Coordinated state audits conducted by members of the North American Securities Administrators Association (NASAA) for 2015 uncovered the top registered investment adviser (RIA) compliance deficiencies across 20 categories. Last week, we discussed registration-related investment adviser regulatory deficiencies, specifically those related to Form ADV inconsistencies, timely filing of amendments, fee structure, and the description of services provided. In this week’s installment, we cover another common RIA compliance deficiency category: privacy.
The latest 2015 NASAA coordinated examination report shows that of the 1,170 investment advisory firms examined in 2015, 21.5% of all firms with assets under management (AUM) examined had at least one privacy-related regulatory deficiency. Compared to the 2013 NASAA report, at which time 19.6% of firms which were audited had at least one privacy-related deficiency, the frequency of privacy-related issues has slightly increased in 2015 and has returned closer to the 21.2% figure cited in the 2011 NASAA report. The table below summarizes the frequency of privacy-related regulatory deficiencies from the 2007 to 2015 reports:
According to the 2015 study, about 25% of RIA firms with AUM less than $30 million had at least one privacy-related deficiency compared to roughly 18% of investment advisory firms with greater than $30 million in AUM. Also notable, about 25% of firms with only one investment adviser representative (IAR) had at least one registration-related deficiency compared to around 15% of firms with more than one IAR.
The Chief Compliance Officer (CCO) of every advisory firm needs to be aware of the top privacy-related compliance deficiencies. In 2015, the top issues were:
- Annual delivery of privacy policy (50.3%)
- Initial delivery of privacy policy (21.7%)
- No privacy policy (14.0%)
- Inadequate privacy policy (11.5%)
- Disclosed confidential client information without proper authorization (UBP) (2.5%)
In 2013, the top issues were:
- Annual delivery of privacy policy (48.6%)
- Initial delivery of privacy policy (19.9%)
- No privacy policy (13.8%)
- Inadequate privacy policy (10.5%)
- Disclosed confidential client information (UBP) (1.7%)
In general, RIA firms need to be very focused on designing and implementing policies and procedures which help secure and protect confidential client information. Simply creating an initial privacy policy which meets the pertinent state or federal regulatory requirements is not enough. As once again demonstrated in this most recent NASAA report, many firms continue to fail to deliver a copy of the firm’s privacy policy to clients on an annual basis as required.
While many investment advisory firms are familiar with the requirement to inform all clients of any material changes to the advisory firm’s Form ADV within 120 days of the firm’s fiscal year end, many investment advisers overlook the requirement to deliver the firm’s current privacy policy to all clients on an annual basis. RIA firms need to distribute privacy policies and disclosure brochures both initially and annually. It is important to note that merely offering clients a copy of the privacy policy each year does not fulfill this regulatory requirement; all firms are required to actually deliver the privacy policy on an annual basis. As RIA compliance consultants, we encourage the CCO of every investment advisory firm to take a few minutes to review the firm’s current privacy policy procedures and confirm that the firm is meeting all delivery requirements.