A good friend and colleague, Michael Koch, shared his notes with us regarding the recent phone call held by the Fort Worth SEC office. We believe these notes provide valuable insights and recommendations to everyone in our industry. So, with his permission, we are sharing his notes below. Enjoy the read; the takeaways are very relevant.
I just spent 90 minutes of my life listening to a presentation by the Ft. Worth Regional Office of the Securities and Exchange Commission regarding 2017 exam results and other industry topics as they saw them. While it was not the most entertaining time I have spent, I laud them for reaching out and trying to provide more insight and transparency to financial services firms in their region. And while nothing “earth shattering” was revealed, I felt it was informative and should serve as a reminder (and possibly a wakeup call) for many firms and their Chief Compliance Officers. My comments below should not be construed as covering the entirety of the call nor should they be viewed as the only relevant or important topics covered. Rather, they are items, comments and topics that I think all firms and CCOs should make sure they are focusing on intently. I will present them in the order of the call and will not reorder them to add my own emphasis. I will add comments that reflect the degree of emphasis I believe should be placed on them by each firm.
- Cybersecurity led the way and nothing new was revealed. What was discussed, however, was the reminder that the SEC published details of its 2016 Cybersecurity Sweep including the actual document request they provided to firms and presumably will continue to use for future exams. This is invaluable information and any firm not taking the request, asking itself the questions and making sure it has satisfactory answers, is frankly being shortsighted. Cybersecurity is a hot issue and it’s not if you get attacked but when. Unless you have outsourced this function to external experts/consultants or have such expertise in-house, you will likely flunk this inquiry. I strongly recommend if you are going to flunk it, you do so when you can fix the holes and not when you will have to draft a mitigation letter to the SEC after they find it and are taking formal action. I have included the link to the Alert here.
- Based upon 2017 exam results, almost 50% of firms examined by Ft. Worth were cited for deficiencies regarding the “Compliance Rule” Rule 206(4)-7. This rule is broad and sweeping so it is not a surprise it was cited so often. This rule is the heart of the compliance program including policies and procedures, annual testing of the procedures and CCO competence and resources. Items included:
  - Failure to tailor procedures manual: This has many facets from buying an “off the shelf” manual but never customizing it to not testing your procedures and keeping them updated to reflect changes in personnel, procedures etc. Manuals can be horrible and the only thing worse than customizing one from a consultant is sitting down and reading the rules and drafting one of your own. This is why it’s recommended to work with an attorney or consultant to get a good basic template as a start. Then go through each page and make sure anything required applies to you and, if so, make sure you are doing what it says or that you change what it says to reflect what you’re doing (as long as what you’re doing is compliant). You’re not done though. Each year (the presenter suggested quarterly testing but let’s start with annually until you get the process down) you must test your existing procedures to ensure they are still compliant and that you are doing what your manual says you are doing. Don’t skimp on this review the first time through. It could be time-consuming and laborious but once updated, you can do smaller reviews the following year unless something changed. Put your results in a report with a matrix of what you tested etc. The SEC will ask for it, but even if they don’t, this exercise is truly important and one many firms skimp on if they do it at all.
  - Failure to follow the procedures in the manual: This was covered above but it’s a separate item and should be treated as extremely important.
  - Inadequate testing of procedures: Again, covered above but very important. This is actually where I agree with quarterly testing. Test a few procedures every quarter and then compile results as one report. This allows you to focus on each review but do them in manageable and effective chunks. Whatever testing you do, document it! If you review the check receipt and delivery blotter to see if you’re following procedures, document it and put it as part of your report. More is truly better in these cases.
  - Underqualified and/or under-resourced Chief Compliance Officer: This could be called “incompetent CCO” but that’s only a small fraction of the cases as the days of designating whatever admin person missed a meeting as the CCO have pretty much gone away. There are really two main components here: resources, i.e. funding and time, and CCO position in the Firm. The CCO should be empowered and have access to senior management if not part of senior management. It was interesting that the speaker spent quite some time criticizing CCOs who have multiple hats within a Firm. In reality, the CCO may have different hats but, in the SEC’s eyes, the main hat better be that of the CCO. Multiple hats are not in and of themselves wrong but if the CCO has multiple duties, he/she will need to be very competent with strong policies and documentation of the policies in place. The SEC shouldn’t try and tell firms how to run their businesses but, if an area is a “hot button”, firms should be prepared to defend their decision to press said button.
- The 2018 exam initiatives for the SEC will be issued soon and it is guaranteed that Business Continuity Plans will be on them. Ft. Worth has conducted and will likely continue to conduct exams on firms in areas affected by Hurricane Harvey. They want to know what plans were like before, what did firms do and how did it work out? Then they want to know what was changed based upon the results. Even if a firm has not been contacted or wasn’t directly affected, I recommend that you review these things on your own, document them and keep them available for when the SEC asks. They expect firms to have separate plans for different disasters from cyber-attacks to hurricanes to utility failures. If you can’t explain what something in your existing plan means or how you would implement it, you might as well not have one. Time spent here is valuable. These should also be reviewed, tested and signed off on annually by senior management.
- The speaker spent a tremendous amount of time discussing the second most noted area: Fee billing. This is not simply the miscalculation of fees but much broader and of greater concern. This area seemed like a gateway where the SEC could disagree with wording in your ADV and could then charge you with fee billing violations because you billed a client but had not adequately addressed an issue the SEC considered a conflict of interest. The comments, however, certainly had the tone that the SEC strongly dislikes dual registration both by a broker/dealer who is also an RIA or is affiliated with an RIA. The speaker’s contention was that if a representative is registered with a BD and an RIA, any transaction with that client would make the representative a fiduciary even if sold through the broker/dealer. If the product could not be sold through the RIA, there might be some defense but that seems like a slippery slope. He even said that if an alternative investment was available for RIA accounts (i.e. no fee) but a representative sold it through the BD and received a commission, the SEC could consider that a fee billing violation and a possible breach of fiduciary duty. While this would seem to quell some of the debate regarding the permissibility of using alternative investments in advisory accounts, this also should greatly concern any firms or representatives affiliated with both types of entities. It should be noted that he spoke of “alternative investments” broadly and I assumed he was referring to products ranging from hedge funds to real estate and oil and gas private placements. Admittedly, his brush might not have swept as broadly but his comments gave no clarification or differentiation.
As part of the fee billing comments, there were also points made about inadequate systems in fee billing. Most RIAs don’t struggle with basic quarterly billing but when the system must exclude assets or bill certain assets at different rates, breakdowns can occur. Firms should be testing and verifying on an occasional (maybe quarterly) basis to make sure clients are being accurately billed. Once again, do the testing and document it.
- Final area of citation in exams was that of Amendments to the ADV. This is no surprise either as much of the information requested is subjective and firms and examiners will often disagree on the interpretations. The speaker did spend considerable time talking about the information included on ADV 2B for each representative. Apparently, there has been a reluctance by some firms to include disciplinary items on the ADV 2Bs as well as including disclosures from representatives on the firm’s ADV Parts 1 and 2A. Here is simply caution. If there’s a disclosable item related to a representative, closely review it and the related guidance in the ADV instructions. Unless it clearly can’t be excluded, include it. If you think you have a good case, talk to your counsel or consultant and get their thoughts. If you do exclude it, document your rationale and get buy-in from senior management. Even if you think it is clearly excludable, I suggest drafting a short memo laying out your rationale and putting it in the file or emailing it to the representative explaining your thought process. In that way, you will have mitigation if the SEC disagrees. You may not win but you show you reviewed it, considered it and made a rational decision.
The speaker also talked about adequately disclosing compensation arrangements and conflicts in items 4 and 5. I suggest when you do your ADV update in the next few weeks, act like it’s brand new and review each item along with the instructions and guidance as if you’d never read it before. Don’t assume it’s right just because you used it last year. The SEC won’t.
If you have actually read this far, I hope you found some things helpful. If not, I’m sorry I wasted your time. Bottom line from all this appears to be test and document. Question everything and get your systems down and your procedures for those systems documented. Thank you.