2021 Exam Priorities: Discussion for Registered Investment Advisors

Main Contributor: Katie Mogan, IACCP® Vice President, Senior Compliance Consultant 

2021 Exam Priorities: Discussion for Registered Investment Advisors

We finally have the 2021 Examination Priorities (“Priorities”) from the SEC, albeit later than previous years. You can read the release here.

The Priorities for 2021 are strikingly similar to those of previous years, as noted below:

1. Retail Investors, Including Seniors and Individuals Saving for Retirement

2. Information Security and Operational Resiliency

3. Financial Technology (FINTECH) and Innovation Including Digital Assets

4. Anti-Money Laundering (AML)

5. The London Inter-Bank Offered Rate (LIBOR) Transition

6. Additional Focus Areas Involving RIAs and Investment Companies

7. Additional Focus Areas Involving Broker-Dealers and Municipal Advisors

8. Market Infrastructure

9. Focus on FINRA and MSRB

Within this article we will focus on the key issues for Registered Investment Advisors so not all of the areas in the Priorities are identified here.  Small note of distinction before we dive into the Priorities.  The new name of the Office of Compliance Inspections and Examinations (“OCIE”) is now the Division of Examinations, and the SEC will refer to the old OCIE as the Division or EXAMS. The SEC also created a new team to respond to new and emerging risk areas, called Event and Emerging Risks Examinations Team (EERT).  We will be using these terms throughout this and future articles.

As a reminder, the key to a successful compliance program is ensuring your firm: 

1. Has policies and procedures that are consistent with actual practice;

2. Provides regular internal training so employees are aware of their requirements;

3. Maintains proper supervision of employee activities;

4. Generates a comprehensive annual review that tests your procedures to ensure they are in fact being followed and are reasonably designed; and

5. Has a system/infrastructure that supports and empowers compliance and adapts to the necessary changes.

The annual examination priorities are a great tool for compliance professionals to use as they embark on a new year and set up their compliance calendars for the annual review. Below are the key risk areas we believe can be added to annual reviews with substantive testing and reviews, where applicable.

Retail Investors: Seniors and Those Saving For Retirement

Once again, we see senior investors, retirees and now those saving for retirement on the list of exam priorities for the SEC.  We have seen this in previous Exam Priorities and Risk Alerts, and we believe this topic is here to stay. The SEC will focus on services and investments targeted to seniors and retirees such as the selection of higher cost mutual funds and exchange traded funds (“ETFs”); municipal securities whose operations have had significant impacts on their operations and finances due to the pandemic; other fixed-income instruments for compliance with best execution, pricing, and disclosures on markups and markdowns; and micro-cap securities and questionable claims made during the pandemic.

SCS Suggests

If you have read any of our previous articles this will not come as surprise to you, as much of our advice remains consistently the same:

1. Review your disclosures and make certain that you have clearly disclosed all fees, expenses and conflicts of interest to your clients. The most common conflicts are around fees and the recommendations made that provide the advisor more fees.  For example, if you are the advisor to a mutual fund that you are recommending a client invest in, then you have a potential conflict due to your financial interest in that investment.  You will also want to make certain the recommended investment does not cost your client more money and therefore should provide discounts when it makes sense.  Be sure to take into consideration any indirect compensation (i.e. soft dollars) when making your analysis and updating your disclosures.

2. If you have senior investors, consider training your client-facing staff on signs of diminished capacity and elder abuse. The training should touch on key signals that your elderly clients may be in need of assistance. New beneficiaries or trustees on accounts, sudden changes to investment strategy and frequent withdrawals can possibly indicate elder abuse. Confusion on previous discussions with regard to investment decisions or forgetting previous conversations can indicate diminished capacity. Employees should know their clients they have direct relationships with and inform compliance when something seems off in order for the firm continue with its fiduciary obligations of doing what is best for the client.

3. If you have retail clients, ensure you have filed Form CRS timely, posted it to your website and provided it to your retail clients initially and then as required by the Rule. See our blog for more information on Form CRS.

4. The SEC has identified senior investors, retirees, teachers, military personnel and individuals saving for retirement as sub-group of retail investors they intend to focus on during exams. Ensure a process is in place to test and review investment recommendations made to retail investors, especially this newer focus group. Testing can be as simple as a review of their IPS or advisory agreements for intended investment goals, objectives and risk tolerance to their actual portfolio holdings. Review recommendations in light of the SEC’s focus of mutual funds and exchange traded funds (“ETFs”), municipal securities and other fixed-income instruments and micro-cap securities to ensure recommendations, disclosures and documentation is all in line with the client’s documented tolerance/desires.

5. Turnkey asset management platforms (“TAMPS”) and advisors using them should review fees and revenue sharing arrangements to ensure they are adequately disclosed to clients and any additional fees are clearly explained.

Information Security & Operational Resiliency: Remote Working

In light of the pandemic and so many working from home, the SEC will focus on information security and operational resiliency. The Division intends to focus on the following during exams to make sure advisors have taken the appropriate measure to:

1. Safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access;

2. Oversee vendors and service providers;

3. Address malicious email activities, such as phishing or account intrusions;

4. Respond to incidents, including those related to ransomware attacks; and

5. Manage operations risk as a result of dispersed employees in a work-from-home environment.

Even if you are not a technology expert, there are tasks you can incorporate into your annual review to better understand your information security risk level and to increase protections for your firm and your clients as employees work-from-home.

SCS Suggests

1. Educate and Train. First off, educate yourself regularly about cyber security and stay up to date on the current security requirements.  In a July 2020 risk alert the SEC encouraged registrants to utilize the Department of Homeland Security Cybersecurity and Infrastructure Security Agency which provides alerts regarding recent ransomware attacks.  If reading the Department of Homeland Security’s website is not your cup of tea, there are also service providers out there that offer regular updates on current trends to keep yourself in the loop. Then, train your staff and remind them regularly of the habits they need to be employing to protect themselves, the firm, and the firm’s clients.  Remind them that when working from home, the same rules apply!

2. Work-from-home environment. During the pandemic advisory firms pivoted quickly to provide seamless service to clients. Some advisors saw little change in their day-to-day work life. Most firms incorporated new technology such as Zoom calls and remote learning and everything in between. Some changes are everlasting and others only temporary. For your 2020 annual review consider what worked and what did not, policies that changed and new processes that were implemented. Document in your annual review the wins and losses.

3. Consider cybersecurity insurance. There are many plans available that will provide you the support you need in the event of a data breach, including forensic testing and legal advice.

4. Be an expert or hire an expert. If you do not have the resources internally to be able to understand and keep up with current trends, technology, and best practices, hire an expert to assist.  Depending on your needs, you can find firms that not only educate and implement, but also monitor your current systems on a regular basis and provide reporting to support the current environment.

5. Test your plan. One of the most effective forms of testing is a phishing simulation test conducted with your employees.  Your employees are your #1 risk for a cyber-attack and the most common form of attack is the result of a user action.  Test your employees and provide them the results and training afterwards.  A vulnerability review can assess the current environment to determine what areas of your infrastructure are a high risk and what changes should be implemented to properly safeguard and protect your clients.  Penetration testing involves a simulated attacked to exploit weaknesses.  By obtaining these forms of testing, your firm can obtain expert, unbiased feedback, which can prevent expensive and damaging breaches.

6. Create an Incident Response Plan (“IR Plan”). An IR plan serves as the guide for how your firm will respond in the event of a breach. Having a well-planned approach can reduce damage, recovery time and expenses. Some key elements of an IR Plan are:

   1. A risk assessment/analysis of the situation, including the nature, scope, and parties impacted;

   2. Determining whether the FBI or other federal and state agencies should be notified;

   3. Determining whether the parties impacted need to be notified;

   4. A post-incident review of current procedures and processes for changes to prevent further breaches; and

   5. Proper documentation

7. Complete due diligence on third party service providers; particularly those that have access to sensitive information. Document your due diligence in your annual review, prioritizing key vendors first. Key vendors are vendors that are vital to your advisory firm’s business continuation.

Conclusion

The 2021 Exam Priorities are more of the same but are helpful in creating your annual review and updating your policies and procedures. 2020 saw an unprecedented year in markets and our work/life balance.  The SEC will certainly expect you to address the pandemic in your annual review, even if the consequences on your firm were minimal.  If you struggle to start or finish your annual review, the 2021 Exam Priorities is a great starting or ending point. Review in light of the topics that have a direct impact on your firm and review your policies to check that you are addressing the SEC’s main points. And remember, Exam Priorities are just that, priorities. Keep plugging away at your annual review: document your findings and correct/improve policies that are not working for your firm, whether or not they are included in the 2021 Priorities.