Frequently asked compliance questions in wealth management

Answers to the most frequently asked wealth management compliance questions

July 31, 2023 5:18 PM

With regulation of the advisory industry becoming ever more complex, it should come as little surprise that planners occasionally look to outside experts for help staying in compliance.

Indeed, a whole slew of consultants have built their businesses around trying to meet this need. With the Securities and Exchange Commission's adoption of a new marketing rule in November and its recent proposals of myriad new regulations, firms most likely have more reason than ever to tap experts on the shoulder for a little wise advice.

One of the best-known compliance consultants, RIA in a Box — which has been part of the Comply family of companies since 2021 — has released a ranking of the regulatory topics advisors most often ask about. Topping the list are questions over whether firms need to be registered with the SEC, individual states or perhaps both.

David Hunter, the owner and lead advisor at First Light Wealth in Palmyra, Pennsylvania, said the seeming ubiquity of this question is likely a reflection of the number of advisors who are breaking off from larger firms to go independent these days. Hunter said he left a well-established registered investment advisor early this year and started his business in April.

For help with the registration question, he turned to the XY Planning Network, which also offers expert advice on compliance matters. Hunter said he thinks other planners who are contemplating striking out on their own would be wise to do something similar. That goes not just for questions on registration, he said, but the host of other compliance issues advisors are likely to encounter throughout their careers.

"Unless you're big enough to have a standalone chief compliance officer who's also a lawyer," Hunter said. "And even then, unless that's really all they do, they are likely going to be leaning on some sort of outside legal team, in my opinion."

And the SEC's marketing rule is not the only industry regulation planners many times feel ill-equipped to handle on their own.

For some of the highlights from RIA in a Box's list, scroll down.

Where do I register?

RIA in a Box says there's a straightforward answer to this question. If you have $100 million or more in assets under management, you have to register your firm with the SEC. If it's anything less, then you'll most likely be going with state regulators.

Of course, though, it's not quite that simple. For firms that have to register with state regulators, the primary question is: Which state?

If an advisor operates only in, say, Montana, Mississippi or Missouri, then it should register wherever it has its primary office. But most firms do business across state lines. If that's the case, they'll have to look up individual statues to see which regulations apply.

Many states, according to RIA in a Box, require registration for firms that have five or more clients within their borders. Texas and Louisiana make that demand for advisors with a single client in their jurisdictions. New York requires state registration for all firms with $25 million or more in assets under management.

Corey Kupfer, the founder and principal of Rye Brook, New York-based Kupfer and Associates, said most firms would prefer to be solely under the SEC if that's an option. One huge advantage to having a federal-level regulator is that it avoids the patchwork of laws advisors must deal with if they're registered in more than one state.

"I don't know an advisor who's qualified to be registered with the SEC who doesn't take that choice," Kupfer said.

foxyburrow - stock.adobe.com

Marketing misgivings

RIA in a Box is just the latest compliance consultant to note advisors' apparent unease with the SEC's recent overhaul of its long-standing marketing regulations. Before the adoption of the new rules, financial planning had been one of the few industries that was prohibited from using client testimonials and endorsements by celebrities and other third parties.

Even with the recent lifting of that ban, RIA in a Box notes advisors have been slow to take advantage of the new freedom.

"Advisers have been told to avoid reviews and testimonials for so long, it's no wonder that the majority of RIAs are treading carefully when it comes to requesting them," according to RIA in a Box.

Just as small firms often have to register with states instead of the SEC, they may also come under individual state laws on advertising and solicitation. Hunter said his firm, with about $10 million in assets under management, is registered solely with Pennsylvania and that every state imposes its own marketing requirements and restrictions.

"There is a pretty big gray area in regards to what is allowed or not allowed," he said in an email.

One reason for advisors' hesitation to take advantage of client testimonials and third-party endorsements is no doubt regulators' insistence that planners have solid evidence to back up any claim they make in their marketing. RIA in the Box's latest regulatory bulletin warns of another pitfall: The need to avoid reporting only client reviews and performance data that put your firm in a good light and ignoring less-flattering results.

Such "cherry picking," as RIA in a Box deems the practice, will not be welcome to regulators.

"In essence, you can't just ask a few of your favorite clients for their feedback — it's all or none," RIA in a Box says.

To avoid cherry picking, the compliance consultant recommends that you make sure you send out emails requesting testimonials from people you've worked with to all your clients.

RIA in a Box also recommends caution when you're trying to decide which statements can be legally included in marketing statements and which can't. The SEC's new rule sets strict limits on what advisors can say when they seek to highlight their knowledge or expertise by noting the performance of their past investment recommendations.

They're not allowed, for instance, to report results for only one time period to the exclusion of others. If they're going to brag about the performance of a given investment recommendation, they have to show how it did over three distinct periods of time: one year, five years and 10 years.

RIA in a Box isn't the only industry consultant to note the industry's struggles with the new marketing rule. In a survey of roughly 580 advisory firms conducted in May, the compliance firm ACA Group found that only 5% of the respondents reported using their newfound freedoms to rely more on testimonials by former clients and endorsements by celebrities or other third parties.

Remote work

The ACA's survey suggested more and more advisors are returning to the office. Even so, remote and hybrid working arrangements remain common in the industry.

RIA in a Box said many advisors continue to seek guidance on how they and their employees can operate at a distance without running afoul of regulators or exposing clients to additional risks. The firm said the way to avoid these twin dangers is to subject remote employees to frequent and careful monitoring, particularly through the use of software systems.

Many firms, for instance, use computer programs to collect and store employees' digital communications. RIA in a Box advises using these systems for all messages regardless of if they're sent by email, social media, text or direct messaging services like WhatsApp.

"Where advisers get into trouble is when they start fielding communications from prospects and clients via their personal Facebook account or something along those lines," according to RIA in a Box. "If you are talking shop (i.e., giving financial advice of any kind), then chances are it should be archived."

Cybersecurity should be a priority for all advisors, but particularly so for those who rely heavily on technology to make remote work possible. The SEC has proposed a rule that would give advisors 48 hours to report data breaches and put in place other requirements meant to protect client information.

Even while the industry awaits adoption of that proposal, RIA in a Box recommends firms provide cybersecurity training to their employees and periodically scrutinize their data protection policies for strengths and weaknesses. The compliance consultant said firms can even run simulated cyber attacks to expose previously unnoted deficiencies.

To outsource or not to outsource?

RIA in a Box said one of the questions it most frequently hears is whether firms should try to outsource the responsibilities that would normally fall on a chief compliance officer. The answer to this question, according to the compliance consultant, is almost always "no."

For firms that are large enough to have a CCO, RIA in the Box says, the SEC is pretty insistent that the person in that position be someone who can make decisions. Such executive authority is rarely given to outside consultants, no matter how much weight is given to their recommendations.

"When you outsource your CCO, you get someone who can say no, but they don't hold any power," according to RIA in a Box.

Aaron Pinnick, a researcher and manager of thought leadership at ACA Group, noted that only 2% of the respondents to ACA's recent survey said they outsource regulatory functions. But for firms that are small and have no one on staff who can make compliance their top priority, looking elsewhere for help might be their best option.

"It's not as if there's a right or wrong approach," Pinnick said. "The wrong approach would be to ignore your compliance obligations."