In fiscal year 2022, the Securities and Exchange Commission (SEC) ordered a record $6.4 billion in civil penalties, disgorgement and prejudgment interest. The number of enforcement actions rose only 9% over fiscal 2021, but the money ordered rose far more sharply than the caseload, with civil penalties alone reaching a record $4.2 billion.
The numbers tell a clear story: Compliance failures can have massive consequences for both the revenue and the reputation of an RIA, regardless of its size.
One tool in your toolbelt to help mitigate compliance risks? An RIA risk assessment.
To ensure your firm is on track for compliance success, we’re outlining the purpose of an RIA risk assessment, as well as three tips for a fruitful risk assessment each and every year.
What’s the purpose of an RIA risk assessment?
A risk assessment feeds directly into your RIA’s policies and procedures by identifying where compliance breaches are most likely to occur. The requirement comes from Rule 206(4)-7 (the Compliance Rule) under the Investment Advisers Act of 1940, which requires every SEC-registered adviser to adopt and implement written policies and procedures reasonably designed to prevent violations, to review their adequacy and effectiveness at least annually, and to designate a chief compliance officer. The rule text does not prescribe a risk assessment, but the SEC’s adopting release makes clear it expects advisers to identify the conflicts and compliance risks their business creates before writing those policies, so the SEC treats the risk assessment as a vital part of any compliance program, even though the specifics of each assessment will vary.
There is no standard “risk assessment” that every firm must follow. Instead, your firm’s chief compliance officer (CCO) should design a risk assessment process around your firm’s particular business model, clients, products and service providers. Once risks are identified and ranked, the CCO can map each one to a policy, a control and a testing schedule, so that the firm mitigates potential compliance issues before they become deficiencies.
If your firm is selected for an SEC examination (often informally called an audit), examiners will typically ask for the risk assessment itself, how it was performed, and how its findings shaped the firm’s policies, testing and annual review. Keep the assessment and the reasoning behind it in writing; an undocumented assessment is difficult to defend.
Three tips for a successful RIA risk assessment
Before you begin designing your RIA risk assessment, it’s crucial to identify areas of risk, involve your team and review recent SEC risk alerts.
1. Identify areas of operational or compliance risk
When conducting a risk assessment, the CCO should start by identifying a list of operational and compliance risks within your specific firm. For example, if your firm has onboarded new tech vendors in recent months, cybersecurity may require a more detailed review in your upcoming risk assessment.
Likewise, if your firm has onboarded several new employees in recent months, you may need to focus more on compliance training in your upcoming assessment. Consider any changes your firm has undergone since your last assessment – do any of those changes pose a compliance risk?
It is also a good idea to cover every category in the SEC’s sample risk inventory, which identifies 12 potential risk categories:
- Marketing/performance.
- Form ADV/disclosures.
- Invoice/fees.
- IPO offerings.
- Soft dollars/kickbacks.
- Compensation.
- Objectives/restrictions.
- Trade tickets.
- Trade execution.
- Non-public information.
- Personal trading and proprietary trading accounts.
- Money and/or securities to/from brokers and custodians.
2. Involve your entire firm
Smaller RIAs often name as CCO someone who already fills another role, such as a principal, portfolio manager or operations lead. Hiring a dedicated CCO may not make economic sense for a small firm, so a CCO wearing several hats is common. It does, however, mean the CCO’s bandwidth is already stretched, and a risk assessment built by one overextended person is likely to miss risks that the people doing the day-to-day work see clearly.
To promote proper compliance hygiene, these CCOs should involve the entire team in building the risk assessment. Consider adding an all-hands meeting to the team calendar specifically for discussing potential compliance risks, and give employees advance notice of the agenda so they have time to think about where their own processes could break down. Staff in trading, marketing, billing and operations each see a different slice of the firm’s risk, and their input makes the inventory more complete and the resulting controls more realistic.
3. Stay up to date with SEC risk alerts
The SEC’s Division of Examinations publishes Risk Alerts throughout the year to tell firms which specific risks and deficiencies examiners are seeing. Firms should expect examiners to take a closer look at those areas if they are selected for an examination, so each new alert is a prompt to revisit the corresponding section of your risk assessment.
For example, two of the notable 2022 Risk Alerts addressed compliance with Regulation S-ID (the identity theft red flags rule, which requires firms with covered accounts to maintain a written identity theft prevention program) and with the amended Marketing Rule (Rule 206(4)-1, whose compliance date was November 4, 2022).
A proper RIA-specific risk assessment is critical for every firm. We recommend that the CCO of every SEC-registered RIA ensure the risk assessment process is properly designed, documented and repeated often enough to capture new areas of risk as the firm’s business model evolves, at least annually and sooner after significant changes such as a new product line, a new vendor or a change in key personnel.