The Securities and Exchange Commission (SEC), through its Office of Compliance Inspections and Examinations (OCIE), has published its exam priorities for 2020. According to the SEC, these priorities reflect certain practices and products that may present heightened risk to investors and/or the integrity of the U.S. capital markets. As an initial matter, the SEC reminds firms of the importance of compliance: "Culture and tone at the top are key." Hallmarks of effective compliance, according to the SEC, include:
- Compliance's active engagement in most facets of firm operations and early involvement in important business developments, such as product innovation and new services
- A knowledgeable and empowered CCO with full responsibility, authority and resources to develop and enforce the firm's policies and procedures
- Commitment to compliance from executives and support for compliance at all levels of the organization
The SEC's exam priorities include three broad categories: retail investors, information security and financial technology (FINTECH).
Retail Investors
This priority will emphasize the protection of retail investors, particularly seniors and those saving for retirement. The SEC will prioritize:
- RIAs, b/d firms and dually-registered firms serving retail investors, including those targeting retirement communities, teachers and military personnel
- Investments marketed to retail investors, including:
- Mutual funds and ETFs
- Fixed income securities
- Microcap securities
- Private placements
- RIA fulfillment of the duty of care and loyalty, including:
- Whether advice is in the clients' best interest
- Whether RIAs eliminate, or at least fully disclose, all conflicts of interest that could lead to giving conflicted advice
- Whether fees and expenses and compensation arrangements are inadequately disclosed
- RIA compliance with Reg BI, including the content and delivery of the new Form CRS Relationship Summary
Information Security
Examinations will focus on, among other things, proper configuration of network storage devices, information security governance and retail trading information security. Specific to RIAs, the SEC will focus on assessing the protection of client personal financial information. Particular focus areas include:
- Governance and risk management
- Access controls
- Data loss prevention
- Vendor management
- Training
- Incident response and resiliency
In the area of third-party and vendor risk management, the SEC will focus on oversight practices related to certain service providers and network solutions, including those leveraging cloud-based storage.
The SEC will review for compliance with Regulations S-P and S-ID. It will also focus on the controls surrounding online access and mobile app access to customer brokerage account information.
The SEC will examine for the safeguards around the proper disposal of retired hardware that may contain client information.
Financial Technology (FINTECH)
Noting that registered firms increasingly use new sources of data (referred to as "alternative data") that may drive investment decision-making, the SEC will focus on firms' use of these technologies and assess the effectiveness of related compliance and control functions.
Digital Assets – Due to the risks relating to digital assets, the SEC will examine RIAs engaged in this space. Examinations will assess:
- Suitability
- Portfolio management and trading practices
- Safety of client assets
- Pricing and valuation
- Effectiveness of compliance programs and controls
- Supervision of employee outside business activities
Electronic Investment Advice – The SEC will focus on RIAs that provide services through "robo-advisers." Areas of focus include, among others:
- SEC registration eligibility
- Cybersecurity policies
- Marketing practices
- Adequacy of disclosures, and
- Effectiveness of compliance programs
Some Additional Focus Areas
The SEC typically assesses an RIA's compliance programs in at least one "core" area. This would include the appropriateness of account selection, portfolio management, custody, best execution, fees/expenses and valuation of client assets. In addition, it will often assess the adequacy of disclosures and governance practices in the core areas reviewed.
RIA Compliance Programs – the SEC will review whether compliance programs are reasonably designed, implemented and maintained. It will prioritize examinations of RIAs that are dually registered as, or affiliated with, broker-dealers, or have supervised persons who are registered representatives of unaffiliated broker-dealers.
The SEC will prioritize examining firms that utilize the services of third-party asset managers to assess, among other things, the extent of the RIAs' due diligence practices, policies and procedures. The SEC has a particular interest in the accuracy and adequacy of disclosures where RIAs offer new or emerging investment strategies (e.g., strategies focused on sustainable and responsible investing).
Never-Before and Not Recently-Examined RIAs – The SEC will continue to conduct risk-based examinations of new RIAs and those that have never been examined. It will also prioritize examinations of RIAs that have not been examined for a number of years to focus on whether the RIAs' compliance programs have been appropriately adapted in light of any substantial growth or change in business model.
To discuss any topic mentioned above, please contact Matt Boos, Chair of Fredrikson & Byron's Investment Management Group.
