1. How New Technology and Regulations Will Impact the Future of RIA Compliance
May 24, 2017
FPA of Georgia

2. GJ King President, RIA in a Box
GJ is the President of RIA in a Box® which provides compliance and operations support to over 1,500 registered investment adviser (RIA) firms. He is a frequent industry speaker on the topics of RIA compliance, operations, and technology best practices. GJ previously worked in the investment management division of Goldman Sachs serving as a trusted advisor to a select group of high net worth entrepreneurs, families, and foundations. King holds an MBA from the Graduate School of Business at Stanford University and a BA from Brown University.

3. Disclosures
RIA in a Box is not a law firm, CPA firm, or registered investment advisory firm.
None of the information presented, advice given, or services rendered should be considered legal, tax, accounting, or investment advice.

4. Today’s Topics Technology New Rules Form ADV Changes Audit Future
System Adoption
How it Comes Together
New Rules
DOL Fiduciary Rule
Form ADV Changes
Audit Future
Stats to Know
Big Data
Exam Scope & Frequency

5. Today’s RIA Technology Landscape
CRM is the hub.

6. Integrated RIA Compliance Technology
CRM
Portfolio Management & Reporting
Document Storage
Archiving
Compliance Platform
CRM is the hub.

7. Your CRM System 48% of RIA firms use a CRM system today*
2015 AUM growth rate: 4.6% vs. 2.0% average
Most popular solutions are Redtail and Salesforce
General client information and notes
Good business practice that is crucial during any regulatory issue
Integrated calendar and tasks
Documentation of compliance program implementation
Client suitability information
Top deficiency cited during regulatory exams
Client location
Is your firm registered in all proper jurisdictions?
Documented processes via workflows
Internal review and approval processes for investment recommendations
Everything should integrate with CRM.
Source: 2016 RIA in a Box Technology Survey

8. Your Portfolio Management & Reporting System
48% of RIA firms use a portfolio management and reporting system today*
2015 AUM growth rate: 3.8% vs. 2.0% average
Most popular solutions are Morningstar Office and Orion
Form ADV filing information
Automatically aggregate and normalizes data across multiple custodians
Calculate total regulatory assets under management (“AUM”)
Discretionary vs. Non-discretionary
AUM by client type
Systemized advisory fee billing
Manual fee calculation is a major compliance risk
Opportunity to determine a “reasonable fee”
Systemized review of client portfolio performance
Are there any outliers?
Orion integration
Source: 2016 RIA in a Box Technology Survey

9. Your Document Storage System
46% of RIA firms use a document storage system today*
2015 AUM growth rate: 4.8% vs. 2.0% average
Most popular solutions are DropBox and Box
Official books and records
Foundation of your firm’s compliance program
Organized client documentation
Ability to produce required client files
Business continuity
Ability to access files and continue operations during a business disruption
Benefits of cloud storage -> talk about security
Source: 2016 RIA in a Box Technology Survey

10. Your Archiving System ~50% of RIA firms use an archiving system today
Some systems focus exclusively on
Some systems archive across all channels (social media, text, etc.)
Requirement to keep correspondence and advertising records
Can lead to serious regulatory issues
Easier compliance monitoring
Centralizes capture of all information to allow for easier review
Demonstrate “Culture of Compliance”
Ability to demonstrate program implementation during an exam
Can be expensive

11. Your Compliance Software Platform
39% of RIA firms use compliance software today
Some systems focus exclusively on employee trade monitoring
Some systems serve more broadly as your firm’s compliance hub
Implement a comprehensive yet efficient program
Perform only relevant tasks based on your firm’s profile
Centralized compliance program documentation
Organize all competed activities in a digital compliance log
Supervise staff
Track and document all staff attestations and activities
Automatically capture all employee trade data
More efficiently review employee trades vs. client trades
Last frontier of RIA technology
Source: 2017 InvestmentNews Adviser Technology Study

12. DOL Fiduciary Rule
This rule does impact RIA firms but it is manageable
June 9, 2017: Comply with the Impartial Conduct Standards
Example impacted investment recommendation scenarios:
IRA rollover from a Qualified Retirement Plan
IRA rollover from another IRA
Switch from commission-based to fee-based IRA

13. Impartial Conduct Standards
CRM & Doc Management
Best Interest
Reasonable Compensation
Portfolio Management
No Misleading Statements

14. Five Steps to Comply Qualify for streamlined Level Fee Exemption
Educate and train all staff members
Create an “IRA Investment Recommendation Checklist”
Implement a process to review recommendations
Establish additional procedures to ensure compliance

15. Form ADV Changes
This rule impacts all state and SEC-registered RIA firms
October 1, 2017: New Form ADV becomes effective
Significant changes include:
Disclose company social media pages
Disclose use of outsourced Chief Compliance Officer
More detailed AUM information by client type
More detailed information on Separately Managed Accounts
More detailed information on Wrap Fee Programs

16. Three Steps to Comply
Begin to organize portfolio management and reporting information to mirror Form ADV data fields
Ensure that all social media pages are properly archived
Document all new required information by October 1, 2017

17. Establishing the Culture of Compliance
While the above statement is a sometimes overused phrase in the RIA compliance world, our team of former regulators can assure you that it is taken very seriously by every regulator in every jurisdiction.
If you are successful in demonstrating a “culture of compliance” at your firm and willingly cooperate with the examiners, your exam is more likely to have better results.

18. Keep the Proper Books & Records
Know the rules applicable to your firm
SEC Rule 204-2
Georgia Rule
Are you aware of your jurisdiction’s Books & Records requirements?
Inspection of the firm’s books and records is a key audit focus
Don’t wait to prepare these until requested by the examiner
Unique Georgia requirements
Specific supervision rules including annual office inspection
Make sure you bookmark your jurisdiction’s rules – NJ follows SEC books and records rule
SEC: 18 items with subsections ranging from financial statements to client information to policies and procedures and documentation of annual review

19. Elements of Effective Compliance Program
Annual Review
Written Policies & Procedures
Code of Ethics
Staff Training & Attestations
Risk Assessment & Compliance Calendar
P&P
COE – stand alone doc or part of P&P
Training of advisory personnel and attestations from them
Will move fairly quick through first 3 topics; meat of today’s presentation will be Implementation of your program.

20. Policies & Procedures SEC has stated:
Even small advisers may have arrangements, such as soft dollar agreements, that create conflicts… Advisers of all sizes, in designing and updating their compliance programs, must identify these arrangements and provide for the effective control of the resulting conflicts...We would expect smaller advisory firms without conflicting business interests to require much simpler policies and procedures than larger firms.
Policies and procedures requirement applies to all investment advisers regardless of size

21. Policies & Procedures
Rule 206(4)-7 under the Investment Advisers Act of 1940 requires SEC registered investment advisers to:
adopt and implement written policies and procedures reasonably designed to prevent violation, by you and your supervised persons, of the Act and rules under the Act.
conduct a review, no less than annually, of the adequacy of the policies and procedures and the effectiveness of their implementation.
designate a Chief Compliance Officer (CCO) to administer the policies and procedures.
Rule 206(4)-7 is a classic area of enforcement. Common mistakes include: has manual but doesn’t implement it, manual that is not tailored, just updates Form ADV but doesn’t implement a program, don’t conduct an annual compliance review, no documentation of any reviews, or insufficiently qualified or empowered CCO

22. Policies & Procedures (Cont.)
At a minimum, the SEC has stated the policies and procedures should address the following (if applicable to an investment adviser’s business):
Portfolio management processes – allocation of investment opportunities among clients, consistency of investments with investor goals, disclosures
Trading practices – procedures to determine best execution, allocation of aggregated trades among clients
Proprietary trading of the adviser and personal trading of supervised persons (Code of Ethics)
Accuracy of disclosures to clients and regulators – brochure, advertising
Accurate creation and secure maintenance of required records

23. Policies & Procedures (Cont.)
Marketing – use of solicitors
Processes to value client holdings and assess fees based on those valuations
Safeguards to protect client assets from conversion or inappropriate use by advisory personnel
Safeguards to protect client information
Business continuity plans
If we created your P&P, all of these items are covered in varying degrees depending on your business model.
If you’re a new IA or aren’t sure if your P&P cover all these items, I suggest you pull them out and read them.
Business continuity: proposed rule from the SEC not finalized, but still expect you to have one as part of your fiduciary responsibility

24. Code of Ethics
Requirement to have language that all supervised persons will comply with security laws.
Requirements for reporting of access persons’ personal securities transactions and holdings and pre-approval of IPO investments and limited offerings.
Procedures to report violations of the Code and sanctions for violations.
Requirement to provide copy and obtain annual acknowledgments.
A COE is very important part of your P&P so it gets special attention. The risks addressed by the COE are present in every firm and address activities that pose serious risk of harm to your clients.
Often where regulators discover fraud within a firm that hasn’t been caught.

25. Staff Training & Attestations
Provide investment adviser personnel with copies of Policies and Procedures, Code of Ethics, and Privacy Policy.
Do they understand them?
Individual’s attestation that they have read, reviewed, and understand
Initially, annually, or when modified
First a note on training: Should not just be a mechanical process of passing out these documents and getting signatures back. Should be a meaningful discussion and meaningful review of these docs so that you are reasonably assured that you and your employee understood what they require. This training, at a minimum, should occur when employee is initially hired and on an annual basis. DO THESE WITH SOFTWARE!

26. Risk Assessment
Neither Rule 206(4)-7 nor similar state rules require a risk assessment; but, the SEC’s initial request for information during an exam asks for:
Inventory of compliance risks that forms the basis for policies and procedures
Documents mapping the inventory of risks to written policies and procedures
Risk assessment can help you create your P&P or if you’ve purchased either an off-the-shelf manual or even an customized manual, you should still use a risk assessment to make sure your P&P adequately address and control the particular risks inherent in your business.

27. Risk Assessment Four Step Process: Prepare risk inventory
Assign a “rating” to each risk identified in your inventory
“Map” risks to specific procedures and/or disclosures
Review and update, as needed
Make sure to update your risk inventory each year when new focus areas or hot topics are identified. Two relevant examples right now: cyber security and the DOL fiduciary rule.

28. Compliance Calendar
Use a compliance calendar to monitor and test your policies and procedures.
The calendar should indicate:
What is the specific task to be performed
When and how often will the specific task be performed
Who will be responsible for performing the task
Once you’ve done a risk assessment and are comfortable that your P&P cover all the things they should, then you face the task of doing everything your P&P says you will do. A way to manage that task is to create a compliance calendar. USE SOFTWARE FOR THIS!
Not performing a task that is specifically included in your written compliance policies and procedures is a red flag to a securities regulator that you may not be implementing your written compliance policies and procedures. 

29. Compliance Monitoring & Testing
Your calendar will have tasks designed to monitor and test your policies and procedures.
Monitoring: Keeping track of and checking your procedures on a continuing basis.
Testing: Submitting your procedures to evaluation to determine their ability, or inability, to detect and prevent compliance violations.

30. Compliance Monitoring & Testing
Policy: The firm’s Chief Compliance Officer (CCO) shall be responsible for approving all company advertising and ensuring it is in compliance with jurisdictional regulations. No advertisement shall be distributed without the CCO’s approval.
Task: Review and approve advertising.
When:
As needed: Review and note approval when advertisement placed;
Quarterly / Annually: Spot check advertisement records to ensure prior approval was obtained and perform a general internet search for “unapproved” advertising
 Look at specific example of task for your calendar.
Review and approve content at time ad is placed to make sure no testimonials, appropriate disclosures, fair and balanced, no misleading language.
Periodic reviews – Quarterly / Annually – make sure CCO approval is documented
General Internet search on your IA and its personnel for any unapproved advertising
In each case document the review.

31. Compliance Monitoring & Testing
Policy: The Firm shall bill clients accounts on a quarterly basis and deduct the fees directly from clients accounts.
Task: Review client accounts for billing errors.
When: Review sample client files every quarter after the most recent billing cycle.
 Another example.
Procedures say basically that you will manage your clients’ accounts in accordance with their investment objectives.

32. Annual Review
CCO or person designated to conduct a review must assess the adequacy and effectiveness of the compliance program at least annually.
Adequacy
Has the firm updated its policies and procedures in response to changes in business practices or regulatory requirements?
Has the firm conducted risk assessment in response to any changes?
Effectiveness
Is the firm implementing policies and procedures as designed?
Document the annual review and make changes as necessary.
Top to bottom review of your compliance program.
Checking Adequacy – read slide
Effectiveness – if kept compliance calendar and engaged in monitoring and testing throughout the year, then you can be reasonably assured that your program is doing what it’s supposed to do. Make sure you have documentation of that monitoring and testing.
Document annual review – P&P are up-to-date; met with and reviewed those with employees; annual attestations.

33. RIA Examination Frequency
What percentage of SEC-registered RIA firms are audited on an annual basis?
11%
18%
27%
43%

34. RIA Examination Frequency
SEC Audit Statistics
Examined 30% of total assets under management (“AUM”) in 2014
From 2001 to 2015, total aggregate SEC-registered RIA AUM increased approximately 210% from $21.5 trillion to approximately $66.8 trillion
As of February 28, 2017, there are 12,286 SEC-registered RIA firms with a median AUM of $302 million and an average of $5.459 billion AUM
SEC exam volume is up 25% in 2017 vs. 2016
11% audit frequency -> expect this number to move closer towards 13-14% in next report with exam volume up 25% YoY
Challenge is the number of firms continues to grow at a fast pace -> historical focus on larger AUM firms
Sources: 2014, 2015, 2016, and 2017 SEC Fiscal Year Congressional Budget Justifications

35. Exam Document Preparation
Overview slide deck
Org chart
Joint ventures
Client account information
Type
Custodian
E-delivery authorization
Custody
Value for advisory fees

36. Exam Document Preparation
Lost advisory clients
Registration justification
Service provider list
Policies and Procedures
Non-compliance records
Review documentation
Code of Ethics
Trade errors
Risk assessment
Employee trade records

37. Exam Document Preparation
Litigation records
Security list
Soft dollar arrangements
Custodial agreements
Financial statements
Trade blotter
Advertising materials
Advisory agreement

38. Exam Deficiencies
What percentage of SEC RIA audits result in a deficiency being cited?
34%
42%
63%
77%

39. Referrals to Enforcement Division
What percentage of SEC RIA audits result in a referral to Enforcement? 7%
11%
26%
32%

40. Possible Referral to Enforcement
SEC Enforcement Statistics
Sources: 2014, 2015, 2016, and 2017 SEC Fiscal Year Congressional Budget Justifications

41. Deficiencies
Source: 2015 North American Securities Administrators Association RIA Coordinated Examination Report

42. Evolving Audit Scope

43. Better Data and More Focus
The Form ADV Part 1 changes taking effect October 1, 2017 further demonstrate this.

44. Best Practices Proper documentation
Accurate Form ADV documents and disclosures
Know relevant requirements
Periodic review of client files and marketing
Customized policies and procedures
Client files: required documents (contracts, investment policy statement, etc.), billing accuracy
Marketing materials: from a regulator’s perspective
DOCUMENT, DOCUMENT, & DOCUMENT -> you must prove it

45. Efforts to Increase Audit Frequency
3rd party self regulatory organization (SRO)
Congressional bill introduced by Spencer Bachus (formerly R-AL) in April 2012
User fees
Congressional bill introduced by Maxine Waters (D-CA) in April 2013
3rd party audits
Introduced in May 2014 by former SEC Commissioner Daniel Gallagher at a Financial Industry Regulatory Authority (FINRA) event
Increased SEC focus on RIA firms
Shift of 100 broker-dealers to adviser exams
Hiring more adviser examiners
Changing AUM registration threshold
Previously raised from $30 to $100 million as part of Dodd-Frank
Raising to $300 million would shift around ½ of SEC-registered firms to state level
Though not likely, most likely scenario among these is the introduction of 3rd party audits at the federal level to do limited scope exams related to asset verification and fee calculation confirmation.

46. About RIA in a Box www.riainabox.com @riainabox
We support RIA firms with industry-leading registration and compliance services
Experience & Expertise
30+ employees including former regulators, advisors, and technologists
Have helped register over 3,000 new RIA firms
MyRIAComplianceTM
Proprietary RIA compliance management software
Provide compliance software and ongoing consulting support to over 1,500 RIA firms
@riainabox