Weighing the Benefits of Outsourcing Compliance

Transcription

1 National Compliance Services Weighing the Benefits of Outsourcing Compliance By Rita Dew, Founder and President, National Compliance Services (NCS) To many, the word outsourcing evokes the negative image of jobs shipped overseas. Yet a growing trend of outsourcing compliance greatly benefits Registered Investment Advisers (RIAs). Outsourcing permits RIAs and Investment Adviser Representatives (IARs) to focus on what they do best providing advisory services to investors instead of attempting to create a compliance program that may or may not meet regulatory requirements. RIAs of All Size Need Expert Compliance Support Outsourcing helps RIAs run a compliant business by tapping resources and expertise that are not typically available at an advisory firm. Just as many advisory firms use third-party managers to fill gaps in their money management abilities, RIAs can rely on qualified consulting firms, including some law firms, to help manage their compliance activities. The U.S. Securities and Exchange Commission (SEC) publishes enforcement actions taken against investment advisers and other financial professionals for compliance missteps. When an adviser commits an infraction, the individual, the firm, and even the RIA s CCO may be fined or barred from the securities industry. In many cases, the SEC requires the RIA to hire an independent compliance consulting firm to help correct the violations. Yet, even if violations are remedied, the RIA and associated personnel often incur significant financial and reputational damages. Small or medium-size RIAs are not the only ones that outsource. Large RIAs can more cost-effectively manage compliance by outsourcing mundane tasks, such as registering IARs or filing amendments. At many large RIAs, the Chief Compliance Officer (CCO) may wear a number of hats, so tasks like licensing, registration, and renewals may slip through the cracks. RIAs of all size may also need specialized compliance support that only an expert can provide, such as advertising reviews or assistance with social media. Selective outsourcing can give CCOs an independent and fresh set of eyes for compliance reviews conducted by experts who deal on a regular basis with securities regulators. Compliance outsourcers also have access to state and SEC deficiency letters. These letters are issued by a firm s regulator following an examination, and National Compliance Services, Inc.

2 pinpoint areas in which a firm s compliance is weak. A compliance consultant can use these letters, without identifying the recipient, to guide their clients on what examiners priorities are, and how they will be scrutinized, in real time. The Compliance Program Rule Rule 206(4)-7 under the Investment Advisers Act, better known as the Compliance Program Rule, requires advisers that are registered with the SEC to adopt and implement written compliance policies and procedures. Most states have similar requirements. In all cases, an RIA s policies and procedures should be designed to protect investors and prevent violations of federal and state securities laws. The SEC rule, and relevant state rules, requires each RIA to designate a CCO to develop and enforce its compliance policies and procedures. The CCO should be competent and have a working knowledge of the Investment Advisers Act or relevant state securities law. These customized policies and procedures, often referred to as the RIA s compliance manual, are an RIA s roadmap to compliance success. RIAs should adopt compliance policies and procedures intended to: Prevent violations from occurring; Detect violations that have already occurred; and Correct such violations. Rule 206(4)-7 gives RIAs the flexibility to design compliance policies and procedures that are relevant for their firm. At a minimum, policies and procedures should address the: Accuracy of disclosures made to clients, investors, and regulators, including account statements and advertisements; Portfolio management processes of the firm; Trading practices engaged in by the firm; Proprietary trading of the RIA and personal trading activities of supervised persons; Safeguarding of clients assets from conversion or inappropriate use by advisory personnel; Creation of required books and records, as well as maintenance of them in a manner that protects them from unauthorized alteration or use and unwarranted destruction; Marketing practices utilized by the RIA, including the use of solicitors; Processes used by the firm to value client holdings and assess fees based on those valuations; Safeguards implemented by the RIA to protect clients privacy and confidential information; and, Business continuity plans implemented by the firm. Business continuity plans can be incorporated into an RIA s policies and procedures, and should address disaster recovery and succession planning. In addition to testing the firm s compliance procedures, examiners expect RIAs to test their business continuity plans. Many RIAs test their business continuity plans at the same time they conduct their annual compliance reviews. National Compliance Services, Inc. Page 2

3 All federally registered RIAs, and many state RIAs, must conduct an annual audit of their policies and procedures to ensure that they are thorough and effective. In states where the annual audit is not required, it is, nonetheless, a best practice for stateregistered advisers to conduct similar reviews. Although only annual reviews are required, RIAs should conduct interim reviews in response to significant compliance events, changes in business arrangements, and regulatory developments. For example, an RIA s policies and procedures should change in response to recent regulatory guidance 1 relating to social media and cyber-security. Each RIA should compile an inventory of compliance risks and conflicts of interest, as well as the written policies and procedures the firm has implemented to address them. Each compliance risk should have a corresponding control that is addressed in the written policies and procedures. An RIA must also measure the effectiveness of its policies and procedures at least annually. The rules do not specify the specific approach an RIA must take to complete the annual compliance review. The SEC and state regulators expect that the review will take into consideration any compliance matters that arose during the previous year, any changes in the business activities of the RIA or its affiliates, and any changes in the Investment Advisers Act, relevant state law, or related rules. 2 Failure to adopt compliance policies and procedures is a violation of Section 206 of the Investment Advisers Act and Rule 206(4)-7, and similar state rules. An RIA cannot defend itself by saying a deficiency caused no harm to investors. The SEC s goal is to force RIAs to implement robust policies and procedures before investors are harmed. Rule under the Investment Advisers Act and similar state rules require RIAs to maintain copies of current compliance policies and procedures, as well as those that have been in effect during the last five years. These policies and procedures may be maintained in paper or electronic form and must be easily accessible. In addition, Rule requires RIAs to document all annual reviews and identified compliance risks. Analysis The Compliance Program Rule was adopted on December 17, In a speech given a few months after the rule became effective on February 5, 2004, Lori A. Richards, former Director of the Office of Compliance Inspections and Examinations ( OCIE ), offered her opinions regarding the advisability of outsourcing the CCO function: I also understand that many fund firms are thinking about outsourcing the Chief Compliance Officer function. While the rule does not preclude outsourcing, let me caution you that the Chief Compliance Officer is responsible for administering the fund's compliance program, which includes both adopting and implementing the policies and procedures. She has to have intimate knowledge of the firm s operations in order to administer an effective compliance program. Remember that the 1 For additional information on the SEC s cyber-security initiative, see OCIE Cybersecurity Initiative, available at: 2 For additional information on the SEC s expectations with regard to the annual compliance review, see Examiner Oversight of Annual Reviews Conducted by Advisers and Funds, available at: National Compliance Services, Inc. Page 3

4 Commission stated in the Release that the Chief Compliance Officer should be competent, knowledgeable and empowered. It would therefore be logical to infer that a reasonable amount of time would have to be spent not only overseeing the structure of the compliance program but its implementation as well. Because of this, I am wary about whether a compliance "rent a cop" could really be up to the task. For example, is it reasonable to expect a Compliance Officer in New York to be able to effectively implement and monitor a compliance program in California? While Richards remarks were aimed at mutual fund firms, the same logic applies to outsourcing the CCO function at RIAs. An article entitled, How to Design Investment Adviser Compliance Programs, authored in December 2007 by attorneys at the law firm of Hodgson Russ, made the following observation: In large organizations with complex operations, the CCO may need to be a full-time dedicated individual with appropriate staff support. In small advisory firms, the CCO may wear several other hats. Some firms may choose to outsource the CCO function, although the staff of the SEC has cast doubt on whether an outside person will have sufficient operational awareness and involvement to be able to adequately administer a compliance program. Although outsourcing the CCO position in its entirety may not be advised, RIAs can benefit from outsourcing specific tasks to compliance experts. Consulting firms can help RIAs implement and manage a compliance calendar, risk matrix, and audit checklists, for example. This makes it less likely that an RIA will overlook important compliance obligations, such as disseminating privacy notices to clients on an annual basis. Outsourcing compliance can also help RIAs improve their policies and procedures. In most deficiency letters issued by securities regulators, the examiners cite inadequate policies and procedures as a contributing factor that led to the deficiency. In many cases, the deficiency letter urges the RIA to implement stronger policies and procedures to correct the problems observed. These revisions will help the firm avoid repeating the mistakes that caused the weakness in the first place. In the event a deficiency is found, a compliance firm can play an invaluable role, both by helping the RIA remedy the infraction and by addressing examiner concerns. Improving the firm s policies and procedures benefits the RIA as well as its clients. Policies and procedures remind everyone at the RIA of their fiduciary obligations. They help keep IARs and other associated persons from taking actions that might unintentionally harm investors. And they serve as a reminder of the rules and regulations that all staff members of the firm are expected to follow. As examiners inspect an RIA s books and records, they will be looking to see if policies and procedures have been revised. Policies and procedures should evolve over time based on changes in the firm s business model, changes in the rules and regulations that govern the firm, and in an effort to prevent violations. An RIA s compliance procedures should also include a process for correcting violations that have already occurred. National Compliance Services, Inc. Page 4

5 Outsourcing Arrangments Advisers should not outsource their compliance obligations with the hope of disowning responsibility. An RIA may, however, utilize outsourcing to tactically outsource tasks that are better handled by an experienced third party such as: Drafting and revising compliance manuals; Acting as a service bureau administrator for the RIA s IARD account; Drafting brochures and brochure supplements in plain English; Preparing and filing annual renewal documents; Filing amendments, and state notice filings; Evaluating weaknesses in policies and procedures; Mock audits; Annual risk assessments; Creating and maintaining compliance calendars; Compliance education, as well as training; reviews; Privacy notices; 13F and 13H as well as Form D filings; Review advertisements, including websites and social media; Assistance with handling client complaints; and, Creation and storage of books and records. Even when an adviser outsources specific tasks, the RIA is ultimately responsible for fulfilling its compliance obligations. Benefits Derived by Outsourcing Compliance Outsourcing provides many benefits, including: A key reason RIAs outsource compliance tasks to a third party is the economic benefit. For instance, by outsourcing, RIAs can potentially avoid the cost of hiring qualified personnel, testing and managing compliance, and purchasing resources to address compliance obligations. Outsourcing also provides the RIA with the ability to align compliance costs with their specific business needs. In many cases, outsourcing also provides for an independent review from an expert with broader subject matter knowledge than a team of internal staff members. Additionally, outside consultants typically serve other clients in the same industry and can therefore bring a depth of knowledge of issues within the specific subject matter. Outsourcing helps to simplify an RIA s compliance responsibilities. According to J. Samuel Taylor, CFP, CIMA of the Taylor Financial Group in Roanoke, Virginia. The compliance landscape is very complicated. Having a compliance consultant to assist in navigating this landscape is key for an RIA such as ours. RIAs benefit from the expertise offered by many compliance consulting firms. Even if an adviser is willing to take time away from clients to become well-versed in compliance, it is doubtful he or she will know as much as consultants who have been dealing with these matters on a daily basis and for many years. Compliance consultants are likely to be more current regarding regulatory developments, especially if they interact on a regular basis with the SEC and state securities regulators. Breadth and depth of the outsourcer's expertise, no learning curve on compliance; Reduction of head count and cost-efficient use of resources; Independent analysis of compliance issues. Compliance consulting firms should do more than just supply template policies and procedures. They should offer customized procedures, guidance on changing rules and regulations, and checklists, so RIAs can easily conduct a risk assessment and National Compliance Services, Inc. Page 5

6 evaluate their policies and procedures. A few compliance consultants offer online tools to streamline the evaluation process. Qualified compliance consultants tailor the RIA s policies and procedures to each firm s specific business model. They also help RIAs develop policies and procedures to address regulators current concerns, such as custody of client assets and cyber-security threats. Firms with less complicated business models will usually require simpler policies and procedures. On the contrary, do-it-yourself compliance programs and boilerplate policies and procedures can be a recipe for disaster. Examiners may look at the RIA s boilerplate compliance manual and find many procedures were ignored. A streamlined manual with meaningful policies is a better choice than one filled with procedures that do not apply to the RIA s business model. Newly registered advisers operating on a shoestring budget may benefit most by outsourcing some of their compliance obligations. Many new RIAs come to compliance consulting firms with little or no knowledge of how to become registered, how to market their services, or what fees to charge. The SEC is devoting considerable resources to examining registered advisers that have not yet been examined. If an RIA gets off on the wrong foot with regulators, the firm may be subject to heightened scrutiny for years to come. Whether an RIA is newly registered or has been in business for years, building a relationship with a compliance consulting firm can pay dividends. After becoming familiar with the RIA s business model, the consultant can offer tailored and generalized guidance regarding approaches taken by other advisory firms. By outsourcing compliance, an RIA is likely to gain credibility with examiners. The RIA s policies and procedures are often far more professional and thorough than if the adviser had drafted them on their own. If questions are raised by examiners, the consulting firm can help the adviser explain why certain steps were taken. Conversely, if an adviser ignored a consultant s advice and examiners find out about it, the RIA may be cast in a negative light. Samuel Mitchell, CFP, of Ironmark Advisors, a boutique advisory firm in Plano, Texas, relies on his compliance consulting firm to do the heavy lifting. He compared the process to building a house. We relied on our compliance consultant to lay the foundation, build the walls, and put on the roof of our program. By outsourcing some of the tasks, we made sure the foundation of our compliance program was solid. According to Mitchell, his firm can now handle the upkeep, having built a sound underlying culture of compliance. By outsourcing some of its compliance responsibilities, Ironmark learned how to speak the SEC s language and understand its expectations. As a small firm, Ironmark lacked the capacity needed to build a compliance program from the ground up. The expertise gained from outsourcing gave the RIA a highlevel operational standard to target, compelling the firm to continually improve its compliance program. Securities regulators expect CCOs to be well-versed on compliance matters. A compliance consulting firm should therefore provide educational materials and training to CCOs, as well as other members of the firm. Customer-oriented consulting firms offer informative newsletters and webinars on compliance topics. They are also proactive in notifying and explaining new rules and regulations affecting the RIA. National Compliance Services, Inc. Page 6

7 A compliance consulting firm s technology can make it far easier for RIAs to stay compliant and up-to-date. The provider's system should offer 24/7 access to an online library of relevant forms, checklists, and educational materials. The provider's platform should give RIAs the ability to view and store their Form ADV, contracts, and policies and procedures. All of the RIA s materials should be backed up on a regular basis. In addition, given the cyber threats facing RIAs and regulators business continuity requirements, the consulting firm s system must possess the highest level of security. Finally, the compliance consulting firm s pricing should be flexible enough to accommodate any adviser s budget. Advisers should be able to choose from a number of pricing schedules that feature as many or as few consulting hours as the RIA anticipates needing. Recommendations Outsourcing helps RIAs focus on their core business of providing advisory services to investors. Once an RIA recognizes the benefits of outsourcing, the firm should shop around for the right compliance partner. RIAs using a particular broker-dealer s platform, such as Schwab or TD Ameritrade, may be offered a list of recommended consultants offering compliance services to RIAs on those platforms. Regardless of the clearing platform, for both established and newly registered RIAs, the benefits of outsourcing compliance make economic sense, and the regulatory climate is pushing firms in this direction. Having a solid compliance program is perhaps the most efficient way to comply with Federal and state laws that govern the RIA industry. 3 On the SEC s website, the Commission publishes enforcement actions taken against investment advisers and other financial professionals. When an adviser has engaged in egregious behavior, the individual, the firm, and even the RIA s CCO are sometimes fined or barred from the securities industry. In many cases, the SEC orders the RIA to hire an independent compliance consulting firm to help correct the violations. Even if violations are addressed, the RIA and the culpable individuals may forever be viewed in a negative light. Therefore, an RIA may benefit from outsourcing its compliance obligations before securities regulators require them to do so. Advisers should be wary if a quoted price seems to good to be true. Few services may actually be included in the price, and the RIA may be charged separately for the services they require. On the contrary, many compliance consulting firms offer retainer packages that include all registration-related services and a specified number of consulting hours. These packages frequently give RIAs more bang for their buck. 3 To see a published list of SEC enforcement actions and other legal notices, visit National Compliance Services, Inc. Page 7

8 National Compliance Disclosures Services This white paper is general in nature, and it should not be construed as legal, compliance, or regulatory advice. National Compliance Services, Inc. is not engaged in the practice of law. Always consult an attorney or tax professional regarding your specific legal or tax situation. 355 NE 5th Ave., Suite 4 Delray Beach, Florida Tel#: info@ncsonline.com National Compliance Services, Inc. Page 8