Each year the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) publishes Risk Alerts as part of its National Exam Program. The intent of the Risk Alert is to remind advisers of their regulatory responsibilities and to advance compliance efforts through education about what OCIE has observed during its examinations in terms or internal control systems, policies and procedures – both good and bad.
Since 2015, OCIE has issued twenty-one (21) Risk Alerts,1 four (4) of which focused on cybersecurity issues,2 two (2) of which focused on disclosures related to fees and expenses3 and one (1) of which focused on senior investor issues coming off the heels of the OCIE-FINRA Report on National Senior Investor Initiative.4 Each of these areas has consistently been in the SEC Examination Priorities Lists since 2015, and 2019 is no exception.5 In comparing the Risk Alerts, to the ongoing SEC examination priorities, and the National Examination Program’s routine initial document requests, a trend is apparent – in nearly all cases, each Risk Alert highlights issues that are areas of emphasis for the SEC staff. .
In this month’s Legal Risk Management Tip, we will discuss how Risk Alerts can help you prepare for your next examination. We will explore recent SEC examination focus areas and include practical tips for mitigating risks, relating to three specific areas: advisory fees, senior client issues and cybersecurity.
1. The Advisory Fee Risk Alert
The April 12, 2018 Risk Alert entitled, Overview of the Most Frequent Advisory Fee and Expense Compliance Issues Identified in Examinations of Investment Advisers (the “Advisory Fee Risk Alert”), highlights some of the most common, repeated compliance issues related to fees and expenses observed by the SEC staff. Most investment advisers provide information related to their advisory service fees in a firm’s advisory contracts, Form ADV Part 2A, marketing disclosures and/or during client meetings. But what has surfaced during recent OCIE examinations is that the disclosure of an adviser’s fee is not always consistent or at an enterprise level, is not adhered to or is inconsistently applied. Moreover, OCIE found that the internal controls at advisory firms relating to reviewing billing methodologies were not effective, which resulted in incorrect calculations of advisory fees or assessing fees not reflecting associated discounts.6
The Advisory Fee Risk Alert emphasizes six (6) compliance issues for investment advisers to review, which include the following:
- Fee-Billing Based on Incorrect Account Valuations – Most investment advisers assess advisory fees based on a percentage of the value of the assets in client accounts. The SEC staff found that advisers were valuing assets based on original costs (rather than fair market value) or were using market values at the end of the billing cycle (instead of average daily balance of the account) or including assets that should have been excluded from the fee calculation (g., cash or alternatives) as specified in the firm’s advisory agreement.
- Billing Fees in Advance or with Improper Frequency – In some instances, the staff found that advisers were not billing in accordance with the time period stated in their advisory agreements and Forms ADV – such as billing monthly instead of quarterly, billing in advance instead of arrears or not pro-rating advisory fees for clients who opened or terminated an advisory account mid-billing cycle.
- Applying Incorrect Fee Rate – This was noted when an adviser applied a higher rate than what was agreed to in an advisory agreement or did not comply with Section 205(a)(1) of the Investment Advisers Act of 1940 (“Advisers Act”), which prohibits compensation to investment adviser based on a share of capital gains (with exception given to qualified clients).7
- Omitting Rebates and Applying Discounts Incorrectly – Perhaps one of the most commonly cited deficiencies observed is investment advisers who do not appropriately provide breakpoints to clients as specified in their disclosures to clients, resulting in overcharges, which are not detected or rebated. This occurs, for example, when an investment adviser fails to aggregate client account values for members of the same household (as the term “household” is defined by the firm) or does not apply the firm’s tiered breakpoint schedule resulting in lower fee rates as a result of an increased value in the client’s assets under management.
- Disclosure Issues Involving Advisory Fees – Generally, this compliance issue arises if the disclosures made within an adviser’s contract or Form ADV are inconsistent with the adviser’s actual fee practices (such as applying more than the stated maximum fee) or disclosures are omitted related to additional markups and fees to be assessed (g., for third-party execution) or additional compensation earned by the adviser (such as for fee sharing arrangements with affiliates).
- Adviser Expense Misallocations – This was observed when an adviser to a private or registered fund, misallocated expenses to the fund, For example, such as an allocation for marketing expenses and regulatory filing fees, rather than to the adviser.
Advisers were put on notice during 2Q2018 to pay particular attention to these areas and to evaluate disclosures as well as policies, procedures and other controls used by the firm for its advisory fee billing practices. Now, in 1Q2019, JLG is observing OCIE’s focus on these exact areas during SEC examinations of investment advisers. A sampling of the staff’s initial document requests during recent investment adviser examinations include:
- Current standard client advisory contracts or agreements;
- The general ledger detail of the account(s) into which fees are being booked; provide the monthly reconciliation of fees received against fees billed;
- A list of revenue sharing and expense sharing agreements indicating the entity the agreement is with and the dollar amount involved for the most recent fiscal year;
- Current fee schedule for your advisory programs, if not otherwise stated in advisory contracts or in Form ADV, Part 2A; indicate if the standard fee schedule has changed within the past two years, and if so, please provide details regarding such changes. If fees are tiered, explain the tiered billing process and whether accounts are grouped or household for breakpoint purposes;
- Compliance and operational policies and procedures in effect for the Adviser and its affiliates for the period of January 1, 2014 through the present. These should include, but not be limited to, any written procedures (including operational or desktop procedures) for calculating and billing advisory fees. If Adviser does not maintain any of the aforementioned policies, provide a written statement to that effect;
- A description of the current fee billing process, including, but not limited to: identifying the person(s) who calculates advisory fees, sends the invoice to the custodian, and tests advisory fee calculations; identifying any software programs or systems that are used in calculating fees; description of any reconciliation processes that are completed. If this process has changed during the period of January 1, 2014 through the present, please describe the changes made;
- For the billing period ending December 31, 2018, provide a spreadsheet that includes advisory fee calculations for each advisory client. Include the billing rate, market value used to calculate the advisory fee, and total nominal fee billed. Please also identify which accounts, if any, are grouped together for fee billing purposes, and from which account the fee is paid;
- A copy of any on-going analysis or documentation during the most recent fiscal year of client accounts and fee billing practices to ensure clients are being billed the correct fees;
- Names of any securities in client portfolios for which a market value is not readily available and must be determined by you or a third party, if applicable. If so, please provide a list of those securities; and.
- Names of any security or account types that, as a matter of policy or practice, the Adviser does not charge a fee on.
From this list, it is apparent that the SEC staff is assessing those compliance issues identified in the Advisory Fee Risk Alert. If the adviser reviewed its compliance program practices considering this Risk Alert, the adviser will be better prepared to respond to these examination requests. Risk Management Tips for investment advisers to consider include:
- Review disclosures relating to advisory fees and whether there are omissions of material fact;
- Consider policies and procedures or protocols for calculating and reconciling advisory fees for accuracy; and
- Test to see if “householding” rules are consistently applied.
2. Senior Investors and the ReTire Risk Alert
The June 22, 2015 Risk Alert entitled, Retirement-Targeted Industry Reviews and Examinations Initiative (the “ReTire Risk Alert”) highlights what the staff’s examinations will focus on with advisers who service retiring retail clients, which includes seniors as the largest sub-set of that group. The ReTire Risk Alert provides insight into what the SEC staff will focus on during its examinations as it relates to retirement products and services, including sales to retirees and oversight processes related thereto.
The ReTire Risk Alert emphasizes four (4) compliance areas for investment advisers and broker- dealers to review, which include the following:
- Reasonable Basis for Recommendations – During examinations, OCIE staff will consider (a) the type of retirement account a client is recommended to hold retirement investments (e.g., either remaining at the plan, through an IRA rollover, taking distributions or a combination of these); (b) the due diligence performed on investment options; (c) the firm’s initial investment recommendations; and (d) ongoing account management provided.
- Conflicts of Interest – Generally, compensation arrangements can create conflicts. Therefore, during its exams, OCIE staff will analyze the sales and account selection practices of the adviser or broker-dealer. They will also take into account the fees and expenses assessed, services provided, conflict of interest disclosures made and strength of the compliance program to identify and mitigate such conflicts.
- Supervision and Compliance Controls – The compliance rules governing investment advisers and broker-dealers require registrants to have strong internal controls, including oversight and supervision of personnel. Consequently, OCIE staff will review the supervisory and compliance controls of registrants, with focus on multiple and branch office safeguards as well as outside business activities of associated persons.
- Marketing and Disclosure – The staff will be reviewing marketing and disclosure documents to assess the adequacy of disclosures to confirm that omissions of material fact are not occurring, that representations are true and correct, that credentials and endorsements are valid, and that fee disclosures are accurate.
Since the ReTire Risk Alert, the SEC has focused its attention on how advisers are servicing senior investors and the unique compliance challenges associated with this demographic. In recent examinations, the SEC staff’s examination of advisers addresses not only the ReTire risks, but also the internal controls that investment advisers and broker-dealers should implement if they are serving senior investor clients. Recent initial documentation requests have consisted of the following:
- Indicate the approximate percentage of clients who are 62 or older8(including grantors to trusts). Provide a brief description as to how the approximate percentage was determined;
- Indicate the approximate percentage of Adviser’s regulatory assets under management that are for advisory clients age 62 or older (including grantors to trusts). Provide a brief description as to how the approximate percentage was determined;
- Provide any policies and procedures designed to address issues associated with clients who are Senior Clients and perceived by the Adviser to have possible issues associated with diminished capacity or competence;
- Provide any policies and procedures concerning the handling of client requests for changes to beneficiaries, including all policies and procedures concerning monitoring and supervision relating to changes to beneficiaries;
- Provide any policies and procedures concerning powers of attorney, including all policies and procedures concerning monitoring and supervision relating to changes in power of attorney as they relate to the adviser and/or third patties with power of attorney authority;
- Provide any policies and procedures concerning trustees, including all policies and procedures concerning monitoring and supervision relating to changes of a trustee as they relate to the adviser and/or third patties;
- Provide any policies and procedures that contemplate or consider establishing a trusted point of contact in the case the client(s) have diminished capacity or competence;
- Provide any policies and procedures designed to address what steps are taken with client account(s) upon death (e.g., establishing communication with beneficiary or trustee, repapering of account information, liquidation of account, or the transferring of assets to appropriate parties);
- Provide any policies and procedures designed to facilitate the transition of a Senior Client from actively employed to a retired status (e.g., communication with a client to setup an updated investment profile);
- Provide any policies and procedures that discuss how often the Adviser communicates with its clients (e.g., adviser speaks with its client on a quarterly basis to update the client’s investment guidelines); and
- Provide a list of any training provided by the firm to its employees during the review period that related to Senior Clients and indicate the nature of the training method (e.g., in person, computer-based learning, or email alerts). Please identify the dates, topics, and groups of participating employees for these training events and provide a copy of any written guidance or training materials provided.
Similar to the Advisory Fee Risk Alert, the ReTire Risk Alert foreshadowed many of the examination “hot areas” that the staff is assessing during its examinations. Had a broker-dealer or investment adviser reviewed their compliance program practices in light of the ReTire Risk Alert, it would be better positioned to quickly respond to these types of examination requests. Risk Management Tips to consider include:
- Develop an escalation system for reporting elder abuse matters;
- Have a disclosure form for your senior and retirement investors explaining investment options available to them (e.g., they can stay in a 401(k), do an IRA rollover or take a lump sum distribution); and
- Add language to advisory contracts that addresses safeguards, such as trusted contacts, that the firm has established for retirees and senior clients.
3. The Cybersecurity Risk Alerts
As previously mentioned, there have been four (4) Risk Alerts focused on cybersecurity areas, each worthy of its own focus. For purposes of analysis, JLG believes that the latest of the Risk Alerts entitled, Observations from Cybersecurity Examinations (the “Cyber Risk Alert”), best highlights those areas JLG is seeing in recent document requests of SEC registrants.
During the Cybersecurity 1 Initiative, the SEC staff analyzed whether registrants were inventorying cyber risks and mapping them to cyber controls. For the Cybersecurity 2 Initiative, the SEC staff reviewed registrants’ cybersecurity governance structure, access rights, data loss prevention, vendor management, training and incident response. Among other things, there were a number of issues found including:
- Policies and procedures were not reasonably tailored for employees, nor did they articulate necessary procedures to follow to implement the policy;
- Policies were not reflective of the firm’s actual practices or were not adhered to or enforced;
- Systems were not maintained, patches were not done, and cyber risk assessments not conducted; and
- Cybersecurity vulnerabilities were not addressed.
Recent initial documentation requests include:
- Indicate whether the Adviser conducts periodic risk assessments to identify cyber security threats, vulnerabilities, and potential business consequences. If such assessments are conducted please also:
- Identify who (individual(s), business group(s), and title(s)) conducts them, and the month and year in which the most recent assessment completed; and
- Describe any findings from the most recent risk assessment that were deemed to be potentially moderate or high risk and have not yet been fully remediated.
- Indicate whether the Adviser provides clients with on-line account access. If so, please provide the following information:
- The name of any third party or parties that manage the service;
- The functionality for clients on the platform (e.g., balance inquiries address and contact information changes, beneficiary changes transfers among the clients’ accounts, withdrawals or other external transfers of funds);
- How clients are authenticated for on-line account access and transactions;
- Any software or other practice employed for detecting anomalous transaction requests that may be the result of compromised client account access;
- A description of any security measures used to protect client PINs stored on the sites; and
- Any information given to clients about reducing cybersecurity risks in conducting transactions/business with the registrant.
- Describe the adviser’s reaction to the following cyber issues.
- Malware was detected on one or more Adviser devices. Please identify or describe the malware;
- The availability of a critical Adviser web or network resource was impaired by a software or hardware malfunction. (Down time resulting from routine maintenance and equipment upgrades should not be included in this response.) Please identify the service affected, the nature and length of the impairment, and the cause;
- The Adviser’s network was breached by an unauthorized user. Please describe the nature, duration, and consequences of the breach, how the Adviser learned of it, and how it was remediated;
- The compromise of a client’s or vendor’s computer used to remotely access the Adviser’s network resulted in fraudulent activity, such as efforts to fraudulently transfer funds from a client account or the submission of fraudulent payment requests purportedly on behalf of a vendor;
The Cyber Risk Alert foreshadowed those areas of particular focus on recent SEC exams. To prepare, it important for firms to:
- Review incident response plans for thoroughness;
- Consider vendor management internal controls, such as cybersecurity risk provisions in servicing agreements; and
- Develop customized policies and procedures and training materials related to cyber risks identified for the firm (e.g., concentrate on higher risk areas, such as client portals).
In her 2004 speech, “The New Compliance Rule: An Opportunity for Change,” Lori Richards Director of the SEC’s Office of Compliance Inspections and Examinations, provided the following guidance.
“Compliance staff should continually be asking: Are we detecting problematic conduct with this policy? Based on what we’ve detected, should we alter our policy? Is there a better way to detect problematic conduct?… Were the actions we took, once problematic conduct was detected, adequate to deter problematic conduct by this individual or others?”9
Being able to answer these questions articulately and competently is essential to today’s examination process. Given the complexity of today’s regulatory environment, the National Examination Program’s Risk Alerts provide a valuable tool in alerting advisers about where to focus compliance program efforts. Consider conducting a mock regulatory examination which incorporates the topics outlined in recent Risk Alerts. This will allow senior management the opportunity to assess the strength and readiness of the firm’s compliance program, and provide the firm an opportunity to improve policies, procedures and internal controls governing the business.
Author: Michelle L. Jacko, Esq., Managing Partner, Jacko Law Group, PC (“JLG”). JLG works extensively with investment advisers, broker-dealers, investment companies, private equity and hedge funds, banks and corporate clients on securities and corporate counsel matters. For more information, please visit https://www.jackolg.com/.
This communication is not intended for transmission to, or receipt by, any unauthorized persons. Inadvertent disclosure of the contents of this article to unintended recipients is not intended.
The Risk Management Tip is published solely based off the interests and relationship between the clients and friends of the Jacko Law Group P.C. (“JLG”) and in no way be construed as legal advice. The opinions shared in the publication reflect those of the authors, and not necessarily the views of JLG. For more specific information or recent industry developments or particular situations, you should seek legal opinion or counsel.
You hereby are notified that any review, dissemination or copying of this message and its attachments, if any, is strictly prohibited. These materials may be considered ATTORNEY ADVERTISING in some jurisdictions.
1 For a list of all Risk Alerts, see https://www.sec.gov/ocie.
2 Cybersecurity Risk Alerts include Cybersecurity Examination Sweep Summary (Feb. 3, 2015), OCIE’s 2015 Cybersecurity Examination Initiative (Sep. 15, 2015), Cybersecurity: Ransomware Alert (May 17, 2017) and Observations from Cybersecurity Examinations (Aug. 7, 2017) available at Id.
3 Risk Alerts include OCIE’s 2016 Share Class Initiative (Jul. 13, 2016) and Most Frequent Advisory Fee and Expense Compliance Issues Identified in Examinations of Investment Advisers (Apr. 12, 2018) available at Id.
4 See Risk Alert: Retire-Targeted Industry Reviews and Examinations Initiative (Jun. 22, 2015) and OCIE-FINRA Report on National Senior Investor Initiative (Apr. 15, 2015), both available at Id.
5 For a full text of the 2019 SEC Examination Priorities, see https://www.sec.gov/files/OCIE%202019%20Priorities.pdf.
6 See, e.g., In the Matter of Barclays Capital Inc., Advisers Act Rel. No. 4705 (May 10, 2017) and In the Matter of Morgan Stanley Smith Barney, LLC, Advisers Act Rel. No. 4607 (Jan. 13, 2017).
7 See Advisers Act Sections 205(a)(1) and 205-3 available at https://www.law.cornell.edu/uscode/text/15/80b-5 and https://www.law.cornell.edu/cfr/text/17/275.205-3.
8 Within several examination document requests, the staff defines “senior client” as any retail client who is age 62 or older, retired or transitioning to retirement, including accounts of deceased clients, and retail clients in joint accounts with at least one individual meeting this definition.