Maintaining a compliant organization is no small task. With new rules and regulations emerging each year, it’s easy for small oversights – the proverbial “broken windows” – to slip through the cracks. Unfortunately, these minor missteps can snowball into significant issues during a regulatory examination. Below, we’ve highlighted some common pitfalls to help you stay ahead.
Violating Firm Policy
One of the most common but avoidable mistakes is failing to adhere to your own policies. Compliance professionals often assume that staff are following the procedures laid out in the meticulously crafted policy manual. However, over time, small changes can creep in. Steps may be skipped, processes adjusted, or new hires trained on slightly altered procedures – often without notifying compliance.
To prevent this, conduct an annual policy manual review and engage with staff or department heads to ensure processes align with documented procedures. Ask questions, observe workflows, and identify discrepancies. If necessary, provide additional training or amend policies to reflect effective, compliant changes. The key is ensuring your firm practices what it preaches.
Documentation: If It’s Not Documented, It Didn’t Happen
Regulators operate on a simple principle: if it’s not documented, it didn’t happen. Key procedures such as email reviews, quarterly testing, OFAC checks, and BCP testing must have clear, written evidence.
A compliance calendar with due dates and completion records can be invaluable. Additionally, having Registered Representatives (RRs) or Investment Advisor Representatives (IARs) document client interactions and updates can save your firm headaches. For example, detailed CRM call notes can provide critical evidence during examinations, as was the case when a firm avoided findings by producing documented call notes with updated financial information for a Qualified Purchaser review. Documentation is your first line of defense.
Non-Disclosure of Outside Business Activities (OBA)
Undisclosed OBAs are a frequent issue. To avoid this, require RRs and IARs to complete annual questionnaires listing all OBAs. Cross-check these with Form U4 and ADV2B (if applicable). For any undisclosed activities, ensure a written OBA disclosure form is completed and, if required, obtain senior management approval.
Business Continuity Plan (BCP) Annual Review and Testing
Recent disasters, from hurricanes to pandemics, underscore the importance of an up-to-date and tested BCP. Annual reviews and testing are required yet often overlooked. Ensure contact information for critical vendors and response teams is current and document the results of your testing. Incorporate initial and periodic BCP training for staff and make sure your plan covers a range of potential business interruptions.
Off-Channel Communications
Over the past few years, regulators have been focused on off-channel communications. If your firm permits business communication through platforms like text messages, WhatsApp, or LinkedIn, you must capture, monitor, retain, and be able to produce those communications during an exam.
Update your Electronic Communications policy to define approved channels, retention periods, and monitoring processes. If off-channel communications are prohibited, consider requiring employees to sign quarterly or annual attestations confirming their understanding of and compliance with firm policy.
Registration and Notice Filing
Periodic reviews of client counts by state are essential to ensure your IARs and firm meet state registration and notice filing requirements. Overlooking states outside customary de minimis thresholds, such as Louisiana (which requires notice filing for a single client), can lead to fines, investment rescissions, or additional regulatory scrutiny.
OFAC Compliance: Ensuring Proper Screening and Documentation
Screening clients against the Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list is a critical compliance requirement for investment advisor firms. However, this area is often overlooked, as many firms rely on their custodians to handle both initial and ongoing screenings. While this reliance is common, it is essential that your firm’s policy manual explicitly reflects this practice.
Key Considerations
- Policy Manual Alignment: Review your policy manual to confirm it accurately reflects your reliance on custodians for OFAC and SDN screenings. Regulators expect firms to “do what they say” in their policies.
- Custodial Agreement Language: If your firm relies on a custodian for screening, ensure that the custodial agreement explicitly states these services are performed on behalf of the advisor.
- Annual Attestations: If the custodial agreement lacks specific language regarding screening, request an annual attestation from the custodian confirming their role in performing these services. Additionally, confirm that their Anti-Money Laundering (AML) policy complies with the Bank Secrecy Act (BSA).
- Advisor Responsibilities: Even when delegating screening responsibilities to a custodian, the advisor retains ultimate accountability. Implement procedures to verify client identities and conduct OFAC screenings before establishing relationships. Periodic screenings for existing clients are also considered best practice.
While custodians can be valuable partners, investment advisors must ensure that reliance on third-party services is well-documented, aligned with firm policies, and monitored to meet regulatory requirements. Ultimately, the responsibility for compliance rests with the firm.
Form CRS
Since its implementation in 2020, Form CRS remains a focus area for regulators. Ensure your firm is meeting its obligations by:
- Reviewing and updating Form CRS annually.
- Logging amendments and filing updated summaries with the SEC or FINRA (if applicable).
- Maintaining records of delivery dates to retail customers.
- Prominently posting Form CRS on your website.
- Placing the relationship summary first if it is included in a packet of information, and presenting it prominently in the electronic medium if it is delivered electronically.
- Delivering the relationship summary to retail clients prior to or at the time of recommendations or account openings.
The SEC has identified Form CRS as a 2025 examination priority. These examinations will evaluate whether investment advisors and broker-dealers have met their obligations to file their relationship summary with the Commission and deliver their relationship summary to retail customers. Firms should be prepared to demonstrate compliance with filing and delivery requirements.
Final Thoughts
These are just a few examples of “broken windows” that can lead to scrutiny during an examination. Addressing these areas proactively can help your firm maintain compliance and avoid unnecessary findings. Core Compliance has years of experience and is ready to assist with your compliance needs. Contact us today at info@corecls.com or (619) 278-0020 to learn more.
Author: Apryl Thompson, Compliance Consultant; Editor: Matthew Rothchild, Sr. Compliance Consultant, Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, and private fund managers on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon regarding any particular facts or circumstances without first consulting with a lawyer and/or tax professional.