Showing posts with label SEC. Show all posts

July 2, 2021

ERISA Fiduciary - Improving Investment Advice for Workers and Retirees


On December 18, 2020, the Department of Labor (“DOL”) adopted Prohibited Transaction Exemption 2020-02 (“PTE 2020-02”). PTE 2020-02, titled Improving Investment Advice for Workers and Retirees, expands the definition of advice covered under ERISA to include recommendations about retirement plan rollovers and Individual Retirement Accounts (“IRAs”). PTE 2020-02 went into effect on February 16, 2021, and included a non-enforcement policy lasting until December 20, 2021.

Expanding the DOL definition of investment advice to include recommendations to roll over a client's assets from an ERISA-sponsored retirement plan to an IRA is significant, because ERISA fiduciaries are prohibited from engaging in transactions in which they receive increased compensation as a result of the advice provided (otherwise categorized as “conflicted advice”). A myriad of disclosures, policies and procedures must be implemented in order to receive compensation for rollover recommendations.

The DOL has established a Five-Part Test in order to assist advisors in determining whether a recommendation to roll over retirement plan assets into an IRA falls under ERISA. The regulation states that a person provides “investment advice” if he or she: (1) renders advice to a plan or participant as to the value of securities or other property, or makes recommendations as to the advisability of investing in, purchasing, or selling securities or other property; (2) on a regular basis; (3) pursuant to a mutual agreement or understanding; (4) that such advice will be a primary basis for investment decisions; and that (5) the advice will be individualized to the plan or participant.

How does this impact Registered Investment Advisors? Many that once did not offer retirement plan advisory services will now find themselves subject to the ERISA fiduciary standard when recommending that a participant roll over retirement plan assets into an IRA. Some of these requirements and standards were already required under the Investment Advisers Act of 1940 (“Advisers Act”), so the DOL requirements below shouldn’t come as a major surprise. Under the DOL exemption, advisors must adhere to the following:
  1. acknowledgment from the advisor of their fiduciary status under Title I of ERISA and the Internal Revenue Code;
  2. due diligence and written documentation of the specific reasons that any recommendation to roll over assets (whether from an ERISA plan to an IRA, from one IRA to another IRA, or from one type of account to another, e.g. a commission-based account to a fee-based account) is in the best interest of the client;
  3. written disclosure to clients that includes (i) the scope of the relationship, (ii) all material conflicts of interest, and (iii) the reasons the rollover recommendation is in their best interest;
  4. compliance with the Impartial Conduct Standards, which include (i) providing prudent investment advice, (ii) charging only reasonable compensation, and (iii) avoiding misleading statements; and
  5. an annual compliance review, with the results delivered in a written report to a Senior Executive Officer of the advisor.

ACKNOWLEDGEMENT OF FIDUCIARY STATUS
The written fiduciary acknowledgment is designed to ensure that the fiduciary nature of the relationship under Title I of ERISA and/or the Code is clear to the advisor, as well as the client, at the time of the recommended investment transaction. This requirement reflects the DOL’s view that parties wishing to take advantage of the broad prohibited transaction relief in the new exemption should make a conscious up-front determination that they are acting as fiduciaries; tell their clients that they are rendering advice as fiduciaries; and, based on their decision to act as fiduciaries, implement and follow the exemption’s conditions.

DUE DILIGENCE AND DOCUMENTATION
There are a number of specific considerations to be reviewed and compared before executing any action. Considerations include the following:
  • The range of investment options between the existing plan and proposed rollover account, and which is in the client's best interest.
  • A comparison of the fees and expenses associated with the existing plan and the proposed rollover account.
  • What, if any, tax implications exist for the individual client should they choose to accept rolling over their ERISA plan assets into an IRA?
  • Are there services that the client would receive from the existing plan that would benefit them that they would not receive in a new account?
  • Is the client's age a factor? Are they planning to retire early, or do they plan to work past the age at which Required Minimum Distributions (RMDs) come into play?
  • ERISA plans typically have unlimited protection from creditors, whereas IRA assets are only protected in bankruptcy proceedings. Is this a concern for the client?

Advisors are expected to make diligent and prudent efforts to obtain information about the existing employee benefit plan and the participant’s interest in it. The focus should not be solely on the client’s current holdings, but should instead consider the overall options available in the plan. Factors such as the long-term impact of any increased costs, why the rollover is appropriate (notwithstanding any additional costs), and the impact of any economic investment features that exist are critical components in determining suitability for each individual client. In the event that a client won’t provide the information, even after an explanation of its significance, and the information is not otherwise readily available, the institution and professional should make a reasonable estimation of expenses, asset values, risk, and returns based on publicly available information. Whenever assumptions are used, document them and their limitations.

WRITTEN DISCLOSURES
Prior to engaging in a transaction under the exemption, the Advisor must provide its clients a written description of the Advisor’s material conflicts of interest arising out of the services it provides and any recommended investment transaction. These conflicts must include those associated with proprietary products, payment from third parties, and compensation arrangements for both the advisor and its investment advisor representatives. Disclosures with material omissions will be considered inaccurate and will not satisfy the exemption. It should be further noted that the disclosure cannot be a “check-the-box” activity. As it pertains to the written disclosure of the recommendation, advisors should consider, discuss, and document the alternatives to executing a rollover. Those alternatives include leaving the money in the existing plan, rolling the money into a new employer-sponsored plan, or withdrawing money from the ERISA plan completely.

IMPARTIAL CONDUCT STANDARDS
The cornerstone of the exemption is the requirement that advisors adopt and adhere to the Impartial Conduct Standards. The essence of these standards should come as no surprise, as they speak directly to the duty of care and loyalty that should be paid to all clients and transactions at all times as an advisor. Those standards are outlined below:
  • Investment advice must be in the best interest of the client and must not place any other interests ahead of that interest.
  • Compensation paid for such advice must be reasonable.
  • Statements made with respect to the transaction must not be materially misleading.

ANNUAL REVIEW
The Advisor’s annual review should be designed to assist the firm in detecting and preventing violations of, and achieving compliance with, the Impartial Conduct Standards and the firm's policies and procedures. The results of the review must be reduced to a written report that is submitted to one of the institution's senior executive officers. The officer must make certain certifications related to their review of the report. The report, certification, and supporting data must be retained for six years and provided to the DOL within 10 business days of a request.


How will the DOL Oversee Compliance with PTE 2020-02?

For advisors that experience violations of the exemption, PTE 2020-02 contains a self-correction procedure for violations of its conditions. To self-correct, an advisor must:
  1. Determine that the violation did not result in investment loss, or it must make the client whole for any such loss;
  2. Correct the violation and notify the DOL within thirty (30) days of correction;
  3. Complete the correction no later than ninety days after the advisor learned of (or reasonably should have learned of) the violation; and
  4. Notify the person(s) responsible for conducting the retrospective review during the applicable review cycle so the correction can be included in the report.

NEXT STEPS: We are currently building various tools embedded within AdvisorCloud360® to assist with these requirements. In the meantime, we strongly encourage advisors to adopt policies and procedures to help with their due diligence and documentation efforts, as well as ongoing disclosure requirements.

If you’d like to receive more information on the new DOL rule, please reach out to AdvisorAssist at info@advisorassist.com.

October 31, 2019

CCO Series - Client Suitability

As a fiduciary, an RIA firm is required to make investment decisions in the best interests of its clients. When making decisions regarding the investment options for accounts, an RIA firm needs to be able to defend those decisions as reasonably suitable to the goals and needs of the accounts' beneficial owners. Regulators will seek to ensure that decisions made by the firm during the course of providing its services primarily benefit the client and are suitable for a particular account's objectives. Documentation that defines a fund's investment objectives or a model portfolio strategy will be compared against the trading history and the decisions made for clients to validate whether or not the firm is making suitable investment decisions when providing its services.

RIA Client Suitability In a Nutshell

Client suitability starts with information about how the RIA firm's investment managers will provide advisory services and the information about the client or fund that will be relied upon to guide those decisions. For a typical retail RIA, this may include your client profile, risk tolerance questionnaire, investment policy statement (IPS), or client notes capturing similar information. For structured investment products this may include the operating agreements, offering documents, and similar information about the funds, parties and entities involved. As these documents are executed, modified, updated or amended, the advisor should keep and maintain this additional documentation in the firm's books and records.

Risks related to strategies used by an RIA firm must be disclosed to clients through Form ADV. Specifically in Form ADV Part 2A, the Disclosure Brochure, Item 8 Methods of Analysis, Investment Strategies and Risk of Loss should contain information regarding how the firm's investment management services will be applied to the client's accounts and the potential losses that can occur due to the way the firm will invest the client's assets. It is important for firms to review these disclosures and ensure they accurately reflect the firm's investment methods and cover the risks related to the firm's advisory services.

Confirming Suitability

After collecting a client's information, having them sign an advisory agreement and providing a copy of your ADV and other new client paperwork, suitability becomes a compliance matter for the relationship as you digest the information and start making investment decisions for the client's account(s). While your documentation may tell the client to notify your firm of any changes to their profile, goals or objectives, every RIA firm still has an obligation to reach out to the client, confirm that the information you have is still accurate, and ultimately confirm your current understanding of what is suitable for that client.

Confirming suitability can take the shape of having the client complete a new risk questionnaire, sign a new IPS, or having a meeting with the client where you discuss the management of their account and address suitability matters. Documenting this confirmation is critical to the firm's books and records for compliance purposes, and can take the form of client notes indicating that suitability was discussed and the results of that discussion, or updated formal documents such as the questionnaire or IPS. For fund managers, this activity means ensuring that the decisions being made for the fund are reasonably accomplishing the objectives of the fund as described in its documentation, and ensuring that due diligence documentation is retained for various non-public investments. By having this documentation in your firm's books and records you can demonstrate that your firm has upheld its fiduciary duty when making investment decisions for its various clients.

Through the Regulator's Eyes

Regulators expect RIA firms to maintain documentation on each advisory client to support the investment decisions made for their account(s). During an examination, regulators will typically ask firms to provide their risk questionnaires or similar documents used to obtain information about their clients, will also request information about trades in client accounts, and will reconcile the two to ensure that decisions made for clients are suitable and that there is a rational basis connecting the documentation, analysis, and investments. Further, regulators will review the information in your firm's disclosure brochure and reconcile it against the types of investments made, to ensure that the strategies and risks are properly and fully disclosed to clients.

CCO Best Practices

Conduct a random sampling review of client files to verify that suitability is appropriately documented. Run a comparison between the client's trading history and the suitability documented to ensure investment decisions are in line with investment objectives. Validate that the last outreach attempt to each client is within one year. Additionally, review your firm’s client intake/onboarding and ongoing review process to ensure you are capturing adequate information to make, or continue to make, appropriate investment decisions in client accounts and provide advice that is in the client’s best interest.


The AdvisorAssist CCO Series is a collection of blog posts that cover each of the elements of your RIA's compliance program. Each post will provide an overview of one compliance topic, including our insights on how regulators view each topic as well as some practical steps to help Chief Compliance Officers address this topic. As always, we would welcome your comments and thoughts.

June 20, 2019

Who's Who in the Eyes of RIA Regulators

Years ago, as a partner in a small advisory firm, I was asked to review and update our compliance program. This firm was a bit more complex than most, in that we had a pretty expansive set of outside shareholders, contractors and advisory board members in place. When I got to the topic of reviewing "roles" of each of these individuals I got a bit stumped. Who exactly were our "access persons"? Supervised persons?

Fortunately, in most wealth management business models, determining "who's who" in your advisory firm is fairly simple, assuming you understand the SEC's definitions of each role.

Here is an overview of each defined role that advisors must identify and monitor.

Chief Compliance Officer (CCO)
This is an individual that is responsible for administering and enforcing your firm’s compliance program. The CCO may delegate responsibilities to appropriate designees as long as he/she remains primarily responsible for compliance oversight and administration.

The CCO must be empowered with full authority to develop and enforce your firm’s compliance policies and procedures. The CCO and designees must be competent and knowledgeable regarding the Investment Advisers Act of 1940 as well as securities laws that apply to your investment process.

Key Takeaways: Be able to demonstrate that your CCO is knowledgeable of securities regulations and has sufficient authority to enforce and effect change.

Investment Adviser Representative (IAR)
Any person who (for compensation) makes recommendations or delivers advice to clients; manages client portfolios; determines which recommendation or advice regarding securities should be given; solicits, offers, or negotiates for the sale of, or sells, investment advisory services; or supervises people who perform any of these activities.

Key Takeaways: Essentially anyone that provides (or sells) advice for your firm will be considered an IAR. With the exception of administrative duties (like answering the phone, taking messages, or setting up meetings) everyone that has client contact should be an appropriately-licensed IAR of your firm. This includes solicitors.

Supervised Person
A supervised person is any partner, officer, director (or other person occupying similar status or performing similar functions), or employee of an investment adviser, or another person who provides investment advice on behalf of the investment adviser. This definition essentially identifies those individuals who are considered to be under the supervision and control of your firm.

Key Takeaways: Essentially includes your entire team including external solicitors. Your Written Supervisory Procedures apply to all Supervised Persons.

Access Person
An Access Person is anyone who has access to nonpublic information regarding client transactions, who is involved in making securities recommendations to your clients, or who has access to recommendations that are non-public.

Key Takeaways: Non-public information includes client information, trading activity, and model portfolios. Access persons are subject to your firm's Code of Ethics and Personal Trading Policies.


CCOs should maintain an up-to-date list of people that fall under each of these categories. By doing so, they will be in a solid position to ensure (and document) that policies are applied to appropriate people that fall under their firm's compliance program.

May 4, 2018

SEC Action Lookup Website

The U.S. Securities and Exchange Commission ("SEC") has launched a new website [https://www.sec.gov/litigations/sec-action-look-up] that gives investors, as well as advisors recruiting staff, a search tool for finding individuals against whom the SEC has taken action.

The website search includes individuals against whom a judgment or order has been issued by the SEC, including individuals who settled, defaulted, or contested their actions, provided a judgment or order was issued against them.

The results will not include individuals whose cases are currently pending at the trial court or those against whom no judgment or order has been issued. Results will also not include individuals named in district court actions as “relief defendants.” See https://www.sec.gov/sec-action-lookup-information for a full description.

Advisor Takeaways:

The SEC continues to try to close information gaps for investors. Compliance personnel should reference this site before hiring any supervised person. In addition, while reviewing these regulatory actions may provide some entertainment value, there are lessons to be learned. Not every action is rooted in intent. Mistakes happen, and mistakes can be costly. Compliance Officers should add this resource to their toolkit.

AdvisorAssist is here to assist with any compliance or regulatory questions you may have.

February 8, 2018

SEC 2018 Examination Priorities

Each year, the Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (“SEC”) communicates its examination priorities for the upcoming year. The SEC has narrowed its focus to the following common themes: (1) retail investors, (2) compliance and risks in critical market infrastructure, and (3) cybersecurity. Based on these themes, the SEC has pinpointed several key areas of concern that will be focus areas for 2018. Some are similar to years past but continue to be a priority for the SEC. We have provided an overview below of the key topics that RIAs need to be mindful of in 2018.


Disclosure of the Costs of Investing

The SEC will focus on the calculation of fees and expenses paid to the Advisor as well as any compensation that is paid to affiliates of the Advisor.

Focus areas include:

  • Consistency of the advisory fee calculations and the advisory fee methodology disclosures.
  • If charging an asset-based fee, the consistency of the valuation of client securities and the valuation methodology disclosures.
  • Advisors that receive financial incentives to recommend mutual fund share classes (i.e. those with high sales loads or distribution fees).
  • Client accounts that are not re-assigned to a new IAR when an employee leaves the firm.
  • Advisors that transition from commission-based accounts to fee-based accounts.

Electronic Investment Advice

As in prior years, the SEC will continue to focus on advisors that offer investment advice through automated programs (i.e. robo-advisors).

Focus areas include:

  • Oversight of the algorithms used to generate general investment advice.
  • Marketing materials.
  • Policies and procedures related to client data protection.

Wrap Fee Programs

Advisors that charge a wrap fee (i.e. a single fee that includes both advisory fees and execution costs) will need to demonstrate that the wrap fee is in the best interest of the client.

Focus areas include:

  • Any conflicts of interest are disclosed.
  • Review for best execution.
  • Disclosure of execution costs with broker-dealers.

Never Before Examined Investment Advisors

Due to the large volume of newly registered advisors and the limited resources of the SEC, the SEC will continue to prioritize advisors that have “elevated risk profiles”. This likely includes advisors that fall under the scenarios outlined by the 2018 exam priorities.

Senior Investors and Retirement Accounts and Products

Advisors that provide investment advisory services to seniors and/or retirement accounts will continue to be a focus for the SEC. Advisors will need to have internal controls in place to identify and mitigate financial exploitation of seniors.

Focus areas include:

  • Investment product recommendations.
  • Sales of variable insurance products.
  • Usage of target date funds.
  • Advisors that serve state and local government employees and non-profit employees (i.e. 403(b) and 457 plans).

Mutual Funds and ETFs

As the primary investment products for retail clients, the SEC will focus on the types of mutual funds and ETFs recommended to clients.

Focus areas include:

  • Funds that experienced poor performance or liquidity.
  • Funds that are managed by advisors with little experience managing a fund.
  • Funds that hold securities that are difficult to value under market stress (i.e. securitized loans or mortgage-backed securities).
  • Ensure that risk disclosures are provided to investors.

Cryptocurrency, Initial Coin Offerings (ICOs), Secondary Market Trading, and Blockchain

Cryptocurrency has risen wildly in popularity over the past year. The SEC will monitor this space as the number of advisors engaged in this market continues to grow.

Focus areas include:

  • Whether advisors maintain controls and safeguards to protect assets from theft.
  • Whether advisors provide adequate disclosures of the risks associated with these types of investments, including investment losses, trading liquidity, price volatility, and potential fraud.

Cybersecurity

Cybersecurity continues to be a priority for the SEC as we have witnessed large scale cyber attacks over the past year.

Focus areas include:

  • Governance and risk assessment.
  • Access rights and controls.
  • Data loss prevention.
  • Vendor management.
  • Training.
  • Incident response.

Please remember that OCIE and the SEC communicate these as PRIORITIES, not as an all-inclusive list of focus areas. To read the full report, see the "2018 National Exam Program Examination Priorities".

Contributors:

Brian Young
Conor Anderson

December 1, 2017

Three Actionable Tips to Become SEC Examination Ready

Over the summer, we heard rumblings that the SEC was conducting unannounced examinations of RIAs in the Boston area. While we have certainly seen a significant uptick in examinations of never-before-examined advisors, none of them have been unannounced. Whether an exam is routine or unannounced, it is best practice for advisors to stay examination ready, regardless of location or whether they are registered with the SEC or the applicable State(s). As we preach to our clients, take proactive measures to become “examination ready”. Don’t wait until the SEC or a state-level examiner comes knocking at your door!

Here are three (3) actionable tips to consider:

1. Customize your Compliance Program

We see far too many advisors that think they are “plain vanilla” and therefore think they can get by with a generic compliance manual (wrong!). Most firms do not create their compliance manual from a blank page. They start with a model document that addresses the broad regulatory structure and industry requirements. Although a model document is a good starting point, it does not amount to a finished product. RIAs need to know that a one-size-fits-all compliance manual does not exist, and no consultant or legal resource knows the firm better than the people actually operating it on a daily basis. The creation of a firm-specific compliance manual should include three broad steps:

  • Review the model document for content and applicability (ask questions).
  • Customize the model document to be firm specific: tailor the language to your business practice and remove language that is not relevant to your firm. Then operate your firm in a manner that is consistent with your compliance manual.
  • Regularly review and update your compliance manual as the dynamics of the business evolve and the regulatory environment changes. A compliance manual should never be considered a final document, but rather the current draft of a “living document”.

Always remember that SEC or State regulators expect there to be evidence to demonstrate that policies and procedures are being implemented. Simply put, if there is no evidence, it did not happen.

2. Complete an annual review of your Policies and Procedures

At least annually, you should complete a review of the adequacy and effectiveness of your compliance program. Ideally, the firm should conduct risk assessments of its compliance program throughout the year to test the risk controls and identify any weaknesses. If any issues are identified, make sure to take corrective action and document, document, document! If you don’t document the steps you have taken, then (in the regulator’s eyes) it never happened!

Keep in mind that an effective compliance program should identify potential risks and mitigation opportunities. If the established controls never identify a risk or a mitigation opportunity, the controls should be evaluated and potentially revised.

3. Organize your Books and Records

During the examination process, the regulators will want to complete a sampling of your books and records. You should make sure that your books and records are maintained in an organized fashion to ensure they can be readily delivered. The examination process typically starts with a document request letter including (but not limited to):

  • Financial Statements including income statements, balance sheets, and other key accounting records.
  • Client Records including a full list of current and past client accounts, supporting client agreements, profiles, investment policy statements and trade data.
  • Communications with existing or prospective clients including emails, advertisements, and social media accounts.
  • Regulatory filings and other compliance program documents including your ADV 2A/2B, compliance manual, compliance certifications, business continuity plan, code of ethics, and cyber-security policy.

This is by no means an exhaustive list, but should get you started on the right track. If you have any additional questions, please feel free to post a comment below or send an email to info@advisorassist.com.

Contributors:

Brian Young
Dan Rome

August 9, 2017

SEC Risk Alert: Cybersecurity

On August 7, 2017, the Office of Compliance Inspections and Examinations (“OCIE”) released its observations on cybersecurity preparedness from examinations of 75 SEC-registered firms, including registered investment advisors (“RIAs”). Although OCIE noted improvements since its last cybersecurity risk alert in 2014, there is still room for improvement.

The OCIE suggests that RIAs consider the following practices to enhance their cybersecurity policies and procedures.

What you need to know:

  • Include details on how safeguards will be implemented. OCIE recommends adding safeguards that are specific to your RIA's computers and systems to your procedures.
  • Conduct penetration tests to review the effectiveness of the firm's cybersecurity policies and procedures.
  • Perform security monitoring and system auditing of the firm’s cybersecurity framework, so that the firm can answer questions such as when systems are reviewed for software updates and patches and who is responsible for conducting the reviews.
  • Maintain a tracking list of vendors and what data is stored on each vendor’s system.
  • Track the access rights of all employees to the systems that store client data.
  • Implement access controls to firm data and systems, including:
    • Acceptable use policies for using the firm’s network or equipment.
    • Restrictions and controls for using mobile devices when connected to firm systems.
    • Requiring third-party vendors to provide logs of their activity on the firm’s network.
  • Define reporting procedures for the loss of sensitive information, including who should be contacted.
  • Provide mandatory staff training on cybersecurity policies and procedures.
  • Involve senior management in developing and approving the firm’s policies and procedures.

If you have any questions, please schedule time with your compliance consultant to discuss your cybersecurity risks.

For full details of the risk alert:

https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf


Contributors:
Brian Young
Brendan Furey

December 15, 2016

Exam Priorities: Multi-Branch Adviser Initiative

Each year the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) creates initiatives in order to address priorities for examinations of SEC-registered investment advisors (“Advisors”). The OCIE recently issued a risk alert about their ongoing initiative to make Advisors with multiple branch offices an examination priority. This initiative will center on examining the effectiveness of supervisory practices over advisory personnel in branch offices.

What you need to know

The OCIE perceives an increase in Advisors having numerous branch offices and operations that are geographically dispersed from the main office. With the increased use of a branch office model come additional and unique risks, in particular in the design and implementation of a compliance program and in the supervision of people and processes in branch offices. There is a risk that the individual(s) responsible for compliance and oversight will not be able to review adherence to, or enforce the use of, policies and operating procedures.

Review of Compliance Programs

Under SEC Rule 206(4)-7, Advisors are required to implement written policies and procedures reasonably designed to prevent and detect violations of the Advisers Act and related rules by Advisors and their supervised persons. According to the risk alert, during examinations Advisors will be asked about the oversight of the staff at branch offices, and the exam will review the staff’s compliance with the Advisor's policies and procedures. Through interviews of the staff and inspection of books and records, the exam will assess the:
  • Implementation of policies and procedures in the branch offices.
  • Supervision structure, including an assessment of how such supervision is tailored to the unique risks in particular branches.
  • Role and empowerment of compliance personnel charged with overseeing branch offices, including their level of access to documents and relevant information.
  • Accuracy of information on filings regarding branch offices, including Form ADV, as compared to actual business practices.

Review of Investment Recommendations

As a fiduciary, an Advisor has an obligation to act in the best interests of its clients and to identify and disclose any material conflict of interest. According to the risk alert, during the examination, the Advisor will be asked about the process for formulation of investment recommendations and the management of client portfolios at branch offices. In particular the exam will focus on policies and procedures and supervisory controls that cover the following:
  • Oversight. Supervision and review of investment recommendations made to clients within specific branch offices and across branch offices, including processes and controls regarding investment authority, suitability of the investment advice, and any due diligence that the adviser has told clients is undertaken with respect to investments.
  • Conflicts of Interest. Identification, management, and disclosure of conflicts of interest that arise through branch office activities and personnel, including conflicts arising from various compensation arrangements and supervised persons’ outside business activities.
  • Allocation of Investment Opportunities. Allocation of investment opportunities among client accounts, including how branch offices’ trading activity is monitored and what disclosures are made to clients regarding trade allocation.

Additional Areas of the Review

In addition, the exam may focus on assessing compliance and testing controls in one or more of the following risk areas:
  • Fees and Expenses. The calculation of fees and other expenses, including the effectiveness of controls over the billing and invoicing processes.
  • Advertising. Controls over advertisements, such as the process for reviewing and approving advertisements, particularly those created or disseminated by its branch offices.
  • Code of Ethics. The implementation of the code of ethics, including oversight and monitoring of personal securities transactions and whether the Advisor has properly identified access persons at branch offices.
  • Custody. Controls related to the identification of accounts over which the Advisor maintains custody and the involvement of branch office personnel in making such determinations.

CCO Best Practices

To prepare for this initiative and avoid deficiency findings at your firm, AdvisorAssist recommends the following best practices:
  • Perform an annual review of your books and records archive to ensure you are keeping the required documentation.
  • Review your compliance program documents to ensure that they are up to date and correct.
  • Ensure your staff certifies their understanding and adherence to your compliance program at least annually.
  • Test your staff’s adherence to the policies and procedures in your compliance program at least annually.
  • Compile all of your findings into summary reports to document the annual completion of your oversight responsibilities.
  • Conduct formal meetings with any compliance staff in any branch locations to demonstrate supervision of, and compliance by, those branches.

AdvisorAssist’s CCO Series: Exam Priorities is a series of articles that will help your firm understand and prepare for the most common compliance exam topics. Our goal is to increase your confidence that your firm remains “exam ready” and to offer some practical steps to help Chief Compliance Officers address each topic.
Contributors:
Brendan Furey
Brian Young

June 20, 2016

Cybersecurity: Best Practices and Webinar Replay

Webinar Replay

AdvisorAssist recently hosted a webinar titled "Cybersecurity for RIAs: How Safe are You?" Click here to watch or download the replay.

What you need to know

When seeking to act in their clients’ best interests, registered investment advisors collect private information from their clients. This information forms the basis for the advice they will provide to their client, whether through consultation or discretionary investment management. Understandably, the advisor is in continuous possession of private client information while servicing a particular client, investor, or related participant.

Rule 30(a) of Regulation S-P, adopted under the Gramm-Leach-Bliley Act of 1999, requires advisors (along with broker-dealers and investment companies) to adopt policies and procedures that create administrative, technical, and physical safeguards for the protection of customer records and information. These policies and procedures must be reasonably designed to:

  • Ensure the security and confidentiality of customer records and information;
  • Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
  • Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

The SEC has said that an RIA’s policies and procedures must include how advisors conduct periodic risk assessments, implement a firewall, encrypt private client information stored electronically, and maintain a response plan for cybersecurity incidents. Advisors are expected to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.1

Why You Should Care

Identity theft, cyber fraud and high profile security breaches have become common occurrences, especially among commercial merchants and asset managers. Previously, we covered common misperceptions that sometimes stop advisors from properly protecting advisory clients from cyber threats. Since then, the SEC Office of Compliance Inspections and Examinations (“OCIE”) has published a series of Risk Alerts announcing a priority for examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry.

The focus of the OCIE during exams will be on the following areas:

  • Governance and Risk Assessment, including the level of communication to, and involvement of, senior management and boards of directors.
  • Access Rights and Controls, including a review of controls associated with remote access, customer logins, passwords, protocols to address customer login problems, network segmentation, and tiered access.
  • Data Loss Prevention, including how advisors verify the authenticity of a customer request to transfer funds.
  • Vendor Management, including due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms.
  • Training, including how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.

Our Recommendations

To ensure that your firm is keeping up with regulatory requirements and industry best practices in this area, AdvisorAssist recommends that the CCO:

  • Review written policies and procedures to ensure they include:
    1. Identification of Cybersecurity risks
    2. Controls in place to detect and mitigate the Cybersecurity risks
    3. Assessment of points of vulnerability, both operational and technological
    4. A mechanism to gauge the effectiveness of the policies and procedures that protect your networks and sensitive information
    5. Descriptions of how you will respond to a breach of security
  • Train your employees on cybersecurity policies. The policies must be communicated and enforced by the highest levels of management.
  • Document all testing and monitoring of cybersecurity policies.
  • Engage an independent third party provider to conduct internal and external vulnerability assessment scans and penetration tests.
  • Review your Privacy Policy and update as needed.

1. See SEC Release No. 4204 published September 22, 2015.

Contributors:
Brendan Furey
Michael Conlon

February 4, 2014

SEC Announces Cyber Security Exams

Financial Advisor Magazine reports that the SEC will begin conducting Cyber security exams for investment advisory firms by late September.

More at http://www.fa-mag.com/news/cyber-security-exams-coming-for-advisors--says-sec-16805.html?section=101

July 12, 2013

The AdvisorAssist CCO Series: Email Archiving & Surveillance

An important and modern advancement of the SEC’s “Books and Records Rule” is the review and storage of email activity by registered investment advisors (RIAs).

Emails (as well as their attachments) fall under the regulatory definition of “written messages” and, therefore, are subject to the archiving requirements defined within the Books and Records Rule. Likewise, CCOs are expected to ensure that the content of these electronic communications remain within regulatory guidelines and consistent with the fiduciary standard to which they are held.

Email Archiving & Surveillance in a Nutshell

So what does your firm need to do with email? The Books and Records Rule for RIA firms states that “written messages” are subject to archiving requirements. Specifically, written messages must be kept (with some exceptions) for a period of five years, the most recent two of which must be stored on-site or immediately accessible from your office. (As is the case with all books and records, cloud-based systems that are accessible from on-site are considered "on-site".) Email messages that fall under the Books and Records Rule are those sent by employees of registered investment advisors that fall into any of these categories:
  • Compliance Program
  • Client Management
  • Trading
  • Marketing
  • Business Management
  • Potentially others, depending on your firm’s specific business practices.
For more detail on the Books and Records Rule, please see our prior blog post here, and also the text of the full rule here.

Email Archiving
Email messages and attachments must be archived in a manner that preserves their original record state. It is the CCO's responsibility to ensure that all email records are maintained and protected from any alteration or destruction. Similar to your other books and records, regulators allow for cloud-based, electronic storage of email messages and attachments. The key is that you can demonstrate your ability to:
  • reasonably safeguard them from loss, alteration or destruction,
  • prevent unauthorized access from individuals outside your firm, and
  • retrieve archived messages in their original recorded state based on keyword searches, employees and/or specific time frames.
The technology controls protecting archived email should be understood and reviewed periodically to confirm that archived messages cannot be altered or destroyed, so that the archive stays free from both actual tampering and any accusation of wrongdoing by means of altered archival data. Note: your “inbox” does not meet the archiving standard expected by regulators, because anyone who has access to that inbox has the ability to alter or destroy messages or attachments.

Email Surveillance
While the Books and Records Rule requires that you keep copies of your email messages and attachments, there is no specific requirement to monitor or periodically search emails. With that said, your firm’s chief compliance officer (CCO) is expected to follow procedures to detect risks and prevent bad conduct, so it is considered a best practice to conduct some level of proactive surveillance.

CCOs would therefore want to implement some periodic review of the messages that are sent and received, so as to ensure compliance with SEC (or state) regulations, like adherence to your Code of Ethics and advertising constraints, among others. The frequency and depth of review should be based on the structure and complexity of your firm’s business.

Through the Regulator’s Eyes

Regulators will focus on two aspects of your email system: the quality of your archive, and your surveillance process. In their view, these tasks are designed to protect your business and clients from unauthorized access or disclosure of sensitive data, and also to ensure that your firm is actively monitoring its staff and addressing issues internally. Regulators expect you to be able to retrieve any email sent or received that may be used to substantiate your finances, support the decisions made on behalf of your clients, or validate that you are always adhering to your fiduciary duty.

Recently, the SEC Commissioners’ opinion has also clarified that a firm’s obligation to produce electronic records includes employees’ personal email messages, Instant Messages (IMs), text messages and personal computer hard drives when they are used for business purposes.

Thinking through an advisor complaint will help define the expectations that will be placed on your firm during an examination. Regulators are required to respond to every complaint lodged against an RIA, and in that response they may request any and all emails sent and received between the firm and the client involved. As such, you want to be confident that those records exist and are ready to retrieve. A complete history of all communications through the past five years in a readily accessible archive will allow you to promptly respond to the regulator’s request and reach a resolution. Additionally, the regulators will wonder why it reached this point, and will look to your policy and process of email surveillance and the business practices that surround them. Regulators want to ensure that you are reasonably monitoring your employees’ communications that are subject to the Books and Records Rule, to verify that you have a satisfactory level of prevention to internally address potential issues before they escalate. In response, you will want to provide reports and supporting documentation of email surveillance performed by the firm.

Most states enforce the Books and Records requirement on registered investment advisors in a manner consistent with the SEC, but if you are under the oversight of state regulators, you’ll want to familiarize yourself with their requirements as well.

CCO Best Practices for Email Archiving & Surveillance


  • Create an inventory list of all possible avenues of communication, including your company email system(s), your CRM to the extent it can send and receive messages, social media websites, standard mail through a post office, text and instant messaging, cloud-based file sharing like DropBox, and others.
  • Consider creating an approved technology and device list, so as to limit unauthorized use of communications and limit the scope of your firm’s technology usage for the purposes of monitoring and regulatory examination. For example, requiring that business communications and documents are transmitted only through company-owned computers or devices.
  • Don’t be surprised when regulators request to review personal email or messages sent, received or stored on personal devices, such as personal cell phones, so as to ensure that there is no business usage of those devices, and prepare your employees for those requests.
  • Don’t approach email surveillance and archiving as a compliance chore. The best practice in the long term is to foster strong relationships between compliance and the individuals that are subject to your firm's compliance program. For instance, ensure that compliance is represented in any discussions related to operational or technology changes.
  • Periodically conduct email surveillance by searching for keywords (e.g. “complaint”, “performance”, “guarantee”, “superior”, “great performance”, “guaranteed performance”.)
  • Integrate your email surveillance and archiving requirements into your firm’s technology architecture to generate a culture of compliance among your technology operations, and keep current with any changes in your technology policies and procedures.
  • Perform due diligence on vendors that provide your firm with applicable communication streams, such as cloud-based email archiving service providers, to verify they have appropriate physical, electronic and procedural safeguards. Document the results of this due diligence and include in your annual CCO report.
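As an added illustration of the two properties described above (an archive that cannot be silently altered, and retrieval by keyword, sender and time frame), the following Python sketch is example code written for this edit, not AdvisorAssist's code or any archiving vendor's product. It stores each raw message under its SHA-256 digest, keeps a manifest of those digests so that any altered or missing message is detected on verification, and searches the archive by keyword, sender and UTC date window. The three messages and the keyword list are constructed for the example.

```python
"""Tamper-evident email archive with surveillance search (added example).

Standard library only. The archive is tamper-evident, not tamper-proof: the
manifest of digests must itself live where inbox users cannot write to it
(for instance a vendor's write-once storage), or an insider could rewrite
both a message and its recorded digest.
"""
import hashlib
from datetime import datetime, timezone
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample messages (RFC 5322 text); not real correspondence.
SAMPLE_MESSAGES = [
"""From: advisor@example-ria.com
To: client@example.com
Date: Mon, 01 Jul 2013 09:15:00 -0400
Subject: Q2 review
Message-ID: <m1@example-ria.com>

Attached is your quarterly review. Let me know if you have questions.
""",
"""From: advisor@example-ria.com
To: prospect@example.com
Date: Tue, 02 Jul 2013 14:02:00 -0400
Subject: Our strategy
Message-ID: <m2@example-ria.com>

Our strategy has delivered superior results and guaranteed performance.
""",
"""From: client@example.com
To: advisor@example-ria.com
Date: Wed, 03 Jul 2013 08:30:00 -0400
Subject: Complaint about fees
Message-ID: <m3@example-ria.com>

I have a complaint about the fee charged last month.
""",
]

# Assumed surveillance keyword list, of the kind the post suggests.
KEYWORDS = ("complaint", "performance", "guarantee", "superior")


class EmailArchive:
    """Content-addressed store plus an ordered manifest of digests."""

    def __init__(self):
        self._store = {}    # digest -> raw message text, written once
        self.manifest = []  # [{digest, message_id, sender, date}, ...]

    @staticmethod
    def digest(raw):
        return hashlib.sha256(raw.encode("utf-8")).hexdigest()

    def ingest(self, raw):
        """Archive one raw message; re-ingesting identical text is a no-op."""
        d = self.digest(raw)
        if d in self._store:
            return d
        msg = message_from_string(raw, policy=policy.default)
        when = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
        self._store[d] = raw
        self.manifest.append({
            "digest": d,
            "message_id": str(msg["Message-ID"]),
            "sender": str(msg["From"]),
            "date": when.isoformat(),
        })
        return d

    def verify(self):
        """Return digests whose stored content is missing or no longer matches."""
        bad = []
        for entry in self.manifest:
            raw = self._store.get(entry["digest"])
            if raw is None or self.digest(raw) != entry["digest"]:
                bad.append(entry["digest"])
        return bad

    def search(self, keywords=(), sender=None, start=None, end=None):
        """Retrieve messages by keyword (subject + plain body), sender substring
        and/or an ISO-8601 UTC date window; returns message ids and matches."""
        start_dt = datetime.fromisoformat(start) if start else None
        end_dt = datetime.fromisoformat(end) if end else None
        hits = []
        for entry in self.manifest:
            when = datetime.fromisoformat(entry["date"])
            if sender and sender.lower() not in entry["sender"].lower():
                continue
            if start_dt and when < start_dt:
                continue
            if end_dt and when > end_dt:
                continue
            msg = message_from_string(self._store[entry["digest"]], policy=policy.default)
            body = msg.get_body(preferencelist=("plain",))
            text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
            matched = [k for k in keywords if k.lower() in text.lower()]
            if keywords and not matched:
                continue
            hits.append({"message_id": entry["message_id"], "matched": matched})
        return hits


def build_sample_archive():
    archive = EmailArchive()
    for raw in SAMPLE_MESSAGES:
        archive.ingest(raw)
    return archive


def simulate_tampering(archive):
    """Edit one stored message in place, as someone with write access to the
    store could; returns the digest that verification should now flag."""
    d = archive.manifest[1]["digest"]
    archive._store[d] = archive._store[d].replace("guaranteed", "expected")
    return d


if __name__ == "__main__":
    arc = build_sample_archive()
    print("archive intact:", arc.verify() == [])
    for hit in arc.search(keywords=KEYWORDS):
        print(hit)
    flagged = simulate_tampering(arc)
    print("tampered message flagged:", flagged in arc.verify())
```

Run as a script it lists the two messages that trip the keyword list, then shows that a single word changed in the store is caught by `verify()`. The same idea scales to a real deployment only if the manifest (or a periodically signed copy of it) is kept out of reach of anyone who can write to the message store.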

The AdvisorAssist CCO Series is a collection of blog posts that cover each of the elements of your RIA's compliance program. Each post will provide an overview of one compliance topic, including our insights on how regulators view each topic as well as some practical steps to help Chief Compliance Officers address this topic. As always, we would welcome your comments and thoughts.

Michael D. Conlon

Photo Courtesy of: http://www.flickr.com/photos/epublicist/

March 28, 2013

Are you a late ADV filer? You still have time.

Annual ADV Filing - Due April 1st!

If you have yet to file your annual update to your Form ADV Part 1 and Part 2, you still have time.

An RIA is required to file its annual amendment to Form ADV Part 1 and Part 2 (the "Disclosure Brochure") and ensure all related documents and disclosures are up to date. Each year advisors are required to complete these updates through the IARD filing system within 90 days following fiscal year end. For December 31 year-end firms, the deadline would be March 31st. As March 31st falls on a Sunday and Friday, March 29th is a FINRA holiday, the IARD system is closed on both days, and the SEC has issued a notice (see below) that extends the ADV filing deadline to Monday, April 1, 2013.

The SEC notice is below:


Notice to Form ADV Filers

Filers should be aware of the following:

Rule 204-1 under the Advisers Act requires advisers to file an "Annual Updating Amendment" to Form ADV with the Commission within 90 days after their firm's fiscal year end. Many advisers have a December 31 fiscal year end, which means that they would have to file their annual amendment by March 31, 2013. This year, March 31 falls on a Sunday. In addition, Friday, March 29, 2013 is a holiday for FINRA (the entity that runs the IARD system). The IARD system therefore is closed both March 29 and March 31, 2013.

Rule 0-4 under the Advisers Act provides that filings required to be made through the IARD on a day that the IARD is closed will be considered timely filed with the Commission if filed through the IARD no later than the following business day. (See Title 17: Commodity and Securities Exchanges Part 275 - Rules and Regulations, Investment Advisers Act of 1940) Therefore, advisers with a December 31 fiscal year end may file their Annual Updating Amendments no later than Monday, April 1, 2013.

If you have any questions about the Form ADV deadlines, please contact:

The Office of Chief Counsel / Public Inquiry

Phone: (202) 551-6865
E-mail: IMOCC@sec.gov

http://www.sec.gov/divisions/investment/imannouncements/formn-mfp-im.htm

February 7, 2013

A Regulatory AUM Primer for RIAs

The SEC and states are aggressively reviewing the reported regulatory AUM of advisors. Calculating your regulatory AUM (“RAUM”) under this new definition often requires a close inspection of the service you are providing, the role you play for clients, and how you receive compensation.

The SEC (and states) define “regulatory assets under management” as assets where the advisor provides “continuous and regular supervisory or management services.” Here are some guidelines to help you determine which of your clients’ assets should be counted towards your RAUM under this new definition.

  1. How do you describe your services in advisory agreements?
     If your advisory agreement for a particular client indicates that you provide ongoing management services, this suggests that these assets should be counted towards “regulatory AUM.” But before doing so, advisors should read on to be certain.

  2. How are you compensated for your advisory services?
     If your advisory fees are calculated based on your client’s average market value over a specific time period, this suggests continuous and regular supervisory or management services. Other advisory fee arrangements, however, would suggest otherwise. For example:
     • Time-based. If your advisory fee is based on the amount of time spent with a client
     • Project-based. If you charge a one-time financial planning fee based on the assets covered under a plan

  3. How do you manage your clients’ assets?
     In the following instances you would likely count these assets as regulatory AUM:
     • If you have discretionary authority to allocate client assets among third-party asset managers
     • If you allocate client assets to other managers (as a “manager of managers”), but only if you have discretion to hire and fire these managers and/or reallocate among these managers, or if you recommend that clients hire/fire or reallocate among managers.
     • If you do not have discretionary authority (but otherwise satisfy the definition of “continuous and regular supervisory or management services”) and provide recommendations to your clients on their holdings, you should count these assets as regulatory AUM if you are responsible for arranging or effecting transactions after your client accepts your recommendations.

    The key here is the extent to which you monitor your client’s portfolios, needs and objectives. Infrequent rebalancing or trading (in and of itself) does not necessarily mean that your advisory services are not “continuous and regular.” According to the SEC, you do not provide continuous and regular supervisory or management services for clients where you provide:

    • Market timing recommendations (but have no ongoing management responsibilities)
    • Impersonal investment advice (like a newsletter)
    • Guidance on an initial asset allocation (without continuous and regular monitoring and reallocation)
    • Advice on an intermittent or periodic basis (e.g. upon client request, in response to a market event, or only at pre-specified points in time, like quarterly or annual reviews, or employee education seminars for defined contribution plans)

What about “held away” accounts?
Accounts that are “held away” follow the same logic. If you provide “continuous and regular” services for these accounts (and your advisory agreements and services are consistent with the tests noted here), then they may be counted towards regulatory AUM. This includes situations where you serve as a 3(21) or 3(38) fiduciary on ERISA assets (e.g. 401(k) or other defined contribution plans). If you provide plan-level recommendations or are charged with implementing changes to the plan, you should count these towards your regulatory AUM.



Brian Lauzon

February 1, 2013

SEC names Canellos as Enforcement Chief

Long-time prosecutor, George Canellos, has been appointed as acting enforcement chief of the U.S. Securities and Exchange Commission. His authority will kick in on February 8, 2013.

Canellos was tapped to fill the void of the much discussed departure of Robert Khuzami. Canellos served under Khuzami. In an endorsement, Khuzami states, "George is highly respected for his intellect, prosecutorial instincts, and commitment to tough and fair enforcement of the federal securities laws."

Will this be a long-term role?

Only time, politics, and possibly job performance (and did I mention politics) will tell. With the appointment of Mary Jo White to take over from interim chief Elisse B. Walter, this could be short-lived.

Stay tuned.

July 31, 2012

FINRA off the table for 2012

For the moment, FINRA as a Self-Regulatory Organization for RIAs is off the table. H.R. 4624 (the “Investment Adviser Oversight Act of 2012”), which would subject RIA firms to the absurd rule making, inspection and enforcement authority of FINRA, is off the table for this session of Congress.

Not a time for celebrating...

FINRA and its advocates have taken a step back to come up with a better argument and hope the SEC makes no progress on funding, increased exam coverage and credibility. Expect to see this come back in the next session!

As the lesser of two evils, the discussion on RIA exam fees is back in circulation.
On July 25, 2012, Rep. Maxine Waters (D-Calif.) proposed a bill that would permit the SEC to impose user fees on SEC-registered investment advisors (note: SEC-registered only) that would be used solely to enhance the SEC's examination program.

We see it as a likely reality that more fees are in store for advisors. This will also pave the way for states to implement exam fees.

Sadly, we have yet to see a bill that suggests the SEC actually review its methodology. 

That's politics. We'll keep you apprised of the developments.


February, 2013 Update

Citing a lack of "strong momentum," FINRA has stepped out of the ring and has backed off their efforts to convince Congress that they should oversee registered investment advisors. No doubt they are strategizing on their next move so we will most likely see them resurface at some point. Our view remains that FINRA's long term approach to regulating broker dealers and registered representatives is not a good fit for regulating fiduciaries.