On November 24, 2020, North American Securities Administration Association (NASAA) members voted to adopt a model rule that creates a requirement for a registered investment adviser (RIA) firm to establish, maintain, and enforce written policies and procedures tailored to the advisory firm’s business model. This new model rule was developed with the hope of strengthening advisers’ already existing manuals, assisting advisers in creating their initial policies and procedures, and emphasizing the importance of the document.
NASAA provides the list of requirements within the model rule and dives deeper into what each requirement entails. A Sample Compliance Grid is also provided for firms to utilize and build their own policies and procedures or to assess and strengthen their current document.
The new model rule calls for firms to provide information for the following:
- Compliance Policies and Procedures: The investment adviser must establish, maintain, and enforce written compliance policies and procedures reasonably designed to prevent violations by the investment adviser of the Act (“Uniform Securities Act of 1956”) and the rules that the Administrator has adopted under the Act;
- Supervisory Policies and Procedures: The investment adviser must establish, maintain, and enforce written supervisory policies and procedures reasonably designed to prevent violations by the investment adviser’s supervised persons of the Act (“Uniform Securities Act of 1956”) and the rules that the Administrator has adopted under the Act;
- Proxy Voting Policies and Procedures: If the investment adviser has the authority to vote client securities, If the investment adviser does not have the authority to vote client securities then this information must be disclosed to clients.
- Physical Security and Cybersecurity Policies and Procedures: The investment adviser must establish, implement, update, and enforce written physical security and cybersecurity policies and procedures reasonably designed to ensure the confidentiality, integrity, and availability of physical and electronic records and information. The policies and procedures must be tailored to the investment adviser’s business model, taking into account the size of the firm, type(s) of services provided, and the number of locations of the investment adviser.
- Code of Ethics: The investment adviser must establish, maintain, and enforce a written code of ethics that outlines how employees are expected to conduct business, as well as the course of action if an employee violates the Code of Ethics.
- Material Non-Public Information Policy and Procedures: The investment adviser must establish, maintain, and enforce written policies and procedures reasonably designed to prevent the misuse of material, non-public information by the investment adviser or any person associated with the investment adviser.
- Business Continuity and Succession Plan: The investment adviser must establish, maintain, and enforce written policies and procedures relating to a business continuity and succession plan.
In addition to providing a clear outline for RIA policies and procedures, this model rule aims to build upon two already existing NASAA model rules: the NASAA Model Rule on Business Continuity and Succession Planning (April 13, 2015) and the NASAA Investment Adviser Information Security and Privacy Rule Model Rule (May 19, 2019). The common theme of these three model rules is cybersecurity, and each focuses on important steps to take when protecting your firm. In recent years, the rise of cyber crime has been hard to ignore, with threats reaching an all-time high during the pandemic due to the increasing number of remote workers. When faced with this reality, it is important for a firm to be proactive and follow the steps outlined in these model rules, rather than waiting until it is too late.
The MyRIACompliance cybersecurity platform was built to help RIA firms take that proactive approach and implement a robust cybersecurity compliance program while also meeting all regulatory requirements. The platform is designed to help meet the new rule’s obligation to establish, maintain, and enforce “written policies and procedures tailored to the investment adviser’s business model, taking into account the size of the firm, type(s) of services provided, and the number of locations of the investment adviser” as the platform not only helps to create customized cybersecurity policies and procedures, but also empowers RIA firms to digitally implement, update, and enforce their policies and procedures.
In the near future, we expect the vast majority of individual states to adopt this model rule as the basis for their own investment adviser regulation. As such, we recommend that the Chief Compliance Officer (CCO) of all state-registered investment advisory firms review this new model rule in detail to prepare for the implementation of new policies and procedures.