2023 Division Exam Priorities
Main Contributor: Gretchen Sturdivan, CSCP Creative Director & Compliance Manager
Background
February 7th, 2023 – a day made far less significant in the wake of additional rule proposals, but nonetheless, the day that delivered to us the Division’s 2023 Exam priorities. Before you rip your hair out, take solace in the fact that these exam priorities are not surprising and should not cause great upheavals to your compliance program. At least, if you’ve been paying attention!
Looking back at 2022, the Division of Exams (“EXAMS” or “the Division”) noted that they provided seven risk alerts last year to inform advisers of common compliance issues observed in exams and promote compliance. In those exams conducted last year, they covered 15% of the registered investment adviser population, which has grown to more than 15,000. They also noted that they expect to increase their on-site interactions with advisers during exams in 2023 but will also continue to “leverage remote exams where it makes sense to do so.”
As a reminder, the examination priorities are published to share what the Division considers to be the greatest areas of risk to investors, which are areas in which they expect compliance. This should, in turn, encourage us to review our policies and risk assessments to ensure they appropriately address these high-profile risk areas. In this article, we will discuss those risk areas and any suggestions we have to mitigate the associated risk.
New Rules Under the Microscope
For the last two years at SCS, we had been driving home the importance of compliance with the new marketing rule by the deadline of November 4, 2022, which included implementing policies and procedures, training staff, and updating relevant materials. A massive undertaking for many, not to be forgotten. However, the safety-net time is over, as we will now see a focus during examinations as they review our work. The SEC never did provide much guidance or clarification on the new Marketing Rule, so it appears we will find out the hard way – through exams. We all have questions and now we are going to learn from the collective, from the findings generated out of examinations.
EXAMS will also be focused on the Investment Company Act Rules: Derivatives and Fair Valuation. They will evaluate whether policies are in place and whether the rules have been adopted and implemented.
SCS Suggests
As EXAMS will focus on policy design, this would be a great time to re-read your policies to ensure they capture the nuances of how your firm operates when it comes to marketing, which should help prevent violations. Take the time to ensure the key marketing professionals, at the very least, are trained and feel equipped to address the new rule’s requirements when they are producing materials. We also continue going back to the rule itself as questions arise with new marketing pieces and scenarios, so we suggest you do the same. As you re-read the rule and familiarize yourself with the requirements, you are able to confidently review marketing materials that come across your desk and support your stance with evidence directly from the rule. EXAMS will review to see if rules have been misinterpreted, so it’s important to ensure you understand the requirements imposed upon your firm.
RIAs to Private Funds
According to the Division, there has been an 80% increase in the assets managed by advisers to private funds in the last five years. This is a 10% jump from last year’s report. Over 35% of all RIAs (about 5,500 RIAs) now manage private fund assets in various strategies. This is a significant share of the market as well as significant growth, and these advisers continue to be scrutinized, specifically as it relates to:
Conflicts of interest;
The calculation and allocation of fees and expenses;
Compliance with the new Marketing Rule (including performance advertising, compensated testimonials, and endorsements/solicitations);
Policies and practices regarding the use of alternative data; and
Compliance with the custody rule, including the audited financial delivery and selection of permissible auditors.
Apparently, these items aren’t quite enough to bring under the microscope because the Division will also review private fund advisers’ portfolio strategies, risk management, and investment recommendations and allocations. Some private funds have specific risk characteristics that will also be focused on such as: highly leveraged private funds, private funds managed side-by-side with business development companies, and those with hard-to-value investments, such as crypto assets and commercial real estate-connected investments.
SCS Suggests
Though it may seem like a daunting list, when we step back, coming out of a successful exam will require implementing practical policies and procedures that are in line with your actual, daily practices. Review those policies at least annually, or when you know of a material change, to ensure your practices never stray too far away from your documented framework. Conduct forensic testing as often as makes sense with your risk level to document that your fees and disclosures are accurate and that you don’t see any patterns of preferential treatment of investors and funds. And finally, train your staff no less than annually, reminding them of their requirements such as personal trade reporting and reporting of conflicts. As always, a well-documented annual review showing that your practices are in line with your policies will serve your future self well.
Retail Investors and Working Families
The Division will continue its quest to protect retail investors by focusing on fiduciary duty and Form CRS. They want to ensure advisers are not placing the firm’s or its financial professionals’ interests ahead of the investor and that they are acting in the investor’s best interest. Those advisers who are dually registered will be of heightened focus, as they service both brokerage and advisory clients.
They will look at the advice and recommendations provided to investors to ensure they are suitable, whether disclosures include all material facts regarding any conflicts, the process for making best interest evaluations, and how the investor’s investment profile is considered in relation to their account(s) and holdings. This will bring a spotlight upon senior investors in particular and those investors saving for retirement.
EXAMS will also review whether firms have agreements that inappropriately waive or limit their standard of conduct and liability, such as through the use of hedge clauses.
SCS Suggests
Ensure your advice and recommendations are suitable for the investor by documenting a clear investment profile and sticking to it. Don’t recommend complex products or illiquid securities to retail investors with everything to lose. Ensure you have their best interest at heart.
It’s important to ensure that any and all conflicts of interest you might have with a retail investor, such as financial incentives to recommend certain products, are appropriately disclosed on the Firm’s Form CRS and/or ADV, per the instructions. Think about the documentation you maintain for the delivery of Form CRS because there are specific requirements associated with delivery to current investors and you want to substantiate that you follow those requirements to examiners. Not only should disclosure documents be reviewed, but so should your policies – tailor those puppies to match your business model and identify conflicts along with how they are mitigated or eliminated, where appropriate.
ESG Disclosures and Product Labels
Environmental, Social, and Governance (“ESG”) is not a new focus area for the Division as they also issued a Risk Alert about it in April 2021. In the risk alert, they highlighted both the accuracy of disclosures and the implementation of policies, as both things have the potential to mislead investors. In the last two Exam Priorities, this focus continues on disclosures that must meet fund operations, whether ESG products are appropriately labeled, and whether the recommendations for said products are in the investor’s best interest. Hmm, I’m sensing a theme here.
SCS Suggests
Misleading investors (especially retail investors) continues to be a driving force behind the SEC’s rule-making, risk alerts, and exam priorities. ESG investing is not exempt from this and in fact, may put you at higher risk for review. This is not to say you should avoid offering ESG products but to encourage you to develop strong policies and accurate, clear, prominent, and descriptive disclosures that prioritize transparency for investors. It all comes back to fiduciary duty and acting in the investor’s best interest.
Information Security Cannot Wait
It seems old hat at this point. We have policies in place, the BCP is updated, and employees have their laptops, but the hybrid/remote work environment that we now call “home” is ripe for bad actors and security breaches. We feel like we’ve got it all figured out, but information security is changing rapidly and investor information is at risk. EXAMS noted that “the current risk environment related to cybersecurity is considered elevated, given larger market events, geopolitical concerns, and the proliferation of cybersecurity attacks, particularly ransomware attacks.” Hence their focus on cybersecurity controls during exams.
EXAMS will review the practices you have in place to prevent disruptions to mission-critical services and to protect investor information, records, and assets. They will review any potential cybersecurity issues you have with third-party vendors and the due diligence you have conducted to ensure information security. Even if you outsource, the responsibility remains with your firm, should something happen to investor data. They will also focus on your policies to safeguard customer records (internally and outsourced) and governance practices in accessing client information remotely.
SCS Suggests
It cannot wait. The SEC has proposed a cybersecurity rule that is still out there, receiving its second round of comments. We expect the rule to be adopted and firms will want to be prepared once that happens. Educate yourself on cybersecurity terminology and best practices. Invest in your IT department, or outsource as appropriate, to ensure you have safeguards in place to protect client information. Tighten up your BCP and your disaster recovery plan to address the impact of substantial disruptions to normal business operations. Train and remind your staff regularly of the importance of the controls in place to prevent cyber risks and document the results of all training efforts. The Division will review the improvements to these plans over the year and a firm’s ability to anticipate and prepare for disruptions to their business.
Crypto is Still a Risko…
EXAMS will focus on investors who are offering new products and services or employing new practices (such as providing automated digital investment advice). If you offer, sell, recommend, or provide advice regarding crypto or crypto-related assets, the staff will assess whether you (1) met and followed standards of care and (2) routinely reviewed, updated, and enhanced disclosures and risk management practices. If you just started offering crypto as well, it sounds like you may be on their radar.
If you offer digital investment services, the Division will review your tools and methods to assess whether:
recommendations were made or advice was provided (social media/social trading platforms);
representations are fair and accurate;
operations and controls in place are consistent with disclosures made to investors;
any advice or recommendations are in the best interest of the investor; and
risks are considered, especially for senior investors.
SCS Suggests
Again, this risk area can be greatly mitigated by employing standard compliance practices and acting as a fiduciary. Develop specific and tailored policies and procedures to mitigate the risks specific to digital assets and design clear disclosures and trading practices to provide investors with all the facts they should know before investing in digital securities. Ensure you don’t keep static policies and disclosures, however, as this is an ever-changing landscape with new risks emerging daily. Keep things fresh and in line with your current practices.
Conclusion
While the list of focus areas does seem long, it’s not exhaustive. EXAMS will also focus on valuation and fee billing as well as third-party due diligence for outsourcing. The focus areas the Division has highlighted provide a nice reminder to routinely review policies, test your higher-risk areas, and ensure your practices are consistent with your program. Remember the focus the Division is placing on retail investors and private fund managers and make sure you are always acting in each client’s best interest, in line with a strong culture of compliance. Oversight practices help mitigate risk for a firm and compliance definitely comes into view during an exam. Make it a focus this year to review and update the risks facing your firm and tighten up your cybersecurity practices. It will not only serve you well in an exam, but also in mitigating the risk of client information breaches and ransomware attacks.