Throughout the year, the Securities and Exchange Commission's ("SEC") Office of Compliance Inspections and Examinations ("OCIE") releases various risk alerts flagging compliance risks and concerns related to registered investment adviser ("RIA") firms. Risk alerts are typically issued as a result of a large number of compliance deficiencies uncovered during regulatory examinations. To help keep you and your firm up-to-date, RIA in a Box releases blog posts summarizing risk alert announcements and rule changes as they occur.
Given that context, paying attention to risk alerts throughout the year might be one of the most important things you do for your advisory business. But we understand that you’re busy with managing client relationships and all the other concerns of running a business, so we stay on top of alerts for you. So let’s review the SEC’s RIA regulatory compliance announcements for the year:
1. SEC Issues Risk Alert on RIA Form CRS Compliance Examinations (April 2020)
On April 7, the SEC outlined the scope and content of the initial examinations that would follow the June 30 compliance date for the Form CRS (“ADV Part 3”). As part of larger Reg BI updates, the new Form CRS rule requires certain SEC-registered investment adviser ("RIA") and broker-dealer firms to provide new and existing retail investors with a brief relationship summary known as the Form CRS. Among the areas of focus that the SEC highlighted: Delivering and Filing; Content; Formatting; Updates; and Recordkeeping.
On June 23, the SEC released a risk alert regarding RIAs who manage private equity funds or hedge funds. According to the alert, the SEC had noticed numerous deficiencies in three areas: 1) conflicts of interest, 2) fees and expenses, and 3) policies and procedures related to material non-public information ("MNPI"). The more than 36% of SEC-registered RIA firms that currently manage one or more private funds should expect continued and increased regulatory scrutiny in the coming years.
3. SEC RIA Cybersecurity Risk Alert Flags Ransomware Attacks (July 2020)
On July 10, the SEC released a risk alert regarding phishing campaigns aimed at infiltrating “financial institution networks to, among other objectives, access internal resources and deploy ransomware.” The alert recommended advisers follow cybersecurity alerts from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency for the latest information. Failure to implement policies and procedures related to cybersecurity could mean regulatory compliance issues, as well as broader business issues.
4. SEC RIA Cybersecurity Risk Alert Flags COVID-19 Compliance Risks (August 2020)
On August 12, the SEC released a risk alert highlighting select COVID-19 compliance risks and considerations for RIAs. The SEC observed regulatory deficiencies specifically related to the unique challenges of the pandemic in six key areas:
- Protection of investors’ assets
- Supervision of personnel
- Practices relating to fees, expenses, and financial transactions
- Investment fraud
- Business continuity
- Protection of investor and other sensitive information
5. SEC RIA Cybersecurity Risk Alert Flags Credential Stuffing (September 2020)
On September 15, the SEC released a risk alert regarding an increase in the number of cyberattacks using a technique called “credential stuffing.” Credential stuffing is a strategy for cyberattacks where credentials from a previous successful data breach are used to attempt to log into another unrelated service or website. According to the alert, credential stuffing is most successful when users utilize the “same password or minor variations of the same password for various online accounts, and/or individuals use login usernames that are easily guessed.” The SEC urged all RIA firms to review all logins for password strength, length, type and more. In other words, make updating your passwords one of your 2021 resolutions.
6. SEC RIA Compliance Risk Alert Flags Multi-Branch Office Risks (November 2020)
On November 9, the SEC released a risk alert after a series of exams focused on multi-branch RIA firms with operations that are “geographically dispersed” from the main branch. The most common deficiency found during these exams was a lack of consistency in policies and procedures between offices. Out of 40 firms, half of them had policies and procedures that were:
- Inaccurate or contained outdated information;
- Not consistently applied in all branch offices;
- Inadequately implemented; or
- Not enforced.
7. SEC RIA Compliance Risk Alert Highlights RIA Compliance Rule Issues (November 2020)
On November 19, the SEC released a risk alert regarding compliance deficiencies related to Rule 206(4)-7, also known as the "Compliance Rule", under the Investment Advisers Act of 1940 ("Advisers Act"). Many of the deficiencies centered around inadequate policies and procedures – the primary document that RIA firms should regularly revise to avoid violating the Compliance Rule. Specific deficiencies referenced include: inadequate compliance resources; insufficient authority of CCOs; annual review deficiencies; and multiple issues regarding policies and procedures.