Blog Article

The 10 most common regulatory compliance questions we hear from registered investment advisers

Jul 24, 2023

Discover the top ten regulatory compliance questions posed by Registered Investment Advisers and get brief answers along with helpful links for further information.

Registered Investment Advisers (RIA) come in all types and sizes, but they often face similar regulatory compliance challenges. Whether you run a one-person firm in California or a 30-person team in Ohio, you still need to maintain many of the same compliance standards.

For that reason, we compiled a list of the ten most common regulatory compliance questions we hear from RIAs, and brief answers, as well as links to learn more.

1. Should I register my RIA firm with my state or the SEC?

Here’s the short answer: If your AUM is less than $100 million, you will need to register with the appropriate state(s). If it is $100 million or over, you will need to register with the SEC.*

But there’s more to the question. To determine what state(s) you should register in, you will need to consider the following:

  • Where is your physical location or office?
  • In which states do you have representatives physically located?
  • In which states do you have five or more clients (or a single client in the states of Texas and Louisiana)?
  • In which states are you physically soliciting?

When registering with the SEC, it’s important to bear in mind these additional factors:

  • Advisory firms with principal office and place of business in New York generally must register with the SEC if their AUM is $25 million or greater.
  • Firms that serve as adviser to an investment company registered under the Investment Company Act of 1940 must register with the SEC regardless of AUM.
  • RIAs that are required to register in 15 or more states will generally register with the SEC regardless of AUM.
  • Internet-only investment advisers may register with the SEC regardless of AUM.

*Keep in mind there are exceptions to this rule.

2. Can I say (insert claim about performance)?

It’s hard to answer this question with any certainty, but if you feel like something is in the gray area, then we suggest not saying it.

Yes, the Marketing Rule changed some of the rules here, but saying anything that removes context around results and/or remotely implies that results are guaranteed in any way is still a major thing to avoid.

For a deeper understanding of how to talk about performance, read the article “10 Best Practices for RIAs in 2023.”

Note: Hypothetical performance should not be presented in an open forum like a website or social media.

3. Can I have someone outside my registered investment advisory firm act as my Chief Compliance Officer?

We get this question a lot, and the answer is always the same: While the CCO can technically be outsourced, we do not recommend it.

The SEC very clearly says the CCO needs to be someone in authority at your firm who is involved in decision-making and has the power to say no. When you outsource your CCO, you get someone who can say no, but they don’t hold any power.

That being said, there are several compliance duties you can outsource and we at COMPLY have a deep bench of highly experienced compliance consultants who can help you stay ahead of the regulatory curve.

4. What should be included in my firm’s policies and procedures?

The SEC has expressly identified several key areas where RIAs are required to have policies and procedures. If you’re not sure where to start, here is a list of some of the most important aspects of your operations that you should prioritize.

They include:

  1. The portfolio management process (including asset allocation and disclosures to clients)
  2. The accuracy of disclosures made available to clients, regulators and investors
  3. Proprietary trading
  4. Safeguarding your clients’ assets
  5. Required record keeping (including security and protection from unauthorized use or destruction)
  6. Protecting the privacy of your clients’ information
  7. Trading practices
  8. Marketing of your RIA firm
  9. Processes to value client holdings and assess fees
  10. Plans for business continuity

To learn more, check out our “Guide to Creating and Updating RIA Policies and Procedures.”

5. How can I protect my firm if someone hacks into my firm’s network?

In March 2022, the SEC released a proposed rule titled “Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure.” In keeping with evolving concerns about the safety of online data, the proposal would, among other changes, require cybersecurity incidents to be reported within four business days.

Under this proposed rule, registrants would be required to:

  • Implement policies and procedures reasonably designed to detect and prevent cybersecurity incidents
  • Provide periodic reports including disclosure of past incidents
  • Report on ongoing cyberattack provisions

RIAs who want to maintain compliant cybersecurity practices are encouraged to take the following steps:

  1. Offer ongoing team training
  2. Implement a virtual desktop infrastructure which allows your firm to maintain information security and compliance while empowering employees to work anywhere
  3. Prepare periodic reports that highlight strengths of your cybersecurity procedures and address potential vulnerabilities
  4. Review your firm’s cybersecurity policies regularly
  5. Test your systems and infrastructure by conducting an authorized, simulated cyberattack against them

For more information, check out “The Compliant RIA’s Guide to Cybersecurity.”

6. Do I need to archive my communications on (insert platform)?

The answer to this question is pretty much always yes. If you are talking to clients and/or prospects on any communications platform – email, social, texts, GroupMe, etc. – then you should probably archive everything.

Where advisers get into trouble is when they start fielding communications from prospects and clients via their personal Facebook account or something along those lines. If you are talking shop (i.e., giving financial advice of any kind), then chances are it should be archived.

For a deeper dive, check out our recent article, “4 Areas Every Financial Institution Must Archive.”

7. Now that the SEC Marketing Rule has passed, how do I ask clients for online reviews and testimonials?

Advisers have been told to avoid reviews and testimonials for so long, it’s no wonder that the majority of RIAs are treading carefully when it comes to requesting them.

One of the biggest regulations to be aware of surrounding testimonials is the “cherry-picking” rule.

In essence, you can’t just ask a few of your favorite clients for their feedback – it’s all or none. To maintain compliance with this regulation, you can send out a request for testimonials via your email list. It’s easy, free and a great way to document that you reached out to each and every client.

If you want to learn more, read “Can Financial Advisers Have Google Reviews?”

Note: This applies specifically to SEC-registered firms, as not all states follow the new Marketing Rule.

8. My team is fully remote – how can I ensure security of sensitive client and firm information?

In a post-pandemic world, remote work is the norm. While a decentralized team can complicate matters of security, it doesn’t make it impossible. Above all else, firms must have an understanding of the risks and create/implement solid policies and procedures to help maintain security regarding client and firm information.

Additional recommended steps, as well as some guidance from the SEC, include:

  1. Supervise your team – RIA firms are required to supervise their personnel, including providing oversight of supervised persons’ investment and trading activities. Monitoring software is a must.
  2. Address cybersecurity with your team – Employees not accustomed to remote work need to be trained on proper cybersecurity best practices and precautions, including using secure internet connections, keeping track of company devices, and recognizing phishing emails and wire fraud schemes.
  3. Establish password protection protocols – Advisory firms need to ensure that proper security protocols, such as password protection, are implemented on all devices. They should also follow other precautions, such as ensuring that all computers are locked whenever an employee leaves the desk and are properly shut down at the end of the day.

To learn more, read “Ongoing RIA Compliance Concerns with Remote Work.”

9. Who on my team is responsible for compliance?

The short answer to this question is “everyone.” Maintaining compliance at any firm requires a culture of compliance that touches every team member at your firm.

Often, RIAs leave compliance concerns to the Chief Compliance Officer, but compliance is actually part of everyone’s job – the CCO is just there to watch for red flags and keep up with the latest regulations.

For more information, check out our article “Mythbusters: Your RIA’s CCO is NOT Solely Responsible for Compliance.”

10. What does COMPLY do?

While we are compliance-focused, we provide a wide variety of services to RIAs and other wealth management firms. For RIAs specifically, we offer:

  • Firm registration
  • Compliance technology
  • Compliance consultants
  • Communications archiving
  • Employee trade monitoring
  • Cybersecurity
  • IAR continuing education
  • Rollover analysis

To learn more, you can always read through our website, or you can schedule a demo to see it firsthand.