According to Securities and Exchange Commission (SEC) Rule 206(4)-7, registered investment advisers (RIA) who are registered with the SEC are required to perform an annual review of their compliance program, including updating and amending their policies and procedures manual to reflect the evolution of compliance and risk within the financial industry.
For those registered with the state, requirements may differ, and firms should look into the specific regulations governing their RIA compliance program to determine whether or not they are required to perform an annual review.
In this guide, we’ll break down SEC requirements, take an in-depth look at the most common deficiencies, highlight the dos and don’ts for your review and provide tactics to help you mitigate risk.
SEC Rule 206(4)-7: RIA compliance requirements
As of Oct. 5, 2004, the SEC finalized Rule 206(4)-7, which requires SEC-registered firms, “to adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws, review those policies and procedures annually for their adequacy and the effectiveness of their implementation, and designate a chief compliance officer (CCO) to be responsible for administering the policies and procedures … These rules are designed to protect investors by ensuring all funds and advisers have internal programs to enhance compliance with the federal securities laws.”
To break this down, your firm must:
1. Create customized policies and procedures, which match the unique nature and business of your RIA firm.
Out of the box policies and procedures will not adequately meet the standards set out by the SEC. Your RIA firm’s policies and procedures must address the specific risk points you face based on your business and its functionality.
2. Review said policies and procedures annually.
Welcome to the annual compliance review. This process will help ensure your policies and procedures meet the requirements set out by the relevant regulatory bodies, addressing new regulations as they come to pass.
3. Appoint a CCO to oversee the compliance program for your RIA firm.
Your CCO should have an in-depth understanding of the Investment Advisers Act, as well as the authority to govern your compliance program throughout the firm.
For the purposes of this guide, we will focus on the second requirement for RIA firms – conducting your annual compliance review.
While many firms choose to conduct their annual compliance review in alignment with the beginning of a new year, the SEC does not mandate when the review should take place, simply stating the review must be completed on an annual basis to ensure your program remains up to date.
WATCH THE RECORDING OF OUR ANNUAL REVIEW WEBINAR HERE
10 steps to conduct your RIA annual compliance review
Every firm will have its own process for reviewing its compliance program, as it should, given the unique nature of each firm’s needs and approaches. However, we have gathered the top 10 steps which should be included in EVERY compliance review to meet relevant standards.
Whether it’s your first year or your fifteenth, the process for your RIA annual compliance review can be a cumbersome one. Let’s break down the steps you should take to ensure a smooth and effective process for your review.
Step 1: Review regulatory developments and/or updates to policies.
Your compliance team should review finalized and proposed rules to ensure adequate preparation for the coming year. Additionally, you should review all risk alerts and enforcements or cases brought by the SEC in the past year to determine if your firm adequately meets requirements for those pre-existing regulations. The SEC expects firms to learn from enforcement actions, so while you may have previously amended your policies to reflect a 2020 ruling, it doesn’t hurt to go back and make sure it aligns with new information put out by the regulator.
Step 2: Review firm documents.
Firm documents must be reviewed annually to ensure they do not reflect any out-of-date business practices or information. Documents to be reviewed include:
- Policies and procedures manual.
- Code of Ethics.
- Business continuity and success plan.
- Information security policy.
Step 3: Conduct a risk assessment.
A thorough compliance risk assessment is designed to determine whether any risk or compliance issues currently pose a threat to your firm and whether your firm is capable of managing and mitigating said risks should they arise. Based on the results, your firm may need to modify current policies or procedures to address risks found during the assessment.
Areas of risk you may consider in your assessment can include:
- Marketing/performance.
- Form ADV and disclosures.
- Invoices/fees.
- Initial public offerings (IPOs).
- Soft dollars/kickbacks.
- Compensation.
- Objectives/restrictions.
- Trade ticket.
- Trade execution.
- Non-public information.
- Personal and proprietary trading account.
- Money/securities to/from broker or custodian.
- Books and records maintenance.
- Proxy voting.
- Branch office supervision.
- Disaster recovery and/or business continuity plan (BCP).
- Cybersecurity.
Step 4: Ensure books and records include necessary information.
In the past year, the SEC made headlines, charging 16 firms a total of $1.1 billion for failing to maintain appropriate books and records. According to Rule 204-2, all RIA firms must maintain and preserve their required books and records for no less than five years from the end of the fiscal year during which the last entry was made on a relevant record to be inspected.
Based on the SEC’s enforcement actions and continued focus on books and records, firms would be wise to ensure this aspect of their compliance review receives significant attention.
Pro-tip: Books and records should include all communications including social media and off-channel communications. Pay close attention to these channels of communication as they have been a recent focal point for the SEC and its Division of Examinations.
Step 5: Review all advertising materials.
This step is especially important given the recent compliance date for the SEC’s new Marketing Rule. This rule combines two previously held rules to more accurately reflect the market and how RIA firms advertise their business. According to a risk alert issued September 2022, the SEC plans to make marketing and advertising a main focus area for exams moving forward. As such, firms should assess:
- Marketing Rule policies and procedures.
- Substantiation requirements.
- Performance advertising requirements.
- Use of past performance information.
- Books and records as they relate to marketing materials.
- Form ADV.
Step 6: Review client holdings and fees charged.
In the past, the SEC has noted issues, such as inaccurate advisory fee calculations, false/misleading/omitted disclosures, missing or inadequate policies and procedures addressing advisory fee billing/calculation and inaccurate financial statements. To avoid these issues, we recommend:
- Implementing policies and procedures specifically written to address supervision, calculation, review and billing of advisory fees.
- Reviewing the firm’s Form ADV to ensure full and accurate disclosures related to fees and expenses are being made which match the firm’s current billing practices.
- Reviewing all client advisory agreements to ensure fees are being billed appropriately, and/or in advance or in arrears, as specified.
- Ensuring your firm has adequate record keeping processes for all advisory expenses and fees assessed to and received from clients.
Step 7: Include cybersecurity as part of your review.
As we’ve all come to learn, cybersecurity represents one of the biggest threats to an RIA firm and its clients. When dealing with such sensitive client information, it is critical for firms to have a thorough cybersecurity plan and program in place, while also investing in the appropriate cybersecurity insurance should the worst come to pass.
As COMPLY Chief Technology Officer Helen Johnson puts it, firms should have a Swiss cheese defense strategy in place, which includes:
- Additional safeguards to protect data if there is a breach.
- Multiple layers of encryptions to thwart malicious attackers.
- Remote lockdowns or wipe-downs of stolen or lost hardware.
- Development of a cyber vault disconnected from the existing network.
Step 8: Hold firm-wide compliance meeting.
After performing your RIA annual compliance review, the natural next step is to educate your firm on the findings and action items from the review. Your firm-wide compliance meeting should:
- Address policy updates/procedural changes.
- Review cybersecurity practices and any changes therein.
- Identify and assign action items.
Step 9: Document meeting.
As they say, if it isn’t documented, it didn’t happen. Take detailed notes on your compliance meeting, including the agenda, who was there, what was actually discussed and any action items taken from the meeting.
Step 10: Document findings from annual review and steps to be taken.
Finally, the result of your annual compliance review should be a list of action items needed to improve your RIA compliance program. Document what areas need to be amended, who is responsible for those actions and by what point they will be finalized. Should the SEC come to evaluate your firm, it will look to see what actions you have taken to improve your compliance program based on your findings. Make sure you have the documentation to back up what steps you have or are currently taking.
DISCOVER THE ULTIMATE GUIDE TO CREATING AND UPDATING YORU RIA POLICIES AND PROCEDURES MANUAL IN 2023
Common deficiencies for annual compliance reviews and how to avoid them
In complying with SEC Rule 206(4)-7, firms must meet certain requirements both upon registering their RIA firm and on an annual basis. While the majority of RIA firms do continually meet said requirements, the SEC has noted some common deficiencies, which can lead to violation and fining.
Common deficiencies found by the SEC
Some of the most common deficiencies, while obvious, can greatly impact your firm, risking monetary fines and reputational damage.
1. No annual review conducted.
The annual review requirement is designed to ensure compliance programs remain at peak efficacy, mitigating risk points, which pose significant harm to a firm and its client. Without the proper assessment and analysis of a firm’s policies, procedures and processes in the event of compliance violation, firms remain open to increased levels of risk year over year.
2. Review said policies and procedures annually.
Welcome to the annual compliance review. This process will help ensure your policies and procedures meet the requirements set out by the relevant regulatory bodies, addressing new regulations as they come to pass.
3. RIAs failed to implement recommendations resulting from annual review.
One of the most critical steps in the RIA annual review process is what comes next. After you’ve assessed risk points and documented potential weaknesses in your program, what are you going to do about it? The SEC expects you to take the appropriate actions to not only identify these points of risk, but also amend your program to more effectively mitigate the risk and protect your clients’ wellbeing.
DISCOVER THE MOST COMMON ANNUAL REVIEW DEFICIENCES AND HOW YOU CAN AVOID THEM
Dos and don’ts for your 2023 annual compliance review
Regulatory compliance is complex. And when you have a process in place, it’s almost too easy to simply check the box and move on to your next task. A pitfall, which can result in your firm facing increased risk and an increased likelihood of an SEC violation.
How can you adequately maintain compliance and protect your firm against risk in 2023 and beyond? Let’s start with what not to do.
Don’t: Make your annual compliance review a once-a-year endeavor.
While the term annual might make you think this is a once-a-year task, RIA firms would be wise to incorporate annual compliance review tasks into their day-to-day. In doing so, you reduce the burden on your team and address compliance risk in a timelier fashion.
Don’t: Only review new/effective SEC rules when considering amendments to your RIA policies and procedures.
While new and effective rules will be the most pertinent to your RIA compliance program, they aren’t the only factors to consider when reviewing your policies and procedures. By accounting for proposed rules, risk alerts and other key information put out by the SEC, you address the compliance landscape more holistically and avoid the need to make rapid-fire adjustments to your policies when a proposed rule is finalized.
Don’t: Simply copy your annual compliance review from last year.
If your annual compliance review is simply a copy of last year’s with a new date placed on it, you’ve done something wrong. The SEC expects a thorough and complete analysis of your program and will find it suspicious if the review holds the same year over year.
Don’t: Just check the box.
To that end, this process is not designed to simply check a box and move on. While a checklist can help you organize the methodology behind your review, this process should be an in-depth assessment.
Don’t: Forget to complete your RIA annual compliance review.
Finally, and most importantly, do not forget to complete your RIA annual compliance review in a timely manner.
You should:
1. Rely on your firm to help achieve annual review requirements.
While your compliance department will lead the charge, the entire firm will likely play a role in the process. Effectively communicate everyone’s role and the impact they have on the firm at large.
2. Lean into your resources, including compliance consultants and technology to aid the process.
Sometimes you need a little outside help. Whether that means bringing in a compliance consultant or finally taking the plunge to invest in a regulatory compliance technology, these resources can help alleviate the pressure and ensure you cover all critical aspects of an annual review.
3. Take a critical look at the potential risk points or red flags within your firm.
The annual compliance review is your opportunity to critically assess your firm’s compliance program and address any red flags before they become an issue down the road. As a regulatory body, the SEC expects firms to find shortcomings in their annual review and follow up with the appropriate actions to eliminate those deficiencies before they open your firm and clients up to risk.
4. Make sure you document the entire process.
Document everything. From the first policy review to the final action item. Make sure you have a thorough document trail reporting on the process from start to finish, including what you found, how you addressed it and what you will continue to do to ensure those deficiencies don’t recur.
5. Take action on your findings to elevate your compliance program and continue to protect your clients.
As they say, actions speak louder than words. After you’ve analyzed your program, you must introduce new protocols or remediations to safeguard your firm from future risk. If the SEC should come to examine your program, it will expect to see these actions taken to ensure ongoing protection of your clients and their personal information.
CHECK OUT THE FULL LIST OF ANNUAL REVIEW DOS AND DON’TS
Annual compliance review resources
Having worked with thousands of RIA firms, we understand how time consuming and sometimes insurmountable your annual compliance review can be. Our single, best recommendation? Lean into your resources.
Compliance consulting and regulatory technology provide an answer to how to get through the compliance review process and each firm should consider its options.
For some firms, a consultant will make more sense. This outside resource is a one-time fee, which can provide new perspective on what your regulatory compliance program might be missing.
On the other hand, a regulatory technology implementation provides a long-term solution to alleviating the often-mundane compliance tasks, which consume a significant amount of the firm’s time.
Compliance consulting
Compliance consultants are often outside experts with experience as a former regulator, CCO or legal counsel. As this would suggest, these individuals are specialists in the field of compliance, with a pulse on the industry and any new or upcoming regulations, which could impact the landscape, whether seismically or incrementally.
Depending on the size and complexity of the firm, they will dedicate a certain number of hours or days to assess and lead you through the RIA annual compliance review process, which typically includes:
- Analyzing applicable rules and regulations.
- Evaluating compliance processes and records within your investment firm.
- Spotting gaps in your firm’s regulatory compliance program.
- Providing actionable insights.
With this information and insight, your firm can more effectively build a culture of compliance. One that not only meets compliance requirements, but proactively manages risk points before they become an issue.
Regulatory compliance technology
Implementing a regulatory compliance technology is one of the best methods to streamline your compliance program and free up more time to focus on other strategic initiatives. Beyond supporting your annual compliance review process, implementing a regulatory technology solution allows firms to more effectively manage their compliance program year-round.
When assessing the options for a compliance technology partner, you should consider:
- How customized the solution/technology is.
- Whether or not it meets your budgetary constraints.
- The modules available for your specific needs.
- Whether or not the technology vendor offers additional resources.
- Ongoing advancements of the technology.
As a long-term solution, it is essential to select the right vendor in your process to ensure you meet your current and future needs.
Conclusion
The recent surge in SEC regulations and activity highlights where and how the regulatory body plans to take action in the coming months. For firms just beginning the annual review process, taking heed of the risk alerts and proposals coming can help you more closely align your compliance program with the expectations and requirements.
Armed with a thorough process and the support of your resources you can meet the stringent requirements of your annual review and maintain compliance for this year and the next.
