether they have considered any compliance matters that arose during the previous year…[and] allow the Commission and the Commission staff to determine if the adviser is regularly reviewing the adequacy of the adviser’s policies and procedures.”
At minimum, you’ll need to document the findings of the review and testing, issues addressed, any changes you plan to implement, as well as how and when those changes will occur. It’s also a good idea to document who will take the lead on any action items and when they are expected to be completed.
Click here to download the 2024 Annual Review Guide
3. Skipping regular risk assessments
The SEC considers risk assessments to be a vital part of any firm’s compliance program. These assessments are usually designed and overseen by your CCO based on your organization’s unique compliance needs, and are often conducted as part of your annual review – although new risks throughout the year may make more frequent or unplanned risk assessments necessary.
For example, if you’ve recently implemented new client communication software, it would make sense to develop and run a risk assessment of the new technology to check for any errors, gaps or threats in data security. But as you are working to get the system up and running, that assessment gets deprioritized in favor of more pressing tasks.
It is important to note, that while the above example deals with data privacy risk, compliance risks can come in many different forms. Firms should also identify how those risks will be mitigated (disclosure, policies, etc.).
Download: The Ultimate Guide to Cybersecurity Compliance
Failing to take action at that moment puts your team and clients at risk, and the SEC may find your compliance program lacking enough to warrant a violation.
While there are no set standards for how often a risk assessment should occur. In addition to reviewing your compliance risks at least annually, any significant changes to your firm processes, structure or operations can signal the need for an assessment.
4. Using outdated fee disclosures
RIAs are required to create, maintain and disperse a number of disclosures, including fee disclosures.
Fee disclosures provide clients with detailed information about the costs and compensation associated with the advisory services they receive, including your:
- Fee schedule
- Billing practices
- Methodology for calculating fees
- Related conflicts of interest
- And more
If your firm makes any changes related to your fees, it’s imperative that you update your disclosures and/or agreements and let all clients or prospects know of the changes. Forgetting to do so can be a costly mistake that reflects poorly on your firm’s overall reputation.
Similarly, if the SEC updates the fee disclosure or reporting requirements (as they did for many private fund advisors in 2023), it’s crucial that your firm comply by the required date(s).
5. Waiting to document rationale behind client recommendations
Lastly, it’s critical that you document the rationale behind client recommendations as they occur. While it may seem like a straightforward process, overlooking or delaying this documentation can lead to serious consequences.
The firm must have a basis for making recommendations in the best interests of the client. Clear and accurate information about the client is critical to ensuring your firm always acts in the client’s best interest.
In the event of an SEC audit or unhappy client, your firm will need documentation that your recommendations align with clients’ financial goals, risk tolerance and overall financial situation.
If you haven’t done so recently, it’s a good idea to review and update your documentation processes, which should include timestamped summaries of the client’s financial goals, risk tolerance, investment horizon and any specific circumstances that influenced the advice.
You can also involve clients at this step by providing them with the documentation as well – this can strengthen your compliance process and promote further adviser-client transparency overall.
In the eyes of regulatory bodies, unintentional non-compliance is essentially non-existent. To protect your firm from unexpected violations and risks, it’s important to be aware of high-risk compliance areas that may otherwise stay in the background of your day-to-day work.
Create a Robust Compliance Program
Find a proactive approach to compliance with COMPLY’s comprehensive compliance software. Click here to schedule a free demo today