Top 5 SEC Examination Deficiencies

Main Contributor: Joe Reilly, Compliance Associate

Background

You may have wondered which topics are frequently brought up during SEC Investment Adviser Examinations and where advisers are receiving deficiencies.  While the SEC’s examination process is broad in scope and addresses a wide range of SEC rules and regulations, we have noticed that there are some areas that tend to arise more often than others. This article looks at the five most common areas for deficiencies we find the SEC focuses on during examinations.

#1: Policies and Procedures

Advisers are required to adopt and implement policies and procedures that are reasonably designed to prevent violations of the Investment Advisers Act of 1940.  Because this requirement is so broad in scope, advisers often find that their compliance manual either does not account for certain SEC regulations or does include all of the relevant procedures, but the firm fails to adhere to them.

Keep in mind that your policies and procedures include your code of ethics, business continuity plan, compliance manual, and cybersecurity plan.  There is no requirement for all of these policies to be combined into one document.  Whether separate or combined, a comprehensive set of policies and procedures provides firm employees with a road map to ensure your firm stays compliant. 

SCS Suggests

With regulations that are constantly evolving, it is essential to continually (or at least annually) review your policies and not assume they are evergreen. This means you ensure:

(1)  that they adequately address SEC requirements and

(2)  that both your new and current firm employees are acting in accordance with their provisions. 

To ensure your firm’s policies and procedures are aligned with your practices, remove any provisions that are not tailored to your operations.  Obtaining an acknowledgement from each of the firm’s employees can help with this, as can conducting training on various aspects of your policies and procedures.  Making your policies and procedures a part of your firm’s culture and discussions with different firm employees also helps to identify areas where the policies and procedures are out of date and need updating. 

#2: Cybersecurity and Business Continuity

Pursuant to Regulation S-P, investment advisers need to adopt administrative, technical, and physical safeguards to protect customer records and information. Advisers also need to ensure that they can operate in the event of a significant business disruption that alters their day-to-day business functioning. The starting point for these safeguards and procedures will live within your policies and procedures and will be implemented through training and testing.

Common deficiencies surrounding cybersecurity include:

  • a lack of adequate penetration testing,

  • inadequate incident response plans,

  • issues with access control, or

  • missing systems for backing up sensitive information. 

Common deficiencies surrounding business continuity plans include:

  • issues with handling cybersecurity incidents and data breaches that affect their operations.  

  • not conducting tabletop exercises of their Business Continuity Plan to assess whether they can operate in the event of certain significant business disruptions. 

  • relying on the fact that their employees can work from home as adequate documentation for their testing efforts. Post-pandemic, this is no longer sufficient.

SCS Suggests

Both your business continuity plan and cybersecurity plan should align with your firm’s processes and be reviewed and updated as necessary, at least annually.  This can help address out-of-date aspects with either business continuity plans or cybersecurity plans and can help you stay on top of new SEC guidance or areas of focus. It is also critically important to test the procedures you lay out within your policies to ensure they are effective in the event of a disaster or data breach.

#3: Accuracy and Consistency of Filings

Advisers’ regulatory filings need to be accurate and consistent with each other and with the firm’s practices. Two regulatory filings that are most frequently cited for deficiencies include Form ADV and Form U4.

  • Form ADV Parts 1, 2A, and 2B and the advisers’ practices are inconsistent with each other.

  • Form ADV is often cited as inconsistent with the ADV instructions. The language in the instructions is sometimes unclear and can lead advisers to inadvertently answer questions incorrectly.

  • Form U4s contain outdated or inaccurate information.

  • Form U5s were not filed timely or provided to the individual within 30 days of their termination.

SCS Suggests

In addition to reviewing all of your filings on at least an annual basis, you should also update them throughout the year, in real time, as your practices change. Compare the regulatory documents to one another to help identify discrepancies among them. Because Form U4s contain detailed information like personal residences, employment history, and other business activities, it is easy to miss updates that need to be made.  Having each Investment Adviser Representative (“IAR”) review their own Form U4 annually solidifies in their memory the information they would need to report if and when it changes.

#4: Form CRS

The Form CRS is a relatively new requirement that comes with detailed instructions, so it comes as no surprise that it’s also an area where common issues are found during SEC Examinations. Common deficiencies for the Form CRS include:

  • The adviser’s website may be missing the current version of their Form CRS,

  • The adviser’s website does not display the Form CRS prominently or in an easily accessible format,

  • Form CRS does not include an appendix of changes,

  • Form CRS is inconsistent with the word-for-word instructions and formatting requirements, or

  • Form CRS is inconsistent with other regulatory and internal documents, and the adviser’s practices.

SCS Suggests

Be sure to compare your current Form CRS to the Form CRS instructions to identify any inconsistencies.  If you amend the Form CRS, ensure that those changes abide by the Form CRS requirements and that you include them in an appendix at the end, per the instructions.  Ensure that your website has the most current Form CRS posted in an easily accessible fashion (which we interpret to be a button or link that is accessible from the landing page). 

#5: Marketing

Since the SEC’s new marketing rule became effective in November 2022, the SEC has published Risk Alerts, like the one we covered in our last article.  The SEC has also focused on marketing during Examinations.  In addition to scrutinizing performance advertising, third-party ratings, and testimonials and endorsements, the SEC has identified deficiencies in which advisers include untrue statements of material facts or material statements of fact that the Adviser does not have a reasonable basis for believing it can substantiate to the SEC.  If you make a claim on your website, ask yourself whether this is a material fact you would be able to substantiate.  Otherwise, the SEC could interpret it as misleading considering the facts and circumstances. 

SCS Suggests

Have a structured process for reviewing marketing materials.  It is helpful to have a checklist of things to look for based on the SEC’s marketing rule.  Be sure to maintain documentation of any reviews that you complete, and if you make edits based on those reviews, keep the “before” and “after” versions for books and records purposes.

Conclusion

Focusing on these common deficiencies can help you avoid some of the common pitfalls that many advisers encounter.  Several of these common deficiencies relate to one another, and addressing these topics when conducting your Annual Review can help mitigate the likelihood of other deficiencies. Of course, there are numerous other items not listed here that can lead to deficiencies in SEC Exams. Having a robust compliance program and annual review process is the overall key to staying compliant, but these deficiencies can give you a place to start when identifying potential risks for your firm.
