2020 SEC Exam Priorities

2020 SEC Exam Priorities

29 January 2020

I can’t think of a better way to start off the year than by reading the SEC’s Exam Priorities for 2020.  Okay, I’m being a bit facetious.  But in all honesty, I do look forward to this publication. It is a great compliance tool because it puts a spotlight on SEC focus areas and allows you, the compliance professional, to review your policies and risk matrix with hot topics in mind.  So, what are they focusing on this year?

  1. Retail Investors
  2. Market Infrastructure
  3. Information Security
  4. RIAs that have never been examined or newly registered for several years and have yet to be examined (including RIAs advising retail investors and private funds)
  5. Risk-based exams for investment companies, broker dealers and municipal advisors
  6. Anti-money laundering programs – for broker dealers
  7. Fintech, digital assets, and electronic investment advice (hello Robo-advisors)
  8. Review of FINRA and MSRB operations

We encourage you to take the time to read through the SEC’s Exam Priorities.  It’s actually not too hard to read, being 28 pages and written in plain English.  It also provides some interesting facts and statistics about the industry and their exams.

I also want to remind you that the key to surviving any kind of exam is dependent on the amount of work put in before they arrive.  You could read these articles, but it doesn’t matter if the following does not exist within your firm:

  1. Having policies and procedures that are consistent with actual practice
  2. Providing regular internal training so employees are aware of their requirements
  3. Maintaining proper supervision of employee activities
  4. Generating a comprehensive annual review that tests your procedures to ensure they are in fact being followed and are reasonably designed
  5. A system/infrastructure that supports and empowers compliance and adapts to the necessary changes

We have summarized the two (2) categories that we believe directly impact registered investment advisors below.

Retail Investors

This category shouldn’t come as a surprise as this has been on the SEC’s radar for years and for good reason, given the rising population of baby boomers.  In 2017, the percentage of Americans 65 or older was about 15.6%. That number is expected to reach 22.1% by 2050.  The SEC has indicated that the focus will continue to be on disclosures relating to fees, expenses, and conflicts of interest.  They will also focus on the investments marketed to retail investors, including mutual funds, exchange traded funds, fixed income securities, and microcap securities.

SCS Suggests

If you have read any of our previous articles this won’t come as surprise to you, as much of our advice remains consistently the same:

  1. Review your disclosures and make certain that you have clearly disclosed all fees and expenses and conflicts of interest to your clients. The most common conflicts are around fees are the recommendations made that provide the advisor more fees.  For example, if you are the advisor to a mutual fund that you are recommending the client invest in, then you have a potential conflict because of your financial interest in that investment.  You will also want to make certain the recommended investment doesn’t cost your client more money and therefore provide discounts when it makes sense.  Be sure to take into consideration any indirect compensation (i.e. soft dollars) when making your analysis and updating your disclosures.
  2. Review the firm’s processes for making investment recommendations to ensure it is in the best interest of your clients. Having a process to record and document trade rationale will be a critical component to successfully demonstrating that the trading activity is in the client’s best interest.
  3. If you recommend riskier products, such as private placements and annuities, to senior investors be prepared to substantiate that they have been provided with all the facts, including the risks involved and how those risks are suitable for their needs. Having a suitability checklist and IPS for each client will be critical for your supporting documentation.
  4. The SEC expects you to aggregate household accounts, whenever possible, to reduce the overall fee rates being paid by the retail clients.
  5. Although not addressed in this risk alert, in our experience, the SEC also expects you to refund any fees paid in advance when a client terminates. They believe by not doing so, you are penalizing your client and therefore going against your fiduciary responsibility.
  6. Be prepared for the Form CRS Relationship Summary, which has a direct impact on retail investors.

Information Security

The SEC will focus on the following areas as it relates to information security:

  1. Proper configuration of network storage devices
  2. Information security governance
  3. Retail trading information security

The six (6) areas the SEC will look for in an information security policy are:

  1. Governance and risk management
  2. Access controls
  3. Data loss prevention
  4. Vendor management
  5. Training
  6. Incident response and resiliency

The SEC will also continue to focus on compliance with Regulation S-P.

SCS Suggests

  1. Educate and Train. First off, educate yourself regularly about cyber security and stay up to date on the current security requirements.  Then, train your staff and remind them regularly of the habits they need to be employing to protect themselves, the firm, and the firm’s clients.  People have to be reminded!
  2. Get cybersecurity insurance. There are many plans available that will provide you the support you need in the event of a data breach, including forensic testing and legal advice.
  3. Test your plan. This doesn’t mean you need to spend $30K on penetration testing.  Understand your firm’s infrastructure and schedule the type of testing that is appropriate based on your firm’s risks and weaknesses.  One of the most effective forms of testing is a phishing simulation test conducted with your employees.  Your employees are your #1 risk for a cyber-attack and the most common form of attack is the result of a user action.  Test your employees and provide them the results and training afterwards.
  4. Complete due diligence on third party service providers; particularly those that have access to sensitive information.

Conclusion

The 2020 Exam Priorities should come as no surprise for registered investment advisors, including the repeat of retail clients and information security. Use the Priorities to your advantage and review your disclosures (which you should be doing regardless this time of year) and make sure you have proper training for your staff. Updating your policies and procedures does not have to be a daunting task because you know the areas to review and update, if necessary.  Take a risk-based approach to your testing; meaning, the more likely or serious a risk the more attention and testing a particular risk should have in your review. And finally, in preparation for an exam, a great tool to use are the Exam Priorities.