Last year alone, the Securities and Exchange Commission (SEC) issued a record-breaking $6.4 billion in fines and disgorgements. In that same time period, proposed SEC rules have also increased dramatically, with approximately 30 current proposals on the books – more than the industry has seen in a long time.
And it’s not just the sheer amount of rule proposals that have caught the eye of compliance experts across the country – it’s also the potential impact of those rule changes. Many are far-reaching and could significantly alter daily operations for firms both large and small.
To keep you apprised of the biggest rule proposals on the menu, we’ve outlined three rule proposals every financial professional should know, what those rule updates could mean for your firm and three best practices you can use to prepare.
Three SEC proposed rules you should be aware of in 2023 (and what they mean)
Among those 30 proposals, a few stand out as likely to have the most impact. Let’s explore three of the more significant proposed rules your firm should be aware of in 2023, as well as how each could affect your compliance processes if the SEC adopts it in final form.
Proposed Rule #1: Safeguarding Advisory Client Assets
On February 15, 2023, the SEC published a press release announcing proposed amendments to Rule 206(4)-2 under the Investment Advisers Act of 1940, commonly known as the Custody Rule.
The crux of the proposed update is replacing the term “funds and securities” with the broader term “assets,” which would cover traditional funds and securities as well as digital assets and other client assets an adviser has discretion over. The broader wording would also leave room for future interpretation of what types of investments RIAs can be deemed to have custody of.
If the amendments are adopted, many investment advisers will feel the impact in their custodial operations, as they will likely need to renegotiate their custodial agreements.
Proposed Rule #2: Cybersecurity Updates
The SEC has proposed two major cybersecurity rules in recent months. The rules contain similar content and consequences, but are split according to the type of firm they cover.
The first of the two rules covers broker-dealers, exchanges and related entities. The other would apply to investment advisers and investment companies. Whichever rule your firm falls under, the new requirements would affect your security and incident response procedures.
Every firm under the new rules would need a designated Chief Compliance Officer (CCO), written cybersecurity policies and procedures, and regular testing of those policies. Additionally, there would be new reporting and disclosure requirements for firms that experience a significant cybersecurity incident.
Proposed Rule #3: Privacy, Reg S-P
The SEC released a proposed update to Regulation S-P in March 2023, with the goal of better protecting clients’ personal and financial information.
The core of the proposal is a requirement for written incident response policies and procedures, including a duty to notify affected individuals no later than 30 days after the firm becomes aware of a breach involving their sensitive information.
In addition, the updated rule would require contract revisions with certain service providers and would emphasize the need for written policies and procedures governing the disposal of customer information.
Although the proposed updates would strengthen client privacy and security, they could also leave more room for compliance errors or fines.
Three best practices to protect your SEC registered firm
COMPLY’s Chief Regulatory Officer, John Gebauer, estimates that the SEC examines 10-15% of registrants each year. In most cases, you can expect your firm to be chosen for examination at least once every six to seven years, if not more frequently. When it happens, having a few best practices in place can help your firm avoid SEC penalties and be better prepared for the examination.
The odds of being chosen are higher for newly registered advisers, who can expect a “welcome” examination within the first year or so. Similarly, the SEC prioritizes firms with higher risk profiles. For example, if a recent risk alert addresses firms with multiple branches and your firm has several branches, you will likely move up the list.
In short, compliance examinations are a part of life for financial professionals, and the better prepared you are for them, the more likely you are to avoid costly penalties and reputational damage. To help you prepare, here are three best practices we recommend for all firms:
1. Conduct a risk assessment of your business. Your firm’s risk profile will look vastly different from the firm next door. You have a unique tech stack, internal processes, client communication methods and so on. Find out exactly what is applicable to your firm and then focus on those things.
2. Focus on the highest-risk areas identified in that assessment. Your resources are limited, so tackle the highest-risk areas before lower-risk ones to minimize compliance errors where they matter most.
3. Pay close attention to exam priorities, risk alerts and additional guidance. An annual risk assessment is a strong foundation for your compliance program, but your firm shouldn’t stop there. Any time a significant change occurs, such as a relevant SEC risk alert or an update to your tech stack, take a fresh look at your processes and potential areas of risk.
The era of increased SEC oversight is here – and your firm’s best chance for successful compliance lies in increased awareness and proactivity. With these three best practices and an overview of recently proposed rules, you’re on the right track for success in 2023 and beyond.