So you’ve built your robo-adviser, registered it, hired and licensed personnel, implemented a compliance program, conducted a successful marketing campaign, and (finally) gotten to do what you’ve really wanted to do the whole time – advise clients and manage portfolios.  Startup woes seem a thing of the past, and your operation is running smoothly.

Then, one day, you check your email inbox and find a message from the SEC’s Division of Examinations (EXAMS) saying that your firm has been “selected” for examination.  Wait, what?

Take a breath.  Our next series of posts will walk you through the exam process from start to finish, so that you can be well prepared to ace the test when the SEC inevitably draws your firm’s name.

Why were you picked? An entity may be selected for reasons such as the entity’s risk profile, a tip or complaint, or a review of a particular compliance risk area.  Or a firm may just be chosen at random.  Unfortunately, you probably won’t ever know why you were picked – the SEC has stated publicly that it generally does not share those reasons with firms under examination.

What are they looking for? Through the exam process, the SEC seeks to test whether you are following applicable laws and rules, adhering to the disclosures you make to clients and your own internal policies, and implementing a compliance program that is reasonably designed to ensure your firm meets applicable requirements.  There are several flavors of exams:

  • Routine. Routine exams take place periodically (i.e., they aren’t triggered by any particular event) and are designed to test all major areas of your compliance program.
  • Sweep. Sweep exams are usually targeted to just one or a few compliance areas that the SEC deems to be of particular risk to the industry as a whole (such as a sweep exam related to cybersecurity conducted in 2015, the results of which are detailed here).
  • For Cause. The SEC may examine a firm based on a client or employee complaint or referral; such exams tend to focus on the area raised by the complaint or referral.

Sometimes exams are unannounced.  But that’s not the norm. The bulk of exams tend to be announced, so our next few posts will give you a thorough overview of the typical process for an announced exam.  We’ll also give you a few practical pointers at each stage.

As illustrated in the above vignette, at the outset of an announced exam, the SEC will usually send you a communication telling you that it’s your turn.  That communication normally includes a request list for information and documents that the staff will review before they come onsite.  Responding properly to that request list is critical to your exam success, for it’s your opportunity to make a fantastic first impression.  So critical, in fact, that it’s worth its own blog post.  We invite you to return next time when Josh will show you how to make that initial response shine and put the staff at ease before they even walk through your door.

For nearly a decade now, regulators have placed the Chief Compliance Officer (“CCO”) squarely within the sights of enforcement, on the logic that holding CCOs individually liable for violations would prompt robust compliance programs and deter lackluster supervision. The reasonableness of such assumptions is a topic for a different post.  However, although this has drastically raised the stakes for compliance leadership, many institutions fail to keep pace with the corporate governance attention, respect, and funding needed to keep CCOs out of harm’s way.

Some further argue that regulatory enforcement’s focus on CCOs has a chilling effect on the industry, with significant personal risks driving experienced compliance leadership from their roles. And their concerns are not idle.

Earlier this year, FINRA took aim at CCOs for conflicts of interest in accepting “dual hat” roles where compliance responsibilities were at odds with operational roles, and found that such conflicts “failed to observe high standards of commercial honor.”  FINRA imposed hefty fines to boot.

In April, the SEC filed an action against an investment adviser for cherry picking trades for special clients and favoring personal accounts, and leveled fraud allegations against the CCO for signing annual (ADV) disclosures that stated that trades were “allocated fairly.” (See

What is responsible policing of the (compliance) police?  The New York City Bar Association, in conjunction with a few financial services trade organizations, published their answer to this thorny question in June, offering a framework for the SEC to adopt in considering CCO liability.  For any CCO, compliance professional, executive or audit committee, its considerations are illuminating.

The report encourages the SEC to consider factors such as:

1) General:  Does charging the CCO’s conduct help fulfill the SEC’s regulatory goals?

2) “Wholesale Failure”:  Did the CCO fail to make a good faith effort to fulfill his or her responsibilities?  Does the failure represent a lapse in an otherwise well-run compliance program? Or has the SEC issued recent guidance that puts the CCO on notice of this particular failure?

3) Active Participation:  Did the CCO’s conduct facilitate the fraud?

4) Obstruction:  Did evidence show an intent to deceive the SEC?  Did the CCO course correct after being told of conduct viewed as obstructionist?

While regulators consider these recommendations, compliance obligations continue. Recent regulatory guidance indicates that failing to follow policies and procedures in remote working and client engagement environments will be a top priority for exams. As remote client engagement is the central feature of robo-advisers, they should expect top to bottom review of their processes. The NY Bar questions happen to be a good place to start to evaluate the health of your compliance procedures and the risks to your CCO.

You probably don’t need to be convinced that information security is critically important. But just in case you do, you should know that the U.S. Securities and Exchange Commission (SEC) continues to emphasize the importance it places on information security. In our last two posts, Marc and Craig began our discussion of the SEC’s Division of Examinations’ (EXAMS) 2021 priorities related to information security. In today’s post, we’ll continue that theme by looking at a 2021 EXAMS’ priority of particular relevance for robo-advisory firms: access rights and controls.

To start, let’s establish a baseline for specifically what the SEC is concerned with regarding access rights and controls. The 2021 EXAMS’ priorities state that “[EXAMS] will review whether firms have taken appropriate measures to…safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access.” In short, your firm must have controls in place to verify the identity of your clients and protect against unauthorized access to their accounts. As a robo-adviser, your firm’s connectivity to clients is entirely based on the client’s ability to access their account through your website or app. Given this dynamic, let’s review best practices that your firm should have in place.

  • User Access – the first step to having proper controls in place is to ensure each user has appropriate access. As part of the client on-boarding process, your systems should clearly identify the client and only permit access to data and features of your systems necessary for the client to manage their account.
  • Access Management – once a client has been integrated into your systems, the issue of access management becomes critical. You obviously want to prevent third-party access to your clients’ information, but you should also have controls in place to restrict unnecessary access by employees. General best practices for access management include (i) incorporating a separate approval process for clients who wish to add an additional user to their account; (ii) requiring clients to re-certify access rights on a periodic basis; (iii) mandating strong password requirements, including the requirement to periodically update; (iv) requiring multi-factor authentication to obtain account access; and (v) deleting system access immediately for former employees.
  • Access Monitoring – in order to properly manage access to your clients’ accounts, your control procedures should include the following monitoring policies: (i) tracking failed login attempts and revoking access after a predetermined number of failed attempts; (ii) properly authenticating clients when handling requests, such as for username or password information; and (iii) periodically reviewing the software and hardware components of your systems to ensure all aspects of your infrastructure are current and, when necessary, augmented with updates and patches.
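Two of the controls above, locking an account after a predetermined number of failed logins and removing system access for former employees, are the kind of thing an examiner will ask you to evidence. The following is an added illustration, not code from this blog or from any particular firm: it runs a lockout check over a handful of constructed authentication log lines and a deprovisioning check over a constructed roster. The log format, the five-failures-in-ten-minutes threshold, and all user names and addresses are assumptions chosen for the example; your own values belong in your written policies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Assumed layout per line: "<ISO timestamp> <user> <FAIL|SUCCESS> <source ip>".
SAMPLE_LOG = """\
2021-03-01T09:00:01Z alice FAIL 203.0.113.10
2021-03-01T09:00:05Z alice FAIL 203.0.113.10
2021-03-01T09:00:09Z alice FAIL 203.0.113.10
2021-03-01T09:00:12Z alice FAIL 203.0.113.10
2021-03-01T09:00:15Z alice FAIL 203.0.113.10
2021-03-01T09:00:20Z alice SUCCESS 203.0.113.10
2021-03-01T09:05:00Z bob FAIL 198.51.100.7
2021-03-01T09:30:00Z bob SUCCESS 198.51.100.7
2021-03-01T10:00:00Z carol SUCCESS 192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<result>FAIL|SUCCESS) (?P<ip>\S+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, user, result, ip) tuples, oldest first.
    Malformed lines are skipped so one bad record cannot abort the review."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def lockout_decisions(events, threshold=5, window=timedelta(minutes=10)):
    """Apply a 'revoke after N failures within a window' policy.

    Returns (locked, alerts): `locked` maps user -> time the lockout should
    have taken effect; `alerts` lists any activity seen for a user after that
    point, since a SUCCESS following a lockout means the control did not fire.
    The threshold and window are assumed policy values for this example."""
    recent = defaultdict(list)   # user -> timestamps of failures inside window
    locked = {}
    alerts = []
    for ts, user, result, ip in events:
        if user in locked:
            alerts.append((ts, user, f"activity after lockout: {result} from {ip}"))
            continue
        if result == "SUCCESS":
            recent[user].clear()  # a good login resets the failure counter
            continue
        fails = [t for t in recent[user] if ts - t <= window]
        fails.append(ts)
        recent[user] = fails
        if len(fails) >= threshold:
            locked[user] = ts
    return locked, alerts


def stale_access(active_accounts, terminated_users):
    """Deprovisioning check: employee accounts still active after departure."""
    return sorted(set(active_accounts) & set(terminated_users))


if __name__ == "__main__":
    locked, alerts = lockout_decisions(parse_log(SAMPLE_LOG))
    print("accounts that should be locked:", locked)
    print("post-lockout activity to investigate:", alerts)
    # Constructed roster for the example: 'dave' left but still has an account.
    print("stale employee access:", stale_access(["alice", "dave", "erin"], ["dave", "frank"]))
```

Run against the constructed log, the script reports that alice should have been locked after her fifth failure and flags her later successful login as something to investigate; bob's single failure is cleared by his later success. The roster check is the same idea applied to item (v) above: the intersection of your active-account list and your HR departures list should be empty, and a periodic report proving that is exactly the kind of record an examiner asks for.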

For more information on access rights and controls, and other information security observations, you should review EXAMS’ 2020 Guidance Release, and of course, reach out to your legal or compliance professional with any additional questions.

Thank you for your continued readership. Check back next time when Marc will be discussing how to limit liability for robo-advisory firm CCOs.

As Marc mentioned last time, the SEC’s Division of Examinations’ (EXAMS) has made it a priority in 2021 to review the steps that firms take to ensure information security and operational resiliency. For robo-advisers, given that they conduct so much of their operations online, these steps are of paramount importance.

In its report, EXAMS noted that it will scrutinize whether advisers have implemented appropriate measures to oversee vendors and service providers and manage the cybersecurity and privacy risks inherent in those relationships.  So what does the agency expect to see from you?

Luckily, the SEC already tipped its cards.  The agency published guidance in 2020 that indicates its view that vendor management policies and procedures should address due diligence for selecting vendors, monitoring and overseeing them, requiring appropriate contract terms, and understanding how vendors protect client information.

Here are some practices observed by the SEC that illustrate those expectations:

  • Vendor management programs. The agency noted firms had established vendor management programs that set standards for vendors’ information security practices, ensured safeguards were in place, used questionnaires to evaluate potential vendors, required the review of third party reports (such as SOC 2 reports), mandated independent audits, and established procedures for terminating and replacing vendors.
  • Understanding vendor relationships. The SEC found that advisers (and their personnel) demonstrated that they understood privacy and cybersecurity related contract terms, understood risks associated with vendor outsourcing, and effectively managed those risks.
  • Vendor monitoring and testing.  The agency observed that companies took demonstrable steps to monitor each vendor relationship to make sure the vendor continued to meet security requirements and ensure that advisers were alerted to changes in the vendor’s services or personnel.

Want some more advice?  Be ready for data breaches caused by your vendors.  A common misconception is that if you share sensitive information with a vendor and that vendor gets hacked, the vendor is the one with legal obligations relating to the breach.  That’s not true.  State laws put the onus on the adviser who collected information from the consumer in the first place, and they often limit the responsibility of vendors to promptly informing you that something happened.  So what do you do? Ensure your contract with any vendor that handles your clients’ information specifies what must be done if a breach occurs, who must do it, how fast it must be done, and how the costs will be allocated.

Want even more advice?  For a full discussion of the steps you can take to manage the privacy and cybersecurity risks of your service providers, I encourage you to check out our webinar available here.  That’s all for now – please be sure to return for our next post where Josh will discuss the importance of maintaining effective access rights and controls in your organization.


We continue our discussion of the SEC’s Division of Examinations’ (EXAMS) 2021 Priorities (see here) with an overview of information security and operational resiliency.  The daily drumbeat of cyber-intrusion incidents is certain to keep cybersecurity at the top of EXAMS’ focus.

In light of the pandemic forcing a shift to remote work, EXAMS has announced its focus on information security issues including: endpoint security, data loss, remote access, third-party communication systems, and vendor management.  EXAMS will assess firms’ reasonable efforts to:

(1) prevent account intrusions, focusing on customer identity;

(2) oversee vendors and service providers;

(3) address malicious email activities;

(4) respond to incidents, specifically ransomware attacks; and

(5) manage operational risk created by remote working.

EXAMS expects to focus these reviews on firms’ policies and procedures for platform investor information security and electronic maintenance of books and records, both by firms and their vendors. The pandemic also provides EXAMS an opportunity to review the sufficiency of disaster recovery and business continuity plans. For those who remember post-Hurricane Sandy sweep exams, these will look familiar. Have you improved since then?

EXAMS also encourages market participants to actively and effectively engage regulators and law enforcement in identifying and addressing vulnerabilities and attacks. We recommend soliciting the appropriate advice to assess your preparedness and assist in incident and remediation reporting.

EXAMS signaled its focus on this topic last year in published guidance (see here), which is useful to governance and risk considerations.  The SEC has stated that effective governance of cybersecurity begins with demonstrated commitment from the top.  This includes boards and executives articulating cyber policies and priorities; performing enterprise risk assessments to identify, manage and mitigate risks unique to the enterprise; and developing methodologies for risk assessments that include when employees are away from the office.

Effective governance also includes routine review of access controls and data loss prevention processes, including practices such as penetration testing, software testing, patch management and appropriate encryption and access segmentation.  For digital advisers, which exist almost exclusively in this realm, each of these risks is magnified. Demonstrating resiliency in cybersecurity, then, involves developing a plan and identifying personnel to address incidents, a process for measuring the scope of the vulnerability and risk, and a protocol for escalation and reporting.

When regulators come knocking, it is published guidance, like the above, that they look to in answering whether “you knew or should have known” about the risks, and the “reasonableness” of your cybersecurity practices and procedures. In Source Code’s next post, Craig will discuss managing cybersecurity and privacy risks posed by the vendors your firm works with.


The market for investment products and services is very competitive. Consumers now look to their advisers to not only provide return on their investment but to do so in a way that is consistent with their personal ethos. To meet this demand, many investment advisers have turned to incorporating environmental, social, and governance (“ESG”) factors into their investment strategies. Arguably there is no hotter topic at present in the broader investment community than ESG, or, as it is sometimes called, socially responsible investing. But before your firm begins to include ESG in its investment approach, you should first consider the SEC’s increased scrutiny and subsequent guidance on the subject.

As Marc previously discussed, the SEC recently published its Division of Examinations’ priorities for 2021. Prevalent among these priorities was an enhanced focus on ESG. Moreover, the SEC also published an Investor Bulletin in February 2021 discussing ESG investing and an April 2021 Risk Alert highlighting areas of concern noted from SEC examinations of investment advisers pertaining to ESG investing.

So, what should you take from all of this SEC guidance? For one, if your firm provides ESG investment strategies, you should expect that to be a focus of any SEC examination of your firm. But more broadly, you might read the SEC’s guidance to state that ESG investing should be more than a marketing tool to attract clients (meaning you need to think about how incorporating ESG investing affects clients and what you need to tell them). To that end, below are the key points your firm should focus on when developing and maintaining your ESG program:

  • Portfolio management practices must be consistent with ESG disclosures – This is not a unique concept to ESG. The way your firm manages a client’s account must be consistent with the client’s expectations and your firm’s disclosures. For example, if your website indicates that your algorithm will exclude investments in certain industries (e.g., tobacco or alcohol), you must ensure that the client’s portfolio has been filtered in accordance with this disclosure. You should also review your Form ADV and any marketing materials to ensure that consistent disclosure related to ESG investing is used.
  • Accurate ESG Disclosure – As with all investment strategies, ESG investing contains risks. The SEC will expect your ESG related disclosures to be free from unsubstantiated or misleading statements. Statements such as “our strategy will only invest in companies with high employee satisfaction” must be substantiated by evidence. If your ESG investment process involves screening out certain investments, your disclosure should indicate that such process may result in lower returns due to the potential for higher performing securities to be screened out.
  • Your compliance program must include adequate policies and procedures to monitor and address ESG issues – Adding an ESG component to your firm’s investment offerings means additional compliance responsibilities. The SEC will expect your compliance program to adequately address how your firm will monitor and test for ESG. This should include policies and procedures to periodically review client portfolios to ensure adherence to client stated preferences. For example, if your client intake process allows a client to indicate preferences, such as the exclusion of companies engaged in weapons manufacturing, your compliance program should include a procedure to test for the client’s intended screen. The SEC would also expect policies/procedures around making sure your algorithm is working as expected (i.e., ESG screens being applied appropriately).

While the above bullets are the key highlights from the SEC’s guidance on ESG, you should review the entirety of the guidance at the above links and consult with a legal or compliance professional before implementing your ESG program.

Thank you, as always, for your continued readership. Please check back next time when Marc will continue our series discussing the SEC’s 2021 examination priorities.

Robo-advisory firms often build client portfolios with exchange-traded funds (ETFs) and mutual funds.  This makes practical sense – these instruments allow advisers to efficiently meet a wide range of client investment objectives.  Nevertheless, as mentioned in our last post, the SEC’s Division of Exams (EXAMS) has made it a priority this year to focus on advisers’ recommendations of these assets.  Why?

EXAMS recognizes the widespread use of mutual funds and ETFs by advisers for retail client portfolios.  Due to this prevalence, the associated risks are, in the eyes of the Division, elevated.  Here are some of the key concerns voiced by the SEC in its 2021 Examination Priorities Report:

  • Investors may not understand the risks associated with a particular fund. The risk profiles of mutual funds and ETFs vary widely.  Some funds are widely diversified across industries and asset types, while others may be very focused.  Some funds use relatively simple strategies, and others use very complicated or technical strategies.  Robo-advisers, like all investment advisers, have a duty to ensure that investors receive adequate disclosure of the risks involved with these instruments.
  • Funds used in client accounts may not be suitable. As you might recall from Josh’s previous post, all investment advisers, including robo-advisers, must recommend investments that are suitable for a particular client based on the client’s unique financial situation and investment goals.  EXAMS noted that the Division will make it a point to review an adviser’s basis for selecting investments, highlighting that higher risk investments like niche or leveraged/inverse ETFs will be particularly scrutinized.
  • There may be financial conflicts in the selection of certain mutual fund share classes. The report emphasized the Division’s continued focus on an adviser’s selection of mutual fund share classes for retail client portfolios. As many of you remember, the SEC launched an initiative a couple of years ago that resulted in settlements with nearly 80 advisers that the SEC found had (i) placed clients in higher cost mutual fund share classes (such costs generally stemming from 12b-1 fees paid to the adviser or an affiliate) when lower-cost share classes of the same fund were available and (ii) failed to adequately disclose that the higher cost share class would be selected.  EXAMS’ report notes that this practice, and the conflicts caused by it, continue to be areas of focus for the Division.

So what does this mean for your robo-advisory firm?  Now is a great time to review the risk disclosures you provide to investors in your firm brochure, on your website, and in other communications you provide to your clients.  Ensure those disclosures are clear, use plain English, and are robust.  In addition, make sure you are adequately assessing a client’s risk tolerance and investment objectives and making recommendations based on that assessment – clients with a conservative risk profile should not be served higher risk investments.  Moreover, recognize that a particular client’s risk profile is likely to change over time, so you should be making this assessment on an ongoing basis.  Finally, if your client portfolios use mutual funds, fully understand the share classes you’re using and select the one that is best for your client.

We hope you’ll join us next time, when Josh will discuss another 2021 focus for EXAMS – advisers’ use of strategies that focus on sustainability, social responsibility, and environmental, social and governance (or ESG) factors. Thanks for reading!

Our recent posts have walked you through the SEC’s new marketing rule and discussed valuation and fee assessment. Now, with the ADV season, hopefully, in your rear-view mirror, we turn your attention to planning for the remainder of the year. Determining the most efficient use of a compliance department’s time and resources is essential. Fortunately, the SEC’s Division of Examinations (EXAMS) provides an annual publication of Exam Priorities that is extremely helpful in developing risk-based reviews.

Unsurprisingly, for 2021, the Division will be looking at how advisers have conducted business during the COVID-19 pandemic, including the execution of business continuity plans and remote-work processes.  Specifically, EXAMS will focus attention on whether advisers followed their disclosed plans during this period.  While the SEC acknowledges the extraordinary disruption COVID-19 had on operations, it will be important to have records showing how you responded to those disruptions.

The Division further highlights the following issues for its 2021 reviews that will be of key interest to robo-advisers:

  • Form CRS

EXAMS will continue its review of compliance with Form CRS, and noted that many firms failed to adequately include disciplinary disclosures. It also highlighted the importance of ensuring that Chief Compliance Officers are sufficiently funded and empowered to meet regulatory requirements. Firms are advised to include such consideration in compliance reviews.

  • Retail Investors

The Division will continue to examine advisers to assess whether they have fulfilled their fiduciary duties to retail investors including reviewing fees and expenses, best execution, and compensation arrangements.

  • Mutual Funds and ETFs

As many digital advisers offer ETFs, this EXAMS priority deserves particular attention. The Division will focus on financial incentives that pose potential conflicts of interest in recommending investments, and the adequacy of disclosures regarding such conflicts.

  • Information Security and Operational Resiliency

The Division will review whether firms have taken appropriate measures to: (1) safeguard customer accounts, including identity verification methods; (2) oversee vendors and service providers; (3) address malicious email activities; and (4) manage operational risk in a work-from-home environment, particularly for online access to firm systems.

Firms are advised to document responses to breaches and attempted breaches, and have a well-reasoned analysis of risks posed by remote working.

  • Roboadvisors

Division staff will focus on automated tools and platforms, and whether they perform as described in their disclosures. Firms are well advised to compare policies with procedures long before a regulator comes knocking.

EXAMS remains committed to reviewing all facets of adviser operations. Firms are encouraged to utilize the Exam Priorities publication as a roadmap for compliance, and to seek legal advice to ensure that risks of examination and enforcement are appropriately minimized.

Our next series of posts will take a deeper dive on these examination priorities.  We invite you to join us next time when Craig will take a closer look at the issues highlighted by EXAMS with respect to two particular investments commonly used by robo-advisers, mutual funds and ETFs.

Over the last three posts to the blog (overview, performance, promoters), we’ve interrupted our previous schedule to provide insight into the U.S. Securities and Exchange Commission’s (“SEC”) recently adopted changes to the rules governing investment adviser marketing and advertising. In today’s post, we resume our previous topic thread focusing on the necessary components of an investment adviser’s compliance program. Specifically, we’re going to examine valuation and fee assessments.

We’ve previously discussed that Advisers Act Rule 206(4)-7 (the “Compliance Rule”) requires that every investment adviser adopt and implement written policies and procedures reasonably designed to prevent violations of the Investment Advisers Act of 1940, as amended, and its rules. One of the requirements noted in the adopting release for the Compliance Rule was that all advisers must adopt policies and procedures to value client holdings and assess fees based on those valuations.

As a robo-adviser, you may read this requirement and assume that because you don’t hold securities on behalf of your clients, valuation isn’t an issue for your firm. While this may be the case, attention is still required to ensure compliance. As noted above, your compliance program must contain policies and procedures related to the valuation of client holdings. Your firm’s policy may simply recite that it does not hold client securities and that those securities are valued by the appropriate client account custodian. Attention to valuation may be especially important if your firm provides investment advice on hard to value asset classes, such as cryptocurrency or asset-backed securities. If you are in this situation, we highly recommend working with a legal or compliance professional to draft your policies and procedures.

The second aspect of this necessary compliance component is fee assessment. Fee assessment is tied to valuation because the fee a client is paying to most robo-advisory firms is derived from the value of the client’s assets under management at the firm. Any instance in which a client is paying for investment advisory services carries a high potential for SEC regulatory scrutiny. While there may be a variety of fee arrangements utilized by robo-advisory firms, the key is that your compliance program contains policies and procedures that require regular and reliable testing of your fee arrangement to ensure that clients are accurately charged in accordance with the terms of their agreement with your firm.

We hope you’ve enjoyed our series on critical compliance components. In our next blog, Marc will begin a new chapter in which we review the SEC Division of Examinations’ 2021 exam priorities and their applicability to robo-advisory firms. We thank you for your continued readership and hope that you’ll check back then.

Word-of-mouth is still one of the best ways to attract business.  Investors, whether new or seasoned, consistently look to the experiences of previous customers or talk to someone they trust before they hire a financial adviser.  As a result, posting great reviews and compensating others to make recommendations continues to be a key part of many robo-advisers’ marketing campaigns.

As we noted in a prior post, you’ll want to be careful about using the statements of clients about their experience (testimonials) and other favorable comments.  As you’ll recall, Rule 206(4)-1 (the “Advertising Rule”) generally prohibits the use of such statements.  That said, the SEC has, over time, softened that general prohibition through no-action letters and formal guidance, allowing firms to, under certain circumstances, publish content that includes testimonials or other good reviews (including third-party ratings).

In addition, as we also posted, Rule 206(4)-3 (the “Solicitation Rule”) prohibits an adviser from paying a third party solicitor to recommend prospects to the adviser, unless the adviser (i) enters into a written agreement with the solicitor that includes certain provisions, and (ii) the solicitor provides the prospect with the adviser’s firm brochure and a separate document disclosing the solicitation arrangement, which must be signed by the client.

As Marc mentioned last time, the recent amendments to the Advertising Rule will, among other things, eliminate the Solicitation Rule and cause testimonials and cash solicitation to be governed by a single rule. In addition, the no-action letters and formal guidance that have softened the prohibitions on testimonials will be, once the amendments are effective, superseded by the new rule.

So what are the changes you need to know about?  First, we have to learn some new definitions for a couple of familiar words.  The new rule redefines “testimonial” to cover statements by a current client about their experience or recommending the adviser, and “endorsement” to mean statements by someone other than a current client about their experience or recommending the adviser.

With those new meanings in mind, here’s how the new rule works.  It allows (i) the inclusion of a testimonial or endorsement in advertising and (ii) an adviser to compensate someone for a testimonial or endorsement, provided the adviser:

  • discloses, or believes the person giving the testimonial or endorsement discloses:
    • whether the person is a client,
    • whether it was a paid statement (and the terms of such payment), and
    • material conflicts of interest;
  • has a written agreement with any person paid to give a testimonial or endorsement (unless there is de minimis compensation or the person is affiliated with the adviser);
  • oversees compliance with the rule; and
  • ensures that no “bad actors” act as promoters.

Importantly, the new rule applies whether the adviser uses cash or non-cash compensation, and it eliminates the requirement for the solicitor to deliver a copy of the adviser’s firm brochure and obtain a signed disclosure document.  Additionally, it specifically permits the use of third-party ratings in an advertisement, provided the adviser provides certain disclosures and satisfies specified criteria related to the preparation of the rating.

The recent amendments to rules governing advertising and solicitation are substantial.  While you still have ample time before compliance is required, we suggest you begin to think now about how your current practices, policies and procedures will be affected so that the transition to the new regime will be as seamless as possible.  We hope you’ll return next time, when Josh will discuss valuation and fee assessment.  We look forward to seeing you then!