The ultimate guide to creating (and updating) your RIA policies and procedures manual in 2023

Every registered investment adviser (RIA) registered with the Securities and Exchange Commission (SEC) is required to create and regularly update their policies and procedures manual in order to comply with the Investment Advisers Act of 1940 (Advisers Act).

As a rule of thumb, your firm should be reviewing your policies and procedures manual at least once a year, however, more frequent reviews can be extremely helpful during times of increased regulatory change. Why? Regular reviews can help the Chief Compliance Office (CCO) and other key team members prevent or detect potential violations, especially when new rules are enacted or regulations change.

Here’s a look at how you and your team can best create and update your RIA firm’s policies and procedures for 2023.

Review who your RIA’s governing body actually is

As an RIA, you’re either registered with the state(s) you practice in or the SEC. While many state regulations closely follow the Advisers Act, it’s important to know who regulates and monitors your firm’s actions.

Generally speaking, investment advisory firms with less than $100 million in regulatory assets under management will register at the state level, while larger RIAs will register with the SEC. FINRA is not the regulatory organization for RIAs.

If you are registered with a state(s), you’re going to need to follow their guidelines for creating or updating policies and procedures, even if they differ from what the SEC says.

Prioritize general areas of regulatory compliance concern first

The SEC has expressly identified several areas within an RIA firm which require written policies and procedures. If you’re not sure where to start when creating or updating firm guidelines, this list prioritizes some of the most important aspects of your operations.

They include:

• The portfolio management process (including asset allocation and disclosures to clients).
• The accuracy of disclosures made available to clients, regulators and investors.
• Proprietary trading.
• Safeguarding your clients’ assets.
• Required record keeping (including security and protection from unauthorized use or destruction).
• Protecting the privacy of your clients’ information.
• Trading practices.
• Marketing of your RIA firm.
• Processes to value client holdings and assess fees.
• Plans for business continuity.

Track regulatory compliance changes throughout the year

Rules and regulations are updated on an ongoing basis, which can make it hard for busy CCOs to keep track of changes and ensure compliance. Using third-party resources, such as RIA in a Box, is an effective way to stay up-to-date year-round.

Staying on top of changes in real time makes it much more manageable to update your firm’s policies and procedures, rather than waiting until an annual review. This also helps prevent potential violations due to missed compliance dates or outdated policies.

Identify key stakeholders and order of communication

When a policy or procedure is updated, who needs to be notified and when?

This is a question your team should be able to answer, especially when new changes occur which can impact your business across multiple areas — see, e.g., the SEC’s recent anti-greenwashing environment, social and governance (ESG) proposed ruling.

When a regulation, such as the one mentioned above, is passed, your policies need to clearly identify who is notified first, and what procedures should be followed to communicate and execute the changes internally.

Importantly, new rules typically contain a specific compliance date. Firms should use that date and work backward to create a timeline for notifying, communicating, training and implementing changes.  

Update all impacted documents within your RIA firm

Recordkeeping is an important task for RIA firms, which means most policies have multiple forms, documents, agreements or disclosures to be updated. Once you’ve identified information to be updated, take inventory of all affected documentation. A change to one policy could impact multiple client-facing disclosures or staff training manuals, for example.

This may more involved than anticipated, so leave plenty of time to make these cumulative changes. Once all relevant documents have been updated, you’ll likely need firm stakeholders to review and sign off on the changes.

Make sure your RIA’s staff is on board

Updating your policies and procedures on paper is important, but making sure your personnel is educated on these changes is even more critical.

Give staff the opportunity to ask plenty of questions and provide resources they can refer back to as needed. Share the policy updates in writing, and set aside time to meet and train staff members in person as well. It’s possible this is something you’ll want to do several times throughout the transition period leading up to the compliance date.

You’ll also want to follow-up with your staff members after the compliance date has passed to ensure they have a good handle on the changes and are following through with everything they learned during the trainings.

A CCO’s job isn’t done once the training has ended. Reiteration of regulatory changes and regular check-ins are key to staying compliant and detecting potential violations before they get out of hand. To that end, it’s possible you’ll need to further tweak your written policies to adjust to real-life scenarios which will come up in your firm’s day-to-day operations.

Conclusion

Overall, it is key to develop and update written policies and procedures which comport to the latest regulatory developments. It’s an easy area for regulators to catch as a deficiency, so RIAs should ensure they have in place a solution to promptly identify policies and procedures manual updates and communicate them out to staff.