August 12, 2014

The AdvisorAssist CCO Series: Business Continuity Planning (BCP)

Each of us tends to either ignore or underestimate the possibility of disasters occurring in our futures. This has been proven time and again by cognitive science research and is often referred to as "normalcy bias."

In our experience, RIA firms place a high importance on business continuity planning, yet they often (particularly smaller firms) either postpone or abbreviate the process of creating, testing and maintaining their business continuity plans.

These tendencies leave them exposed to the risk of disruptions in their ongoing responsibilities to clients. However, they would all agree that the protection of client information is essential to maintaining the integrity of their business.

Advisor Business Continuity Planning (BCP) In a Nutshell

We employ this framework to help RIA firms implement their business continuity planning:
  1. Business Analysis. Identify the critical business processes that you must perform daily, as well as those that become critical in a typical 10-day period. Think through the possible and likely scenarios that could result in a business disruption (e.g. power outages, weather, systems failures in your office building). Take an inventory of all technologies and external partners that you rely on to run your business.
  2. Plan Design. Define the scope of your plan. (Will it cover disaster recovery only or should it be expanded to include succession planning to mitigate key-person risk?) Your BCP must also contain: firm policy/plan expectations, contingency scenarios, critical business functions (Day 1 vs. Day 10), critical business systems and how to access them, contact information for employees, vendors and partners, alternate work location(s), back-up and restoration of critical information, protection of client information, and protocols for testing, updates and revisions.
  3. Implementation. With the buy-in and support of your leadership, socialize and review the plan with your team and provide training (and cross-training) for key activities, data access and data protection. Ensure that your plan is accessible to everyone from a remote location (e.g. current copy at home, copy on separate secure server or Intranet).
  4. Testing. Perform a "real" test at least annually by following the BCP as written. Your BCP should be self-implementing; it should contain the process for how to continue your business operations. Document gaps in the plan and document deviations from the plan. Require full participation (at the same time!) and test all critical functions and systems, including operations, vendors, and communications.
  5. Maintenance. Update your plan on a real-time basis for process changes, technology enhancements, regulatory changes, and contact information. Deliver and train your team on changes.

Through the Regulator's Eyes

The SEC has identified business continuity planning as a requirement for RIA firms. (See SEC Release IA 2204.) While it requires policies and procedures to address business continuity, it does not mandate specific requirements for the BCP, other than that it must address the procedures to meet the fiduciary responsibility to protect client interests from being at risk as a result of an advisor’s inability to operate. Some states have adopted formal BCP requirements for state-registered RIA firms. If you are a state-registered RIA firm, be sure to verify that your BCP meets applicable state requirements, or check with your compliance consultant.

Regardless of the implicit or explicit requirements, all RIAs should have a formal BCP in place to demonstrate to regulators and clients that they have planned for the undisrupted performance of their fiduciary duty.

CCO Best Practices

  • Plan for the 99.5% and not the 0.5%
  • Ensure buy-in from senior management and owners
  • Test your plan at least annually by selecting one day to conduct business from alternate location(s)
  • Update your plan with new and changing contact information for staff and external partners
  • Ensure that information security is a priority of your BCP, including the protection of client information during business disruptions
  • For state-registered RIAs, validate against the NASAA model rule for business continuity planning
  • Leverage your business continuity planning obligations by using them as a foundation for a documented operating plan (Operating Manual) for your business. Your firm's activities can run just as smoothly day-to-day as they do during business disruption!

The AdvisorAssist CCO Series is a collection of blog posts that cover each of the elements of your RIA's compliance program.  Each post will provide an overview of one compliance topic, including our insights on how regulators view each topic as well as some practical steps to help Chief Compliance Officers address this topic. As always, we would welcome your comments and thoughts.
Brian Lauzon

May 8, 2014

Chris Winn will be hosting a webinar on "SEC's New RIA Guidance On Social Media" at 4:00pm EST


SEC's New RIA Guidance On Social Media

Friday, May 9 at 4 p.m. Eastern

You must be a paying A4A member ($60 annually) to attend webinars, view replays, and receive CPA, CFP or IMCA CE credit.
How do RIAs and their teams use social media without raising the risk of compliance problems?

Last month, the SEC released new guidance for RIAs on the use of client testimonials in social media, clarifying what you can and cannot say and do. For instance, publishing a partial client list is okay, the SEC says, and the SEC no longer maintains that a social profile with non-investment-related commentary about an IAR, such as commentary on an IAR’s religious affiliation or community service, may violate the testimonial rule.

At this webinar, Chris Winn will cover the current trends in social media regulation, including the SEC’s recent guidance, and provide practical advice for navigating the social world in a compliant manner, including:
  • Current social media regulatory framework
  • New SEC guidance
  • When is an action a "testimonial"?
  • Common social media mistakes made by IARs
Chris Winn is founder of AdvisorAssist, a management consulting firm focused exclusively on investment advisory firms. AdvisorAssist manages the start-up and transition to help firms get off to a good start. It also provides ongoing support on compliance, practice management and technology to aid in risk-managed growth. Services include strategy, transition management, registration, incubation, vendor selection and compliance program design.
Advisors4Advisors is a continuing education sponsor for CFP, CPA, CIMA, CIMC, and CPWA professionals. CFP® and IMCA-accredited professionals receive professional education credit on 24/7 replays as well as live sessions held Fridays at 4 p.m. ET. CPAs must attend live sessions to receive CPE.

This webinar is pending eligibility for CFP®, IMCA® and PACE credit toward CLU® and ChFC® designations and it is eligible for CPA CPE credit.
Who Should Attend: Financial Advisors, CFPs, CFAs, CPA/PFSs, CIMAs, CLUs and ChFCs.
Cost: There is no fee to attend this course if you are a member of Advisors4Advisors ($60/year).
CPE credit: 1 hour, in the Regulatory Ethics field of study
Prerequisites: None
Advanced Preparation: None
Course Level: Overview
Course Delivery Method: Group Internet-Based
Program Policies: For more information regarding administrative policies such as refund, cancellation and complaint, please contact our offices at 516-333-0066 x219, or via email:

Advisors4Advisors is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its Advisors4Advisors is also approved as a continuing education sponsor by IMCA, which administers the CIMA and CPWA designations, and CFP Board of Standards, which licenses the designation for CFP® professionals.

February 21, 2014

SEC Warns Never Before Examined Advisors - We're Coming!

Are you ready for an SEC Exam?

If you are SEC registered and have yet to receive an exam, you had better prepare.

For months the SEC has alluded to its focus on "never-before examined advisers".

On February 20, 2014, despite tight resources at the SEC, they formally issued a letter to Firm Owners and Chief Compliance Officers.

"Our [SEC] records indicate your firm is a registered investment adviser that has never been examined by the Office of Compliance Inspections and Examinations (“OCIE”) within the United States Securities and Exchange Commission (“Commission”)." [See SEC Letter dated February 20, 2014.]

So, we have established they are coming. Now we are left with "when" and are you ready?

As a compliance consultant, I can attest that the SEC has been active. We have been neck deep in supporting advisor exams throughout the fall and coming into 2014. It is quite doubtful that they will get to all NBE Advisers in 2014, but your firm must prepare as if your turn is imminent.

The SEC has disclosed two approaches to these examinations: risk-assessment reviews and focused reviews.

Risk-Assessment Reviews are broader examinations that cover your entire compliance program. These reviews will focus on the effectiveness of your overall compliance program in preventing, detecting and correcting violations of the securities laws. In these examinations, the SEC will examine your overall business model and ensure you not only have the policies and procedures in place, but that your firm adheres to these policies consistently. The SEC will focus on your documentation and its consistency. [Note: If you cannot prove you completed a task or action, it did not happen in the eyes of the regulators. So please maintain proper documentation of business and compliance activities.]

Focused Reviews will target specific areas of your business model, including the Compliance Program, Filings/Disclosures, Marketing, Portfolio Management, and Safety of Client Assets. While these items may sound focused, they are both broad and inherent in most aspects of your enterprise risk and compliance. If the SEC finds some areas of weakness, they are very likely to continue into a deeper examination. In addition, the SEC recently announced their 2014 Priorities, which may yield some additional insights into the topics for Focused Reviews.

So how do you prepare?

There is no single answer to this question, but certainly taking no action has a certain end result. Here are some suggestions:

  • Risk Inventory. Start by developing a risk matrix that identifies all the business and compliance processes of your firm. Rank each item for its level of risk, impact, frequency and other parameters. The outcome of this activity should be a sortable list of your risk areas that can serve as the basis to formulate priorities.
  • Review Action Plan. Develop a reasonable and continuous action plan to review the target areas on your risk assessment. [Note: you will want to cover all areas of your business over time.]
  • Document. Document. Document. It is imperative that you document the details of your reviews. If you find areas of material weakness, you may want to consult your compliance or legal partners before committing the issues to writing. However, the key takeaway is that you must be able to demonstrate [through evidence] that you perform these reviews of your firm. The approach towards documentation is not defined by the regulations, but it must be sufficient to demonstrate the effectiveness of the control environment.
  • Leverage your Team. Compliance has largely been left on the shoulders of the Chief Compliance Officer. An effective compliance program contemplates a "culture of compliance". Leaving the risk management to the CCO is not an effective way to manage risk and it naturally results in a low return on your investment. Integrating risk management into your organization brings accountability to all supervised persons of your firm and creates a stronger risk environment.
  • Seek External Support. If you have areas of your compliance program that require immediate attention or you are not sure how to get started, it is often best to engage external compliance resources. Mock examinations, structured compliance programs and targeted support are some of the options that are available.

Best of luck in your preparation.

February 6, 2014

Minnesota IARs - Did you register?

The registration deadline for Investment Advisor Representatives (IARs) in Minnesota is January 31, 2014.

In August 2013, Minnesota enacted a law bringing its IAR rules in line with virtually every other state. [See August Post]. Effective August 31, 2013, Minnesota law required formal registration for all IARs.

Due to system delays at FINRA, the Minnesota Department of Commerce issued [“Implementation of Registration Process for Investment Adviser Representatives.” dated October 31, 2014], which set forth the required filing period [November 1, 2013 to January 31, 2014].

A Form U4 must be filed for each IAR. Further, each IAR must have completed the required examinations [Series 65 or 66] or have a recognized exemption from the examination requirements [CFP®, ChFC®, CFA®, PFS, or CIC designations in good standing].

If you are in need of assistance with these requirements, please contact us at or call 617-800-0388.

Below is a notice emailed to advisors by the Minnesota Department of Commerce.

Minnesota issued an update to all Minnesota Registered Investment Advisors on February 6, 2014

As of February 1, 2014, the Minnesota Department of Commerce has closed the initial Investment Advisor registration window. This allowed investment advisors to register with the State of Minnesota without first meeting an exam requirement per the Amended Order (.pdf) issued on October 31st, 2013.

Any applications that have been submitted on or prior to January 31st 2014, will be reviewed and processed as outlined in the amended order. Any applications received on or after February 1, 2014 will need to comply with the requirements as outlined in Minnesota Statute 80A.58 [AA Note: which requires the Series 65 or 66 exam or specific exemption].

To date, close to 10,000 investment advisor representatives have been approved for registration and more than 2,000 refunds have been issued to firms. If you are waiting for a refund please remember to send the following information to the Securities Registration mailbox.

Firm Name/CRD Number
Individual name/CRD number
Transaction Number & Transaction Date
Posting Date
Dollar Amount
Hire Date

Please send questions or comments to:

For additional information please visit the Securities Registration and Enforcement Section of the Minnesota Department of Commerce website.

February 4, 2014

SEC Announces Cyber Security Exams

Financial Advisor Magazine reports that the SEC will begin conducting cyber security exams for investment advisory firms by late September.

More at