This year will certainly be one for the history books. The worldwide pandemic continues to impact our country and the way we live. For the financial industry, we have witnessed evolutions and changes of focus in regulatory examinations.
Much of the U.S. workforce continues to work remotely. Fraudsters continue to take advantage of vulnerable investors, and financial scams have risen accordingly. Collectively, this has caused the U.S. Securities and Exchange Commission (“SEC”) and state regulators to perform a detailed analysis of the compliance risks that have been, and continue to be, created by this activity. In the beginning, senior management was surprised at how easy the transition was from office to remote working. However, the speed with which the switch had to be made prevented compliance and IT personnel from being proactive in determining what additional procedures and controls were necessary, especially in the areas of cybersecurity, privacy, business continuity, and supervision.
In August 2020, the SEC issued a Risk Alert on compliance risks due to COVID-19, which outlined compliance considerations in the following areas:
- Protection of Investor Assets
- Supervision of Personnel
- Fees, Expenses, and Financial Transactions
- Investment Fraud
- Business Continuity
- Protection of Sensitive Information
The SEC also reminded firms to be aware and alert for fraudulent activities and provided links to various resources.
Given the fact that many firms continue to work remotely, we have arranged this year’s compliance checklist to focus on the higher risk areas first.
Assess the Strength of Your Privacy and Cybersecurity Programs
- Perform an assessment of your privacy and cybersecurity policies, procedures, and prevention controls to confirm risk areas have been addressed and ensure adequacy and effectiveness of the program.
  - Compliance Step: Review the strength of remote access protocols and the security levels of personal computers and home wireless connections.
- Ensure that vulnerability assessments and penetration testing are performed before year-end on all networks and electronic systems being used for business purposes.
  - Compliance Step: Utilize an unaffiliated firm that specializes in this area, as this allows for an independent evaluation.
- Test safeguarding protocols and controls in place to ensure that client non-public information is being protected.
  - Compliance Step: Determine that employees working at home have implemented safeguards to prevent inadvertent access to such information by family members.
- Confirm that your Incident Response Plan is comprehensive and provides details on roles and responsibilities, preventative measures, and response priorities.
  - Compliance Step: Discuss in detail with a cybersecurity expert to ensure all applicable areas are covered.
Determine Whether Your Compliance Program is Adequate
- Complete a risk assessment and conflicts inventory to confirm all identified risks and conflicts have been adequately addressed and disclosed.
  - Compliance Step: Map each risk and conflict to applicable policies and procedures that ensure appropriate elimination or mitigation steps are being taken. Also review Form ADV and standard investment advisory agreements to make sure all material risks and conflicts are being disclosed.
- Determine whether the firm’s compliance policies and procedures are addressing the high-risk areas outlined in the SEC’s Risk Alerts and exam priorities list that are applicable to the firm’s business practices, along with any regulatory changes that have taken place.
  - Compliance Step: Confirm that applicable policies and procedures address remote working, especially in the areas listed in the SEC’s Risk Alert referenced above.
- Confirm compliance testing protocols are working properly and set up to detect both gaps in processes and trends and patterns that show potential systemic risk.
  - Compliance Step: Ensure testing is being performed to detect any compliance gaps applicable to employees working remotely.
- Ensure that an annual review has been performed and documented in accordance with Rule 206(4)-7 of the Investment Advisers Act of 1940 (“Advisers Act”).
  - Compliance Step: Document a plan for implementing any enhancements needed to the firm’s compliance program.
- Review your Compliance Calendar to make sure all compliance tasks outlined in your firm’s policies and procedures have been/will be performed.
  - Compliance Step: Utilize compliance technology solutions to the extent possible to help ensure all tasks are performed within required time periods.
Review Financial, Custody, and Billing Processes
- Audit the firm’s fee calculation and billing process to ensure advisory fees are calculated and billed to clients in accordance with client agreements and disclosures.
  - Compliance Step: Review the SEC’s Risk Alert on deficiencies in the assessment and disclosure of advisory fees.
- Ensure that there are strong controls in place for confirming client identity when money transfers are requested via phone or email.
  - Compliance Step: Perform testing to ensure that steps are not being circumvented.
- Determine whether any clients have Standing Letters of Authorization with their custodian that authorize the firm to transfer client assets to third parties.
  - Compliance Step: Confirm that these assets are reflected in Item 9 of Form ADV Part 1 and that the firm’s policies and procedures outline the controls in place to address this type of custody.
- If the firm is deemed to have custody that requires an annual surprise custody audit, ensure it is performed and the Form ADV-E is filed with the SEC prior to year-end.
  - Compliance Step: Ensure the engagement agreement with the auditing firm contains the information required by Rule 206(4)-2(a)(4) under the Advisers Act and, when required, that the auditing firm is registered with, and subject to, the Public Company Accounting Oversight Board (PCAOB).
- If the firm manages private investment funds, confirm that an annual audit of affiliated private fund financials has been scheduled/performed and that internal controls are in place to ensure timely mailing of the audited financial statements to investors within the required period.
  - Compliance Step: Coordinate with each fund’s third-party service providers and employees to allow enough time to prepare for and facilitate the audit.
Analyze Service Provider and Solicitor Arrangements
- Ensure that due diligence reviews of service providers have been performed and documented, with particular focus on the service provider’s business continuity, cybersecurity, privacy, and supervision of remote employees.
  - Compliance Step: Implement an automated due diligence calendar and monitoring system for tracking purposes.
- Review solicitor arrangements to confirm that agreements are up-to-date and in compliance with Rule 206(4)-3 of the Advisers Act. Also verify that solicited clients have received and signed a copy of the solicitor’s disclosure statement.
  - Compliance Step: Have solicitors provide written certifications that they continue to remain in compliance with applicable regulations and are adhering to all requirements outlined in the agreement.
Provide Training to All Employees
- Ensure compliance training has been provided to firm personnel covering firm policies and procedures, cybersecurity, business continuity, and privacy safeguards, and that it includes additional considerations due to COVID-19.
  - Compliance Step: Training can be delivered in several ways throughout each year, including webinars, in-person compliance meetings, conferences, simulated phishing exercises, and periodic compliance emails.
Prepare for Year-End Regulatory Filings
- Review the IARD Renewal Calendar and schedule all deadlines to ensure timely filings and payments.
  - Compliance Step: Review current investment adviser representative registrations to determine if any post-dated U-5 filings should be made to terminate unnecessary state registrations.
- Pull the IARD Preliminary Renewal Statement on or after November 16th and pay the annual required filing fees within the required deadline.
  - Compliance Step: This year’s deadline for payment is December 14, 2020. The method of payment instructions can be found at https://www.iard.com/accounting#Renewal_Account
- Confirm that all applicable required federal and/or state filings are made. Examples include Form 13F, Form 13H (Large Trader), Schedule 13D/G, Form PF, and Form D (private funds), NFA filings, state net capital filings, state registrations, state notice filings, and state blue sky filings.
  - Compliance Step: Program all deadlines in your Compliance Calendar and consider software and third-party outsourcing solutions to assist with these filings.
- Look at current registration forms and client disclosure documents (e.g., Form BD, Form N-1A, Form ADV, client agreements, prospectus and statement of additional information, and private placement memorandums) to ensure they are current and contain required and applicable disclosures.
  - Compliance Step: Read the SEC-issued instructions for the applicable document to ensure you are including all required information. Also consider recent SEC enforcement actions to better understand the types of disclosures the SEC requires.
- Ensure that all registered personnel have reviewed their current Form U-4 and Form ADV Part 2Bs, as applicable, and confirmed that the information is accurate.
  - Compliance Step: Have each representative provide written certifications that they have no new disciplinary or legal issues to disclose.
Determine Whether Firm Documents Require Updating
- Confirm that business presentations, commentaries, websites, social media sites, and other marketing materials are up to date, contain all necessary disclosures, have been reviewed by compliance, and are retained as part of the firm’s required books and records.
  - Compliance Step: Perform email reviews to help confirm that employees are only using currently approved marketing and promotional materials.
- Have legal counsel review standard client agreement(s) for required and necessary provisions and consistency with disclosures in Form ADV.
  - Compliance Tip: Have the agreement(s) reviewed by legal counsel that is experienced with federal and state securities laws.
Now is also the time to begin planning for next year and ensuring that your compliance resources are adequate. Implementing compliance technology and using compliance consultants can be a highly effective and cost-efficient way to help ensure that all applicable requirements are adequately and timely addressed.
Author: Tina Mitchell, Managing Director, Consultation Services, Core Compliance & Legal Services, Inc. (“Core Compliance”); Editor: James Smith, Sr. Compliance Consultant, Core Compliance. Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
Notes
- See “Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers” (August 12, 2020) at https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf
- This list is not all-inclusive and is only meant to provide guidance on what CCOs should be considering.
- The vulnerability assessments and penetration testing should include all home computers and other electronic devices, including personal cell phones, that are being used by employees working remotely.
- See “Overview of the Most Frequent Advisory Fee and Expense Compliance Issues Identified in Examinations of Investment Advisers” (April 12, 2018) at https://www.sec.gov/ocie/announcement/ocie-risk-alert-advisory-fee-expense-compliance.pdf
- See Investment Adviser Association No-Action Letter (February 21, 2017) at https://www.sec.gov/divisions/investment/noaction/2017/investment-adviser-association-022117-206-4.htm
- PCAOB registration can be checked on the PCAOB website at https://pcaobus.org/Registration/Firms/Pages/RegisteredFirms.aspx
- Consider using project management software, such as Trello (www.trello.com) or Kerika (www.kerika.com).