August 9, 2017

SEC Risk Alert: Cybersecurity

On August 7, 2017, the Office of Compliance Inspections and Examinations (“OCIE”) released their observations of cybersecurity preparedness from the examinations of 75 SEC registered firms, including registered investment advisors (“RIAs”). Although the OCIE noted improvements since their last cybersecurity risk alert in 2014, there is still room for improvement.

The OCIE suggests that RIAs consider the following practices to enhance their cybersecurity policies and procedures.

What you need to know:

  • Include details on how safeguards will be implemented. OCIE recommends adding safeguards that are specific to your RIA's computers and systems to your procedures.
  • Penetration tests to review the effectiveness of the firm's cybersecurity policies and procedures.
  • Security monitoring and system auditing of the firm's cybersecurity framework, answering questions such as when systems are reviewed for software updates and patches and who is responsible for conducting those reviews.
  • Tracking list of vendors and what data is stored on the vendor’s system.
  • Tracking of access rights for all employees to the systems that store client data.
  • Access controls to firm data and systems including:
    • Acceptable use policies for using the firm’s network or equipment.
    • Restrictions and controls for using mobile devices when connected to the firm systems.
    • Require third party vendors to provide logs of their activity on the firm’s network.
  • Reporting of the loss of sensitive information including who should be contacted.
  • Providing mandatory staff training of cybersecurity policies and procedures.
  • Involvement from senior management to develop and approve the firm’s policies and procedures.

If you have any questions, please schedule time with your compliance consultant to discuss your cybersecurity risks.

For full details of the risk alert:

Brian Young
Brendan Furey

June 20, 2017

Guest Post: 3 Critical Steps to Improve Your RIA's Cybersecurity

Wes Stillman is the chief executive officer of RightSize Solutions, a provider of cybersecurity and technology management services for wealth management firms. We have asked Wes to share a few tips on cybersecurity for RIAs:

Cybersecurity is a growing concern, and recently has become a hot button issue amongst business publications and consumer national news. Regulatory boards that monitor the financial services industry are taking note to quickly shift accountability to financial advisors.

While these may seem daunting at first glance, the better you plan to address these issues the more prepared you will be for an audit, and equally important, how you’ll respond to an unforeseen incident.

To help you manage this critical aspect of your business's health, success and security, as well as your clients' personal security, here are 3 proactive steps you can take immediately:

“9 out of 10 organizations do not believe their cybersecurity fully meets their needs.” EY Global Information Security Survey

1. Survey your existing technology environment. You can find easy wins, and avoid pitfalls, by just recognizing your strengths and weaknesses.

The best place to start is by looking at what you already have. Take an inventory of what policies, software and hardware your firm utilizes. Where are your weak points? Consider the business partnerships and data exchanges your company executes on a daily basis. In today’s interconnected business environment, our data supply chains create many access points to your customers’ data. Make sure you are doing your part to protect these connections. Understand and document how your partners are protecting your clients’ data. Some partners, like your custodian, may offer tools and assistance for improving your security. As a last line of defense, check your Errors and Omissions Insurance, many policies now include or require cybersecurity. If yours does not, consider a standalone Cyber-insurance policy. Keep in mind, having insurance protection is important, but it does not negate the need for proper processes and procedures in place.

“62% of cyber-breach victims are small to mid-size businesses, which are at the greatest risk for an attack. Their level of preparation is low, and the costs of customer notification alone can be enough to do a small company irreparable financial harm.” PropertyCasualty360

2. Make sure the IT/cybersecurity section of your employee handbook is up-to-date and enforceable

Establish a clear contingency plan for dealing with cybersecurity incidents. Make sure your plan has both preventative and reactive action items. Do you have a clear contingency plan set in place and a process for responding to cyberattacks? Do your employees know what is expected of them? To ensure this, create actionable steps for dealing with employees, clients, partners, members of the press, and police and government. Think about all of the levels of security at your company. Clearly lay out who has access to what and control administrative privileges accordingly (both with internal staff and outsourced vendors). For example, limiting the ability to install drivers and execute applications can help control what gets onto your systems and prevent attacks like ransomware.

Lastly, recognize the impact of social media and create a policy specific to it. Not only does it distract employees, social media is a direct portal to cyber incidents. RIAs are prime targets for advanced phishing campaigns because much of their personal and business information is available online. Social media should be monitored for both public and employee comments. Policies should restrict what employees can and/or should be saying on social media accounts. Be sure to include any company social media accounts in your archive process for auditing purposes.

“Elite RIAs are more focused on maximizing their investments in existing technology as well as their partnerships with technology vendors.” InvestmentNews Research and BlackRock Elite RIA Study

3. Empowering your entire company to participate in awareness and rewarding employees when they do, can drastically improve your security

Building a culture of cybersecurity is one of the most important things you can do. Lead by example; regularly discuss cybersecurity in staff meetings and in other internal communication. Employees need to be empowered with knowledge and a shared commitment that goes far beyond the annual ‘check the box’ confirming that you have read and understand the company IT policies. If an incident does occur, let your employees know about it. Not only will it help deter the impact of the incident, it will help your employees develop a team approach to cybersecurity. When employees alert management to mistakes early in the process, they are giving management the opportunity to prevent huge losses of time, data, and money. Specific ways that you can educate employees include conducting mock cybersecurity drills and scheduling periodic ‘test’ phishing emails or phone calls. Discussions regarding recent and specific documented cases should be had in staff meetings. Question employees directly on how they would individually handle such situations.

In conclusion, the biggest stumbling block for registered investment advisors when it comes to guarding against cybersecurity breaches is not technology-based, it’s a people problem. The right technology is critical, but RIA leaders can face a bigger challenge in fostering a cybersecurity-sensitive culture in a way that resonates throughout all levels of their firms.

Read our ‘Managing Your Company’s Security Policy’ whitepaper for all 10 tips to help improve your firm’s cybersecurity.

Guest Contributor:

Wes Stillman is the chief executive officer of RightSize Solutions, a provider of cybersecurity and technology management services for wealth management firms.

June 14, 2017

DOL Rule: Level Fee Fiduciary

Even if you are a fee only RIA, the DOL still applies to you!

Unless you have been living under a rock, you are already aware that June 9, 2017 marked the official compliance effective date of the DOL Rule. Although advisors have until January 1, 2018 to be in full compliance of the new rule, it is recommended that you get started today.

I have been asked multiple times about the applicability of the DOL rule to a fee only RIA. Just because you do not collect commissions via mutual fund or insurance sales does not mean that you are safe from the DOL rule. Yes, as a fee only RIA, you are in good shape because you are already held to a fiduciary standard under the Advisers Act. However, the DOL rule expands the definition of a “fiduciary” as it relates to retirement plans and accounts. The most common scenario is when an Advisor recommends a retirement account rollover. In a rollover situation, there are additional disclosures and documentation practices that Advisors will need to implement to comply with the DOL rule. As it relates to fee based RIAs, I will focus my conversation on the level fee fiduciary exemption.

So who is a level fee fiduciary? Per the DOL rule, it is an advisor that provides services based on an AUM or fixed fee that does not vary based on the recommended investments. I think most people would agree that a fee based account versus a commission based account better aligns the interests between the Advisor and client. However, the DOL rule seeks to cover the conflict of interest that potentially lies in the rollover of a retirement account. More specifically, the scenario where the Advisor is able to generate revenue that they would not receive if not for the account rollover. Here are a couple scenarios to consider:

Scenario 1:

Your client has an ERISA retirement plan account through their employer, XYZ Corp. They are making a career change and starting a new job with ABC Corp. They reached out to you to help decide what they should do with their XYZ Corp sponsored retirement account. You recommend that the client should rollover their retirement plan account into an IRA account.

Scenario 2:

Your client has an IRA account that is held in a commission based account. You recommend that they rollover this account into a fee based account.

In these scenarios, here are a few best practices to make sure that you adhere to the level fee fiduciary exemption. You will need to:

  • Acknowledge your fiduciary status through a written notice to your client.
  • Abide by the impartial conduct standards:
    • Act in the best interest of the client.
    • Charge reasonable compensation.
    • Do not make misleading statements.

In both account rollover scenarios, it is important that you also document how you are adhering to the impartial conduct standards. Here are few questions that you should answer and keep saved in your client files:

  • Why was the account rollover recommendation in the best interest of the client?
  • What other investment options are available to the client besides an account rollover?
  • What are the fees and expenses in the previous account versus the fee based account?
  • What are the level of services or investments made available under the previous account versus the fee based account?

If you have any additional questions, please feel free to post a comment below or send an email to We will be posting more content in regards to the DOL Rule, so please subscribe to our blog!

Brian Young

March 13, 2017

Custody Rule: Standing Letter of Authorizations

There has been a level of uncertainty for Registered Investment Advisors (“RIA”) over the past year in regards to the SEC’s position on Rule 206(4)-2 (“Custody Rule”) (see the AdvisorAssist blog post on Custody for additional information) and how it applies to standing letters of authorization (“SLOA”) for a client at a qualified custodian (“Custodian”). It has been a common business practice for RIAs and clients to establish a SLOA at the Custodian which authorizes the RIA to instruct the Custodian to disburse client funds to a third party account or payee. Generally speaking, the intent of this practice is to minimize the administrative steps for RIAs to service the money movement requests of their clients. However, there has been much confusion by both RIAs and examiners as to which SLOA scenarios constitute custody of client funds and trigger the Custody Rule requirements for the RIA.

On February 21, 2017, the SEC provided clarity to this question through a no-action letter. The SEC confirmed their stance that the business practice of using SLOAs as instructions for payments to third parties falls under the definition of custody, thereby requiring RIAs to disclose that they have custody of client funds. However, the SEC also provided some relief for RIAs as it relates to the independent surprise examination requirement of the Custody Rule.

The SEC advised that they would not seek enforcement action against RIAs who do not obtain a surprise examination as long as the RIA follows the guidelines below:

  • The client provides an instruction to the Custodian, in writing, that includes the client’s signature, the third party’s name, and either the third party’s address or the third party’s account number at a Custodian to which the transfer should be directed.
  • The client authorizes the RIA, in writing, either on the Custodian’s form or separately, to direct transfers to the third party either on a specified schedule or from time to time.
  • The client’s Custodian performs appropriate verification of the instruction, such as a signature review or other method to verify the client’s authorization, and provides a transfer of funds notice to the client promptly after each transfer.
  • The client has the ability to terminate or change the instruction to the client’s Custodian.
  • The RIA has no authority or ability to designate or change the identity of the third party, the address, or any other information about the third party contained in the client’s instruction.
  • The RIA maintains records showing that the third party is not a related party of the RIA or located at the same address as the RIA.
  • The client’s Custodian sends the client, in writing, an initial notice confirming the instruction and an annual notice reconfirming the instruction.
CCO Best Practices

To ensure that you are properly dealing with custody issues AdvisorAssist recommends the best practices of:

  • Perform an assessment to determine whether or not you have custody of client assets or securities.
  • Review all current SLOAs to identify any that are established to send funds to an account at a different Custodian or to a third party payee.

RIAs have until October 1, 2017 to comply with the above described actions. Also, there will be a new requirement for RIAs to state client assets that are subject to a SLOA on their ADV1, Item 9.

Brian Young
Conor Anderson
Brendan Furey

February 10, 2017

Wyoming RIAs - Get Ready for Changes!

In March 2016, the State of Wyoming joined the ranks of other states by implementing the Wyoming Uniform Securities Act.

For years, Wyoming has been a sanctuary for registered investment advisors that sought registration with the U.S. Securities and Exchange Commission ("SEC"), but did not have the requisite $100 million in assets under management ("AUM").

In other states [excluding NY], an Advisor with less than $100 million in AUM was required to register with the state securities division of their home state and other states in which the advisor had a place of business or clients exceeding a de minimis level. As Wyoming did not have formalized securities regulations, those advisors became the jurisdiction of the SEC.

With the implementation of Wyoming’s Uniform Securities Act, Wyoming will require registered investment advisors to register with the Wyoming state securities division if they have less than $100 million in AUM. The new legislation will take effect on July 1, 2017.

The SEC has begun contacting firms that may be affected by this change. If you are in need of assistance in updating your registration or transitioning from SEC to state registration, please contact us at

Sample [redacted] notice from the SEC:

Sent: 09 February 2017 22:01
To: [Advisor]
Subject: [Advisor - CRD######]

We are contacting you about your status as an SEC registered investment adviser with a principal office or place of business in Wyoming. As you may know, investment advisers with a principal office and place of business in Wyoming have been required to register with the SEC because the State of Wyoming has not previously regulated investment advisers. Advisers indicate this basis for SEC registration by checking the box for Item 2.A.(3) in Form ADV.

The State of Wyoming has recently adopted legislation to begin regulating investment advisers on July 1, 2017. See Wyoming Uniform Securities Act. After that date, SEC registered investment advisers will no longer be eligible for SEC registration solely on the basis of having a principal office and place of business in Wyoming. If you are an adviser with regulatory assets under management of over $100 million or you have another basis requiring you to remain registered with the SEC after the Wyoming legislation goes into effect on July 1, 2017, we encourage you to select the checkbox on Item 2 in Form ADV indicating that other basis for SEC registration as early as possible and uncheck the Item 2.A.(3) box. Additionally, if you are required to remain registered with the SEC after July 1, 2017, you should consider whether you will also be required to include Wyoming as a state in which you must provide a notice filing in Item 2.C.

If you are an adviser that does not have another basis requiring you to remain registered with the SEC after July 1, 2017, you may be required to become registered with the State of Wyoming or other states in which you conduct business. State regulator contact information may be found at the Contact Your Regulator - NASAA webpage. You may apply for state registration by filing a new Form ADV through the IARD system (select the "Apply for registration as an investment adviser with one or more States" option) and file a partial ADV-W withdrawing from SEC registration after your state registration has been approved. Advisers that are no longer eligible for SEC registration after the Wyoming state legislation goes into effect on July 1, 2017 and who have not applied for state registration may be subject to having their SEC registration cancelled.

You may reply to this email if you have questions or contact us at 202-551-6999.


Division of Investment Management
U.S. Securities and Exchange Commission
100 F Street, N.E.
Washington, D.C. 20549-8549
P: (202) 551-6999

January 26, 2017

CCO Series: Custody

What you need to know

In developing policies and procedures for a registered investment advisor ("RIA") a topic that should be addressed is custody. As stated in their release, the SEC created rule 206(4)-2 under the Advisers Act, “to reflect modern custodial practices and clarify circumstances under which a RIA has custody of assets.” The rule requires a RIA that has custody of client securities or funds to implement a set of controls designed to protect those assets from being lost, misused, or misappropriated. The rule provides that, in general, a RIA should maintain funds and securities with a broker-dealer, bank, or other "qualified custodian" to avoid having custody themselves. Then, if the qualified custodian sends account statements directly to the RIA's clients, the RIA is relieved from undergoing an annual surprise custody audit. Many states have also implemented custody rules similar to 206(4)-2.

Definition of Custody

A RIA has custody when it holds, "directly or indirectly, client funds or securities or [has] any authority to obtain possession of them." The SEC created examples to illustrate circumstances under which a RIA has custody of client funds or securities.

  • Holding clients' stock certificates or cash, even temporarily, is custody. However, the rule acknowledges that there may be times of inadvertent receipt of funds or securities. Therefore, to avoid custody, any check or security certificate inadvertently received by a RIA must be returned to the sender or placed with the qualified custodian within three business days of receiving them.
  • A RIA has custody if it has the authority to withdraw funds or securities from a client's account, such as a power of attorney, possession of account login credentials or an authorization other than discretionary trading.
  • Acting in any capacity that gives it legal ownership of, or access to, the client funds or securities, such as acting as both general partner and investment advisor to a limited partnership, is custody. As general partner, the RIA generally has authority to dispose of funds and securities in limited partnership account(s) and thus has custody.
  • Collecting prepayment of fees in an amount of $1,200 or more for services to be performed six months or more in advance. In this case, the RIA must include an audited balance sheet with its Form ADV deliveries to clients from whom the RIA has received such prepayments.

Avoiding Custody Issues

There are several steps to take in order to avoid custody issues:

  • Due Inquiry. A RIA is required to have a reasonable basis to believe that, after due inquiry, the qualified custodian is delivering an account statement to each of your clients at least quarterly. The account statements must identify the amount of funds and of each security in the account at the end of the period and set forth all transactions in the account during that period. In SEC Release No. IA-2968, the SEC identified common ways to satisfy the due inquiry requirement:
    1. Request that copies of client account statements be sent to the RIA.
    2. Request a written confirmation from the custodian that the account statement was sent to each client.
    3. The CCO maintains his or her personal accounts at the same qualified custodian that has all of the RIA’s Client accounts and the CCO ensures that he or she receives statements at least quarterly.
  • Deduction of Fees. For a SEC registered RIA, documentation of “due inquiry” is the primary safeguard for the deduction of fees to not be deemed custody. However, in addition to “due inquiry”, many states also require that in order to deduct fees from a client’s account without creating custody, the RIA must:
    1. Have written authorization from the Client to deduct advisory fees from the account;
    2. Each time a fee is directly deducted, concurrently send the qualified custodian notice of the amount of the fee to be deducted, and the Client an invoice itemizing the fee including the formula used to calculate the fee, the amount of assets under management upon which the fee is based, and the time period covered by the fee;
    3. Ensure the qualified custodian sends statements, on at least a quarterly basis, to Clients showing all disbursements, including the amount of the advisory fees; and
    4. State in Form ADV that the Advisor intends to use the safeguards provided in regulation, instead of the requirements for custody.
  • Linked Accounts. Since May 20, 2010, the SEC has stated in Question II.4 that the limited authority to transfer assets between the Client's accounts maintained at one or more qualified custodians is not custody, if:
    1. the Client has authorized the RIA in writing to make such transfers and
    2. a copy of that authorization is provided to the qualified custodian, specifying the Client accounts maintained with the qualified custodian.

For transfers outside of the qualified custodian or recurring transfers, the RIA should have an authorization signed by the Client for each transfer specifying the transfer destination and the dollar amount for each transfer.

Maintaining Custody

For RIAs that have custody of funds or securities there are a number of requirements in order to ensure that the RIA is a “qualified custodian” for those assets.

  • Annual audited financials. A RIA with custody of Client funds or securities must have its financials audited annually and then report the balances on Part 1 of Form ADV.
  • Annual surprise examinations. The independent verification and audit of the custodied funds must occur at a time that is chosen by the accountant without prior notice or announcement to you and that is irregular from year to year. The accountant must be registered with the Public Company Accounting Oversight Board.
  • Internal controls report. Based on the surprise examination, the accountant must issue a written internal control report with opinions as to whether controls have been placed in operation as of a specific date, and are suitably designed and are operating effectively to meet control objectives relating to custodial services, including the safeguarding of funds and securities held during the year.
  • The accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction.
  • In addition, many states also require that RIAs with custody maintain at least a specific amount of net capital or obtain a surety bond.

What are the next steps for a CCO?

To ensure that you are properly dealing with custody issues AdvisorAssist recommends the best practices of:

  • Perform an assessment to determine whether or not you have custody of client assets or securities, and respond appropriately, depending upon your intention to have custody or not.
  • Implement controls to ensure the proper handling of client assets and securities to avoid the abuse of the authority granted by your clients to access and manage their assets and securities.
  • Perform "due inquiry" on your custodian to ensure that each of your Clients is receiving statements at least quarterly.
  • Review your advisory agreements to ensure that you have proper authorization to deduct fees from Client accounts.
  • If your RIA receives deposit checks or stock certificates from Clients, maintain a "checks received log" and institute a policy of remitting these checks within 72 hours of receipt to the qualified custodian.
  • If your RIA maintains custody, contract with an independent accounting firm to perform surprise custody audits at least annually on the accounts over which you have custody.
  • If you are a state registered RIA, review your fee deduction process to ensure that each time a fee is directly deducted, you concurrently send the qualified custodian notice of the amount of the fee to be deducted, and the Client an invoice itemizing the fee including the formula used to calculate the fee, the amount of assets under management upon which the fee is based, and the time period covered by the fee.

The AdvisorAssist CCO Series is a collection of blog posts that cover each of the elements of your RIA's compliance program. Each post will provide an overview of one compliance topic, including our insights on how regulators view each topic as well as some practical steps to help Chief Compliance Officers address this topic. As always, we would welcome your comments and thoughts.

Brendan Furey
Conor Anderson