October 31, 2014

Webinar Recap: Cybersecurity for RIA Firms

Yesterday we hosted 175 RIA firms on a webinar discussing the relevance and importance of protecting advisory clients from cyber threats.

We began by addressing three common misperceptions that sometimes prevail within our industry.

1) Cyber threats against RIA firms are rare.

Regrettably, this isn't the case. Just among our client base, we see attempted (and in one case successful) cyber frauds occur all the time. In fact, 10% of our clients (the clients of our clients, to be exact) have been the target of cyber fraud, usually by means of a hacked email account and a fraudulent wire request.

Michelle Wraight, vice president and chief privacy officer at Pershing, agrees: “We’re seeing wire transfer fraud at epidemic levels.”

2) Cybersecurity is a “big firm” problem.

Every RIA, big or small, has points of vulnerability. In fact, regulators have specifically noted that smaller RIA firms will not get a pass when it comes to putting procedures in place to protect clients.

3) Cybersecurity is an IT issue.

Cybersecurity requires a multi-pronged approach. Effective cybersecurity goes way beyond information technology. Effective cybersecurity risk management is a cross-functional challenge that must also address operational processes, vendor management, regulatory requirements and human resources.

We then addressed the topic from a regulator's perspective. Regulators expect compliance and risk management to be an integrated part of the operations of your business. Cybersecurity is not just a technology concern.

The SEC's Office of Compliance Inspections and Examinations' (OCIE) recent cybersecurity initiative was designed to assess the preparedness of RIAs and ensure that firms are taking the necessary steps to mitigate cyber threats. The areas examined include: preparedness, firm governance, identification and assessment of risks, protection of networks and information, remote access, and funds transfer requests.

We then provided some practical steps for RIAs to follow that would not only satisfy regulatory expectations but also protect their clients from the very real threats that exist today. They include: maintaining a working knowledge of all clients (and their "normal" activity with respect to wire requests), securing mobile devices, securing hardware and office space, and setting procedures and controls that govern how your firm processes client wire requests.

Click here for a replay of the webinar.

Click here to download the slides.

October 20, 2014

AdvisorAssist Participates in Launch of New Content Site for Advisors

Today marked the launch of a new content site directed towards the advisory industry.

Launched this morning, IRIS is a beautifully-designed content site that covers topics that cut across all aspects of building and managing an advisory business.

Today's launch included content from about 20 contributors, covering topics like human capital management, marketing, leadership, financial planning, and of course compliance.

Our first contribution discusses cybersecurity and how RIA firms can take practical measures to protect clients from the (very real) threats that exist today.

Our article can be found here. (We can't take credit for that graphic, but it does leave an impact!)

If you haven't already, check out IRIS to read some high quality content relevant to the advisory community.

And congratulations to the IRIS team for curating content from so many industry experts, each of whom shares two things: a passion for their subject matter and a willingness to share their views.

September 8, 2014

How to Properly Count Advisory Clients for your RIA Firm's Form ADV

Most advisors view their client base in terms of households (i.e. distinct relationships), which often makes it challenging to translate into the “clients” and “accounts” data that regulators expect to see accurately reported in Form ADV 1.

Regulators care about two things: clients and accounts. They do not recognize or ask for any data related to households. [Note: In some instances a household may equal a client.] During examinations, regulators will check the accuracy of these numbers in your Form ADV 1, so it is important to understand the logic that goes into calculating them.

In another post, we discuss some tips on how to determine your firm's total accounts.

Who is a Client?

A "client" is any natural person, along with their minor children and any relatives or spouse sharing the same principal residence. This includes any accounts or trusts where natural persons are the only primary beneficiaries, and any entity (corporation, general partnership, limited partnership, limited liability company, trust) where you provide investment advice based on the entity’s investment objectives.

Sometimes it helps to think about it this way: to whom do I owe a fiduciary duty? If multiple accounts all roll up to one individual, then typically they count as just one client, because you are maintaining one fiduciary relationship between you and that one individual.

Confused yet? Me too. So let’s go through a few scenarios.

If Mr. Smith has an IRA, a taxable account and a corporate account where he’s the sole owner, that’s ONE client because Mr. Smith is the only person engaged in this fiduciary relationship.

If you manage accounts for Mr. and Mrs. Smith and consider both of their interests in making investment decisions, they are generally considered ONE client. (In this case, you should have both spouses as a party to your client agreement.)

If Mr. and Mrs. Smith have two individual accounts and one UGMA, this is ONE client.

If Mr. and Mrs. Smith have one joint tenant account and a trust where they are the sole beneficiaries, this is ONE client. Now if the trust had one additional beneficiary outside of their family, then the trust becomes a separate client (that’s TWO clients).

If Mr. and Mrs. Smith have one joint tenant account and a corporate account that is wholly owned by both, then that is ONE client. But if that corporate account had external shareholders (outside their family), then it is TWO clients: the couple and the corporation are each a separate client.

If Mr. and Mrs. Smith have one joint tenant account and an adult child with an IRA, that would generally be TWO clients. But if it were a minor child with a 529 plan, it would be ONE client.

If Mr. and Mrs. Smith have one joint tenant account as well as a trust account for the sole benefit of Mrs. Smith, you can still consider this ONE client. But if the trust is for an adult child, it would be counted as TWO clients.

When determining your RIA firm’s total number of clients:
  • You may (but are not required to) include clients from whom you receive no compensation for your services.
  • Include clients who are not U.S. residents (and also report these separately on Form ADV 1).
  • For pooled vehicles (hedge funds and mutual funds), the underlying investors are generally not counted as clients (but this may vary by state). So the fund is considered one client.
  • If you have your principal office and place of business outside the United States, you are not required to count clients that are not United States residents. But if your principal office and place of business is in the United States, you must count all clients.

Brian Lauzon

How to Determine the Total Number of Accounts for your RIA Firm's Form ADV

Regulators expect RIA firms to accurately report their total number of clients and accounts in Form ADV 1. Determining each of these data points can be trickier than you'd expect. In this post, we lay out the logic you can use to calculate total accounts for Form ADV 1.

In another post, we discuss how to count your firm's total clients.

What’s an Account?

Accounts are distinct (segregated) groupings at the client’s designated custodian, trust company, transfer agency or administrator (collectively the “custodians”). This makes them relatively easy to determine (as opposed to total clients), since custodians maintain and report on an account-level basis, with each account specifically identified.

When determining your RIA firm’s total number of accounts:
  • You must only include accounts where you provide continuous and regular supervisory or management services.
  • You must include both discretionary and nondiscretionary accounts, as applicable, and report them separately on Form ADV 1, Item 5.F.
  • You may include accounts where you do not receive compensation for your services, as long as you provide continuous and regular supervisory or management services.
  • For pooled vehicles (hedge funds and mutual funds), the underlying investors are generally not counted. So the fund is one account.
  • You should exclude accounts with zero values or those established to allow a client to make self-directed investments.

During examinations, regulators will check the accuracy of these numbers in your Form ADV 1. We hope that this helps you accurately calculate and report your RIA firm's total accounts.

August 12, 2014

The AdvisorAssist CCO Series: Business Continuity Planning (BCP)

Each of us tends to either ignore or underestimate the possibility of disasters occurring in our future. This has been shown time and again by cognitive science research and is often referred to as "normalcy bias."

In our experience, RIA firms place a high importance on business continuity planning, yet often (particularly smaller firms) either postpone or abbreviate the process of creating, testing and maintaining their business continuity plans.

These tendencies leave them exposed to the risk of disruptions in their ongoing responsibilities to clients. However, they would all agree that the protection of client information is essential to maintaining the integrity of their business.

Advisor Business Continuity Planning (BCP) In a Nutshell

We employ this framework to help RIA firms implement their business continuity planning:
  1. Business Analysis. Identify the critical business processes that you must perform daily, as well as those that become critical in a typical 10-day period. Think through the possible and likely scenarios that could result in a business disruption (e.g. power outages, weather, systems failures in your office building). Take an inventory of all technologies and external partners that you rely on to run your business.
  2. Plan Design. Define the scope of your plan. (Will it cover disaster recovery only, or should it be expanded to include succession planning to mitigate key-person risk?) Your BCP must also contain: firm policy/plan expectations, contingency scenarios, critical business functions (Day 1 vs. Day 10), critical business systems and how to access them, contact information for employees, vendors and partners, alternate work location(s), back-up and restoration of critical information, protection of client information, and protocols for testing, updates and revisions.
  3. Implementation. With the buy-in and support of your leadership, socialize and review the plan with your team and provide training (and cross-training) for key activities, data access and data protection. Ensure that your plan is accessible to everyone from a remote location (e.g. a current copy at home, or a copy on a separate secure server or intranet).
  4. Testing. Perform a "real" test at least annually by following the BCP as written. Your BCP should be self-implementing; it should contain the process for how to continue your business operations. Document gaps in the plan and document deviations from the plan. Require full participation (at the same time!) and test all critical functions and systems, including operations, vendors, and communications.
  5. Maintenance. Update your plan on a real-time basis for process changes, technology enhancements, regulatory changes, and contact information. Deliver and train your team on changes.

Through the Regulator's Eyes

The SEC has identified business continuity planning as a requirement for RIA firms (see SEC Release IA 2204). While the SEC requires policies and procedures to address business continuity, it does not mandate specific requirements for the BCP, other than that it must address the procedures to meet the fiduciary responsibility to protect client interests from being put at risk by an advisor’s inability to operate. Some states have adopted formal BCP requirements for state-registered RIA firms. If you are a state-registered RIA firm, be sure to verify that your BCP meets applicable state requirements, or check with your compliance consultant.

Regardless of the implicit or explicit requirements, all RIAs should have a formal BCP in place to demonstrate to regulators and clients that they have planned for the undisrupted performance of their fiduciary duty.

CCO Best Practices

  • Plan for the 99.5% and not the 0.5%
  • Ensure buy-in from senior management and owners
  • Test your plan at least annually by selecting one day to conduct business from alternate location(s)
  • Update your plan with new and changing contact information for staff and external partners
  • Ensure that information security is a priority of your BCP, including the protection of client information during business disruptions
  • For state-registered RIAs, validate against the NASAA model rule for business continuity planning
  • Leverage your business continuity planning obligations by using them as a foundation for a documented operating plan (Operating Manual) for your business. Your firm's activities can run just as smoothly day-to-day as they do during business disruption!

The AdvisorAssist CCO Series is a collection of blog posts that cover each of the elements of your RIA's compliance program. Each post provides an overview of one compliance topic, including our insights on how regulators view that topic as well as some practical steps to help Chief Compliance Officers address it. As always, we welcome your comments and thoughts.
Brian Lauzon