Building an RIA compliance program

The Registered Investment Advisor (RIA) market has swelled to 12,000 firms, posting a rapid 17 percent increase over the last two years [1] and attracting the undesired attention of the Securities and Exchange Commission along the way. In response to this trend, and the approximately $70 trillion that RIAs managed as of the end of 2016, the SEC has hired and deployed 20 percent more examiners to supervise wealth managers and investment companies.

In this climate of regulatory vigilance, the Investment Advisers Act of 1940 remains the top priority for RIA compliance teams. But in 2017, RIAs must also contend with looming Financial Crimes Enforcement Network (FinCEN) [2] reforms that impose the same anti-money laundering (AML) requirements upon RIAs as upon other financial institutions, including banks, broker-dealers, and pooled investment companies.

A formal AML program for RIAs entails detailed currency transaction reports for cash movements of $10,000 or more, suspicious activity reporting that is in line with the adviser’s risk profile, and accurate regulatory technologies (regtech) for verifying the ultimate beneficial owners of client accounts. Further compounding RIA compliance are the complex data-reporting mandates of the Dodd-Frank Act and new Department of Labor laws that impose strict fiduciary limits on advisers managing retirement account investments.

This new wave of investment advisor regulations demands that RIAs across the board implement risk-based and comprehensive compliance programs. While the scope of legislative disruption may seem daunting and hard to navigate, there are several best practices that, with a high degree of certainty, mitigate the threat of enforcement action. For RIAs seeking to create and implement a top-flight compliance program, the following five initiatives are foundational:

  • Delegate broad and sweeping supervisory controls to their chief compliance officers
  • Diagnose the highest probabilities for error and tailor a comprehensive, risk-based solution
  • Ensure that policies and procedures cover the full scope of the IAA, along with other relevant legislation
  • Ensure that annual audits and regulatory technology are adequate
  • Digitize all record-keeping systems and practices to confirm that violations are being dealt with appropriately and in a timely manner

The following article will examine these compliance guidelines and provide best practices for the execution of each initiative.

Empower Your Chief Compliance Officer

Due to the growth of the RIA sector, the SEC and state regulators have allocated more supervisory resources to monitor independent investment advisers. In today’s regulatory regime, RIAs are facing the same type of scrutiny generally reserved for more systemically significant financial institutions. As a result, the designation of a CCO and the delegation of sweeping authority and supervisory controls to this C-Suite role have never been more essential for RIA organizations.

While the SEC’s final rule [3] mandating that RIAs designate a CCO has been in effect since 2004, today’s enforcement landscape places more emphasis on the technological fluency this officer possesses, along with the decision-making power they wield over the organization. It follows that RIAs must offer their CCOs a seat at the boardroom table and empower their compliance leaders with equal, if not more senior, stature to other C-Suite executives. The transformation is a cultural one – RIAs must enable their CCOs to set the organizational tone for compliance from the top.

This reorganization sends a clear and unequivocal message to firm personnel, investors, and outside regulators that risk management and compliance are taken seriously by the organization. Also, by engaging the CCO in all boardroom decisions of significance, RIAs promote transparency, which makes regulators more likely to conclude that the firm is willfully attempting to comply. Finally, it follows that enhanced responsibility for CCOs merits compensation incentives that better reflect the role’s rising value proposition.

Implement a Risk-Based Strategy

RIAs conducting business in today’s capital markets cannot afford to assume that their risk exposures will reflect the generic regulatory list delineated by SEC release IA-2204. The sprawling regulatory octopus compels the RIA ecosystem to abandon checkbox compliance and adopt risk-based models, tailored to the specific operational threats that each investment adviser faces. RIAs face a wide range of risk exposures, including:

  • Operational disruptions
  • Anti-money laundering requirements
  • Proprietary trading
  • Insider trading
  • Retirement account management
  • Counterparty vulnerabilities
  • Investment product offerings
  • Transition planning
  • Cybersecurity
  • Marketing & advertising

The myriad complex reporting, record-keeping, and disclosure requirements only serve to complicate this risk matrix. It follows that different RIAs will have varying distributions of risk, depending on their customer base, investment product offerings, IT systems, operating geographies, and the vendors with which they do business.

Enact Comprehensive Policies

In what may seem the most obvious best practice, RIA compliance teams must draft and enforce internal policies that reflect the regulatory standards delineated by the IAA, Dodd-Frank, the Bank Secrecy Act, and other relevant laws. The primary challenges that arise are:

  • Rapidly evolving scope of legislation
  • Narrow time constraints for the implementation of regulatory reforms
  • Sweeping data-reporting demands
  • Potential ambiguities surrounding rules and exemptions

Nevertheless, it is the duty of the CCO and their compliance lieutenants to keep abreast of regulatory reforms in order to transition to new policies and laws on schedule and without penalty.

Digitize Record-Keeping Systems to Enhance Transparency

Investment in modern technology systems is crucial for RIAs seeking regulatory approval. The vast data-reporting obligations of Dodd-Frank and BSA legislation compel investment advisers to upgrade regtech assets and network security systems. Two key considerations for regtech and network security are data integrity, which measures information accuracy, and data quality, which measures information consistency and timeliness.

The volume, velocity, and variety of market data demand fluid technology solutions that can recognize adverse threats in real time. Instead of breaking the bank with costly R&D to create proprietary firm solutions, RIAs will realize greater value by outsourcing these functions to specialized vendors.

For regtech applications, RIAs should partner with vendors that use direct data feeds, ensuring more secure, robust, and high-quality information. On the network security side, RIAs should seek out machine-learning specialists that can detect malicious attacks and data breaches before they cause significant operational harm.

Ensure that Record-Keeping Systems Are Adequate

Record keeping forms the core of transparency for financial institutions. However, an unethical employee or group of employees may subvert firm compliance by omitting information or producing misleading documentation in an effort to sweep a violation under the rug. For this reason, it is imperative that all compliance recordkeeping be filed, stored, and curated digitally. A clear digital record provides metadata history that records:

  • Creation of Data
  • Purpose
  • Timestamp
  • Author
  • Computer used
  • Standards
  • File size

By implementing a transparent, digital-only record-keeping system, RIAs promote accountability and track violations, incident reports, recommendations, and revisions more accurately and effectively.

Smarter Compliance through Regtech

While a strong CCO forms the core of a high-performing compliance program, this leader will only be as effective as the technology they have at their disposal and their ability to use it appropriately. The expansion of FinCEN’s AML regime into the RIA space, along with heightened SEC oversight, necessitates a sophisticated response from investment advisers.

To mitigate AML risks and avoid punitive enforcement actions, RIAs should seek out a modern investigative technology solution that identifies adverse counterparties before they sabotage operations and undermine profit. By partnering with a best-in-class regtech vendor, RIAs can transform compliance from a cost center and regulatory lightning rod into a catalyst for asset capture and bottom-line growth.