In its recently issued annual report on state-registered investment advisers, the North American Securities Administrators Association (NASAA) was straightforward about the steps it believes advisers should be taking to create a culture of compliance in today's rapidly changing regulatory environment. You can find the full NASAA report here.
State securities regulators have regulatory oversight responsibility for nearly 17,500 investment advisers with assets under management of $100 million or less, almost 3,000 of them in California alone. States also retain anti-fraud authority over all investment advisers, whether the adviser is registered with a state or with the U.S. Securities and Exchange Commission (SEC). Because not every adviser is registered with the SEC, state regulators work diligently to protect investors by pursuing securities violations themselves.
What NASAA Wants
NASAA recently adopted a model rule for policies and procedures consistent with the Uniform Securities Act of 2002. Its purpose is to complement the SEC's enforcement efforts by addressing securities fraud at the state level. The model rule makes it unlawful for an investment adviser to provide investment advice to clients unless the adviser establishes, maintains, and enforces written policies and procedures tailored to its business model.
A financial advisory firm's written policies and procedures must take into account the size of the firm, the type(s) of services provided, and its number of locations. Advisers also must maintain and enforce those written policies and procedures with robust and documented supervision and oversight, which is where many firms fall short.
One of the most common violations cited in state exams every year is a lack of supervision. In my experience as a regulator, I would often ask someone a question about a specific aspect of their firm's written supervisory policies and procedures, and they did not know what I was talking about.
In its annual report, NASAA recommends that financial advisers bolster their business continuity and succession plans and reassess their operations to determine the potential risks and vulnerabilities posed by remote working.
NASAA and Cybersecurity
Cybersecurity is a growing concern for regulators, and the SEC has made it clear that its examiners will review a firm's policies and procedures in that area. Anything the SEC is going to take a hard look at, firms should expect state examiners following NASAA's lead to look at, too.
It is important for firms to make sure they have established written policies and procedures on such topics as system communications, personal trading accounts, and outside business activities. These are areas where firms commonly run afoul of the rules. As an example, you might have an adviser representative trying to circumvent compliance oversight while working remotely. Systems must be in place, and you must verify that they are actually being used. If you are not using the systems you have bought, your firm is just throwing money away.
When it comes to cybersecurity, regulators want to see that firms have established proper incident response protocols for dealing with such malicious activities as phishing emails, ransomware, and unauthorized account access. Additionally, firms must have protocols designed to mitigate problems if vendors or other service providers experience a cyber incident.
NASAA has cited five specific functions it wants to see in a firm's written cybersecurity policies and procedures, designed to help protect investors. They are the five core functions of the NIST Cybersecurity Framework:
- Identify – How does your firm manage information security risk to its systems, assets, data, and capabilities?
- Protect – What safeguards does your firm have in place to ensure the delivery of critical infrastructure services?
- Detect – What activities has your firm implemented to recognize an information security event?
- Respond – What activities has your firm put in place to take action regarding a detected information security threat?
- Recover – What has your firm done in terms of maintaining plans for resilience and restoring any capabilities or services impaired as the result of an information security event?
Yes, cybersecurity can be a little intimidating at first, but we all practice some form of it on a daily basis, from not answering spam calls to not opening suspicious email attachments. Employees must know your firm's cybersecurity policies and procedures and review them often.
Compliance Grid
NASAA has published a sample compliance grid for firms that covers these and other areas of interest. The experienced team of specialists at Core Compliance & Legal Services can work with your team to help address any items of concern before regulators come calling. Contact Core Compliance at (619) 278-0020 or visit us online at corecls.com to schedule a timely consultation.