5 ways for wealth management firms to keep compliant in 2023

January 13, 2023 6:21 PM

With holiday celebrations behind them, investment advisors can now buckle down to the serious task of making sure they are doing everything possible to avoid running afoul of regulators in 2023.

From getting acquainted with a new Securities and Exchange Commission marketing rule to making sure they are properly conducting and documenting their annual compliance reviews, firms will have plenty to do to stay on the right side of state and federal laws. Here are five steps to take to make sure your regulatory house is in order.

Annual compliance reviews

In a list of 10 do's and don'ts for the new year for registered investment advisors, RIA in a Box — a provider of compliance software — emphasizes the need to not skimp on annual compliance reviews. The SEC, Wall Street's regulator, requires RIAs to review their policies, procedures and internal controls every year to make sure they comply with the law.

Although the SEC's requirement may be an annual one, RIA in a Box recommends firms consider doing internal reviews more frequently.

"By taking the time throughout the year, you not only avoid a mad rush come year end, but you also realize the benefits of an updated compliance program which proactively meets new requirements and heightened risk points," the compliance consultant suggests.

RIA in a Box also recommends that firms hold annual meetings to discuss compliance with employees and keep notes of what's said. Of particular importance is to document any decision to make a particular person within the firm responsible for certain aspects of compliance. If one employee's duties include ensuring the company abides by the SEC's new marketing rule, that obligation should be spelled out on paper.

In perhaps its biggest "don't," RIA in a Box warns firms against simply copying and pasting their compliance review for the previous year and resubmitting it to the SEC. That, the company cautions, will immediately send up a red flag for regulators.

"Your RIA annual compliance review is not a check-it-and-go kind of task," RIA in a Box adds. "It requires a thorough analysis of both the industry and your firm."

New regulations

One of the biggest rule changes to hit advisors in years is the SEC's new marketing rule, which took effect last November. Among other things, the rule defines an advertisement as a communication an advisor sends to two or more current or potential clients about new advisory services. One-on-one communications are exempted.

It also requires firms to keep records of things like every advertisement they have authorized, the money they've paid for ads and testimonials and the data they've used in presentations of investment performance.

Cory Roberson, the founder of regulatory consultant FIN Compliance, said a provision of the marketing rule allowing advisors to market themselves using client testimonials is garnering particular interest. As usual, the key to avoiding run-ins with regulators is to keep records of everything you're doing.

"If you are working with a marketing or solicitation firm, how are you documenting that?" Roberson said. "Especially at the end of the year, if you receive an SEC audit and you need to be able to say: 'Here are our policies and procedures.'"

Meanwhile, firms need to be on the lookout for other regulations that are up for adoption this year. The SEC, for instance, has proposed a rule that would require advisory firms that outsource services to make sure their third-party contractors aren't violating the fiduciary obligations owed to clients. A separate proposal from the Department of Labor could disrupt many advisors' ability to work as "independent contractors" that are affiliated with larger firms rather than being direct employees.

Although industry watch dogs usually give firms a grace period to come into compliance with new regulations, it doesn't hurt to start preparing now. One way to do this, says RIA in a Box, is to make sure internal policies and procedures take account of new rules.

"Take the time to look back at any new regulations which have passed in the last year and adjust your manual to reflect new requirements for your RIA firm," RIA in a Box recommends.

Paperwork, paperwork everywhere

Scott Gill, the owner and senior compliance consultant at Synergy RIA Compliance Solutions, said the biggest compliance mistake firms make is to not have mandatory reports and documentation organized and conveniently stored for when regulators come calling.

Gill said being able to present information in a way that the SEC and other regulators want to see it can make the difference between a relatively easy compliance review and a difficult one.

"If you can give them what they want, they may ask a couple of questions, and then generally we can close that exam pretty quickly," he said. "But if you can't give it to them, then there might be multiple phone calls and multiple requests back and forth for books and records."

Gill said most advisory firms start the year off by filing an amendment to their Form ADV with the SEC. Form ADV is the basic document advisors use to register with the SEC and contains information on the type of investing they do, their assets under management and fee structures. Firms are required to submit amendments to their Form ADVs within 90 days of the end of their fiscal year, usually Dec. 31.

Gill noted that some — but not all — states also require firms to submit financial statements toward the beginning of the year.

"If you are registered in a particular jurisdiction," he said, "you obviously don't have to worry about the rules that other jurisdictions are concerned with."

Cybersecurity

RIA in a Box's list of do's and don'ts also says that the beginning of the year is a good time for firms to take stock of their cybersecurity measures. With many transactions now being conducted online and many advisors still taking advantage of remote-work policies adopted during the pandemic, regulators will be eager to ensure firms are doing all they can to protect online data.

Industry regulators have warned that scams over the internet, email or messaging apps are becoming more common. The Financial Industry Regulatory Authority, broker-dealer's self-regulator, established a Cyber and Analytics Unit last year to combat abuses like unauthorized intrusions into customers' online accounts and ransomware attacks, in which a hacker takes control of a company's computer systems and will only release them after receiving a payment.

In its recent 2023 report on its Examination and Risk Monitoring Program, FINRA notes that many firms are not taking basic cybersecurity steps. These include having systems to identify customers who are trying to open new accounts online are, in fact, who they say they are. FINRA also cautions that firms may be moving services like email and data storage to the cloud — on outside servers run by third-party companies — without making sure customer information is adequately protected.

Roberson said firms that allow working from home may want to make sure that employees are using systems like virtual private networks — which operate over the internet while offering some of the safeguards of private computer networks. They also probably want to set up multifactor verification systems. These usually require employees to complete verification steps before accessing a company system; many, for instance, will require users to enter both a password into a laptop and then a code sent separately to their cellphones.

Roberson said many firms, particularly small ones, are likely to be unable to set up these systems on their own.

"You're probably going to need some additional consulting to help put all those pieces together," he said. "And then, if you have a general IT vendor, there's a chance they do not understand the risk areas of the advisor world you work in. So you may need to take all this to someone who understands that side of things."

Watch that app

Another priority listed in FINRA's annual report was ensuring firms are monitoring their employees' electronic communications on email and messaging services like WhatsApp. Advisors don't necessarily have to be doing anything nefarious like insider trading to catch regulators' notice. Federal officials have strict rules requiring recordkeeping for all discussions of business matters.

In September, the SEC and the Commodity Futures Trading Commission hit 16 big-name Wall Street firms, including Goldman Sachs, Bank of America and Morgan Stanley, with $1.8 billion in fines for violations of this record-keeping rule. Bill Simpson, compliance principal at the communication consultant Hearsay Systems, said regulators will most likely turn their attention to smaller companies this year.

Simpson said the avenues for electronic communications continue to grow in number. In December, the SEC brought charges of stock manipulation against eight social media influencers in part for discussions they'd been having on the messaging app Discord, which was originally used mostly by gamers.

"So are firms going to think about their policies as they relate to Discord?" Simpson said. "And then, where does it stop? How many channels do you need to account for?"