The U.S. Securities and Exchange Commission (“SEC”) continues to make progress with its self-imposed mandate of expanding its investment adviser examination reach. Leveraging increased staff and proprietary risk analytics, the Commission maintained its examination coverage of registered advisers in 2019 versus 2018 despite an increase of nearly 4 percent in registered firms and a month-long suspension of examination activity due to the 2019 government shut down. Examinations of registered advisers in fiscal year 2019 remained robust covering 15 percent of the registered adviser population.
On January 7, 2020, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced its examination priorities for 2020. The priorities are a mix of old and new, and include the integration of recent changes in the adviser regulatory regime, i.e., the Commission’s interpretation of the investment adviser fiduciary standard and Form CRS rules.
The Commission continually reminds advisers of the need for dynamic compliance programs capable of responding to new and amended rules, regulatory guidance, examination findings, and enforcement protocols. Publication of exam priorities is intended to inform advisers of their responsibility to develop and implement a risk-based compliance program. OCIE believes that by revealing its view of existing and emerging compliance risks, advisers will be compelled to be more proactive in identifying and mitigating compliance risk, with the ultimate objective of protecting investors.
2020 Exam Focus Areas
The 2020 hit list includes “perennial risk areas” (e.g., cybersecurity, senior investors, and fintech) along with several new risk sets. Newly adopted rules addressing the fiduciary standard and client best interests will figure prominently in OCIE scrutiny of compliance programs and adherence to the fiduciary standard, i.e., the twin duties of care and loyalty owed to clients. This will include assessment of the objectivity of advice relative to the best interests of clients and the adviser’s capability to identify, eliminate, mitigate, and/or disclose the material conflicts of interest attendant to its business.
The Commission brought many enforcement actions in 2019 where advisers failed to mitigate or properly disclose material conflicts of interest, resulting in non-compliance with Section 206 of the Investment Advisers Act of 1940. OCIE has stated that beginning in the second half of 2020, examiners will focus on “the content and delivery” of Form CRS to retail investors, which supplements Form ADV disclosure requirements.
Other areas of examination focus will include:
- Retail Investors: Scrutiny will be placed upon senior client demographics and client assets designated for retirement funding. Examinations will focus on recommendations and advice given to retail investors, with a focus on: (1) seniors, including recommendations and advice made by entities and individuals targeting retirement communities; and (2) teachers and military personnel. Adviser disclosure, mitigation and internal control testing pertaining to client fees, client borne expenses and the communication of investment advice relative to strategies employed and attendant risk remain priorities. OCIE stated that examination resources will significantly focus upon investment advice utilizing mutual funds, ETFs, municipal securities, and microcaps.
- Cybersecurity: OCIE will continue to expend resources on cybersecurity and other information security risk sets which confront registered advisers. OCIE reiterated previous cyber focus areas for 2020 examinations: (1) governance and risk management; (2) access controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response and resiliency. Related areas of interest will entail scrutiny of the configuration of network storage devices and the security of retail trading information.
- Vendor Risk Management: Vendor due diligence is a rapidly evolving and expanding risk set. OCIE is evaluating supervisory protocol pertaining to service providers and network solutions (including those leveraging cloud-based storage) which retain nonpublic information of the adviser and/or its clientele. In this respect, compliance with Regulations S-P and S-ID and their attendant information safeguard provisions will receive scrutiny. The digital revolution entails accelerated retirement of obsolete hardware which introduces risk of inadvertent access to nonpublic information. OCIE will examine the safeguards around the proper disposal of retired hardware that may contain client information and potential network information that could create an intrusion vulnerability.
- Niche Investment Strategies: Examiners will scrutinize adviser disclosures and execution of investment advice pertaining to niche investment strategies such as Environmental, Social and Governance (“ESG”) and sustainable investing.
- Unexamined Advisers: Never before/not recently examined advisers will be prioritized, especially if client demographics of registrant firms retain significant retail investor or private fund attributes.
- Side-by-Side Business Models: Conflicts of interest attendant to side-by-side models whereby advisers provide investment advice both to separately managed accounts and private funds will receive attention relative to conflict disclosure, mitigation, and related internal controls.
- Fintech and Innovation: Advisers operating in the digital asset space continue to present a relatively higher risk profile in the eyes of the SEC. OCIE intends to evaluate compliance risk attendant to registered advisers engaged in the digital asset space and/or those registrants utilizing the “robo-adviser” model. For robo-advisers, examiners will be looking to assess SEC registration eligibility, cyber policies and procedures, marketing practices, adherence to fiduciary standards, and the effectiveness of compliance programs.
- Transition Away from LIBOR: OCIE will evaluate registrant exposure and preparation for the transition from LIBOR to an alternate reference rate.
The eighth annual OCIE priorities communication provides registered advisers with solid risk management perspective which should be leveraged to responsibly and proactively orient compliance policy, procedure, and internal control protocol. Undisclosed and/or poorly mitigated conflicts of interest remain the Achilles heel of fiduciaries, with cybersecurity continuing to evolve as an elevated risk set.
Cybersecurity regulation continues to be addressed indirectly through pre-existing rules (e.g., Regulation S-P, Regulation S-ID) and with prodigious Commission guidance. Obtainment and retainment of cyber risk management expertise remains an extremely important hurdle for advisers and directly intersects with vendor due diligence scrutiny expected from OCIE in 2020.
The pre-existing fiduciary standard attendant to the responsible management of permissible conflicts of interest has been elevated in 2019 with the introduction of Standards of Behavior for Investment Advisers and Regulation Best Interest. Advisers should tend to their compliance risk matrix which identifies and maps conflicts of interest to the compliance program.
The Form CRS deadline looms over advisers with retail clients. Advisers are urged to get started with Form CRS preparations as soon as possible. Below is a summary of helpful FAQs issued by the SEC in late November.
Follow this link to download a complete copy of the SEC’s 2020 examination priorities: https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2020.pdf.
Form CRS FAQs
On November 26, 2019 the staffs of the SEC’s Division of Investment Management and the Division of Trading and Markets published their first responses to questions about Form CRS. The Form CRS FAQ page will be updated from time to time in coming months.
- Q: My firm offers three types of services to our retail investors. Can my firm prepare and deliver three different relationship summaries, one for each type of service that it offers? A: The short answer is no.
- Q: How do I create machine readable headings to comply with General Instruction 7.A.(i) to Form CRS? A: The staff recommends that registrants consult with the specifications and instructions provided by the software provider of the application used to create the PDF to determine how to make the headings machine readable. The FAQ proceeds to provide an example using Microsoft Word and Adobe.
- Q: Can a firm satisfy its relationship summary delivery requirement with respect to its existing retail investor clients or customers by including the relationship summary with the mailing of its June 2020 quarterly account statements (e.g., within one week after June 30, 2020)? A: The short answer is yes.
- Q: My firm is an investment adviser to pooled investment vehicles, such as hedge funds, private equity funds and venture capital funds. The investors in these funds include natural persons who may be “retail investors” as defined in Form CRS. Am I required to deliver a relationship summary to these funds? A: The short answer is no, unless these same investors also maintain a separate advisory relationship outside the private fund.
To read the latest Form CRS FAQs, follow this link: https://www.sec.gov/investment/form-crs-faq#delivery.