Investment advisers are regulated entities subject to various securities laws. State registered investment advisers are subject to the regulations of each state the firm is registered with; however, those are not the only securities laws that can apply to a state registered investment adviser. For example, if a state registered adviser provides advisory services to a 401K plan, the firm is subject to regulations under the Employee Retirement Income Security Act of 1974 (“ERISA”).
It’s essential that firms understand all the securities laws that apply to them in order to fully prepare for a regulatory examination. In this Risk Management Update, we discuss some of the additional regulations that can apply to state registered investment advisers, outline top areas of deficiencies found by state examiners during exams, and provide compliance steps that will help firms prepare for a regulatory exam.
An investment adviser’s business practices generally drive which regulations the adviser must comply with. In addition to ERISA, below is a list of the most common regulations that can apply:
- Financial Modernization Act of 1999 (aka Gramm-Leach-Bliley Act) – outlines steps that firms must take to protect the privacy of client non-public information.
  - Advisers must have written privacy notices that are delivered initially to new clients and annually.
  - Advisers must implement controls to ensure that non-public information is protected from unauthorized use.
- Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 – requires, among other things, investment advisers that manage private funds to obtain registration or file an exemption.
  - Advisers that manage private investment funds relying on certain Regulation D exemptions must register or file as an “Exempt Reporting Adviser” with the SEC and/or one or more states, depending on the type and amount of assets of the private fund(s).
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (“USA PATRIOT Act”) – requires financial industry firms to take steps to prevent terrorism and money laundering.
  - Advisers, among other financial industry firms, must, at a minimum, comply with the Office of Foreign Assets Control (“OFAC”) Sanction Programs. This includes setting up processes to ensure that the advisory firm does not do business with anyone on the Specially Designated Nationals (“SDN”) list, or in/with a sanctioned country.
- Commodity Futures Trading Commission (“CFTC”) Regulations – requires investment advisers and others that invest in certain derivatives to register with the CFTC.
  - Advisers that fall within the definition of Commodity Pool Operator (“CPO”) or Commodity Trade Advisor (“CTO”), among others, must register with the CFTC and become a member of the National Futures Association (“NFA”).
Top Areas of Deficiencies
In September 2019, the North American Securities Administrators Association (“NASAA”) issued a coordinated report on the areas of deficiencies that state examiners were finding during routine exams of state registered investment advisers. These included:
- Books and Records – Missing and/or incomplete: (i) written agreements, (ii) business continuity plans, (iii) bank statements and checks, (iv) general and auxiliary ledgers, (v) trial balances, (vi) financial statements, (vii) disclosure brochures, (viii) advertising files, and (ix) client suitability information.
- Registration – Inconsistencies between Form ADV Part 1 and Part 2A and timeliness of Form ADV filings. Also, lack of and/or incorrect disclosures covering: (i) firm affiliations, (ii) assets under management, (iii) conflicts of interest, (iv) personnel, (v) business description and services provided, and (vi) fee structures.
- Contracts – Did not contain: (i) 48-hour rescission clause, (ii) other state-specific requirements, (iii) fee information, and/or (iv) discretionary authority. Also, were not properly executed with signatures and dates or were not in writing.
- Cybersecurity – Did not: (i) have a contract with their technology provider, (ii) perform testing of cybersecurity vulnerability, (iii) maintain hardware and software security procedures, (iv) have adequate protection of sensitive data files, (v) suspend operation during a cybersecurity event, (vi) have strong passwords, and (vii) secure or limit access to computers/devices.
- Fees – Deficient processes, which included: (i) fees charged did not match contract or Form ADV, (ii) performance fees were charged to non-qualified clients, (iii) no evidence of work product to justify fees, (iv) fees charged on non-managed assets, (v) charged unreasonable or excess fees, and (vi) overcharging fees.
- Advertising – Marketing materials that included: (i) untrue or misleading statements or omissions, (ii) testimonials, (iii) misleading charts, graphs, formulas or other devices, (iv) exaggerated claims, (v) misleading use of professional designation, RIA and IAR abbreviations, and (vi) insufficient website disclaimers.
- Supervision – Failure to: (i) periodically assess and update compliance/supervisory program, (ii) follow compliance/supervisory procedures, (iii) avoid or mitigate conflicts of interest, (iv) have procedures preventing the misuse of material nonpublic information, and (v) have adequate policies and procedures.
- Custody – Did not: (i) provide invoices with all required information, (ii) provide notice to administrators on Form ADV, (iii) have written client authorization for direct fee deductions, (iv) provide clients with written notice of the custodian or custodian changes, and (v) send invoices to custodians and clients.
Exam Preparation Steps
Advisory firms need to have adequate policies, procedures, and controls that cover state requirements and other applicable regulations. Importantly, these need to be customized to the firm’s business practices and not off the shelf. In addition, it’s crucial to consider risks and conflicts and ensure they have been properly identified, addressed, and disclosed (when necessary).
Additional steps should include:
- Review past regulatory exam letters to ensure all deficiencies have been addressed.
- Audit firm books and records to confirm those that are required are being retained.
- Review all regulatory filings to confirm they are up to date and disclosures appear adequate.
- Prepare employees for an examination, including having mock interviews.
- Perform and document compliance training with employees.
Consider having a mock regulatory audit performed by an independent consultant or law firm. These types of audits can be invaluable in your preparation process. Also, in some cases, insurance companies will provide a credit to firms that obtain these types of reviews.
Being prepared is key to having a clean regulatory exam. Senior management and compliance personnel need to remain aware of requirements and changes to regulations in order to make appropriate updates when necessary and ensure a strong compliance program.
The Core Compliance team has many years of experience in assisting firms to prepare for regulatory exams and performing mock audits. For assistance or more information about our services, please contact us at firstname.lastname@example.org or (619) 278-0020, or visit us at www.corecls.com.
Author: Tina Mitchell, Managing Director, Consultation Services; Core Compliance & Legal Services (“Core Compliance”). Editor: James Smith, Sr. Compliance Consultant, Core Compliance. We work extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
Notably, each state also has specific privacy laws that must be considered.
While this is the federal Act implemented, a number of states have specific regulations that apply to advisers that manage private funds.